File name:

UndocumentedwordfeaturePub.pub

Full analysis: https://app.any.run/tasks/9c9243c2-e35e-4c16-bf89-8e65df09be32
Verdict: Malicious activity
Analysis date: January 14, 2024, 11:58:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/vnd.ms-office
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252
MD5:

E5AD7198B5D2B1698F4E373CE8F61BC6

SHA1:

B395F085C8A97B0E56B7E59A8984B070A72A5441

SHA256:

6B92EB770C4B165182E3D3152C6E66FF85B36898B9EC192518E4146065382C56

SSDEEP:

384:ujDB74NynEpOjA1avsh/Za1VpxVkAkbyxiKQcuCVewwVk:ESwxiKQc6V

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads the Internet Settings

      • MSPUB.EXE (PID: 128)

    • Checks Windows Trust Settings

      • MSPUB.EXE (PID: 128)

    • Reads settings of System Certificates

      • MSPUB.EXE (PID: 128)

    • Reads security settings of Internet Explorer

      • MSPUB.EXE (PID: 128)

  • INFO

    • Checks supported languages

      • MSPUB.EXE (PID: 128)

    • Reads Environment values

      • MSPUB.EXE (PID: 128)

    • Reads the computer name

      • MSPUB.EXE (PID: 128)

    • Reads Microsoft Office registry keys

      • MSPUB.EXE (PID: 128)

    • Reads the machine GUID from the registry

      • MSPUB.EXE (PID: 128)

    • Create files in a temporary directory

      • MSPUB.EXE (PID: 128)

    • Checks proxy server information

      • MSPUB.EXE (PID: 128)

    • Creates files or folders in the user directory

      • MSPUB.EXE (PID: 128)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.pub | Microsoft Publisher document (90.4)

EXIF

FlashPix

CompObjUserTypeLen: 24
CompObjUserType: Microsoft Publisher 3.0
Author: -
ThumbnailClip: (Binary data 58946 bytes, use -b option to extract)
CodePage: Windows Latin 1 (Western European)
Manager: -
Company: -
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start mspub.exe

Process information

PID
CMD
Path
Indicators
Parent process
128"C:\Program Files\Microsoft Office\Office14\MSPUB.EXE" "C:\Users\admin\AppData\Local\Temp\UndocumentedwordfeaturePub.pub"C:\Program Files\Microsoft Office\Office14\MSPUB.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Publisher
Exit code:
0
Version:
14.0.6026.1000
Modules
Images
c:\program files\microsoft office\office14\mspub.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
Total events
4 862
Read events
4 797
Write events
62
Delete events
3

Modification events

(PID) Process:(128) MSPUB.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(128) MSPUB.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
On
(PID) Process:(128) MSPUB.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
On
(PID) Process:(128) MSPUB.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
On
(PID) Process:(128) MSPUB.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
On
(PID) Process:(128) MSPUB.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
On
(PID) Process:(128) MSPUB.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
On
(PID) Process:(128) MSPUB.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
On
(PID) Process:(128) MSPUB.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
On
(PID) Process:(128) MSPUB.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1055
Value:
On
Executable files
0
Suspicious files
10
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
128MSPUB.EXEC:\Users\admin\AppData\Local\Temp\CVRF954.tmp.cvr
MD5:
SHA256:
128MSPUB.EXEC:\Users\admin\AppData\Local\Temp\~DF192FF1F6284DDC28.TMPbinary
MD5:FE7D48BBAB4AF9CEBE90118B79D646B5
SHA256:97E7BF9A3D7D04E7C3213E74E059AC7C806E761FEDDA89A4F9E7F3BF9F60E66D
128MSPUB.EXEC:\Users\admin\AppData\Local\Temp\~DF838BEB1A82278B7B.TMPbinary
MD5:2416991C52E1F970C6EA948AC7E0705D
SHA256:2E5BACCA2A2D73595006C6C9472B38008DB960F8D37065B919EA8C6B84447CED
128MSPUB.EXEC:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\350db95df4cbd94b2a1c300510e12e11.xmlxml
MD5:CE601A0ADBF9841F2F368BE9E1AB1508
SHA256:A1A6A1CCAFFFEBA62781CD88339013926D3898467B7D1926538EC213ED973C72
128MSPUB.EXEC:\Users\admin\AppData\Local\Temp\~DF67624A863CE05A1B.TMPbinary
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
128MSPUB.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157compressed
MD5:1BFE591A4FE3D91B03CDF26EAACD8F89
SHA256:9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
128MSPUB.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:A3E17C360EA049E0C4385548ED06D409
SHA256:5D071BFA2394A818D635ED070025282E206F23205A6C950B0A06BEADFE123B90
128MSPUB.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04binary
MD5:CE1CD74FF80BA0C66333B16CAA7A6D78
SHA256:2EC7782A793A74C6A578FBCD199E07CB18577925D1800FC3265053D248426510
128MSPUB.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04binary
MD5:6F8F3AA785E9D918E38333E8BB35E201
SHA256:01BDA0FF1F0BA6580D52BE8E319EBB9EFD62BDFC7DBE0F22E7400B76846AD5DE
128MSPUB.EXEC:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\350db95df4cbd94b2a1c300510e12e11.sigbinary
MD5:2EED6F57E650B1DAF15EDFE295C83041
SHA256:95C305A7F7A5AC4A266DE957217945CF43BB40C7EE903DC80F13A1F3502C8299
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
11
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
128
MSPUB.EXE
GET
200
52.109.32.97:80
http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={CD0D7B29-89E7-49C5-8EE1-5D858EFF2593}&build=14.0.6023
unknown
xml
1.96 Kb
unknown
128
MSPUB.EXE
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9136cf2b23e1ddd6
unknown
compressed
4.66 Kb
unknown
128
MSPUB.EXE
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
binary
471 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
128
MSPUB.EXE
54.155.179.31:80
cymulatelabs.com
AMAZON-02
IE
unknown
128
MSPUB.EXE
52.109.32.97:80
office14client.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
unknown
128
MSPUB.EXE
52.109.88.174:443
office.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
128
MSPUB.EXE
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted
128
MSPUB.EXE
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
cymulatelabs.com
  • 54.155.179.31
unknown
dns.msftncsi.com
  • 131.107.255.255
shared
office14client.microsoft.com
  • 52.109.32.97
whitelisted
office.microsoft.com
  • 52.109.88.174
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
UndocumentedwordfeaturePub.pub