File name:

payment.docx

Full analysis: https://app.any.run/tasks/97715643-5acc-421a-a117-5ab64536c931
Verdict: Malicious activity
Analysis date: May 20, 2025, 14:09:58
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
cve-2017-11882
exploit
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

8DC91825C4AEAA3814ABFF5060ECAF78

SHA1:

4ADC9AA0ED9C13316AB44B77C1593C2594AEF029

SHA256:

7F7D42510E2926B93BAAABB65036834D4898244A2EF237CA1527461150116763

SSDEEP:

3072:LP6rqRX369Om79R6jDh+b0AKWGMjPsjexxv05GKeUQyloI6876R:cqRn1jDh1AShj/eUlM8mR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • EXPLOIT has been detected (SURICATA)

      • WINWORD.EXE (PID: 7532)

  • SUSPICIOUS

    • Connects to the server without a host name

      • WINWORD.EXE (PID: 7532)

  • INFO

    • Checks proxy server information

      • slui.exe (PID: 8032)

    • Reads the software policy settings

      • slui.exe (PID: 7764)
      • slui.exe (PID: 8032)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2025:05:20 07:45:04
ZipCRC: 0x8d4b0b97
ZipCompressedSize: 424
ZipUncompressedSize: 2461
ZipFileName: [Content_Types].xml
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
141
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #EXPLOIT winword.exe sppextcomobj.exe no specs slui.exe svchost.exe ai.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2108"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "6F2EDE92-B51D-473E-85E1-DB70A145D274" "5A62EBA6-CEAB-492E-BE5D-FFB5E2E7A86C" "7532"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version:
0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
7532"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n C:\Users\admin\AppData\Local\Temp\payment.docx /o ""C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
7700C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
7764"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
8032C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
53 543
Read events
33 792
Write events
19 658
Delete events
93

Modification events

(PID) Process:(7532) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:writeName:0
Value:
017012000000001000B24E9A3E02000000000000000600000000000000
(PID) Process:(7532) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\7532
Operation:writeName:0
Value:
0B0E106CBA6DFC643E66479C2AC8B89F08E2EB230046CC93C6AC8EB2F2ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511EC3AD2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(7532) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(7532) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:de-de
Value:
2
(PID) Process:(7532) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:fr-fr
Value:
2
(PID) Process:(7532) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:es-es
Value:
2
(PID) Process:(7532) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:it-it
Value:
2
(PID) Process:(7532) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ja-jp
Value:
2
(PID) Process:(7532) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ko-kr
Value:
2
(PID) Process:(7532) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:pt-br
Value:
2
Executable files
33
Suspicious files
141
Text files
18
Unknown types
0

Dropped files

PID
Process
Filename
Type
7532WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbresbinary
MD5:E6665CDF40FDFFD8D96F9252083592E4
SHA256:51CFFF58860C38CDE6EC20080D309D89DA5475955C3641957A6A04455C452844
7532WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbresbinary
MD5:9FCD10FBEA9120DC637CD0205505CB94
SHA256:25A0300B2661E9A5B2020F25F72663F19124D10EBAE1EF22BA16DD47236B47BB
7532WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\ResourceInfoCache\data.jsonbinary
MD5:A749D8FEE2FE7DA8960DAD52078BE0C9
SHA256:18CB193E093B7C9A0E2EE13551AFAD45DD01440C06631CB256D46F71F63EDD7B
7532WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$ayment.docxbinary
MD5:F2D89AEE92A68B3818D53045D552E369
SHA256:3A92EFE36A2F16FB7BE3134778AEF62DC8B3319CD7E4D75072CE91DD7C0423E3
7532WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187binary
MD5:2E06FC71162E5219FEF0FF8181B041D0
SHA256:3F0EC80472C4FA046766E1BDC3CD0BBDF6084C86A9E1020BC20DB142CAF0EC09
7532WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187binary
MD5:DCDB8A2328C8F79589B318B6A8100BBE
SHA256:AC2A15BA22BEA731C449618786895A6FEC601F6D3B96CDCA29B9EB82B0452908
7532WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bintext
MD5:2CAD680669167D798DB2AEC849228F84
SHA256:F5C665838857BD7B177E88F30F70271DDCD318D06B9F6AED6BCF6ACE72B20A15
7532WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bintext
MD5:CC90D669144261B198DEAD45AA266572
SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
7532WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\ResourceInfoCache\07fc2a8c43a1d1f16572d21e959a4847e306edae.tempbinary
MD5:A749D8FEE2FE7DA8960DAD52078BE0C9
SHA256:18CB193E093B7C9A0E2EE13551AFAD45DD01440C06631CB256D46F71F63EDD7B
7532WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8binary
MD5:09F449A0A9FE721EDE2685FB45BD92EC
SHA256:0BC246AB733E5806DE3CE2129B818AF62D93A466BF8F2BCF534E0E3FFD28523D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
18
TCP/UDP connections
72
DNS requests
33
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7532
WINWORD.EXE
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
7532
WINWORD.EXE
HEAD
200
107.175.246.32:80
http://107.175.246.32/xampp/rgb/nic/nicetoseeyoubesttingstodobetterwaysgivebetter________nicetoseeyoubesttingstodobetterwaysgivebetter_________nicetoseeyoubesttingstodobetterwaysgivebetter.doc
unknown
unknown
7532
WINWORD.EXE
GET
200
142.250.186.163:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7532
WINWORD.EXE
GET
200
142.250.186.163:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
7532
WINWORD.EXE
GET
200
107.175.246.32:80
http://107.175.246.32/xampp/rgb/nic/nicetoseeyoubesttingstodobetterwaysgivebetter________nicetoseeyoubesttingstodobetterwaysgivebetter_________nicetoseeyoubesttingstodobetterwaysgivebetter.doc
unknown
unknown
680
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
680
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7532
WINWORD.EXE
HEAD
200
107.175.246.32:80
http://107.175.246.32/xampp/rgb/nic/nicetoseeyoubesttingstodobetterwaysgivebetter________nicetoseeyoubesttingstodobetterwaysgivebetter_________nicetoseeyoubesttingstodobetterwaysgivebetter.doc
unknown
unknown
7532
WINWORD.EXE
GET
200
2.19.11.105:80
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7532
WINWORD.EXE
52.109.89.18:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7532
WINWORD.EXE
52.109.28.47:443
roaming.officeapps.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted
7532
WINWORD.EXE
52.123.130.14:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7532
WINWORD.EXE
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
7532
WINWORD.EXE
2.16.168.101:443
omex.cdn.office.net
Akamai International B.V.
RU
whitelisted
6544
svchost.exe
40.126.31.130:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
officeclient.microsoft.com
  • 52.109.89.18
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.250
whitelisted
roaming.officeapps.live.com
  • 52.109.28.47
whitelisted
ecs.office.com
  • 52.123.130.14
  • 52.123.131.14
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 2.23.77.188
whitelisted
omex.cdn.office.net
  • 2.16.168.101
  • 2.16.168.119
whitelisted
login.live.com
  • 40.126.31.130
  • 20.190.159.131
  • 20.190.159.23
  • 40.126.31.71
  • 40.126.31.128
  • 40.126.31.3
  • 20.190.159.2
  • 20.190.159.68
whitelisted
smollq.cc
  • 104.21.96.1
  • 104.21.112.1
  • 104.21.48.1
  • 104.21.32.1
  • 104.21.16.1
  • 104.21.80.1
  • 104.21.64.1
unknown
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
c.pki.goog
  • 142.250.186.163
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
7532
WINWORD.EXE
Potentially Bad Traffic
ET INFO Dotted Quad Host DOC Request
7532
WINWORD.EXE
Potentially Bad Traffic
ET INFO Dotted Quad Host DOC Request
7532
WINWORD.EXE
Potentially Bad Traffic
ET HUNTING Microsoft Office User-Agent Requesting A Doc File
7532
WINWORD.EXE
Misc Attack
EXPLOIT [ANY.RUN] Obfuscated RTF document including the CLSID of the Equation Editor (CVE-2017-11882)
7532
WINWORD.EXE
Potentially Bad Traffic
ET INFO Dotted Quad Host DOC Request
7532
WINWORD.EXE
Misc activity
ET USER_AGENTS Microsoft Office Existence Discovery User-Agent
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
payment.docx