File name:

Statement Concerning Crisis in Ukraine .docx

Full analysis: https://app.any.run/tasks/faf7bc15-9f65-41f2-9132-04a4651e4c41
Verdict: Malicious activity
Analysis date: April 15, 2025, 19:11:08
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
apt
sidewinder
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

1EF91736A85E4EA333607E058E215891

SHA1:

3F256A2C0C82607FDEF7267B993B9D7F80C73953

SHA256:

82F6A7115B1825F83AD3F24EFAC3E9A9EDD90A9222837457213442A683DB7A10

SSDEEP:

6144:wefdXLRcy3EaWqnt3aSLG839zgpAAZR+NhMoThHp:JRjR/ntzC839zOAAeNhMo1J

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • SIDEWINDER has been detected (SURICATA)

      • svchost.exe (PID: 2196)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2022:02:25 11:49:48
ZipCRC: 0xb71a911e
ZipCompressedSize: 233
ZipUncompressedSize: 590
ZipFileName: _rels/.rels

XML

Template: Normal
TotalEditTime: 11 minutes
Pages: 1
Words: -
Characters: 1
Application: Microsoft Office Word
DocSecurity: None
Lines: 1
Paragraphs: 1
ScaleCrop: No
Company: -
LinksUpToDate: No
CharactersWithSpaces: 1
SharedDoc: No
HyperlinksChanged: No
AppVersion: 15
Keywords: -
LastModifiedBy: Windows User
RevisionNumber: 3
CreateDate: 2022:02:25 10:25:00Z
ModifyDate: 2022:02:25 10:47:00Z

XMP

Title: -
Subject: -
Creator: Windows User
Description: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
136
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe sppextcomobj.exe no specs slui.exe no specs #SIDEWINDER svchost.exe ai.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
960C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
1676"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\Statement Concerning Crisis in Ukraine .docx" /o ""C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6728"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7380"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "88CD0CC4-1EAA-4A2B-B904-FF70D5F084E1" "2A4F3C08-C0C9-4D6D-BCED-A8A95EDF97F4" "1676"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version:
0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
Total events
8 888
Read events
8 617
Write events
254
Delete events
17

Modification events

(PID) Process:(1676) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common
Operation:writeName:SessionId
Value:
BA263E1D469A5E4996DDB89DF6122BEB
(PID) Process:(1676) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\GracefulExit\WINWORD\2200
Operation:delete valueName:0
Value:
ซ鴐㝅娴Ꝇ힬꿹�䙔�닜樁င$驄摽鶲…ީ湕湫睯쥮Ȇ∢්ł¢ᣂ숁씀褎예됏죃캲ǭ჉砃㐶ᇅᆘዒ看椀渀眀漀爀搀⸀攀砀攀씀‖ៅ肀줄࠘㈲㈱䐭捥
(PID) Process:(1676) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\GracefulExit\WINWORD\2200
Operation:delete keyName:(default)
Value:
(PID) Process:(1676) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\1676
Operation:writeName:0
Value:
0B0E104BED102269DB924B9E403D50D5E3D61A230046D6E798C5A2C7EBED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C50E8908C91003783634C5118C0DD2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(1676) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems
Operation:writeName:6|+
Value:
367C2B008C06000004000000000000004471DF283AAEDB018C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(1676) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems
Operation:delete valueName:6|+
Value:
簶+ڌ
(PID) Process:(1676) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Roaming
Operation:writeName:RoamingConfigurableSettings
Value:
DC00000000000000803A0900E907040002000F0013000B000F006B02000000000000000000000000201C0000201C00008051010080510100805101008051010080F4030080F4030080F403002C01000084030000805101000000000084030000805101000A0000001E0000001E000000000000000000000080510100010000000100000000000000000000000000000000000000008D2700008D2700008D2700010000000A000000805101000000300000003000000030000000000084030000805101001E0000008403000080510100050000000500000005000000
(PID) Process:(1676) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\1676
Operation:writeName:0
Value:
0B0E104BED102269DB924B9E403D50D5E3D61A230046D6E798C5A2C7EBED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DA201C2190000C50E8908C91003783634C5118C0DD2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(1676) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems
Operation:writeName:2|+
Value:
327C2B008C06000002000000000000008D42F7283AAEDB01A000000001000000740000002000000063003A005C00700072006F006700720061006D002000660069006C00650073005C006D006900630072006F0073006F006600740020006F00660066006900630065005C0072006F006F0074005C006F0066006600690063006500310036005C00670065006E006B006F002E0064006C006C000000670065006E006B006F002E0063006F006E006E00650063007400310032000000
(PID) Process:(1676) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Word\AddinsData\Genko.Connect12
Operation:writeName:LoadCount
Value:
5
Executable files
1
Suspicious files
18
Text files
10
Unknown types
0

Dropped files

PID
Process
Filename
Type
1676WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmbinary
MD5:607754B25697B306E8714EE2D71CF807
SHA256:B9D2F84CF7DF0159446714C29DF56CD9F2C0686B5EF7A012519B8D59AE80EE37
1676WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\9749B986-E375-40AC-9CEA-0A34F67D1B7Dxml
MD5:9E3566618E66E08E129DE310A895A5FE
SHA256:906408AFA6953BB57E32033D65AA9765A7B2E271BA66102D40136BF237C9F9AC
1676WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\566D1B3E.emftext
MD5:912FF26AC760112B12167F902F17ECFD
SHA256:1833637D2BB49186E0667AE0896ECC4D5B00B3383529F74EDB75CAD8748CD9B3
1676WINWORD.EXEC:\Users\admin\Desktop\~$atement Concerning Crisis in Ukraine .docxbinary
MD5:4A1FFD3C353921C655084AC2E7C5024C
SHA256:E58C35A6A9440633701E7F78AC0A5D42C2C659850E574CDCB3F92AC11043809D
1676WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bintext
MD5:CC90D669144261B198DEAD45AA266572
SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
1676WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbresbinary
MD5:9291253AFE43258664E8A2848D8D0EA5
SHA256:4463523CA4EA2FEC5598ED16FA085501E266C805E0A2EF4E434CFB62EA17B17A
1676WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CB7AA9FC.emftext
MD5:912FF26AC760112B12167F902F17ECFD
SHA256:1833637D2BB49186E0667AE0896ECC4D5B00B3383529F74EDB75CAD8748CD9B3
1676WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Statement Concerning Crisis in Ukraine .docx.LNKbinary
MD5:CBEF0EDC25EC1A03DEE6821130AB871A
SHA256:92377C2DFC02A1912910D921655556F7952ED1C258EC1A84DDB5EDCE824CF026
1676WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CE9109CD.emftext
MD5:912FF26AC760112B12167F902F17ECFD
SHA256:1833637D2BB49186E0667AE0896ECC4D5B00B3383529F74EDB75CAD8748CD9B3
1676WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:202AD59EC0E541C1A0AE9A0CFE781929
SHA256:EF8E8B9AC7E046BCC8B412BC7271C126E64DDBFAEF89896F6B3C51FA99C01276
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
23
DNS requests
18
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.166:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.48.23.166:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1676
WINWORD.EXE
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.48.23.166:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1676
WINWORD.EXE
52.109.28.46:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted
1676
WINWORD.EXE
2.19.11.103:443
omex.cdn.office.net
Elisa Oyj
NL
whitelisted
1676
WINWORD.EXE
52.123.129.14:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.31.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 23.48.23.166
  • 23.48.23.143
  • 23.48.23.156
whitelisted
officeclient.microsoft.com
  • 52.109.28.46
whitelisted
omex.cdn.office.net
  • 2.19.11.103
  • 2.19.11.102
whitelisted
ecs.office.com
  • 52.123.129.14
  • 52.123.128.14
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.31.2
  • 20.190.159.131
  • 20.190.159.0
  • 40.126.31.3
  • 40.126.31.0
  • 20.190.159.2
  • 20.190.159.129
  • 40.126.31.1
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
mofa.ksew.org
unknown

Threats

PID
Process
Class
Message
Targeted Malicious Activity was Detected
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ksew .org)
Targeted Malicious Activity was Detected
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ksew .org)
No debug info