File name:

c39-EmprisaMaldoc.rtf

Full analysis: https://app.any.run/tasks/b6cab18b-3c6a-41ec-b65f-d1953eb26a8f
Verdict: Malicious activity
Analysis date: July 02, 2025, 07:51:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
exploit
cve-2017-11882
github
MIME: text/rtf
File info: Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
MD5:

D82341600606AFCF027646EA42F285AE

SHA1:

8E908D310A712547CEFDDD3A1FF6E6FDB7879FF3

SHA256:

8F7F608A4104F2E9952F0BDE07BB17187758FEA0D0C53DED45CD537758C045A9

SSDEEP:

48:Mp54iWuukUmjNHDxEXBLsKSmQHu+r/e8exgrNtLTHjLuah23ww9WGvigm3qN:MwuHpzEKauuayyHDM5WGviFaN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (likely CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3184)
      • EQNEDT32.EXE (PID: 3868)

    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 3184)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • EQNEDT32.EXE (PID: 3184)

    • Reads the Internet Settings

      • EQNEDT32.EXE (PID: 3184)

    • Reads settings of System Certificates

      • EQNEDT32.EXE (PID: 3184)

  • INFO

    • Reads the computer name

      • EQNEDT32.EXE (PID: 3184)
      • EQNEDT32.EXE (PID: 3868)

    • Reads the software policy settings

      • EQNEDT32.EXE (PID: 3184)

    • Creates files or folders in the user directory

      • EQNEDT32.EXE (PID: 3184)

    • Reads the machine GUID from the registry

      • EQNEDT32.EXE (PID: 3868)
      • EQNEDT32.EXE (PID: 3184)

    • Checks proxy server information

      • EQNEDT32.EXE (PID: 3184)

    • Checks supported languages

      • EQNEDT32.EXE (PID: 3868)
      • EQNEDT32.EXE (PID: 3184)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe eqnedt32.exe eqnedt32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3068"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n C:\Users\admin\c39-EmprisaMaldoc.rtfC:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
3184"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
1953069125
Version:
00110900
Modules
Images
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3868"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXEsvchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
Modules
Images
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events
12 479
Read events
11 507
Write events
652
Delete events
320

Modification events

(PID) Process:(3068) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(3068) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
On
(PID) Process:(3068) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
On
(PID) Process:(3068) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
On
(PID) Process:(3068) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
On
(PID) Process:(3068) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
On
(PID) Process:(3068) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
On
(PID) Process:(3068) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
On
(PID) Process:(3068) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
On
(PID) Process:(3068) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1055
Value:
On
Executable files
0
Suspicious files
5
Text files
2
Unknown types
6

Dropped files

PID
Process
Filename
Type
3068WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRCFB.tmp.cvr
MD5:
SHA256:
3068WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:19C57C60E19DBCE27F6478C3B6BDAE0E
SHA256:CEB02504CF0662570FDB98ACC49BDC2063F3C3132141553F455C1E39945554E9
3068WINWORD.EXEC:\Users\admin\~$9-EmprisaMaldoc.rtfpgc
MD5:3C43B84C9C425E36A1F68651A0D082DC
SHA256:74C314A42997D9B67BBD8FFBD9463975BB4468E99415206F2776545C64B2F9AF
3184EQNEDT32.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711Ebinary
MD5:0998BBBF342D14EC45C4F949286AE552
SHA256:CBEE246CCFC10368D6B97AFB2162D64669324E5BC7A40C62866C02998CF0B78C
3184EQNEDT32.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711Eder
MD5:A50FCB0B76E13F5EA99C651A5BDDCD73
SHA256:D8FC6A49B9BC6F81FFE6C246719669BA35E78DD555F8F422B9FBB58CD2A1D08A
3184EQNEDT32.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:9F2A0931273A4241796024528B47FA97
SHA256:BB96668E56DF79B0C3044F8AD15E62C261A4356CA194F14C1ED54882869FFEAC
3184EQNEDT32.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850Dbinary
MD5:AF7EB982AE0EB1942F85092345033072
SHA256:FB636D2AB7EEFF536E60C76BDFD968DFAFA961C9DFE65601251749C746DF8DD5
3184EQNEDT32.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850Dder
MD5:F7A498D66AEA2B7465254E3A173F8C24
SHA256:39C64A66F77C8A6D58D9C7CCE65BC21BC8F8ACC545A0FFCA39B15B3D70ADBD56
3068WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\c39-EmprisaMaldoc.rtf.LNKlnk
MD5:C21106EA102ECF31EC33E19741389A54
SHA256:A13E82F3E942688169E7CFC80E2E6EE97F49482FBB61D217D5448280C396E7B9
3068WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\MSO2057.aclbinary
MD5:2938F577C72E897D04489B092835E27F
SHA256:9BF0E1117251AEB1349F277FCE63D908CEC61D4977DC1E070B6984CA14ED4A92
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
12
DNS requests
7
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3184
EQNEDT32.EXE
GET
200
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?14d3f8d679f2d15d
unknown
whitelisted
3184
EQNEDT32.EXE
GET
200
104.18.38.233:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
unknown
whitelisted
3068
WINWORD.EXE
POST
302
23.35.238.131:80
http://go.microsoft.com/fwlink/?LinkID=120750
unknown
whitelisted
3184
EQNEDT32.EXE
GET
200
104.18.38.233:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
unknown
whitelisted
3068
WINWORD.EXE
POST
302
23.35.238.131:80
http://go.microsoft.com/fwlink/?LinkID=120752
unknown
whitelisted
3068
WINWORD.EXE
POST
302
23.35.238.131:80
http://go.microsoft.com/fwlink/?LinkID=120751
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
whitelisted
3184
EQNEDT32.EXE
185.199.109.133:443
raw.githubusercontent.com
FASTLY
US
whitelisted
1080
svchost.exe
224.0.0.252:5355
whitelisted
3184
EQNEDT32.EXE
199.232.214.172:80
ctldl.windowsupdate.com
FASTLY
US
whitelisted
3184
EQNEDT32.EXE
104.18.38.233:80
ocsp.comodoca.com
CLOUDFLARENET
whitelisted
4
System
192.168.100.255:138
whitelisted
3068
WINWORD.EXE
23.35.238.131:80
go.microsoft.com
AKAMAI-AS
DE
whitelisted
3068
WINWORD.EXE
40.91.76.224:443
activation.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.238
whitelisted
raw.githubusercontent.com
  • 185.199.109.133
  • 185.199.108.133
  • 185.199.110.133
  • 185.199.111.133
whitelisted
ctldl.windowsupdate.com
  • 199.232.214.172
  • 199.232.210.172
whitelisted
ocsp.comodoca.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted
ocsp.usertrust.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
activation.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
1080
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
c39-EmprisaMaldoc.rtf