File name:

Teresac_ Payroll_memo.docx

Full analysis: https://app.any.run/tasks/69f00aa4-2c01-41fc-b5b6-581cf845c2f5
Verdict: Malicious activity
Analysis date: August 01, 2025, 01:20:09
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
qrcode
phishing
phish-url
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

4B89F01A8E5455EEA4A750E1B1D1368D

SHA1:

3E2E857F7105891D5843AF049E7EEA5458314EA0

SHA256:

98082C1A18545BBE405AA2980B7DBD6AB8C7E4AB861D21B148E0169495164E9E

SSDEEP:

1536:wgENeI7r2JMi0zmQ5IHvLkZtEyP3y+Iuf7:0Nr7KJM/zmQ5IHzCtEyFIa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • QR code contains URL with email

      • WINWORD.EXE (PID: 6704)

    • Suspicious URL found

      • WINWORD.EXE (PID: 6704)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:07:31 09:54:52
ZipCRC: 0xd8108942
ZipCompressedSize: 346
ZipUncompressedSize: 1371
ZipFileName: [Content_Types].xml

XML

TotalEditTime: -
Pages: -
Words: -
Characters: -
Application: Microsoft Office Word
DocSecurity: None
Lines: -
Paragraphs: -
ScaleCrop: No
Company: -
LinksUpToDate: No
CharactersWithSpaces: -
SharedDoc: No
HyperlinksChanged: No
AppVersion: 12
RevisionNumber: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
136
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe ai.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1040"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "844C1760-9C2A-4FCD-8EAD-4F446A085F00" "8E915D89-C6FC-495B-9D86-E7997C5B6070" "6704"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version:
0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
6704"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Teresac_ Payroll_memo.docx" /o ""C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
8 546
Read events
8 305
Write events
225
Delete events
16

Modification events

(PID) Process:(6704) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:writeName:0
Value:
017012000000001000B24E9A3E02000000000000000600000000000000
(PID) Process:(6704) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\6704
Operation:writeName:0
Value:
0B0E10F690E52F47C546428767C3E4B8047B6F2300468DBDA3FAA6D080EE016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511B034D2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(6704) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(6704) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:de-de
Value:
2
(PID) Process:(6704) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:fr-fr
Value:
2
(PID) Process:(6704) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:es-es
Value:
2
(PID) Process:(6704) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:it-it
Value:
2
(PID) Process:(6704) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ja-jp
Value:
2
(PID) Process:(6704) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ko-kr
Value:
2
(PID) Process:(6704) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:pt-br
Value:
2
Executable files
0
Suspicious files
8
Text files
4
Unknown types
3

Dropped files

PID
Process
Filename
Type
6704WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\4CF8962D-0C25-4B60-B48B-EA9EF9B59CEBxml
MD5:F24F9C6808AD3B7BBAA0D93CF77917A9
SHA256:B49665B351835B22C3CC2BD7A2FF683E802D2EC6B77DA587F1C8D84EFF229CE2
6704WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-msbinary
MD5:E4A1661C2C886EBB688DEC494532431C
SHA256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
6704WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RF18f400.TMPbinary
MD5:4FCB2A3EE025E4A10D21E1B154873FE2
SHA256:90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228
6704WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbresbinary
MD5:7A5ED610257065DCCBF164377071D22F
SHA256:B670E1F72B476D36E213FAAF44211BD3A2914CD5DCA9F8AA2793837DD8F7CAD5
6704WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bintext
MD5:A7BBE8BBBA745E4933E5917CA3241B54
SHA256:61511CED05509CE0D8B11A4B22504C7470F5929406DAC410B7C460B0C6CCD2CF
6704WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bintext
MD5:CC90D669144261B198DEAD45AA266572
SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
6704WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\UsageMetricsStore\FileActivityStoreV3\Word\ASkwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDBfTnVsbAA.Sbinary
MD5:D6880EB8DD293D8AC58328D0DAF48E10
SHA256:9ED7B0671415C30C76BDF8E3932B000020FFE741F14A0DF61BD52C212AF77A0B
6704WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9der
MD5:FA762B161F45FF06C65404A6A36252D6
SHA256:0099EDFE2F9DA7770FF749D177DB9D7C982F7C4A95FFC3D749FDC87AB5EE7451
6704WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lextext
MD5:F3B25701FE362EC84616A93A45CE9998
SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
6704WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1744NH2SY5CWFG8EEP0M.tempbinary
MD5:E4A1661C2C886EBB688DEC494532431C
SHA256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
15
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6704
WINWORD.EXE
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
6176
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2992
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6704
WINWORD.EXE
52.109.32.97:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted
6704
WINWORD.EXE
23.50.131.87:443
omex.cdn.office.net
Akamai International B.V.
DE
whitelisted
6704
WINWORD.EXE
52.123.129.14:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
whitelisted
6704
WINWORD.EXE
52.111.231.8:443
messaging.lifecycle.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6704
WINWORD.EXE
172.187.61.142:443
nleditor.osi.office.net
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.238
whitelisted
officeclient.microsoft.com
  • 52.109.32.97
whitelisted
omex.cdn.office.net
  • 23.50.131.87
  • 23.50.131.86
whitelisted
ecs.office.com
  • 52.123.129.14
  • 52.123.128.14
whitelisted
messaging.lifecycle.office.com
  • 52.111.231.8
whitelisted
nleditor.osi.office.net
  • 172.187.61.142
whitelisted
login.live.com
  • 40.126.31.130
  • 20.190.159.130
  • 40.126.31.67
  • 20.190.159.129
  • 40.126.31.131
  • 20.190.159.75
  • 20.190.159.4
  • 20.190.159.131
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
self.events.data.microsoft.com
  • 40.79.197.34
whitelisted

Threats

No threats detected
Process
Message
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Teresac_ Payroll_memo.docx