File name:	30% Payment.doc
Full analysis:	https://app.any.run/tasks/70a21174-b0f2-4c3d-9463-b9872385b372
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	January 11, 2019, 05:01:21
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	generated-doc trojan exploit CVE-2017-11882 loader
Indicators:
MIME:	text/rtf
File info:	Rich Text Format data, version 1, unknown character set
MD5:	68766F2B8CFA7D033A76C6DBCB726C92
SHA1:	733BBE6FE972F7D45AAB03169D43E99A3B4FBD9F
SHA256:	A3AF4D813774AA7860CB2C0AE1401A2D8FA3D63C4F13D42CF4492330A5771FF9
SSDEEP:	12288:cVEV6VFVFVgVgVgVgVgVgVgVhVEVEVdV/VZV9VVbV2V/VRVj:caE//OOOOOOODaa3h3l1E9bx

InternalVersionNumber:	24689
CharactersWithSpaces:	1773
Characters:	1511
Words:	265
Pages:	2
TotalEditTime:	-
RevisionNumber:	2
LastPrinted:	2018:12:12 16:35:00
ModifyDate:	2018:12:14 09:22:00
CreateDate:	2018:12:14 09:22:00
LastModifiedBy:	Windows User
Author:	Mr.Duoc
Upr:	{CH??NG TRÌNH }{*{CH{ƯƠNG TRÌNH }}}

PID	CMD	Path	Indicators	Parent process
2896	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\af0e7b8b-46d0-42c5-b656-4bd9afad59ff.doc"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.5123.5000
2548	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE		svchost.exe
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900
2256	C:\Users\admin\AppData\Local\Temp\1.exe	C:\Users\admin\AppData\Local\Temp\1.exe	—	EQNEDT32.EXE
User: admin Company: Hapu3 Integrity Level: MEDIUM Description: scrutoire Exit code: 0 Version: 5.01.0005
2916	:\Users\admin\AppData\Local\Temp\1.exe	C:\Users\admin\AppData\Local\Temp\1.exe	—	1.exe
User: admin Company: Hapu3 Integrity Level: MEDIUM Description: scrutoire Version: 5.01.0005

PID	Process	Filename		Type
2896	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVR6DEB.tmp.cvr		—
		MD5:—	SHA256:—
2548	EQNEDT32.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\YV55FNIQ.txt		text
		MD5:5764396D8FABB620F6B62634108FB940	SHA256:A73839CDB73DBE730160530B4790542FE67288FD98E1500F538F5991BD8F82BC
2896	WINWORD.EXE	C:\Users\admin\Desktop\~$0e7b8b-46d0-42c5-b656-4bd9afad59ff.doc		pgc
		MD5:4C064B230FE147F90AC506C80E2198BC	SHA256:E984AC177034811D07C2A198943DE4E9BB25B36300BD0DE26B9978BC7238E27A
2548	EQNEDT32.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\q[1].png		executable
		MD5:2A2F7F73BC1367E40C096E81AFDD0EBE	SHA256:38D7E7DEF502A742BACB9F3A0AF37261D9315F5DFC68871A1546E615D265B446
2548	EQNEDT32.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\2D1Ob77[1].htm		html
		MD5:77DAC8F4B57FBBF9C3ED115398E6ED10	SHA256:9548BD76FB33EE1C2E282175C415754847754F1F8CB152C56339F9AB49A13B25
2896	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat		text
		MD5:7F999F17332B44C2AD80FB9E81D433BD	SHA256:BA682A17A234ED4FB3FCCF1AC7C5EFE0E8AD4B9F56BCEF70507B43A847FCE32A
2548	EQNEDT32.EXE	C:\Users\admin\AppData\Local\Temp\1.exe		executable
		MD5:2A2F7F73BC1367E40C096E81AFDD0EBE	SHA256:38D7E7DEF502A742BACB9F3A0AF37261D9315F5DFC68871A1546E615D265B446
2256	1.exe	C:\Users\admin\AppData\Local\Temp\~DF08FDC9BA3B04C8B5.TMP		binary
		MD5:042657F801E7AA3A6AA3259330D954DF	SHA256:C1E3C9D50264BEC197D6A3F66FBF480C5C4CF4B85A2E652CD1FE432A78D5A403
2896	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\af0e7b8b-46d0-42c5-b656-4bd9afad59ff.LNK		lnk
		MD5:2F89DFBE1041625F37324F11D99DB653	SHA256:2EE6842C0DE9BC5E802787C602B2D2990134CAFEAB3A82E3F0A06D0ED8FFB6DF

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2548	EQNEDT32.EXE	GET	200	65.60.35.58:80	http://aoiap.org/q.png	US	executable	913 Kb	malicious
2548	EQNEDT32.EXE	GET	301	67.199.248.10:80	http://bit.ly/2D1Ob77	US	html	109 b	shared

Domain	IP	Reputation
bit.ly	67.199.248.10 67.199.248.11	shared
aoiap.org	65.60.35.58	malicious

PID	Process	Class	Message
2548	EQNEDT32.EXE	A Network Trojan was detected	MALWARE [PTsecurity] PowerShell.Downloader httpHeader
2548	EQNEDT32.EXE	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2548	EQNEDT32.EXE	A Network Trojan was detected	ET TROJAN JS/WSF Downloader Dec 08 2016 M4
2548	EQNEDT32.EXE	A Network Trojan was detected	SC TROJAN_DOWNLOADER Suspicious behavior, PE instead image from server
2548	EQNEDT32.EXE	Misc activity	SUSPICIOUS [PTsecurity] PE as Image Content type mismatch

General Info

30% Payment.doc

68766F2B8CFA7D033A76C6DBCB726C92

733BBE6FE972F7D45AAB03169D43E99A3B4FBD9F

A3AF4D813774AA7860CB2C0AE1401A2D8FA3D63C4F13D42CF4492330A5771FF9

12288:cVEV6VFVFVgVgVgVgVgVgVgVhVEVEVdV/VZV9VVbV2V/VRVj:caE//OOOOOOODaa3h3l1E9bx

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Suspicious connection from the Equation Editor

Downloads executable files with a strange extension

Downloads executable files from the Internet

Equation Editor starts application (CVE-2017-11882)

Application was dropped or rewritten from another process

SUSPICIOUS

Creates files in the user directory

Executable content was dropped or overwritten

Application launched itself

INFO

Reads the machine GUID from the registry

Reads Microsoft Office registry keys

Creates files in the user directory

Malware configuration

Static information

TRiD

EXIF

RTF

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings