File name: a44cdef9e1d387ff55abf73d3cfe290e0c81805068e56ec5befd8f13b03fd595.doc
Full analysis: https://app.any.run/tasks/32761b17-f5a1-4c45-a828-6e4b4cf5a2d8
Verdict: Malicious activity
Analysis date: October 13, 2019, 23:39:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: exploit, CVE-2017-11882
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5: 222028BEEBD7B15BD7185E6EF8EB1E70
SHA1: 17590F35AA53AA13CBA42A83844EFB21ABE8F026
SHA256: A44CDEF9E1D387FF55ABF73D3CFE290E0C81805068E56EC5BEFD8F13B03FD595
SSDEEP: 24576:ybScDPv19y0NLChgATOvIfZsc0TS7ELMaNPLi7mJx7pFhWKeoxDWVr2IlSyS2/t7:b

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Suspicious connection from the Equation Editor
      • EQNEDT32.EXE (PID: 1948)
    • Equation Editor starts application (CVE-2017-11882)
      • EQNEDT32.EXE (PID: 1948)
  • SUSPICIOUS
    • Creates files in the user directory
      • EQNEDT32.EXE (PID: 1948)
    • Executed via COM
      • EQNEDT32.EXE (PID: 1948)
    • Executes application which crashes
      • EQNEDT32.EXE (PID: 1948)
  • INFO
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 1404)
    • Creates files in the user directory
      • WINWORD.EXE (PID: 1404)
No Malware configuration.

TRiD: .rtf | Rich Text Format (100)
No data.
Total processes: 37
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in the graph: start, winword.exe (no specs), eqnedt32.exe, ntvdm.exe (no specs)

Process information

PID 1404
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\a44cdef9e1d387ff55abf73d3cfe290e0c81805068e56ec5befd8f13b03fd595.doc.rtf"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Parent process: explorer.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Microsoft Word | Version: 14.0.6024.1000

PID 1948
  CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Parent process: svchost.exe
  User: admin | Company: Design Science, Inc. | Integrity Level: MEDIUM
  Description: Microsoft Equation Editor | Exit code: 0 | Version: 00110900

PID 1596
  CMD: "C:\Windows\system32\ntvdm.exe" -i1
  Path: C:\Windows\system32\ntvdm.exe
  Parent process: EQNEDT32.EXE
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: NTVDM.EXE | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 555
Read events: 884
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 0
Text files: 1
Unknown types: 2

Dropped files

PID 1404 (WINWORD.EXE): C:\Users\admin\AppData\Local\Temp\CVRB159.tmp.cvr
  Type: not listed | MD5: not listed | SHA256: not listed
PID 1596 (ntvdm.exe): C:\Users\admin\AppData\Local\Temp\scsBE0B.tmp
  Type: not listed | MD5: not listed | SHA256: not listed
PID 1596 (ntvdm.exe): C:\Users\admin\AppData\Local\Temp\scsBE1B.tmp
  Type: not listed | MD5: not listed | SHA256: not listed
PID 1404 (WINWORD.EXE): C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  Type: pgc | MD5: 45822EE62FC571A3151895E367644231 | SHA256: EB3C643FA978D554A4FC475FB2EC2D439467CBEED53546B5218462C2B3EC2CB5
PID 1404 (WINWORD.EXE): C:\Users\admin\AppData\Local\Temp\~$4cdef9e1d387ff55abf73d3cfe290e0c81805068e56ec5befd8f13b03fd595.doc.rtf
  Type: pgc | MD5: 14EE943554CCE7189E6B94E8D3A9178E | SHA256: E68DA5A4B87BA879847BCB5033D923E53F43A77367D6F342ED962DC459AF59E1
PID 1948 (EQNEDT32.EXE): C:\Users\admin\AppData\Roaming\98768000.exe
  Type: html | MD5: BB8F534FBFF5EE61A95AF9C4740AE043 | SHA256: 5B13FB5957B84EF7BB9D0B6CD509C947FF6A37D67EFDAC2B896DDD3B908AAD10
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

PID 1948 (EQNEDT32.EXE): GET http://funfoodsupplies.com.au/wp/shot.txt
  HTTP code: 403 | IP: 139.162.1.95:80 | CN: SG | Type: html | Size: 199 b | Reputation: malicious

Connections

PID 1948 (EQNEDT32.EXE): 139.162.1.95:80
  Domain: funfoodsupplies.com.au | ASN: Linode, LLC | CN: SG | Reputation: malicious

DNS requests

Domain: funfoodsupplies.com.au
  IP: 139.162.1.95 | Reputation: malicious

Threats

No threats detected
No debug info