| File name: | b2ba51b4491da8604ff9410d6e004971e3cd9a321390d0258e294ac42010b546.doc |
| Full analysis: | https://app.any.run/tasks/55d569b9-9bfd-4fc7-9caa-3777cbde23ed |
| Verdict: | Malicious activity |
| Analysis date: | February 24, 2026, 11:35:07 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/rtf |
| File info: | Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025 |
| MD5: | 95E59536455A089CED64F5AF2539A449 |
| SHA1: | 4592E6173A643699DC526778AA0A30330D16FE08 |
| SHA256: | B2BA51B4491DA8604FF9410D6E004971E3CD9A321390D0258E294AC42010B546 |
| SSDEEP: | 6144:fm1rI2QHBJLHY1cMNkei0evKSgWH8940PYM30+FzW4CUCkXdwUo05bM7I:fC2L41cMHeK/l27I |
MALICIOUS
CVE-2026-21509 has been detected
- WINWORD.EXE (PID: 8952)
GENERIC has been found (auto)
- WINWORD.EXE (PID: 8952)
SUSPICIOUS
Contacting a server suspected of hosting an CnC
- svchost.exe (PID: 2292)
Sets XML DOM element text (SCRIPT)
- splwow64.exe (PID: 3120)
INFO
An automatically generated document
- WINWORD.EXE (PID: 8952)
Drops script file
- splwow64.exe (PID: 3120)
Reads security settings of Internet Explorer
- splwow64.exe (PID: 3120)
Checks proxy server information
- slui.exe (PID: 7756)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rtf | | | Rich Text Format (100) |
|---|
EXIF
RTF
| Author: | Administrator |
|---|---|
| LastModifiedBy: | Administrator |
| CreateDate: | 2026:01:27 07:43:00 |
| ModifyDate: | 2026:01:27 07:43:00 |
| RevisionNumber: | 2 |
| TotalEditTime: | - |
| Pages: | 1 |
| Words: | 300 |
| Characters: | 1711 |
| CharactersWithSpaces: | 2007 |
| InternalVersionNumber: | 31 |
Total processes
158
Monitored processes
5
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2292 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3120 | C:\WINDOWS\splwow64.exe 8192 | C:\Windows\splwow64.exe | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Print driver host for applications Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7756 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 8632 | "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "6F5A1D56-5783-48BB-A3D7-456322A9F5C1" "C3D782C8-4325-453C-AE2B-1205D5FB5A66" "8952" | C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64. Exit code: 0 Version: 0.12.2.0 Modules
| |||||||||||||||
| 8952 | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n C:\Users\admin\Desktop\b2ba51b4491da8604ff9410d6e004971e3cd9a321390d0258e294ac42010b546.doc.rtf /o "" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 16.0.16026.20146 Modules
| |||||||||||||||
Total events
19 325
Read events
18 928
Write events
360
Delete events
37
Modification events
| (PID) Process: | (8952) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | en-US |
Value: 1 | |||
| (PID) Process: | (8952) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | de-de |
Value: 1 | |||
| (PID) Process: | (8952) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | es-es |
Value: 1 | |||
| (PID) Process: | (8952) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | fr-fr |
Value: 1 | |||
| (PID) Process: | (8952) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | it-it |
Value: 1 | |||
| (PID) Process: | (8952) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | ja-jp |
Value: 1 | |||
| (PID) Process: | (8952) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | ko-kr |
Value: 1 | |||
| (PID) Process: | (8952) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | pt-br |
Value: 1 | |||
| (PID) Process: | (8952) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | ru-ru |
Value: 1 | |||
| (PID) Process: | (8952) WINWORD.EXE | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | tr-tr |
Value: 1 | |||
Executable files
33
Suspicious files
157
Text files
30
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 8952 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | binary | |
MD5:F1043057C40075EDFE8B0189BDC5CC34 | SHA256:E1AB37EDBB29DF9DA579313C4BDA1A9002BF91EBBB300337DF24B5D2523355A2 | |||
| 8952 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | binary | |
MD5:2E4C190AE5B103E5C622792E240BF062 | SHA256:E47EE49B9CDB356CE53ED6E79C2EC6A25905769C78FAE77BB2D6914CFD8F784F | |||
| 8952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\6CCDAF8C-A765-4CF5-BBE7-D359336A1091 | xml | |
MD5:DEFF88871B7AE40FBB3FD9EC304B9FEC | SHA256:A4F7145580108EA80920DB0F8C1669001B74CBCFB6DFF539FAE151601AF0FAA8 | |||
| 8952 | WINWORD.EXE | C:\Users\admin\Desktop\~$ba51b4491da8604ff9410d6e004971e3cd9a321390d0258e294ac42010b546.doc.rtf | binary | |
MD5:EF9EE3AE1129940684A2C04ECDE8658F | SHA256:1B277B23CB81D54669C9E7B5C062C76D0EF5647FA10279AB0955B670E92CF120 | |||
| 8952 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | binary | |
MD5:2A14BBB9411C5FF71EC35EEAAA876804 | SHA256:567FCFC72155A59E55CB374F5D3E705ACA332DDA40AA745C9FF9E27592EE13C4 | |||
| 8952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres | binary | |
MD5:79BF6F1D3AD454D213F667B34B5C9D8A | SHA256:B38DC78C0B31B59915A009ED214FB7115620F979B6CF54DA3AC2219AF9204AB4 | |||
| 8952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin | text | |
MD5:CC90D669144261B198DEAD45AA266572 | SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899 | |||
| 8952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin | text | |
MD5:6E81C0CB63143992888200C38E9358D8 | SHA256:00067D735B7AD39DDF487CE8B008EF5B20D479980B5F5679770B240498695DDF | |||
| 8952 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres | binary | |
MD5:C6096ED3CD4EC43B16FE7AC75405A0CE | SHA256:C778F871F55F528F9D3B1EC574007636BCB45EEC3239E875D380A25F1FE6A4D2 | |||
| 8952 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\b2ba51b4491da8604ff9410d6e004971e3cd9a321390d0258e294ac42010b546.doc.rtf.LNK | binary | |
MD5:617C8DF7014E41584B5BE598E998DFAC | SHA256:F785EAEA47960C442E16F08330489B64684935B552C73E90BD4BE45E0163B0A9 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
166
TCP/UDP connections
83
DNS requests
38
Threats
2
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
8952 | WINWORD.EXE | GET | 200 | 52.123.128.14:443 | https://ecs.office.com/config/v2/Office/word/16.0.16026.20146/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=word&Platform=win32&Version=16.0.16026.20146&MsoVersion=16.0.16026.20002&SDX=fa000000002.2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&ProcessName=winword.exe&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7bB98F10B3-0F58-4BEE-B2D5-B9CB493E3151%7d&LabMachine=false | US | text | 352 Kb | unknown |
8952 | WINWORD.EXE | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | US | binary | 471 b | whitelisted |
6768 | MoUsoCoreWorker.exe | GET | 304 | 4.231.128.59:443 | https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop | US | — | — | whitelisted |
8952 | WINWORD.EXE | GET | 200 | 23.50.131.86:443 | https://omex.cdn.office.net/addinclassifier/officesharedentities | NL | text | 314 Kb | whitelisted |
1324 | svchost.exe | GET | 304 | 4.231.128.59:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2 | US | — | — | whitelisted |
8952 | WINWORD.EXE | POST | 200 | 52.109.89.19:443 | https://roaming.svc.cloud.microsoft/rs/RoamingSoapService.svc | US | text | 654 b | unknown |
356 | svchost.exe | POST | 200 | 40.126.32.72:443 | https://login.live.com/RST2.srf | US | xml | 11.1 Kb | whitelisted |
7960 | SIHClient.exe | GET | 304 | 20.165.94.63:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | — | — | whitelisted |
356 | svchost.exe | POST | 200 | 40.126.32.72:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | whitelisted |
356 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D | US | binary | 471 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1324 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
5520 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
6768 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
3412 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
8952 | WINWORD.EXE | 52.110.17.17:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
8952 | WINWORD.EXE | 52.109.89.19:443 | roaming.svc.cloud.microsoft | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
8952 | WINWORD.EXE | 23.50.131.86:443 | omex.cdn.office.net | AKAMAI-ASN1 | NL | whitelisted |
8952 | WINWORD.EXE | 159.253.120.2:80 | freefoodaid.com | ALEXHOST | MD | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
officeclient.microsoft.com |
| whitelisted |
roaming.svc.cloud.microsoft |
| whitelisted |
omex.cdn.office.net |
| whitelisted |
ecs.office.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
freefoodaid.com |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2292 | svchost.exe | Domain Observed Used for C2 Detected | MALWARE [ANY.RUN] APT28 related domain (freefoodaid .com) |
8952 | WINWORD.EXE | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 29 |
Process | Message |
|---|---|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|