analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

0abd2ee3a90b8eeb325b70134c750b79.doc

Full analysis: https://app.any.run/tasks/1ba718bc-d40e-4157-acda-65f6f6dcacdd
Verdict: Malicious activity
Analysis date: February 19, 2019, 10:06:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
generated-doc
Indicators:
MIME: text/rtf
File info: Rich Text Format data, unknown version
MD5:

FA130846A6093DF86B6164B36D811BC6

SHA1:

EBF1887F2C1C391767EC174AA86C55C0224C5283

SHA256:

B30F8457446B5C12A791E7A2F751768AB1EB12AC14DEB814C800076498ADE240

SSDEEP:

1536:bBsG2OiYC8XZxdHoP13Gm+xaA2KUm4MSRORnTo:blhiYC8Rc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 3964)
  • SUSPICIOUS

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 3964)
  • INFO

    • Application was crashed

      • EQNEDT32.EXE (PID: 3964)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3372)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3372)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

Author: Windows User
LastModifiedBy: Windows User
CreateDate: 2019:01:20 14:19:00
ModifyDate: 2019:01:20 14:19:00
RevisionNumber: 2
TotalEditTime: -
Pages: 1
Words: -
Characters: 4
CharactersWithSpaces: 4
InternalVersionNumber: 85
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe no specs eqnedt32.exe

Process information

PID
CMD
Path
Indicators
Parent process
3372"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\0abd2ee3a90b8eeb325b70134c750b79.doc.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3964"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
Total events
1 433
Read events
752
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
1
Unknown types
3

Dropped files

PID
Process
Filename
Type
3372WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRDD22.tmp.cvr
MD5:
SHA256:
3372WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:FBBFEA77984F3843F5D6730039FD151E
SHA256:36D70954348076FD7D63D0712C7AAF3FBEE801A400F26FDA5E2D532F0AA6889B
3372WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$bd2ee3a90b8eeb325b70134c750b79.doc.rtfpgc
MD5:B054CBD6C8096023122092B5EED09EBD
SHA256:4BC7547E80E9003725F084C78605FD4D03E45BB5CBCEFE9F1933944DAA01CBDE
3964EQNEDT32.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txttext
MD5:1B92847AC172280576E8B2CA11A91AB7
SHA256:1471AEF5C81C8C48DBDB62D9BC54CC58ECD41DF5C1AAE3A693F70ED4EE8D3439
3964EQNEDT32.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.datdat
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3964
EQNEDT32.EXE
GET
301
67.199.248.10:80
http://bit.ly/2UMzaMs
US
html
116 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3964
EQNEDT32.EXE
185.84.108.14:443
komfort-sk.ru
Majordomo llc
RU
unknown
3964
EQNEDT32.EXE
67.199.248.10:80
bit.ly
Bitly Inc
US
shared

DNS requests

Domain
IP
Reputation
bit.ly
  • 67.199.248.10
  • 67.199.248.11
shared
komfort-sk.ru
  • 185.84.108.14
unknown

Threats

PID
Process
Class
Message
3964
EQNEDT32.EXE
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
No debug info