analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

VESSEL DELAY LETTER.docx

Full analysis: https://app.any.run/tasks/049d56ab-0d0d-4805-a81b-17ad06a4d02a
Verdict: Malicious activity
Analysis date: March 31, 2020, 01:14:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
opendir
exploit
CVE-2017-11882
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

62523AAF31E6D489BDCA6D74D19A1927

SHA1:

313E99E54CA50189908D9B59F27E30EB572E815E

SHA256:

C5C43B340957830F5D7484CE06F9DE0EF593D88F3D48C09CD2150E670661F672

SSDEEP:

192:CtNCWUyn0i13pNXqkOcPiYFLwzvdX6Ptpwjnw+umHBCwgV1:aNxUyn0i13LROEiOLkX6Ujnw+3JgV1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • vbc.exe (PID: 4048)
    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 3972)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3972)
  • SUSPICIOUS

    • Executed via COM

      • EQNEDT32.EXE (PID: 3972)
    • Unusual connect from Microsoft Office

      • WINWORD.EXE (PID: 2580)
    • Reads Internet Cache Settings

      • EQNEDT32.EXE (PID: 3972)
    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3972)
    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 3972)
  • INFO

    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 2580)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2580)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2580)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

XMP

Description: -
Creator: HP 15
Subject: -
Title: -

XML

ModifyDate: 2018:03:07 09:39:00Z
CreateDate: 2018:03:07 09:39:00Z
RevisionNumber: 3
LastModifiedBy: HP 15
Keywords: -
AppVersion: 15
HyperlinksChanged: No
SharedDoc: No
CharactersWithSpaces: 5
LinksUpToDate: No
Company: -
ScaleCrop: No
Paragraphs: 1
Lines: 1
DocSecurity: None
Application: Microsoft Office Word
Characters: 5
Words: -
Pages: 1
TotalEditTime: -
Template: Normal.dotm

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1312
ZipCompressedSize: 346
ZipCRC: 0x6cd2a4df
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0006
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
3
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start winword.exe eqnedt32.exe vbc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2580"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\VESSEL DELAY LETTER.docx"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3972"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
4048"C:\Users\admin\AppData\Roaming\vbc.exe" C:\Users\admin\AppData\Roaming\vbc.exeEQNEDT32.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Total events
2 453
Read events
1 327
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
24
Text files
7
Unknown types
2

Dropped files

PID
Process
Filename
Type
2580WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR6B16.tmp.cvr
MD5:
SHA256:
2580WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{1BF12C79-6418-4950-897F-A40C2C58DB1E}
MD5:
SHA256:
2580WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{6FF8C9E0-077B-41E0-AB10-5D54A7B346F1}
MD5:
SHA256:
2580WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{C440ABA5-1DEF-4DD9-A9CD-B3996A574C6E}.FSDbinary
MD5:2E34ABCA8EB57A0165E5AAE7364303DB
SHA256:80A79C5DDFDF5248BA90ACFEBB66389072B7B03470C38530CEB85EB448FB6A3E
2580WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSDbinary
MD5:F10266961D55FCA1DD64ACC596C4045A
SHA256:1D6CE785C62307B8300673A18012FEA60239EDCEFE79D31A684E178FAF6B3B53
2580WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDbinary
MD5:EC61406309D419EAB01F95CFD784AE55
SHA256:A390AB6CC94FD7BEE2739D2CDCF26B821BDE8BDAD3E3A0D85F504E7A157F1A3B
2580WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:FFAB4728450B34729C537835FFF7607A
SHA256:68C717E7ACBA227EB2D9C376C2FF366101FA2E3E5E6E790866202C0FCF8C3426
2580WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSFbinary
MD5:1557FD40BBB7F685467D8D44709CFD5A
SHA256:3E453E193F970361D357565D29550AF2FADB0ACE85BD37DBAE2E08AF16B1CBD3
2580WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{63FE4964-F27B-4C2E-9C2F-482ED1C40E07}.FSDbinary
MD5:028D4B79C08524855004DEB7CE71591C
SHA256:2D30953E6913812B68BE3ABF8D44F66B4383399D1D6D15E7861D5A8C502E73E9
2580WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\invoice_11154.doc.urltext
MD5:3779B8B2F1534B25F99C7FF97E2A508E
SHA256:C76016E1AB13AC461361B5F1E95D5950C7936339FCD0263D9E70B8B5FA60800E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
8
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2580
WINWORD.EXE
OPTIONS
200
103.140.250.215:80
http://kungfrdyeducationalinvestment8agender.duckdns.org/office/
unknown
malicious
2580
WINWORD.EXE
HEAD
200
103.140.250.215:80
http://kungfrdyeducationalinvestment8agender.duckdns.org/office/invoice_11154.doc
unknown
malicious
824
svchost.exe
PROPFIND
405
103.140.250.215:80
http://kungfrdyeducationalinvestment8agender.duckdns.org/office/
unknown
xml
1019 b
malicious
824
svchost.exe
OPTIONS
301
103.140.250.215:80
http://kungfrdyeducationalinvestment8agender.duckdns.org/office
unknown
html
412 b
malicious
824
svchost.exe
PROPFIND
302
103.140.250.215:80
http://kungfrdyeducationalinvestment8agender.duckdns.org/
unknown
malicious
2580
WINWORD.EXE
GET
200
103.140.250.215:80
http://kungfrdyeducationalinvestment8agender.duckdns.org/office/invoice_11154.doc
unknown
text
351 Kb
malicious
824
svchost.exe
OPTIONS
200
103.140.250.215:80
http://kungfrdyeducationalinvestment8agender.duckdns.org/office/
unknown
html
412 b
malicious
824
svchost.exe
PROPFIND
103.140.250.215:80
http://kungfrdyeducationalinvestment8agender.duckdns.org/dashboard/
unknown
malicious
824
svchost.exe
PROPFIND
301
103.140.250.215:80
http://kungfrdyeducationalinvestment8agender.duckdns.org/office
unknown
html
412 b
malicious
824
svchost.exe
PROPFIND
302
103.140.250.215:80
http://kungfrdyeducationalinvestment8agender.duckdns.org/
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
824
svchost.exe
103.140.250.215:80
kungfrdyeducationalinvestment8agender.duckdns.org
malicious
2580
WINWORD.EXE
103.140.250.215:80
kungfrdyeducationalinvestment8agender.duckdns.org
malicious
3972
EQNEDT32.EXE
103.140.250.215:80
kungfrdyeducationalinvestment8agender.duckdns.org
malicious

DNS requests

Domain
IP
Reputation
kungfrdyeducationalinvestment8agender.duckdns.org
  • 103.140.250.215
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3972
EQNEDT32.EXE
A Network Trojan was detected
ET CURRENT_EVENTS SUSPICIOUS winlog.exe in URI Probable Process Dump/Trojan Download
3972
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
No debug info