analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Document20190321.doc

Full analysis: https://app.any.run/tasks/256f55ed-d6eb-448d-9073-aa00b532c72f
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 22, 2019, 07:35:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
trojan
exploit
CVE-2017-11882
loader
Indicators:
MIME: text/rtf
File info: Rich Text Format data, unknown version
MD5:

A37622A82AD6BF530C6952E80D0EB0A6

SHA1:

4919299EF3F20C1F3F49319623F141DB425359A1

SHA256:

CE4DDBF2F897D50FC19D506246014C636DA8FD05E02A3FEB148C620F38FF55C4

SSDEEP:

1536:UBsG2OiYC8Xt9SlMqOS6Dtb+3FbeA7zCXCrHOejDzJJ+FojJZysRKdztFvjFFFFA:UlhiYC89dKtvTaCyo9ZDeFUv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 2772)
    • Application was dropped or rewritten from another process

      • 3.exe (PID: 2284)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2772)
    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 2772)
    • Downloads executable files with a strange extension

      • EQNEDT32.EXE (PID: 2772)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 2772)
    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 2772)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1928)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 1928)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
33
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs eqnedt32.exe 3.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1928"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Document20190321.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2772"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2284C:\Users\Public\3.exeC:\Users\Public\3.exeEQNEDT32.EXE
User:
admin
Company:
WINGO
Integrity Level:
MEDIUM
Version:
1.01.0009
Total events
1 361
Read events
737
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
1
Unknown types
3

Dropped files

PID
Process
Filename
Type
1928WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR8B7E.tmp.cvr
MD5:
SHA256:
1928WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:A3D37A96BE99E1B37F142EAB31105E77
SHA256:10776DED098C89C43628A733533878C3854AA3666210F1501E5D0D74311EF8F0
2772EQNEDT32.EXEC:\Users\Public\3.exeexecutable
MD5:039C253EA47841EA2C0345B93616F32F
SHA256:2CE96E145429C07C2FB80B1C67A164C1B2AD32B074B1EBCA45A27E681B444408
2772EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\hhddhd[1].pngexecutable
MD5:039C253EA47841EA2C0345B93616F32F
SHA256:2CE96E145429C07C2FB80B1C67A164C1B2AD32B074B1EBCA45A27E681B444408
2772EQNEDT32.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txttext
MD5:5E34DBE5F1F5D29A2171D7617FD3B676
SHA256:3597D69E89A7D7F0D6B7F22587C0035024F6F8C023D57865E07C489B2EE8D59F
1928WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$cument20190321.docpgc
MD5:C4C583F76D8F3B0F6DDF9F1FD69E6BC0
SHA256:AA454E085B8D5AE88945B02C9F2ED96FD263017AC539302532C8ABA00114A755
2772EQNEDT32.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.datdat
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2772
EQNEDT32.EXE
GET
200
216.119.129.197:80
http://shop.theirishlinenstore.com/hhddhd.png
US
executable
432 Kb
malicious
2772
EQNEDT32.EXE
GET
301
67.199.248.10:80
http://bit.ly/2CvTJpL
US
html
132 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2772
EQNEDT32.EXE
67.199.248.10:80
bit.ly
Bitly Inc
US
shared
2772
EQNEDT32.EXE
216.119.129.197:80
shop.theirishlinenstore.com
A2 Hosting, Inc.
US
suspicious

DNS requests

Domain
IP
Reputation
bit.ly
  • 67.199.248.10
  • 67.199.248.11
shared
shop.theirishlinenstore.com
  • 216.119.129.197
malicious

Threats

PID
Process
Class
Message
2772
EQNEDT32.EXE
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
2772
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2772
EQNEDT32.EXE
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
2772
EQNEDT32.EXE
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
No debug info