analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Document20190321.doc

Full analysis: https://app.any.run/tasks/821b8173-3fe5-4cdb-95b7-33200183c21b
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Analysis date: March 22, 2019, 08:27:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
trojan
exploit
CVE-2017-11882
loader
formbook
stealer
Indicators:
MIME: text/rtf
File info: Rich Text Format data, unknown version
MD5:

A37622A82AD6BF530C6952E80D0EB0A6

SHA1:

4919299EF3F20C1F3F49319623F141DB425359A1

SHA256:

CE4DDBF2F897D50FC19D506246014C636DA8FD05E02A3FEB148C620F38FF55C4

SSDEEP:

1536:UBsG2OiYC8Xt9SlMqOS6Dtb+3FbeA7zCXCrHOejDzJJ+FojJZysRKdztFvjFFFFA:UlhiYC89dKtvTaCyo9ZDeFUv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 2700)
    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 2700)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2700)
    • Downloads executable files with a strange extension

      • EQNEDT32.EXE (PID: 2700)
    • Application was dropped or rewritten from another process

      • 3.exe (PID: 3152)
      • 3.exe (PID: 2280)
    • Connects to CnC server

      • explorer.exe (PID: 1696)
    • Formbook was detected

      • lsass.exe (PID: 4008)
    • FORMBOOK was detected

      • explorer.exe (PID: 1696)
    • Changes the autorun value in the registry

      • lsass.exe (PID: 4008)
    • Actions looks like stealing of personal data

      • lsass.exe (PID: 4008)
    • Stealing of credential data

      • lsass.exe (PID: 4008)
  • SUSPICIOUS

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 2700)
      • lsass.exe (PID: 4008)
    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 2700)
    • Application launched itself

      • 3.exe (PID: 3152)
    • Starts CMD.EXE for commands execution

      • lsass.exe (PID: 4008)
    • Loads DLL from Mozilla Firefox

      • lsass.exe (PID: 4008)
  • INFO

    • Starts Microsoft Office Application

      • explorer.exe (PID: 1696)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 928)
    • Reads settings of System Certificates

      • WINWORD.EXE (PID: 928)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 928)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
7
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start winword.exe eqnedt32.exe 3.exe no specs 3.exe no specs #FORMBOOK lsass.exe cmd.exe no specs #FORMBOOK explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
928"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Document20190321.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2700"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3152C:\Users\Public\3.exeC:\Users\Public\3.exeEQNEDT32.EXE
User:
admin
Company:
WINGO
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.01.0009
2280:\Users\Public\3.exeC:\Users\Public\3.exe3.exe
User:
admin
Company:
WINGO
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.01.0009
4008"C:\Windows\System32\lsass.exe"C:\Windows\System32\lsass.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Local Security Authority Process
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3620/c del "C:\Users\Public\3.exe"C:\Windows\System32\cmd.exelsass.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1696C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
14 078
Read events
7 378
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
77
Text files
3
Unknown types
3

Dropped files

PID
Process
Filename
Type
928WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR8747.tmp.cvr
MD5:
SHA256:
928WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\query[1].asmx
MD5:
SHA256:
928WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$cument20190321.docpgc
MD5:6104D05CC243B82C17FF0377F4DC82F4
SHA256:AE2999F1B0808159E37DA1248E299E4D8140C2ADA7DB38099D57F83869662622
928WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\b6419f5bc3093b5f22142ce454e02407.sigbinary
MD5:1AB3CCF495161ADCCD26D12FCE09B18A
SHA256:029966FA5D2912C129EDF6032FD529E70EF956529FBF12BA311ADDA824F54914
928WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:A3D37A96BE99E1B37F142EAB31105E77
SHA256:10776DED098C89C43628A733533878C3854AA3666210F1501E5D0D74311EF8F0
2700EQNEDT32.EXEC:\Users\Public\3.exeexecutable
MD5:039C253EA47841EA2C0345B93616F32F
SHA256:2CE96E145429C07C2FB80B1C67A164C1B2AD32B074B1EBCA45A27E681B444408
2700EQNEDT32.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bit[1].txttext
MD5:3D5374B5B246A4DE08DDE2243F92D45B
SHA256:DF5D8C2DC5BB316AF652903ED59ECF67A3E495DD9AF9C723622942266724ADC7
928WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\b6419f5bc3093b5f22142ce454e02407.xmlxml
MD5:020BD2BFB45DF10DD5CD55CA4EFA9095
SHA256:BD267536C6D5736BF741C5575E9629AEACC7F04234442D57A8245551364F296E
2700EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\hhddhd[1].pngexecutable
MD5:039C253EA47841EA2C0345B93616F32F
SHA256:2CE96E145429C07C2FB80B1C67A164C1B2AD32B074B1EBCA45A27E681B444408
4008lsass.exeC:\Users\admin\AppData\Roaming\4MPNO94R\4MPlogrc.inibinary
MD5:ABC3E65903C43305DBA1DD27B3F62364
SHA256:0A8AABF9A5B3E255164B22988E6415FFC71F2F89E7217B6D6D3827DD8A69B2CF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
5
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
928
WINWORD.EXE
GET
200
52.109.76.6:80
http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={019C826E-445A-4649-A5B0-0BF08FCC4EEE}&build=14.0.6023
IE
xml
1.99 Kb
whitelisted
2700
EQNEDT32.EXE
GET
200
216.119.129.197:80
http://shop.theirishlinenstore.com/hhddhd.png
US
executable
432 Kb
malicious
2700
EQNEDT32.EXE
GET
301
67.199.248.11:80
http://bit.ly/2CvTJpL
US
html
132 b
shared
1696
explorer.exe
GET
404
192.64.116.120:80
http://www.humanytc.com/h341/?T8nLhfw=Qf2p2qeXEYnfQIe6TIYPh524BI40pjFDv9kbmvV6lyBpDBWvyU0syzYZmhBNB6C7Vn37Sw==&U4Nh=NtOTwzq8QZcluRE
US
html
328 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
928
WINWORD.EXE
52.109.76.6:80
office14client.microsoft.com
Microsoft Corporation
IE
whitelisted
2700
EQNEDT32.EXE
67.199.248.11:80
bit.ly
Bitly Inc
US
shared
2700
EQNEDT32.EXE
216.119.129.197:80
shop.theirishlinenstore.com
A2 Hosting, Inc.
US
suspicious
928
WINWORD.EXE
52.109.8.27:443
rr.office.microsoft.com
Microsoft Corporation
US
whitelisted
1696
explorer.exe
192.64.116.120:80
www.humanytc.com
Namecheap, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
bit.ly
  • 67.199.248.11
  • 67.199.248.10
shared
shop.theirishlinenstore.com
  • 216.119.129.197
malicious
office14client.microsoft.com
  • 52.109.76.6
whitelisted
rr.office.microsoft.com
  • 52.109.8.27
whitelisted
www.humanytc.com
  • 192.64.116.120
malicious

Threats

PID
Process
Class
Message
2700
EQNEDT32.EXE
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
2700
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2700
EQNEDT32.EXE
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
2700
EQNEDT32.EXE
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
1696
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
1 ETPRO signatures available at the full report
No debug info