File name:

Voicemail_+Transcription+_ATT007510.docx

Full analysis: https://app.any.run/tasks/83ff833b-fe91-4cf2-9f76-fd1fa1f06206
Verdict: Malicious activity
Analysis date: January 11, 2025, 00:47:19
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
qrcode
phishing
phish-url
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

FCBA09375508F3F2FE6567EB2CBFCE17

SHA1:

7C0D88AECE64DFF1F9408AF755DFB506241BBAD9

SHA256:

EF7DC64CAC06E989FEE9772E3400237014D1CA57BA18D06F1EA33B675F70D1D7

SSDEEP:

1536:sIMQfxS2iS/Tc9F1gvGChtnOm3uBOX+OEBQ+HQzkw1G:GkS2tbwFGHnOmeBOp6Q+HXwI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • QR code contains URL with email

      • WINWORD.EXE (PID: 6564)
    • Suspicious URL found

      • WINWORD.EXE (PID: 6564)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Sends debugging messages

      • WINWORD.EXE (PID: 6564)
    • The process uses the downloaded file

      • WINWORD.EXE (PID: 6564)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • WINWORD.EXE (PID: 6564)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

XML

AppVersion: 14
HyperlinksChanged: No
HyperlinkBase: -
SharedDoc: No
CharactersWithSpaces: -
LinksUpToDate: No
Company: -
Manager: -
TitlesOfParts: -
HeadingPairs:
  • Title
  • 1
ScaleCrop: No
Paragraphs: -
Lines: -
DocSecurity: None
Application: Microsoft Macintosh Word
Characters: -
Words: -
Pages: 1
TotalEditTime: -
Template: Normal.dotm
Category: -
ModifyDate: 2013:12:23 23:15:00Z
CreateDate: 2013:12:23 23:15:00Z
RevisionNumber: 1
LastModifiedBy: -
Keywords: -

XMP

Description: generated by python-docx
Creator: python-docx
Subject: -
Title: -

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1788
ZipCompressedSize: 411
ZipCRC: 0xd0aea7fc
ZipModifyDate: 2025:01:10 16:06:22
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
130
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe ai.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
6564"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n C:\Users\admin\AppData\Local\Temp\Voicemail_+Transcription+_ATT007510.docx /o ""C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
7068"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "DEB00382-EC76-45E4-BE47-9A6E1816F5F8" "0BB7C587-778B-4599-9DC0-8153CAC2053C" "6564"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version:
0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\rpcrt4.dll
Total events
13 591
Read events
13 252
Write events
317
Delete events
22

Modification events

(PID) Process:(6564) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:writeName:0
Value:
017012000000001000B24E9A3E02000000000000000600000000000000
(PID) Process:(6564) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\6564
Operation:writeName:0
Value:
0B0E106026493F10392C4889DBB1F124E43101230046B0BEC48BA6F8D8ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511A433D2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(6564) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(6564) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:de-de
Value:
2
(PID) Process:(6564) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:fr-fr
Value:
2
(PID) Process:(6564) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:es-es
Value:
2
(PID) Process:(6564) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:it-it
Value:
2
(PID) Process:(6564) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ja-jp
Value:
2
(PID) Process:(6564) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ko-kr
Value:
2
(PID) Process:(6564) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:pt-br
Value:
2
Executable files
31
Suspicious files
115
Text files
16
Unknown types
1

Dropped files

PID
Process
Filename
Type
6564WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmbinary
MD5:2D2CAEB48C0AFF300D10C389932564B6
SHA256:1A26B7EAA075B5BFC1EF3AC0FF1E669108B992B61969DE594FDDA6F9681D2581
6564WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04binary
MD5:945F4F0A9456844D870AADBE993CFC79
SHA256:AFED4685CDA415428BC884602C5D708EBF10AD80A003BF0358E21A70A35A0A52
6564WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bintext
MD5:037D5D0780377B33A463E36E1D1BDB87
SHA256:CE79875597DA72686AD3BBD1C2956015D321AB8754E78349E8F025F41888FCEC
6564WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbresbinary
MD5:81583FA7558F7D2859D6AD4827FCCCD2
SHA256:EC2590E185DB8C8C2E6F55F03E1C6CF4E04845F8D66E3AC3E63C28FD26AA918C
6564WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\Personalization\Governance\Anonymous\floodgatecampaigns.json.tmpbinary
MD5:EA9DE561C55F67143CA444FEBEFCAE21
SHA256:DF7256B345CCCB2E6919C6D115BB670E9421D98F13A7641D8D548ABA0F324D90
6564WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbresbinary
MD5:C26EA6010E7E43E7547B1915966BABBC
SHA256:AB6705636C872E0475178618F098B78D6AAF5046B5335259455DFD1B24119619
6564WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$icemail_+Transcription+_ATT007510.docxbinary
MD5:E70C9A44A1A64E3EE68A5138E065314B
SHA256:48CF64CD66CD313BBA9F4CB8CA54864267DB8E6BF7816262C97D0ED3D5E13597
6564WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bintext
MD5:CC90D669144261B198DEAD45AA266572
SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
6564WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04der
MD5:2F247B5ED87BB5C2F0C79A7D9B2ECF7D
SHA256:1F83E56ECA45B202A86F8E33FEEAA8F41DB3B5D6EB2BA5DF32E82D5499A5BBBE
6564WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RF138f24.TMPbinary
MD5:4FCB2A3EE025E4A10D21E1B154873FE2
SHA256:90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
18
TCP/UDP connections
80
DNS requests
26
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6564
WINWORD.EXE
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
unknown
whitelisted
6564
WINWORD.EXE
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
unknown
whitelisted
6564
WINWORD.EXE
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6564
WINWORD.EXE
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
6564
WINWORD.EXE
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
unknown
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown
4
System
192.168.100.255:138
unknown
5064
SearchApp.exe
104.126.37.131:443
www.bing.com
Akamai International B.V.
DE
unknown
1176
svchost.exe
20.190.160.20:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
unknown
6564
WINWORD.EXE
52.109.89.18:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
6564
WINWORD.EXE
52.113.194.132:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
unknown
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
  • 2.16.241.19
  • 2.16.241.12
unknown
www.microsoft.com
  • 184.30.21.171
  • 2.23.246.101
unknown
google.com
  • 142.250.186.46
unknown
www.bing.com
  • 104.126.37.131
  • 104.126.37.145
unknown
login.live.com
  • 20.190.160.20
  • 40.126.32.136
  • 40.126.32.140
  • 40.126.32.76
  • 40.126.32.68
  • 40.126.32.74
  • 40.126.32.134
  • 20.190.160.17
unknown
ocsp.digicert.com
  • 192.229.221.95
unknown
officeclient.microsoft.com
  • 52.109.89.18
unknown
ecs.office.com
  • 52.113.194.132
unknown
roaming.officeapps.live.com
  • 52.109.32.7
unknown

Threats

No threats detected
Process
Message
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.