File name: | fara_titlu-6000 6539654721.doc |
Full analysis: | https://app.any.run/tasks/0466a356-010c-43e7-82ae-ff187bac1835 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | October 20, 2020, 09:17:49 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Facere., Author: Victor Brun, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Oct 16 07:31:00 2020, Last Saved Time/Date: Fri Oct 16 07:31:00 2020, Number of Pages: 1, Number of Words: 2837, Number of Characters: 16174, Security: 8 |
MD5: | 80ECDBB4979308806C15DC62F755EC7D |
SHA1: | C555A9EEE3A110F2851972D262D0EAE9BD84579F |
SHA256: | 0477D3C46A4B4854CD9E0A70B203E6DA1A9F815BB7C2287532ADAEDCEF8EFB3B |
SSDEEP: | 3072:JueCmMmDBeY5kb0TUNAuBqVPlB11nBkEUGI5rKZvFh9D:UdmM+EYOb0TUquBqt7nBSr5O9Fh9D |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | Facere. |
---|---|
Subject: | - |
Author: | Victor Brun |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2020:10:16 06:31:00 |
ModifyDate: | 2020:10:16 06:31:00 |
Pages: | 1 |
Words: | 2837 |
Characters: | 16174 |
Security: | Locked for annotations |
Company: | - |
Lines: | 134 |
Paragraphs: | 37 |
CharCountWithSpaces: | 18974 |
AppVersion: | 15 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
CodePage: | Unicode UTF-16, little endian |
LocaleIndicator: | 1033 |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2028 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\fara_titlu-6000 6539654721.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2028 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4134.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2028 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\config14[1].xml | — | |
MD5:— | SHA256:— | |||
2028 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Cab772A.tmp | — | |
MD5:— | SHA256:— | |||
2028 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Tar772B.tmp | — | |
MD5:— | SHA256:— | |||
2028 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:3F38725990A2E5275FE09A2ED3562A89 | SHA256:7B84026E1ADCCF6ADF17984ED5ECAD01AFE5FD3F99C57E22AA41D83F3F6BF559 | |||
2028 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\b6419f5bc3093b5f22142ce454e02407.sig | binary | |
MD5:C0555F5FE5439C0BEB35D58E1A65DCFC | SHA256:0A04AE7C4B3894D3B74DDB95ADDF30D0042BD8AB62BDE05514A85F9E0B73E9DA | |||
2028 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F | der | |
MD5:B62D0A9064DADEA95C251DEB7D68AC20 | SHA256:DD3C7415CF4D75FE083DD4F2D9A2250409BB9F09033F8B2BA6BEB2CD13971918 | |||
2028 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\b6419f5bc3093b5f22142ce454e02407.xml | xml | |
MD5:E6AD4E13FB45F615357A57C1B9DDD9CF | SHA256:4535EB93D5EC26288F10F0B5C4DD8CEB4B558CAAC4AE7FF66FAE348F5B3D9692 | |||
2028 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F | binary | |
MD5:6A7C3BFD23F10D9DF51B8F73F1B3F704 | SHA256:249267DD184746961D5F78BC69213692C44D363505BDC4D54E2964D39BE738F0 | |||
2028 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$ra_titlu-6000 6539654721.doc | pgc | |
MD5:5547D47DD5CCED4F811AED02312EFBEE | SHA256:AD0863F420CE1F66F1130C0504AA2E0B1483871B267309ADEF75DB352D629CE6 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2028 | WINWORD.EXE | GET | 200 | 52.109.76.6:80 | http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={019C826E-445A-4649-A5B0-0BF08FCC4EEE}&build=14.0.6023 | IE | xml | 1.99 Kb | whitelisted |
2028 | WINWORD.EXE | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D | US | der | 1.47 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2028 | WINWORD.EXE | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2028 | WINWORD.EXE | 52.109.76.6:80 | office14client.microsoft.com | Microsoft Corporation | IE | whitelisted |
2028 | WINWORD.EXE | 52.109.120.29:443 | rr.office.microsoft.com | Microsoft Corporation | HK | whitelisted |
Domain | IP | Reputation |
---|---|---|
office14client.microsoft.com |
| whitelisted |
rr.office.microsoft.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |