File name: | Month Statement.doc |
Full analysis: | https://app.any.run/tasks/2c9a9a4f-a98b-4ba9-993f-0f7bb0e09df6 |
Verdict: | Malicious activity |
Analysis date: | October 09, 2019, 13:22:30 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: adm, Template: Normal, Last Saved By: YJO, Revision Number: 4, Name of Creating Application: Microsoft Office Word, Total Editing Time: 55:00, Create Time/Date: Tue Sep 5 10:03:00 2017, Last Saved Time/Date: Wed Oct 9 10:30:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
MD5: | A98E37C827BC4A9ACADD4D374D7EDD00 |
SHA1: | DB6CF6B126A48D0E86CBFDD39C58C4FFC0D0B5C2 |
SHA256: | 07BD8255F34529A7A027DB88DC7A90310D2E407357CB5EA67A5BA55BD255F248 |
SSDEEP: | 24576:nXpcuPW7kgAuMTxw5dxsIk4aKpZJZhyPr:XpF5u5dS4PpZJZsPr |
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | ???????? Microsoft Word 97-2003 |
CompObjUserTypeLen: | 32 |
HeadingPairs: | - |
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 15 |
CharCountWithSpaces: | 1 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Cyrillic |
Security: | None |
Characters: | 1 |
Words: | - |
Pages: | 1 |
ModifyDate: | 2019:10:09 09:30:00 |
CreateDate: | 2017:09:05 09:03:00 |
TotalEditTime: | 55.0 minutes |
Software: | Microsoft Office Word |
RevisionNumber: | 4 |
LastModifiedBy: | YJO |
Template: | Normal |
Comments: | - |
Keywords: | - |
Author: | adm |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3228 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Month Statement.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
3928 | C:\Windows\System32\WScript.exe "C:\Users\admin\AppData\Local\Temp\error_log.vbe" | C:\Windows\System32\WScript.exe | | taskeng.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
2932 | C:\Users\admin\AppData\Local\Temp\Colors.exe | C:\Users\admin\AppData\Local\Temp\Colors.exe | | taskeng.exe | User: admin; Integrity Level: MEDIUM
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3228 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRF25.tmp.cvr | — | — | —
3228 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 0DA97163FDEBFAEF04B4154A5B8216B7 | 9229E2C97B8BF46154BD3D26D9F3941F89975DE2735A7B46F86690505905C540
3228 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\error_log.vbe | vbe | 20713396556441F6F04C8D7ABD28B165 | F198812396D9A282EEFC40544FCD3F8F84C5AA09AB02E100DB4D276188AE51FC
3928 | WScript.exe | C:\Users\admin\AppData\Local\Temp\Colors.exe | executable | AB2C0D36529119E91FA84562A03307F7 | 1D772438392B1E84D3CE800E181603646AE675E8572F7F741184B83537C5451F
2932 | Colors.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\ihpupuqluretbwqo[1].txt | html | 5C77E0972313D366AD324C76324CC500 | D3E60E71F845A6B217A38797DD8C5497EA0EAFB64CAD44BC2B4A09EAD15F5C84
3228 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$nth Statement.doc | pgc | AEC958E03165B4A38DD70FB3552B344F | 6526D66E052E1C596C3CA9D84628F7582D167CBE14D3B47F6C05E7A144AA43B8
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2932 | Colors.exe | 45.90.32.34:443 | 5571875.info | — | — | malicious |
3928 | WScript.exe | 192.185.195.77:443 | cafeestereo.com | CyrusOne LLC | US | suspicious |
Domain | IP | Reputation
---|---|---
cafeestereo.com | | suspicious
5571875.info | | malicious