File name: | Invoice_documentation_61049X.docm |
Full analysis: | https://app.any.run/tasks/8a14989f-6c7d-49a9-b731-8c12cd740b20 |
Verdict: | Malicious activity |
Analysis date: | August 13, 2019, 18:02:41 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | E36380D824811BC28FBC26EA84C1A868 |
SHA1: | 19D5FC16CFABAE3B3C26BBB4F5798DA42733A2FA |
SHA256: | 16429E95922C9521F7A40FA8F4C866444A060122448B243444DD2358A96A344C |
SSDEEP: | 3072:wa5NvylTvySQkTWzHL8N6h1FsRsJQIVgX1lhVKBAm1er4qTFNGCNBMja8g5+/J9W:HNK9vUUW4Y16qYGBzARNLNYw5qJWN |
.docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
---|---|---|
.docx | | | Word Microsoft Office Open XML Format document (24.2) |
.zip | | | Open Packaging Conventions container (18) |
.zip | | | ZIP compressed archive (4.1) |
Creator: | - |
---|
ModifyDate: | 2019:07:09 12:20:00Z |
---|---|
CreateDate: | 2019:07:08 09:55:00Z |
RevisionNumber: | 1 |
LastModifiedBy: | - |
AppVersion: | 14 |
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 689303 |
LinksUpToDate: | No |
Company: | - |
TitlesOfParts: | - |
HeadingPairs: |
|
ScaleCrop: | No |
Paragraphs: | 1378 |
Lines: | 4896 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 587595 |
Words: | 103086 |
Pages: | 176 |
TotalEditTime: | - |
Template: | Normal.dotm |
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 2645 |
ZipCompressedSize: | 501 |
ZipCRC: | 0xc6337d17 |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2072 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Invoice_documentation_61049X.docm" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
2276 | "C:\Windows\System32\wscript.exe" /e:JScript "C:\Users\admin\AppData\Local\Temp\Invoice_documentation_61049X.docmx" | C:\Windows\System32\wscript.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2072 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE681.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2072 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CA72AC4D.png | — | |
MD5:— | SHA256:— | |||
2072 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7BE9D24D-174B-4B29-BE6A-F7962D1A2120}.tmp | — | |
MD5:— | SHA256:— | |||
2072 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{ACF1739E-02CF-466B-8AD6-D9DA3F986404}.tmp | — | |
MD5:— | SHA256:— | |||
2072 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E4EF2F98-1CD1-423D-AF49-4C1878B55C32}.tmp | — | |
MD5:— | SHA256:— | |||
2072 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{20048F6F-B285-4C1D-A246-D314ADC0CA1A}.tmp | — | |
MD5:— | SHA256:— | |||
2072 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:DF9A06F4E8525464F0A061B7B2662CF5 | SHA256:85CC16C70DF2281B887B20E42CFADD1861E378FD30A6FB14F3AD45CB2CEFA0F8 | |||
2072 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Invoice_documentation_61049X.docmx | text | |
MD5:3C35905329981F5BC7925363316CE7E7 | SHA256:054D888593B4DF848A8E9FE13630EEEA7D33BDEDC60BEF6F04D7BAE3E2410126 | |||
2072 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$voice_documentation_61049X.docm | pgc | |
MD5:82FBCCBC4983C374DDE5A680AB976AB9 | SHA256:515CCE3CF2342F59E8FEA378CB87FEA82CC97A0A0CBCFA5CF2D36DADD01B1213 | |||
2072 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex | text | |
MD5:F3B25701FE362EC84616A93A45CE9998 | SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 |