Field | Value
---|---
File name | 51dd25a5.docx
Full analysis | https://app.any.run/tasks/a90dbfed-d572-483d-80d5-bfaabf2efc91
Verdict | Malicious activity
Analysis date | August 12, 2022, 20:32:11
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
MIME | application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info | Microsoft Word 2007+
MD5 | 671CC6C3F279ED83BC75325626BFFA05
SHA1 | 8C2F3A8180DB828A7D6EA302C12DB7094DFEB86A
SHA256 | 183AD1907F32FE5E280A6B25BCD4E177C51A3D0003A40EEF4823339907570EBB
SSDEEP | 192:ScIMmtPpAAtG/bYRK5topOo7zlYFRV3Lt:SPXeZ5aOo7zlYFRx5
Extension | File type (score)
---|---
.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)
Document property | Value
---|---
Creator | HP 15
ModifyDate | 2022:08:03 18:15:00Z
CreateDate | 2018:03:07 09:39:00Z
RevisionNumber | 1
LastModifiedBy | 91974
AppVersion | 12
HyperlinksChanged | No
SharedDoc | No
CharactersWithSpaces | 5
LinksUpToDate | No
Company | Grizli777
ScaleCrop | No
Paragraphs | 1
Lines | 1
DocSecurity | None
Application | Microsoft Office Word
Characters | 5
Words | —
Pages | 1
TotalEditTime | —
Template | Normal.dotm

ZIP entry property | Value
---|---
ZipFileName | [Content_Types].xml
ZipUncompressedSize | 1312
ZipCompressedSize | 358
ZipCRC | 0x3795fcdd
ZipModifyDate | 1980:01:01 00:00:00
ZipCompression | Deflated
ZipBitFlag | 0x0006
ZipRequiredVersion | 20
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
1420 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\51dd25a5.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | Explorer.EXE

Process details (PID 1420) | Value
---|---
User | admin
Company | Microsoft Corporation
Integrity Level | MEDIUM
Description | Microsoft Word
Version | 14.0.6024.1000
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1420 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9674.tmp.cvr | — | — | —
1420 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | 66BE89B599375BA1F6EC7441CAD148B8 | C15359670FD64D241EC902A25FB816E55AA787457F60526E18053E12F4FA660E
1420 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{EEE7300E-AFE9-49C4-8DB2-E8E95E360330} | binary | 66BE89B599375BA1F6EC7441CAD148B8 | C15359670FD64D241EC902A25FB816E55AA787457F60526E18053E12F4FA660E
1420 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary | B21467CA31C8CFD961042D90D979C3A0 | E6768AC75991E27C0F028802A9A9A493F369303CED80CE700B11D1B72E4FDF43
1420 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{37FA45F1-CFCD-452D-A709-02F76C16B295} | binary | B21467CA31C8CFD961042D90D979C3A0 | E6768AC75991E27C0F028802A9A9A493F369303CED80CE700B11D1B72E4FDF43
1420 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{F1EFC4A0-2A72-4DF0-A969-32C6FFEF48CA}.FSD | binary | 2DA86E3D43C197DCDE0B301326BBEA1D | 103A1E6048C405595358C78D2184A00C920A490A5C77875400B533614E80407B
1420 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{E479647D-398F-4C24-9456-20EBD2349508}.FSD | binary | ABFE982C4D9D0F7E4056E57284DF3E66 | 53911C84296168D0A06B2C5A5E9F9B73376E1D33DD96F74B32C4E7CEC5D3C00A
1420 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | D2232D7D7255D896578588604E19A8B0 | 8CFA012DDD8EC220855639B9F805DFF8774ABB4B3C2C0D321A2CD0D8B946691D
1420 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$dd25a5.docx | pgc | 3C43C729A548C29DBECB825B97587C7B | B55583761691C23BCDA77BB6B6335A9F418A445D1630D95EFC3C58A55D1D30EA
1420 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF | binary | D471A0BB5F0B8A9AC834E0172491B7F9 | 418B6AE0A39787583DCD77DA0ED040F8C3DDA03410E71D04C235EE6E736F298F
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
708 | svchost.exe | OPTIONS | 301 | 34.231.84.230:80 | http://trimurl.co/ | US | html | 162 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
708 | svchost.exe | 34.231.84.230:443 | trimurl.co | Amazon.com, Inc. | US | suspicious |
— | — | 34.231.84.230:443 | trimurl.co | Amazon.com, Inc. | US | suspicious |
1420 | WINWORD.EXE | 34.231.84.230:443 | trimurl.co | Amazon.com, Inc. | US | suspicious |
708 | svchost.exe | 34.231.84.230:80 | trimurl.co | Amazon.com, Inc. | US | suspicious |
Domain | IP | Reputation
---|---|---
trimurl.co | — | suspicious
PID | Process | Class | Message |
---|---|---|---|
708 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
708 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
708 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
708 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
708 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
708 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
708 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
708 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
708 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
708 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |