File name: | Billing-Information-774XSDER.dot |
Full analysis: | https://app.any.run/tasks/2cb14333-de8f-4dff-900f-37c11b4b0092 |
Verdict: | Malicious activity |
Analysis date: | June 19, 2019, 07:06:19 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Jhon Wick, Template: Billing-Information-774XSDER, Last Saved By: Windows User, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jun 18 16:10:00 2019, Last Saved Time/Date: Tue Jun 18 16:10:00 2019, Number of Pages: 1, Number of Words: 116, Number of Characters: 667, Security: 0 |
MD5: | FEDE13A7E210ABE0DFBA9B4E3584317B |
SHA1: | C3308B6C5AD23EB193DE220E165C86E7A051605F |
SHA256: | 1A792C056D3C22C36B6725E8C65B5E31C330975C5F25E858FDE3394A9AE53282 |
SSDEEP: | 768:/ZdLdRPiikeqjUUd4b1tQQrfCpsn1AlIwuBslL8VPSd5NmVj:Lx0lXY/Cqn1QIwyOLP |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Author: | Jhon Wick |
---|---|
Template: | Billing-Information-774XSDER |
LastModifiedBy: | Windows User |
RevisionNumber: | 2 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:06:18 15:10:00 |
ModifyDate: | 2019:06:18 15:10:00 |
Pages: | 1 |
Words: | 116 |
Characters: | 667 |
Security: | None |
Company: | - |
Lines: | 5 |
Paragraphs: | 1 |
CharCountWithSpaces: | 782 |
AppVersion: | 14 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | |
CodePage: | Windows Latin 1 (Western European) |
Hyperlinks: | |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2948 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Billing-Information-774XSDER.dot.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | | explorer.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE9F1.tmp.cvr | — | — | — |
2948 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt | — | — | — |
2948 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt | text | CB048EC93071197BF938F3165D1A11F9 | DC9E7D63644BCC4D3D448D27620E96AC3621157D38DB6467D81F4B4C7627ACC5 |
2948 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 816BEA007272E3D591722A84B2EBD2E8 | 0BD48B965DD591F21A77D8C83E4C24FE5627C543192A698F7B1E1842A0EEDB5A |
2948 | WINWORD.EXE | C:\Users\admin\Desktop\~$lling-Information-774XSDER.dot.doc | pgc | 052D60CD40560A74BC6BB9EA63A5E6DF | 43F65A707CA528A8E8F617BE15C13EB3B76A771CCE6A28BA496BB4A395238196 |
2948 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@gg[1].txt | text | 4CCDC3C991DEEF5CB21335576CCC1429 | 1745545C6743BEC472D02DA0F39CAE742D06DB7BB45AD49D8FB826E20D67FC94 |
2948 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Billing-Information-774XSDER.dot.doc.LNK | lnk | 73859181E8BDB847F3E06C4B08D7147A | 09A03CCAD928D99CB74FF49F775998DB29568CCF8A7181B9757F5AFA2C0DBC28 |
2948 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | FCAE235D381E4B8DA166D661E019CEE1 | 2F5EA28B5ED3F35190197BCFD9AAE29E487D41E4A61DC3036912489B4724BFD0 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2948 | WINWORD.EXE | GET | 307 | 165.22.91.181:80 | http://165.22.91.181/index | US | — | — | unknown |
2948 | WINWORD.EXE | GET | 301 | 91.224.140.71:80 | http://gg.gg/ea3c2 | NL | — | — | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2948 | WINWORD.EXE | 165.22.91.181:80 | — | — | US | unknown |
— | — | 34.74.182.44:443 | auth-suppli3d.3utilities.com | — | US | unknown |
2948 | WINWORD.EXE | 34.74.182.44:443 | auth-suppli3d.3utilities.com | — | US | unknown |
2948 | WINWORD.EXE | 91.224.140.71:80 | gg.gg | Innovation IT Solutions LTD | NL | suspicious |
Domain | IP | Reputation |
---|---|---|
gg.gg | | shared |
auth-suppli3d.3utilities.com | | unknown |