| Field | Value |
|---|---|
| File name | 1f853368ba469abd3bbb5ba797e646cf0d3485eb7053b29d5e4501a703b6f17a.docx |
| Full analysis | https://app.any.run/tasks/126f1c97-39b6-47fc-891d-931ae68afde7 |
| Verdict | Malicious activity |
| Analysis date | December 06, 2018, 13:46:48 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | 2A1C43A62C89A78D6D7A157B3AA86B3B |
| SHA1 | 8D886586B9EE017F5C2611CF9E0C51868D284F4C |
| SHA256 | 1F853368BA469ABD3BBB5BA797E646CF0D3485EB7053B29D5E4501A703B6F17A |
| SSDEEP | 3072:jSEVa/OV7diMw+bdRBbu2MKIOU9JEyRaV7kVFEjcfUhwCgZSHK0LJx2:eEVTVZb5RxuROoEXV4VFEjcfbCgMKii |
| Extension | File type (match score) |
|---|---|
| .docx | Word Microsoft Office Open XML Format document (52.2) |
| .zip | Open Packaging Conventions container (38.8) |
| .zip | ZIP compressed archive (8.8) |
| Document property | Value |
|---|---|
| ModifyDate | 2018:10:15 16:19:00Z |
| CreateDate | 2018:10:15 16:19:00Z |
| AppVersion | 12 |
| HyperlinksChanged | No |
| SharedDoc | No |
| CharactersWithSpaces | - |
| LinksUpToDate | No |
| Company | - |
| ScaleCrop | No |
| Paragraphs | 1 |
| Lines | 1 |
| DocSecurity | None |
| Application | Microsoft Office Word |
| Characters | - |
| Words | - |
| Pages | 1 |
| TotalEditTime | - |
| Template | Normal.dotm |
| Zip property | Value |
|---|---|
| ZipFileName | _rels/ |
| ZipUncompressedSize | - |
| ZipCompressedSize | - |
| ZipCRC | 0x00000000 |
| ZipModifyDate | 2018:12:04 22:20:22 |
| ZipCompression | None |
| ZipBitFlag | - |
| ZipRequiredVersion | 20 |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 2988 | `"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\1f853368ba469abd3bbb5ba797e646cf0d3485eb7053b29d5e4501a703b6f17a.docx"` | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
| 4016 | `"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT` | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE | — | WINWORD.EXE | User: admin; Integrity Level: LOW; Exit code: 0 |
| 2728 | `"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT` | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE | — | WINWORD.EXE | User: admin; Integrity Level: LOW; Exit code: 0 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2988 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR68DC.tmp.cvr | — | — | — |
| 2988 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_1C9C52DB-CBEC-4B0A-BB6A-5CB342B2458D.0\FL6E9A.tmp | ps | C8F5679981B53D21163E227536DBF058 | 4A3EA8066674F404F03229CFDDB1EAFE0255AFE909AC36950ADD80D07C23DF4D |
| 2988 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 6B01A4399B399324F54D1B8A2E65AF4E | 2053FC6E06AD503565098797E40EDDF8CC5E6604C5164B385EF69A4E5CF81581 |
| 2988 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A3297C78.eps | ps | C8F5679981B53D21163E227536DBF058 | 4A3EA8066674F404F03229CFDDB1EAFE0255AFE909AC36950ADD80D07C23DF4D |
| 2988 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\1f853368ba469abd3bbb5ba797e646cf0d3485eb7053b29d5e4501a703b6f17a.docx.LNK | lnk | AEECD1823E98D91F7CA9CC40F81AB356 | 8615B803EF2B6E9DABAB3FD2FED3C135E0EEC273A827189B483E0916749CABC5 |
| 2988 | WINWORD.EXE | C:\Users\admin\Desktop\~$853368ba469abd3bbb5ba797e646cf0d3485eb7053b29d5e4501a703b6f17a.docx | pgc | 5483FBFB757E0C3CFCCD3114B945D21A | FCEB30276745AAD7D6F58306F92E907F7832BB90D89AF37AE74451B334E996C5 |
| 2988 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | 210A9A61960FBFE7E02338ED4E0DC87E | 18ADB6A941B28A784F6964762F069B18EAB455200A81AFD1020BA6C0112CDB89 |
| 2988 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_9AADE63D-7850-4EB9-99DB-F448948054CB.0\FLBD96.tmp | ps | C8F5679981B53D21163E227536DBF058 | 4A3EA8066674F404F03229CFDDB1EAFE0255AFE909AC36950ADD80D07C23DF4D |
| 2988 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CBD5AF93.eps | ps | C8F5679981B53D21163E227536DBF058 | 4A3EA8066674F404F03229CFDDB1EAFE0255AFE909AC36950ADD80D07C23DF4D |