File name: | CO & BL INV 452.docx |
Full analysis: | https://app.any.run/tasks/2c92e8e1-f29a-40c3-a353-cd1211953b6d |
Verdict: | Malicious activity |
Threats: | AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. |
Analysis date: | December 15, 2018, 01:58:10 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 4F87665C7B04AAD7EC438C8008EFECE1 |
SHA1: | 90F993CD4329EC6331457888D41E5C2F755B8BD1 |
SHA256: | 2771307D115CB188EC94DC605E3D30FE656CC0B33DF7E937D074FDA0AAF77A38 |
SSDEEP: | 192:0I/viR/2ww6yMtWN3v0mqQTnhr5OJQT1Q0P55dKbFTB8GoA6a7kWSm2:0I/viRfw6yMti3hLOJQT1Q0DdQd3om2 |
Extension | Identification (score)
---|---|
.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)
ZipRequiredVersion: | 20 |
ZipBitFlag: | 0x0002 |
ZipCompression: | Deflated |
ZipModifyDate: | 2018:12:15 02:19:00 |
ZipCRC: | 0x82872409 |
ZipCompressedSize: | 358 |
ZipUncompressedSize: | 1422 |
ZipFileName: | [Content_Types].xml |
Template: | dotm.dotm |
TotalEditTime: | 1 minute |
Pages: | 1 |
Words: | 1 |
Characters: | 7 |
Application: | Microsoft Office Word |
DocSecurity: | None |
Lines: | 1 |
Paragraphs: | 1 |
ScaleCrop: | No |
HeadingPairs: | |
TitlesOfParts: | - |
Company: | SPecialiST RePack |
LinksUpToDate: | No |
CharactersWithSpaces: | 7 |
SharedDoc: | No |
HyperlinksChanged: | No |
AppVersion: | 14 |
LastModifiedBy: | Microsoft |
RevisionNumber: | 1 |
CreateDate: | 2017:09:24 17:26:00Z |
ModifyDate: | 2017:09:24 17:27:00Z |
Creator: | Microsoft |
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---|
2980 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\CO & BL INV 452.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
4008 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900
3492 | C:\Users\admin\AppData\Local\25802580.exe | C:\Users\admin\AppData\Local\25802580.exe | — | EQNEDT32.EXE | User: admin; Company: Adobe Inc.; Integrity Level: MEDIUM; Description: Adobe Dreamweaver CC 2019; Exit code: 1; Version: 19.0.0.11193
4040 | C:\Users\admin\AppData\Local\25802580.exe | C:\Users\admin\AppData\Local\25802580.exe | — | 25802580.exe | User: admin; Company: Adobe Inc.; Integrity Level: MEDIUM; Description: Adobe Dreamweaver CC 2019; Exit code: 0; Version: 19.0.0.11193
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---|
2980 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6B1E.tmp.cvr | — | — | —
2980 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{3AF89849-6A65-4918-8652-39916A41967A} | — | — | —
2980 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{D2626904-C7D7-490D-A07A-1AE5E36B9997} | — | — | —
2980 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C6609B35.doc | — | — | —
2980 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\643EE80B.doc | — | — | —
2980 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary | B30B87AAE2700DB0ED4E81DFE84D3E58 | 0753F0D598E000E9472AF7DE340EA192634FF35A8283FF8E0622F4048D13C374
2980 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{492B5817-69DB-4A05-BE76-0C6CEC0D72DF}.FSD | binary | 512D3A3462B85E3EC458ACE96CDA9BCD | E5DD28F8459E55DE10FAAA5F94996C723B97079CA22B1CF287CEFB48A709654A
2980 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | D54EF75E542155A03DAEF5B6D413EEBB | 562D35F242B53183D0D079C1C1AD18E899707440C8E0659262664879D6B869B7
2980 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary | 76B1530FA206F5964792104CC94D1056 | B55C1A9111406D62A2F31AFAE0BABA5BD7AE08BDC7B62DC246947CA08649EE46
2980 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | A2DC3FC20B9735F8C405E6BC5C237B2F | 52638F7D2A05E611D5C082719A09F73B639CCA9043D14116EEE3C68C39800491
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2980 | WINWORD.EXE | OPTIONS | 200 | 104.27.135.189:80 | http://gahtt9j6.u8f3e5jq.ru/ | US | — | — | malicious |
2980 | WINWORD.EXE | HEAD | 200 | 104.27.135.189:80 | http://gahtt9j6.u8f3e5jq.ru/CO%20&%20BL%20INV%20360.doc | US | — | — | malicious |
980 | svchost.exe | OPTIONS | 200 | 104.27.135.189:80 | http://gahtt9j6.u8f3e5jq.ru/ | US | — | — | malicious |
980 | svchost.exe | PROPFIND | 405 | 104.27.135.189:80 | http://gahtt9j6.u8f3e5jq.ru/ | US | html | 296 b | malicious |
2980 | WINWORD.EXE | GET | 304 | 104.27.135.189:80 | http://gahtt9j6.u8f3e5jq.ru/CO%20&%20BL%20INV%20360.doc | US | — | — | malicious |
2980 | WINWORD.EXE | HEAD | 200 | 104.27.135.189:80 | http://gahtt9j6.u8f3e5jq.ru/CO%20&%20BL%20INV%20360.doc | US | — | — | malicious |
2980 | WINWORD.EXE | HEAD | 200 | 104.27.135.189:80 | http://gahtt9j6.u8f3e5jq.ru/CO%20&%20BL%20INV%20360.doc | US | — | — | malicious |
2980 | WINWORD.EXE | GET | 304 | 104.27.135.189:80 | http://gahtt9j6.u8f3e5jq.ru/CO%20&%20BL%20INV%20360.doc | US | — | — | malicious |
2980 | WINWORD.EXE | HEAD | 200 | 104.27.135.189:80 | http://gahtt9j6.u8f3e5jq.ru/CO%20&%20BL%20INV%20360.doc | US | — | — | malicious |
2980 | WINWORD.EXE | GET | 200 | 104.27.135.189:80 | http://gahtt9j6.u8f3e5jq.ru/CO%20&%20BL%20INV%20360.doc | US | text | 35.4 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
980 | svchost.exe | 104.27.135.189:80 | gahtt9j6.u8f3e5jq.ru | Cloudflare Inc | US | shared |
2980 | WINWORD.EXE | 104.27.135.189:80 | gahtt9j6.u8f3e5jq.ru | Cloudflare Inc | US | shared |
4008 | EQNEDT32.EXE | 104.27.135.189:80 | gahtt9j6.u8f3e5jq.ru | Cloudflare Inc | US | shared |
4040 | 25802580.exe | 91.217.137.44:53 | — | Meganet-2003 LLC | RU | unknown |
4040 | 25802580.exe | 89.46.223.134:80 | docusign.bit | Avolo Telecom Srl | RO | suspicious |
4040 | 25802580.exe | 151.80.147.153:53 | — | OVH SAS | FR | malicious |
Domain | IP | Reputation
---|---|---|
gahtt9j6.u8f3e5jq.ru | | malicious
docusign.bit | | malicious
PID | Process | Class | Message |
---|---|---|---|
2980 | WINWORD.EXE | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious DOC loader of embedded OLE from external source |
2980 | WINWORD.EXE | A Network Trojan was detected | MALWARE [PTsecurity] Possible RTF CVE-2017-11882 document |
4008 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
4008 | EQNEDT32.EXE | A Network Trojan was detected | ET TROJAN Possible Windows executable sent when remote host claims to send a Text File |
4040 | 25802580.exe | Potentially Bad Traffic | ET CURRENT_EVENTS DNS Query Domain .bit |
4040 | 25802580.exe | Potentially Bad Traffic | ET CURRENT_EVENTS DNS Query Domain .bit |
4040 | 25802580.exe | Potentially Bad Traffic | ET CURRENT_EVENTS DNS Query Domain .bit |
4040 | 25802580.exe | Potentially Bad Traffic | ET CURRENT_EVENTS DNS Query Domain .bit |
4040 | 25802580.exe | Potentially Bad Traffic | ET CURRENT_EVENTS DNS Query Domain .bit |
4040 | 25802580.exe | Potentially Bad Traffic | ET CURRENT_EVENTS DNS Query Domain .bit |