File name: | ARQUIVO 112019.doc |
Full analysis: | https://app.any.run/tasks/66b33dbc-5998-4031-b2fe-6ca0ace6ab67 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | December 02, 2019, 23:29:26 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Est quasi deleniti., Author: Lucien Hohnheiser, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Nov 12 14:18:00 2019, Last Saved Time/Date: Tue Nov 12 14:18:00 2019, Number of Pages: 1, Number of Words: 44, Number of Characters: 254, Security: 0 |
MD5: | 577C09131DB747D83A58C8029FEA63C1 |
SHA1: | 04F03D073444E754EAA69DA4227781BFDD3ED177 |
SHA256: | 284AD2239CC0F333450F8DAE671FC4F08B042A56614D1E72CC7972AF58F1B085 |
SSDEEP: | 3072:NgveLuqK1MH+UaqFh51r/SzFaSaJGBrjC48+WZ/POhh+/gP:NgveLuqK1MHNaqjSzGJD48+aPOn1 |
.doc | | | Microsoft Word document (54.2) |
.doc | | | Microsoft Word document (old ver.) (32.2) |
HeadingPairs: | |
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 297 |
Paragraphs: | 1 |
Lines: | 2 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 254 |
Words: | 44 |
Pages: | 1 |
ModifyDate: | 2019:11:12 14:18:00 |
CreateDate: | 2019:11:12 14:18:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | Lucien Hohnheiser |
Subject: | - |
Title: | Est quasi deleniti. |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
944 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\ARQUIVO 112019.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA795.tmp.cvr | — | |
MD5:— | SHA256:— | |||
944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BB9988B.wmf | wmf | |
MD5:AB1A29B1DA34496DB3124F2409809BB0 | SHA256:969143F521C297A101B9339673DF34AEBB22CD43F4E16F1EE67082AF0008FB06 | |||
944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$QUIVO 112019.doc | pgc | |
MD5:E70893FD72F10216DC1C5AA8E95BEBAB | SHA256:C34CDD899E83012BBDDCB55E1B567417BAB8424150073F54F2A919943C44DB96 | |||
944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\83AFEC68.wmf | wmf | |
MD5:2C7073ED38E1D901A5A9D54843218134 | SHA256:9ECAE4644CDD7BCB025ABED6FE6843B53B20F4886AD99FC42CAF52A5DB2B06F4 | |||
944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E012A107.wmf | wmf | |
MD5:40355132DDFE82F87EC787314DF23FFC | SHA256:8AC2F2DE52765A559627D0AC206C806D5DEA236E25E99CEF6453F7299D9AA892 | |||
944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AEEFF99E.wmf | wmf | |
MD5:F38FF8466EE37EA4C6549C0A24FBC4CC | SHA256:712F5C4B486211CF7F1910D05AA202210B1275DCFAFC0DD048B83D5ED37700F4 | |||
944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\36F1D6B6.wmf | wmf | |
MD5:0BE1700C36821DC6047C1B472B2EF2A1 | SHA256:67EA4F057FC7DCE4D3ECDE1F542941DF8BB53805F9CD82AEF23D69346201F052 | |||
944 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:45822EE62FC571A3151895E367644231 | SHA256:EB3C643FA978D554A4FC475FB2EC2D439467CBEED53546B5218462C2B3EC2CB5 | |||
944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:C1583B6DF927C87C7B921925869A7D94 | SHA256:126A1810F7A1B94A55A12D17A414D19463FBCC99E32E6C028E4E50974FC28302 | |||
944 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\80B98C34.wmf | wmf | |
MD5:43DDFB5897B1C78162BA131DF3CE0249 | SHA256:D15C0C7C19EBFB0F06DC929AD6D79438682B6883956A04962E70FC08E41ADDDA |