File name: | ARQUIVO 112019.doc |
Full analysis: | https://app.any.run/tasks/d0245ced-6fe6-4abc-8f69-4de5f36669b0 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans in circulation. Originally a banking trojan, it has been upgraded over its lifetime into a modular loader that delivers additional malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns, typically via malicious Office documents such as this one. |
Analysis date: | December 03, 2019, 01:11:01 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Est quasi deleniti., Author: Lucien Hohnheiser, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Nov 12 14:18:00 2019, Last Saved Time/Date: Tue Nov 12 14:18:00 2019, Number of Pages: 1, Number of Words: 44, Number of Characters: 254, Security: 0 |
MD5: | 577C09131DB747D83A58C8029FEA63C1 |
SHA1: | 04F03D073444E754EAA69DA4227781BFDD3ED177 |
SHA256: | 284AD2239CC0F333450F8DAE671FC4F08B042A56614D1E72CC7972AF58F1B085 |
SSDEEP: | 3072:NgveLuqK1MH+UaqFh51r/SzFaSaJGBrjC48+WZ/POhh+/gP:NgveLuqK1MHNaqjSzGJD48+aPOn1 |
Extension | Type | Probability (%) |
---|---|---|
.doc | Microsoft Word document | 54.2 |
.doc | Microsoft Word document (old ver.) | 32.2 |
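As an added example (not code from the ANY.RUN report), the following Python performs the first two checks an analyst would run offline on a file like ARQUIVO 112019.doc: it parses the MS-CFB (OLE2) header that the file info above summarises as "Composite Document File V2 Document, Little Endian", rejecting anything whose byte-order mark, version or sector shift is inconsistent, and it compares the file's MD5/SHA1/SHA256 with the hashes listed in the report. The 512-byte header it parses when run without arguments is constructed for the demo and is not taken from the real sample; the function names and the `REPORT_HASHES` dictionary are the example's own.

```python
"""Offline triage of an OLE2/CFB document such as the .doc analysed above.

Added example, not part of the ANY.RUN report. The sample header built by
build_sample_header() is constructed for the demo, not bytes from the real
ARQUIVO 112019.doc.
"""
import hashlib
import struct
import sys

# MS-CFB header signature (D0 CF 11 E0 A1 B1 1A E1), present in every OLE2 file.
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN = 0xFFFFFFFE
FREESECT = 0xFFFFFFFF

# Hashes of ARQUIVO 112019.doc as listed in the report above.
REPORT_HASHES = {
    "md5": "577c09131db747d83a58c8029fea63c1",
    "sha1": "04f03d073444e754eaa69da4227781bfdd3ed177",
    "sha256": "284ad2239cc0f333450f8dae671fc4f08b042a56614d1e72cc7972af58f1b085",
}


def is_cfb(data: bytes) -> bool:
    """True if the data starts with the OLE2/CFB magic."""
    return data[:8] == CFB_MAGIC


def parse_cfb_header(data: bytes) -> dict:
    """Parse the 512-byte MS-CFB header; raise ValueError on anything malformed."""
    if len(data) < 512:
        raise ValueError("shorter than a CFB header (512 bytes)")
    if not is_cfb(data):
        raise ValueError("not an OLE2/CFB file (bad magic)")
    # 0x18: minor version, major version, byte-order mark, sector shift, mini sector shift
    minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<5H", data, 0x18)
    # 0x28: nine uint32 counters/locators (directory, FAT, mini FAT, DIFAT)
    (n_dir, n_fat, first_dir, _txn, mini_cutoff,
     first_minifat, n_minifat, first_difat, n_difat) = struct.unpack_from("<9I", data, 0x28)
    if byte_order != 0xFFFE:
        raise ValueError(f"unexpected byte-order mark 0x{byte_order:04X}")
    # MS-CFB allows only v3 with 512-byte sectors or v4 with 4096-byte sectors.
    if (major, sector_shift) not in ((3, 9), (4, 12)) or mini_shift != 6:
        raise ValueError(f"inconsistent version/sector shift: v{major}, shift {sector_shift}")
    return {
        "major_version": major,
        "minor_version": minor,
        "byte_order": "little-endian",
        "sector_size": 1 << sector_shift,
        "mini_sector_size": 1 << mini_shift,
        "mini_stream_cutoff": mini_cutoff,
        "fat_sectors": n_fat,
        "first_dir_sector": first_dir,
        "difat_sectors": n_difat,
    }


def hash_bytes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the data as lowercase hex, keyed like REPORT_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def matches_report(data: bytes, expected: dict = REPORT_HASHES) -> bool:
    """True only if every listed hash matches the report's IOCs."""
    return hash_bytes(data) == {k: v.lower() for k, v in expected.items()}


def build_sample_header() -> bytes:
    """Constructed v3 CFB header (little endian, 512-byte sectors); demo data only."""
    hdr = bytearray(512)
    hdr[0:8] = CFB_MAGIC  # signature; the CLSID at 0x08 stays zero
    struct.pack_into("<5H", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)
    # no directory-sector count (v3), 1 FAT sector, directory in sector 1, 4096-byte mini cutoff
    struct.pack_into("<9I", hdr, 0x28, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    # DIFAT array: the single FAT sector is sector 0, the remaining 108 slots are free
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))
    return bytes(hdr)


def triage(path: str) -> dict:
    """Read a file, parse its CFB header and compare its hashes with the report."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"header": parse_cfb_header(data),
            "hashes": hash_bytes(data),
            "matches_report": matches_report(data)}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(triage(sys.argv[1]))
    else:
        sample = build_sample_header()
        print(parse_cfb_header(sample))
        print("matches report IOCs:", matches_report(sample))
```

Run it with a file path to triage a real sample, or with no arguments to see it parse the constructed header. A valid header only confirms the container format and the hashes only confirm identity with this specific sample; whether the document carries a VBA project is decided by the streams inside the container (the `Macros` storage), which needs a stream-level parser such as olefile/oletools rather than this header check.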
HeadingPairs: | |
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 297 |
Paragraphs: | 1 |
Lines: | 2 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 254 |
Words: | 44 |
Pages: | 1 |
ModifyDate: | 2019:11:12 14:18:00 |
CreateDate: | 2019:11:12 14:18:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | Lucien Hohnheiser |
Subject: | - |
Title: | Est quasi deleniti. |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2152 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\ARQUIVO 112019.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft Word | Version: 14.0.6024.1000 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA7D3.tmp.cvr | — | — | — |
2152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\507F666E.wmf | wmf | 3698146FD66506565A70EFC98F13CA64 | DE01659CFCD0EA000EC8F7251B6F3EE22BDD80BB2778876C9D23C6611B4C39B7 |
2152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\829F49E1.wmf | wmf | 663D37242EACE73CEDF89AF47919D2ED | 5A5B736A14E16A90FA2BF35AE63892E03CB79A6B82808B017ED9530EA09DE2C1 |
2152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9C2F139A.wmf | wmf | B3F05EFFF594A679302F8EE24D1BA2B3 | 4CEA9BEB60BFA867D9EEF532B081A1820C2CC847605F77D71BC69EA3D8316B4A |
2152 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 8B378DCC62035BBABEF8B1C2A131A338 | 7C1F83E56B3CF1632E1D1DDD8BFD13219F8133599041726FA2EA3FB98B22B275 |
2152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$QUIVO 112019.doc | pgc | BA1AF6B944BE48C8AB8DDEFD8DBAC726 | BE96DB2EF7373D9C92A16B1C1CCC1151DEC7A792881F40B8AF30D9E643C001E3 |
2152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\65BEDD86.wmf | wmf | 5204181254DBC6385B32C57FD60EBECF | 5751C64B8905CBA7DAA42A36EAA44766F294FC0A0D2C4BF868400BB8C2A4FC9F |
2152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\25E8AEB8.wmf | wmf | E1E09CD185CFFDB6683E838F40B64E5C | 318B55A5502A34CCD68D8A11D2D8276492308CFC9345D7259666779531BFE446 |
2152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\52D6ACBD.wmf | wmf | 7DF5DDA1A8E1B00241BE829CEDB56AB6 | 41F4772D4778EE70CACEF74D366FCEE8E309981E8401D894F63C68000154D988 |
2152 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\37138CAC.wmf | wmf | 2555A54141FB980239AAE296DD64012A | F67C8D0973D5A66AF69AA7F3616EF69887E75223986F1B06A9B071BBCDB1E395 |