File name: | 303537b71bdaf8a3cb504c80ab093e3787d3cf857675c00d2971947c223f3c8a.docx |
Full analysis: | https://app.any.run/tasks/500fdf88-df7e-4563-b5ec-7321e78df310 |
Verdict: | Malicious activity |
Analysis date: | October 20, 2020, 07:31:06 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | C5E49001239C0014FC99EE95AF679FE2 |
SHA1: | EC1C7433C6C869D32E6523504322DB24295BF251 |
SHA256: | 303537B71BDAF8A3CB504C80AB093E3787D3CF857675C00D2971947C223F3C8A |
SSDEEP: | 192:CtNCWUyn0i13pNXqkOcPiYFLwzvdX6Ptpwjnw+umHBC1nVV:aNxUyn0i13LROEiOLkX6Ujnw+3wnVV |
.docx | | | Word Microsoft Office Open XML Format document (52.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (38.8) |
.zip | | | ZIP compressed archive (8.8) |
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0006 |
ZipCompression: | Deflated |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCRC: | 0x6cd2a4df |
ZipCompressedSize: | 346 |
ZipUncompressedSize: | 1312 |
ZipFileName: | [Content_Types].xml |
Template: | Normal.dotm |
---|---|
TotalEditTime: | - |
Pages: | 1 |
Words: | - |
Characters: | 5 |
Application: | Microsoft Office Word |
DocSecurity: | None |
Lines: | 1 |
Paragraphs: | 1 |
ScaleCrop: | No |
Company: | - |
LinksUpToDate: | No |
CharactersWithSpaces: | 5 |
SharedDoc: | No |
HyperlinksChanged: | No |
AppVersion: | 15 |
Keywords: | - |
LastModifiedBy: | HP 15 |
RevisionNumber: | 3 |
CreateDate: | 2018:03:07 09:39:00Z |
ModifyDate: | 2018:03:07 09:39:00Z |
Title: | - |
---|---|
Subject: | - |
Creator: | HP 15 |
Description: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3072 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\303537b71bdaf8a3cb504c80ab093e3787d3cf857675c00d2971947c223f3c8a.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3432 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3844 | "C:\Users\Public\vbc.exe" | C:\Users\Public\vbc.exe | — | EQNEDT32.EXE |
User: admin Company: AsIaNHaWk™ Creations Integrity Level: MEDIUM Description: PAYROLL MANAGEMENT SOFTWARE Version: 3.0.0.0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3072 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4FF9.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3072 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{510D738C-8536-4FD4-A636-E53E7DE7018A} | — | |
MD5:— | SHA256:— | |||
3072 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{C0EDDFF0-CE50-46DC-BD58-DDA769F4C97F} | — | |
MD5:— | SHA256:— | |||
3072 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:992FC7E4702CEA2F73299687C4C6E8DD | SHA256:FE2D0641A82AF16E5DF89B2A32E344F0F6C442BEE6A4CF1020B99E8394B0B7EB | |||
3072 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{50A5ECC6-543E-4273-AD81-178FB2C97943}.FSD | binary | |
MD5:9BF7E24BCE2D96553CA7AE6EA2D60A2B | SHA256:024B8DDCCFF64E32829328F877338966F70843B0035BC61A8209EF4BCBE6B81A | |||
3072 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$3537b71bdaf8a3cb504c80ab093e3787d3cf857675c00d2971947c223f3c8a.docx | pgc | |
MD5:015CC193E0A138EDBDFE007188099484 | SHA256:861446FC3578C688EFB12DF70FFFB275DFBCF2A34EDF39DDA63A394222DB892D | |||
3072 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | |
MD5:93935F17819B9C97A4D6732DB0CD581A | SHA256:87B710DBD8F048264F960C0FF5F98722366A6788A02E9FDFF7D54584903D06B3 | |||
3072 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary | |
MD5:6A5E4528FD2BA64F58CA23C238A9A169 | SHA256:56C420D3351D24ED01B3C910A78704F93AF5207701F7B810ADAC4F47962A705C | |||
3072 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary | |
MD5:C18D6E925272D97E13584517D9334C07 | SHA256:D89F7AD622B01DD9C739355A57C77797FE26C6254E318E3CBC47D8D8E94B7549 | |||
3432 | EQNEDT32.EXE | C:\Users\Public\vbc.exe | executable | |
MD5:5871F3BF9AABF95369A8EE932120D515 | SHA256:C3DE5922F4E95E6717F834954C2DB421D8F13F9EFAF42E43D6F25BB378A03E31 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
832 | svchost.exe | OPTIONS | 302 | 75.127.1.211:80 | http://75.127.1.211/ | US | — | — | suspicious |
3072 | WINWORD.EXE | HEAD | 200 | 75.127.1.211:80 | http://75.127.1.211/document_80454774.doc | US | — | — | suspicious |
3072 | WINWORD.EXE | OPTIONS | 302 | 75.127.1.211:80 | http://75.127.1.211/ | US | — | — | suspicious |
832 | svchost.exe | OPTIONS | 200 | 75.127.1.211:80 | http://75.127.1.211/dashboard/ | US | — | — | suspicious |
832 | svchost.exe | PROPFIND | 302 | 75.127.1.211:80 | http://75.127.1.211/ | US | — | — | suspicious |
832 | svchost.exe | PROPFIND | 302 | 75.127.1.211:80 | http://75.127.1.211/ | US | — | — | suspicious |
832 | svchost.exe | PROPFIND | 405 | 75.127.1.211:80 | http://75.127.1.211/dashboard/ | US | html | 328 b | suspicious |
3072 | WINWORD.EXE | HEAD | 200 | 75.127.1.211:80 | http://75.127.1.211/document_80454774.doc | US | text | 12.4 Kb | suspicious |
3072 | WINWORD.EXE | GET | 200 | 75.127.1.211:80 | http://75.127.1.211/document_80454774.doc | US | text | 12.4 Kb | suspicious |
832 | svchost.exe | PROPFIND | 302 | 75.127.1.211:80 | http://75.127.1.211/ | US | html | 328 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
832 | svchost.exe | 75.127.1.211:80 | — | ColoCrossing | US | suspicious |
3072 | WINWORD.EXE | 75.127.1.211:80 | — | ColoCrossing | US | suspicious |
3432 | EQNEDT32.EXE | 75.127.1.211:80 | — | ColoCrossing | US | suspicious |
PID | Process | Class | Message |
---|---|---|---|
3072 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request |
3072 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request |
3072 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Suspicious Request for Doc to IP Address with Terse Headers |
3072 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request |
3432 | EQNEDT32.EXE | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
3432 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
3432 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3432 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
3432 | EQNEDT32.EXE | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |