| File name | Purchase Order.doc |
|---|---|
| Full analysis | https://app.any.run/tasks/58b610d4-acb2-48e1-a723-ebe58c410611 |
| Verdict | Malicious activity |
| Analysis date | April 25, 2019, 13:03:43 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | text/rtf |
| File info | Rich Text Format data, unknown version |
| MD5 | 7B43485018C670A83B30C47CEF70DD15 |
| SHA1 | 1EBF17541A10DD9C66C3E21746CD719620CAD64A |
| SHA256 | 30ACA80B6B48F1479F83F7C046268D4F36EB46557A6CA61F5D23100AFD02B96B |
| SSDEEP | 6144:nMxPNRSdyh6mpKB76jI75HpU4LMMaVD+2:Kv |
| .rtf | Rich Text Format (100) |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2924 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Purchase Order.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | | explorer.exe |

| User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|
| admin | Microsoft Corporation | MEDIUM | Microsoft Word | 0 | 14.0.6024.1000 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2924 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRFB9E.tmp.cvr | — | — | — |
| 2924 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A7426C66-47BF-4348-A501-2C65FFE926F6}.tmp | — | — | — |
| 2924 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{DE6916ED-FD3C-4526-9553-7E90C7ABA4C1}.tmp | — | — | — |
| 2924 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{52E60BF2-A0B3-4D91-B5E4-F37E636C8F7A}.tmp | — | — | — |
| 2924 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | BA7B319390117FA84C6C59451D190B6E | 71415E5341283EAAF35AC141D68A99972E59C842590F1AE513B5A914CCC59FED |
| 2924 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\htamadu[1].hta | html | 50844AB2609E8DC366B7C060CBBBBA3A | 85FD37F76CC47EFAFAA309FC9A65955CCA5093D19B582281A0CC1A75C1B8C143 |
| 2924 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$rchase Order.doc.rtf | pgc | F8117171C9E8C9101548CEE475DFDC2C | 8F11E18C15182FE9921116EC0CDA57540C94134AAAE4613935F40FF4DA7EABF1 |
| 2924 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\js3[1].js | text | DB3CACFB57BA35D3FCFDBBCF7D46BD42 | A606134E35DB97024D04789609660C94F87F660DC259D91DB5180E32787D4DAD |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2924 | WINWORD.EXE | GET | 200 | 185.53.179.29:80 | http://dhm-mhn.com/sunday/htamadu.hta | DE | html | 918 b | malicious |
| 2924 | WINWORD.EXE | GET | 200 | 185.53.179.29:80 | http://parkingcrew.net/assets/scripts/js3.js | DE | text | 17.5 Kb | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2924 | WINWORD.EXE | 185.53.179.29:80 | dhm-mhn.com | Team Internet AG | DE | malicious |
| Domain | IP | Reputation |
|---|---|---|
| dhm-mhn.com | | malicious |
| parkingcrew.net | | whitelisted |
| PID | Process | Class | Message |
|---|---|---|---|
| 2924 | WINWORD.EXE | Potentially Bad Traffic | ET POLICY Possible HTA Application Download |
| 2924 | WINWORD.EXE | Attempted User Privilege Gain | ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl |