File name: | 337b473583d6fb70541ce94effac02e48543668ac85cd2bf8e59f316b1ed2424.docx |
Full analysis: | https://app.any.run/tasks/db71cb47-835f-4db2-bb10-7f2512351ffc |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | November 14, 2018, 07:02:41 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 1E95310AB93101CB6E72964517587858 |
SHA1: | F091916A106F7FE2E4F2A1B24E7F30BD8864E9CD |
SHA256: | 337B473583D6FB70541CE94EFFAC02E48543668AC85CD2BF8E59F316B1ED2424 |
SSDEEP: | 192:YkUt6ml9yMtWNIs0mqQTnhr5OuQT1QPP55qzKGbFTB8GoA6akkWvmA7:YkUl9yMtiIOLOuQT1QPDqzKMdIxmA7 |
.docx | | | Word Microsoft Office Open XML Format document (52.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (38.8) |
.zip | | | ZIP compressed archive (8.8) |
Creator: | Microsoft |
---|
ModifyDate: | 2017:09:24 17:27:00Z |
---|---|
CreateDate: | 2017:09:24 17:26:00Z |
RevisionNumber: | 1 |
LastModifiedBy: | Microsoft |
AppVersion: | 14 |
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 7 |
LinksUpToDate: | No |
Company: | SPecialiST RePack |
TitlesOfParts: | - |
HeadingPairs: |
|
ScaleCrop: | No |
Paragraphs: | 1 |
Lines: | 1 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 7 |
Words: | 1 |
Pages: | 1 |
TotalEditTime: | 1 minute |
Template: | dotm.dotm |
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 1422 |
ZipCompressedSize: | 358 |
ZipCRC: | 0x82872409 |
ZipModifyDate: | 2018:11:13 14:59:18 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0002 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3636 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\337b473583d6fb70541ce94effac02e48543668ac85cd2bf8e59f316b1ed2424.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2980 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
2088 | "C:\Users\admin\AppData\Roaming\config.exe" | C:\Users\admin\AppData\Roaming\config.exe | — | EQNEDT32.EXE |
User: admin Company: Unfireproof Integrity Level: MEDIUM Description: Enantiomorphously Exit code: 0 Version: 1.09 | ||||
3200 | C:\Users\admin\AppData\Roaming\config.exe" | C:\Users\admin\AppData\Roaming\config.exe | — | config.exe |
User: admin Company: Unfireproof Integrity Level: MEDIUM Description: Enantiomorphously Exit code: 0 Version: 1.09 | ||||
384 | "C:\Windows\System32\cmmon32.exe" | C:\Windows\System32\cmmon32.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Connection Manager Monitor Version: 7.02.7600.16385 (win7_rtm.090713-1255) | ||||
3340 | /c del "C:\Users\admin\AppData\Roaming\config.exe" | C:\Windows\System32\cmd.exe | — | cmmon32.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1772 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
656 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\Firefox.exe | cmmon32.exe | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 61.0.2 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3636 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3256.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3636 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{333D0C73-56CC-41B9-A6D8-B92B48F85650} | — | |
MD5:— | SHA256:— | |||
3636 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{0F93D533-5919-499C-889C-762C01FF3409} | — | |
MD5:— | SHA256:— | |||
3636 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AA76F632.doc | — | |
MD5:— | SHA256:— | |||
3636 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{E3550006-2EEB-46A2-B6E5-CC1EDB3FEEA2}.FSD | binary | |
MD5:ABF261F7599602D05F2B35EB481B1465 | SHA256:4A27B457EBBC1F69CE310AFC07868E01F8DE4F60C57F85E413607F644CF80A65 | |||
3636 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | |
MD5:0E4AA92D8B5A17E885FFA45E6DE9400A | SHA256:5029E19C6069C6083CAECE63C5A7F88D7EC1F3CF3D55740B48FBE1BCBF3E7779 | |||
3636 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:A4DC25B40AAEF92DCDE38C506EC93C7B | SHA256:E23A1AB7F6A3E45A91FB7675584C3AA1C13252B68A9E32AFCC33F21FA3324896 | |||
3636 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary | |
MD5:71FBF8D0C2F206C8C28A4F5CDA40585E | SHA256:9EDD6B017C2BA660A68425FB78AE5818B386F075845CD72170E8552470CAA331 | |||
3636 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary | |
MD5:81D6BC3B2A7443BEBCA339DB5074960F | SHA256:55254BBCC6F504EE8B2C150F8C46CE24D42427542D80E9AD57DB84A0BCBD08E6 | |||
3636 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$7b473583d6fb70541ce94effac02e48543668ac85cd2bf8e59f316b1ed2424.docx | pgc | |
MD5:DDEE8E9D404FF19AC1DFCFA86D5B3A09 | SHA256:65EF21409EBA6DCD3666831151928397ACCAA6363CFB6C898F8799B0DFBF4964 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3636 | WINWORD.EXE | OPTIONS | 200 | 199.192.22.214:80 | http://yawaop.com/ | US | — | — | malicious |
3636 | WINWORD.EXE | HEAD | 200 | 199.192.22.214:80 | http://yawaop.com/anna.doc | US | — | — | malicious |
964 | svchost.exe | PROPFIND | 405 | 199.192.22.214:80 | http://yawaop.com/ | US | html | 349 b | malicious |
964 | svchost.exe | OPTIONS | 200 | 199.192.22.214:80 | http://yawaop.com/ | US | — | — | malicious |
3636 | WINWORD.EXE | GET | 304 | 199.192.22.214:80 | http://yawaop.com/anna.doc | US | — | — | malicious |
3636 | WINWORD.EXE | HEAD | 200 | 199.192.22.214:80 | http://yawaop.com/anna.doc | US | — | — | malicious |
3636 | WINWORD.EXE | HEAD | 200 | 199.192.22.214:80 | http://yawaop.com/anna.doc | US | — | — | malicious |
964 | svchost.exe | PROPFIND | — | 199.192.22.214:80 | http://yawaop.com/ | US | — | — | malicious |
3636 | WINWORD.EXE | HEAD | 200 | 199.192.22.214:80 | http://yawaop.com/anna.doc | US | — | — | malicious |
3636 | WINWORD.EXE | GET | 304 | 199.192.22.214:80 | http://yawaop.com/anna.doc | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3636 | WINWORD.EXE | 199.192.22.214:80 | yawaop.com | — | US | malicious |
1772 | explorer.exe | 198.54.117.211:80 | www.runamokproductions.com | Namecheap, Inc. | US | malicious |
2980 | EQNEDT32.EXE | 88.99.211.112:80 | pmiec.com | Hetzner Online GmbH | DE | suspicious |
1772 | explorer.exe | 207.148.248.143:80 | www.portablestations.com | The Endurance International Group, Inc. | US | malicious |
964 | svchost.exe | 199.192.22.214:80 | yawaop.com | — | US | malicious |
Domain | IP | Reputation |
---|---|---|
yawaop.com |
| malicious |
pmiec.com |
| malicious |
www.portablestations.com |
| malicious |
www.runamokproductions.com |
| malicious |
www.bjtaiyan.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
3636 | WINWORD.EXE | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious DOC loader of embedded OLE from external source |
3636 | WINWORD.EXE | A Network Trojan was detected | MALWARE [PTsecurity] Possible RTF CVE-2017-11882 document |
3636 | WINWORD.EXE | Misc activity | SUSPICIOUS [PTsecurity] Possible RTF CVE-2017-11882 header |
2980 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
2980 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1772 | explorer.exe | A Network Trojan was detected | SC SPYWARE Trojan-Spy.Win32.Noon |
1772 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
1772 | explorer.exe | A Network Trojan was detected | SC SPYWARE Trojan-Spy.Win32.Noon |
1772 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET) |
1772 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST) |