File name: | 3461b78384c000e3396589280a34d871c1de3ae266334412202d4a6a85d02439.docx |
Full analysis: | https://app.any.run/tasks/369cbb9d-d76e-4cea-8a14-27877e3b1624 |
Verdict: | Malicious activity |
Analysis date: | March 31, 2020, 09:57:17 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 21898F725AE437DA880CC2F161700488 |
SHA1: | E83AA10CDA32442D405CFF5AFD94DFD0589C10A2 |
SHA256: | 3461B78384C000E3396589280A34D871C1DE3AE266334412202D4A6A85D02439 |
SSDEEP: | 12288:bPpryJVvvz6q85f21O3JP21jkL4ZByBR2/gNsMc:bBgvvz5Ez3JPFL4ZBFIC |
.docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
---|---|---|
.docx | | | Word Microsoft Office Open XML Format document (24.2) |
.zip | | | Open Packaging Conventions container (18) |
.zip | | | ZIP compressed archive (4.1) |
AppVersion: | 14 |
---|---|
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 11 |
LinksUpToDate: | No |
TitlesOfParts: | - |
HeadingPairs: | |
ScaleCrop: | No |
Paragraphs: | 1 |
Lines: | 1 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 11 |
Words: | 1 |
Pages: | 7 |
TotalEditTime: | - |
Template: | Normal.dotm |
ModifyDate: | 2020:03:02 11:58:00Z |
CreateDate: | 2020:02:27 14:34:00Z |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Creator: | - |
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 2010 |
ZipCompressedSize: | 482 |
ZipCRC: | 0xfefd9a9e |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3744 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\3461b78384c000e3396589280a34d871c1de3ae266334412202d4a6a85d02439.docx.docm" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3528 | cmd /c C:\BugExtended\32654_02032020\log022020.bat | C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3568 | cscript //nologo C:\BugExtended\23665_02032020\march022020.jse | C:\Windows\system32\cscript.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Version: 5.8.7600.16385 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3744 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR7A97.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3744 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFA02DCAFC9BA8ED25.TMP | — | |
MD5:— | SHA256:— | |||
3744 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF706134503E148383.TMP | — | |
MD5:— | SHA256:— | |||
3744 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFDB1EF66AFFED17CA.TMP | — | |
MD5:— | SHA256:— | |||
3744 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$61b78384c000e3396589280a34d871c1de3ae266334412202d4a6a85d02439.docx.docm | pgc | |
MD5:EED045D4A4AC7110CC2AA22882752F83 | SHA256:35F8E5F348D02B39970E5C045FFAB58CD98194332D34C8E8874E727D839447C6 | |||
3744 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:477916EFB88A373723F281B8A9BC2EA4 | SHA256:F8C4753F90B6CCCCFB7FC260ACCB0BA935A8E56898FCB3BBF10845FF3B8EE27B | |||
3744 | WINWORD.EXE | C:\BugExtended\23665_02032020\march022020.jse | text | |
MD5:E76C84B3E25207CCE5CDD85261692626 | SHA256:B03055674F84C5CD86FC9010C24B6BC738D4996A4E924B61F7F0F60DD714556B | |||
3744 | WINWORD.EXE | C:\BugExtended\32654_02032020\log022020.bat | text | |
MD5:ABD566353B284FD8284523D3052B870B | SHA256:D736F81569D40E7D6DCEA24DC66566FEC81500CBBA75B5E322B0646E90D636B0 | |||
3744 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:70D47E912B55338BF046E91F51EF1272 | SHA256:ADD8459853B9F2C833590565B86467F96B738E7152C853C0E7E152EB834713CA |