File name: | MAIL 11102019 OIQ962951.doc |
Full analysis: | https://app.any.run/tasks/25c24571-bf42-43c3-970f-3531d369ddb7 |
Verdict: | Malicious activity |
Threats: | Emotet. Originally a banking trojan, Emotet evolved into a modular loader that drops additional malware onto infected hosts. It is distributed mainly through large spam campaigns carrying malicious Office attachments, so corporate networks are its main target, although private users are infected by the same campaigns. |
Analysis date: | October 14, 2019, 13:32:42 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Cross-group, Subject: bluetooth, Author: Dan Vandervort, Keywords: deposit, Comments: Practical Soft Soap, Template: Normal.dotm, Last Saved By: Benny Cremin, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Oct 11 13:56:00 2019, Last Saved Time/Date: Fri Oct 11 13:56:00 2019, Number of Pages: 1, Number of Words: 29, Number of Characters: 170, Security: 0 |
MD5: | 3090FE323545B66E61B477B114DF2A31 |
SHA1: | A7E9EFF00D59801A6414FFAB426C34F51FF150B9 |
SHA256: | 39014551DDA02FFF41CDD3D076949414254E2605B3DF2D468E932C44420D4F98 |
SSDEEP: | 1536:rGTmkaHArkKPubsYwKjtrzu5rGFmRoHynvwMMITLxQOExrt:rGTmkqBKgdzSrG8KyIwLx3q |
Extension | Detected type | Confidence
---|---|---
.doc | Microsoft Word document | 54.2
.doc | Microsoft Word document (old ver.) | 32.2
Property | Value
---|---
Title | Cross-group
Subject | bluetooth
Author | Dan Vandervort
Keywords | deposit
Comments | Practical Soft Soap
Template | Normal.dotm
LastModifiedBy | Benny Cremin
RevisionNumber | 1
Software | Microsoft Office Word
TotalEditTime | -
CreateDate | 2019:10:11 12:56:00
ModifyDate | 2019:10:11 12:56:00
Pages | 1
Words | 29
Characters | 170
Security | None
CodePage | Windows Latin 1 (Western European)
Company | O'Conner, Luettgen and Mohr
Lines | 1
Paragraphs | 1
CharCountWithSpaces | 198
AppVersion | 16
ScaleCrop | No
LinksUpToDate | No
SharedDoc | No
HyperlinksChanged | No
TitleOfParts | -
HeadingPairs | -
Manager | Bartell
CompObjUserTypeLen | 32
CompObjUserType | Microsoft Word 97-2003 Document
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2572 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\MAIL 11102019 OIQ962951.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe

Details for PID 2572: User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA514.tmp.cvr | — | — | —
2572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\291CFD53.wmf | wmf | 2825584A9BB757A6821A3BE33AA1DDC8 | 5550B6CDE7121589DEDDA8D23F6ED15AD3AA5B148D1C4432847DA7C3C7A3BF41
2572 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | D3E45E9E34C71A48C10FD945E9620BAF | 6CC7603DD408465CD9F4E0ED479443E49C34BDBCC43DE9FD1A9A1A1B8185537F
2572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6E6E75D9.wmf | wmf | F35006474EDC6ACAA51EE91F33997A70 | D986E523C9D90FB49BF3FF5AA63E17DADAE4BBCFAEC0D4AEBC61C17617F1B9C3
2572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | 0246535078BEFDD3E164ED0A8FAE578B | 672B58B9109AEBF0D15B6BF6C6636ED9A1DC005A127DE567462E88AA3147DEA5
2572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A7F04B3D.wmf | wmf | 2AEE60CC31193BFFF3E4DCF491991BF8 | D09F76110E0C51177AA9993B5DA905F1A15A1BE730D6A4DF017BDA843C67D555
2572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\54135C35.wmf | wmf | E75A42EE7B3EC419C70BE4B827339CED | 700EC5E7CF351E861D3DC65B7DE7CC7BDD63CB69769A49BDAB72632C8D13382F
2572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$IL 11102019 OIQ962951.doc | pgc | 8A3338ADD004C6928BFB8636AA5853E4 | 7989252CE0F70870B91180CF2223DDA28D4F7408BB9573C571B426D1814B99F0
2572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9E23201A.wmf | wmf | 87A64792ED4C59BCB461C1AC480136FB | BE55C3AB34B101242528886161842327F6F1D056149323D897FE7188D63EAFAD
2572 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A017D404.wmf | wmf | 6AD74227AE157AA526AB14C90D723C34 | 7712EA445C89B9E544A5D355A3C9AB2F36653CD66AF3F8FFA09B66CC68BE6B6C
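The process table above contains a single process, WINWORD.EXE parented by explorer.exe, with no child process, and the file activity is limited to Word's own housekeeping: owner lock files (`~$...`), cached WMF images under Content.MSO, a crash-recovery `.cvr` file, and `Word8.0\MSForms.exd`, the type-library cache Word writes when it loads MSForms controls. The MSForms write is consistent with the document carrying a VBA UserForm, but nothing in this run shows a macro payload executing: no shell or script interpreter was spawned. The script below is an added example (it is not ANY.RUN's code) that encodes the two checks an analyst applies to such a run: an Office-host-spawns-interpreter rule over the process tree, and a classifier over the written paths. The event records are constructed from the report; the explorer.exe PID (not given in the report) and the extra powershell.exe event used to show the rule firing are hypothetical.

```python
"""Triage checks for an Office-document sandbox run (added example, not ANY.RUN code).

Check 1: process-tree rule. Alert when an Office host process (Word, Excel,
         PowerPoint) spawns a shell or script interpreter.
Check 2: file-activity classifier over the paths the Office process wrote,
         so benign housekeeping artifacts are named rather than eyeballed.
"""
from dataclasses import dataclass
import ntpath

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


@dataclass(frozen=True)
class FileEvent:
    pid: int
    path: str
    ftype: str      # type label as the sandbox reports it ("wmf", "pgc", ...)


def office_spawn_alerts(events):
    """Return (parent_pid, child_pid, child_image) for every Office -> interpreter launch."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue                          # parent not in the trace (e.g. explorer's own parent)
        child = ntpath.basename(e.image).lower()
        if ntpath.basename(parent.image).lower() in OFFICE_HOSTS and child in INTERPRETERS:
            alerts.append((parent.pid, e.pid, child))
    return alerts


def classify_file_artifact(path):
    """Label a path written by Word; 'other' is what an analyst should look at by hand."""
    base = ntpath.basename(path).lower()
    if base.startswith("~$"):
        return "owner-lock"                   # Word's document/template lock file
    if base == "msforms.exd":
        return "msforms-typelib"              # MSForms control type-library cache
    if "\\content.mso\\" in path.lower() and base.endswith(".wmf"):
        return "embedded-image-cache"         # rendered images from the document body
    if base.endswith(".cvr"):
        return "crash-report"                 # Office crash-recovery temp file
    return "other"


def summarize_file_events(events):
    """Count file events per artifact class."""
    counts = {}
    for e in events:
        label = classify_file_artifact(e.path)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed from the report above. PID 1000 for explorer.exe is a placeholder:
# the report does not give explorer's PID.
REPORT_PROCS = [
    ProcEvent(1000, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2572, 1000, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n '
              r'"C:\Users\admin\AppData\Local\Temp\MAIL 11102019 OIQ962951.doc"'),
]

# Hypothetical extra event (NOT in the report) to show what a firing rule looks like.
HYPOTHETICAL_PROCS = REPORT_PROCS + [
    ProcEvent(3000, 2572, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -WindowStyle Hidden"),
]

_CONTENT_MSO = r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO"
REPORT_FILES = [
    FileEvent(2572, r"C:\Users\admin\AppData\Local\Temp\CVRA514.tmp.cvr", "-"),
    FileEvent(2572, _CONTENT_MSO + r"\291CFD53.wmf", "wmf"),
    FileEvent(2572, r"C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm", "pgc"),
    FileEvent(2572, _CONTENT_MSO + r"\6E6E75D9.wmf", "wmf"),
    FileEvent(2572, r"C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd", "tlb"),
    FileEvent(2572, _CONTENT_MSO + r"\A7F04B3D.wmf", "wmf"),
    FileEvent(2572, _CONTENT_MSO + r"\54135C35.wmf", "wmf"),
    FileEvent(2572, r"C:\Users\admin\AppData\Local\Temp\~$IL 11102019 OIQ962951.doc", "pgc"),
    FileEvent(2572, _CONTENT_MSO + r"\9E23201A.wmf", "wmf"),
    FileEvent(2572, _CONTENT_MSO + r"\A017D404.wmf", "wmf"),
]

if __name__ == "__main__":
    print("report run alerts:      ", office_spawn_alerts(REPORT_PROCS))
    print("hypothetical run alerts:", office_spawn_alerts(HYPOTHETICAL_PROCS))
    print("file artifact classes:  ", summarize_file_events(REPORT_FILES))
```

Run against the report's own events the rule stays silent and every written file falls into a known housekeeping class, which is the point: an empty process tree under Word is not a clean verdict, only the absence of observed execution, and the `msforms-typelib` hit is the one artifact that justifies pulling the document apart statically rather than relying on this run. Only a path that classifies as `other` or an entry in the alert list would change the triage priority.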