File name: | Order #2019.docx |
Full analysis: | https://app.any.run/tasks/46b4dbde-9c7b-4bc9-b82a-02c423aa0353 |
Verdict: | Malicious activity |
Analysis date: | January 10, 2019, 16:00:10 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 58831C68BA9840CEA8F4153908C1539A |
SHA1: | 1744079CB823FD7868D5B03AF09B5C0A5D7C4D6B |
SHA256: | 3BB2F75972F176B56C56852E0C22EEA860E2CBC28782300937CC297E4EB6D84B |
SSDEEP: | 3072:et7lL2mrdFADYhDFc8rpKSvNYbWRDzUyRBelYc3nTMSFm9d+tlKSvG6s:C7lCAdFkYhDFBxvqyRmTMSFmfSm |
.docx | | | Word Microsoft Office Open XML Format document (52.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (38.8) |
.zip | | | ZIP compressed archive (8.8) |
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 1364 |
ZipCompressedSize: | 351 |
ZipCRC: | 0x2ea8411c |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2976 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Order #2019.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR907E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoC098.tmp | — | |
MD5:— | SHA256:— | |||
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{D702C08D-DE70-4047-994E-359584A4982E} | — | |
MD5:— | SHA256:— | |||
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{FFAB94D9-D4AC-40C9-B11F-43D024A3BC41} | — | |
MD5:— | SHA256:— | |||
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\674759DE.jpeg | — | |
MD5:— | SHA256:— | |||
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary | |
MD5:37DC6D269B693BC159AEEFBB4FA7123C | SHA256:1253E387CAED441507B463430CB0CA0D4AA3CF9DE1EA22FDC29FA539F2BD5C29 | |||
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary | |
MD5:C6D6DBE9007A44A947E2EAB853BC2E23 | SHA256:59D6F7879A7492FA93CF2DDF65DCFD55042168819BB4DDCEF8B3F560C5447244 | |||
2976 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:5A1AC50DEFFE3ADEEC3C1C6B7CE515EE | SHA256:A05624EE45E532E271EC27383128A22E6F3E19C02D9EF83102D437F8C9A16589 | |||
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{B03BC8B5-2D5C-4681-80D7-B3F36E91493D}.FSD | binary | |
MD5:B0C8F48C58A9D16D8DB5EE2D39CAAEC6 | SHA256:9FF71C65718A4C495B2E0048463F960EC85C7746398286C9876416074A328057 | |||
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$der #2019.docx | pgc | |
MD5:7DFE0354290C3C24299C69EAF4C9DAF2 | SHA256:B648E89B7F9702A9D58FC6DC978ECF7A4F4FE99AB9E268C8EF78B427F30AD3E7 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2976 | WINWORD.EXE | HEAD | 500 | 76.72.173.69:80 | http://stomnsco.com/cgi/updating.doc | US | — | — | malicious |
2976 | WINWORD.EXE | OPTIONS | 500 | 76.72.173.69:80 | http://stomnsco.com/cgi/ | US | html | 7.14 Kb | malicious |
976 | svchost.exe | OPTIONS | 500 | 76.72.173.69:80 | http://stomnsco.com/cgi | US | html | 7.14 Kb | malicious |
2976 | WINWORD.EXE | GET | 500 | 76.72.173.69:80 | http://stomnsco.com/cgi/updating.doc | US | html | 7.14 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
976 | svchost.exe | 76.72.173.69:80 | stomnsco.com | Database by Design, LLC | US | malicious |
2976 | WINWORD.EXE | 76.72.173.69:80 | stomnsco.com | Database by Design, LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
stomnsco.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2976 | WINWORD.EXE | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious DOC loader of embedded OLE from external source |