File name: | 3c3f80349a8961b90b5accf15ae38bf2d288112f5f0dddafe50364a2f31586cd.docx |
Full analysis: | https://app.any.run/tasks/f60983d4-a480-4ab2-b9e2-f4f28bea7a40 |
Verdict: | Malicious activity |
Analysis date: | January 23, 2019, 03:35:52 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | B40A6F6E74C9891589386D44416499D3 |
SHA1: | B46135437AB4BE3C68E0B1D3CDDF9A65737865DF |
SHA256: | 3C3F80349A8961B90B5ACCF15AE38BF2D288112F5F0DDDAFE50364A2F31586CD |
SSDEEP: | 6144:PfIoQYitHI4yJ3KcRxbd7qbF6Be4wHfWIUY4AEof0NmHkc15W3tfM:RQzi4ydKcRlVIF+e4wtx45o8Nckc1idM |
.docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
---|---|---|
.docx | | | Word Microsoft Office Open XML Format document (24.2) |
.zip | | | Open Packaging Conventions container (18) |
.zip | | | ZIP compressed archive (4.1) |
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0006 |
ZipCompression: | Deflated |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCRC: | 0x3f450766 |
ZipCompressedSize: | 399 |
ZipUncompressedSize: | 1503 |
ZipFileName: | [Content_Types].xml |
Template: | Normal |
---|---|
TotalEditTime: | 3.3 hours |
Pages: | 1 |
Words: | 19 |
Characters: | 117 |
Application: | Microsoft Office Word |
DocSecurity: | None |
Lines: | 1 |
Paragraphs: | 1 |
ScaleCrop: | No |
HeadingPairs: |
|
TitlesOfParts: | - |
Company: | - |
LinksUpToDate: | No |
CharactersWithSpaces: | 135 |
SharedDoc: | No |
HyperlinksChanged: | No |
AppVersion: | 16 |
Keywords: | - |
LastModifiedBy: | Peter Šinaľ |
RevisionNumber: | 18 |
CreateDate: | 2019:01:14 14:12:00Z |
ModifyDate: | 2019:01:22 13:34:00Z |
Title: | - |
---|---|
Subject: | - |
Creator: | Peter Šinaľ |
Description: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2976 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\3c3f80349a8961b90b5accf15ae38bf2d288112f5f0dddafe50364a2f31586cd.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3164 | "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401 | C:\Windows\system32\verclsid.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Extension CLSID Verification Host Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2876 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\3c3f80349a8961b90b5accf15ae38bf2d288112f5f0dddafe50364a2f31586cd.docm" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE95A.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{822D647E-E416-4006-992F-C560E9589ABF}.tmp | — | |
MD5:— | SHA256:— | |||
2876 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR88E6.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2876 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$3f80349a8961b90b5accf15ae38bf2d288112f5f0dddafe50364a2f31586cd.docm | pgc | |
MD5:641345F4562491BB7B9686CA92300F98 | SHA256:E3C16B5F08C5C853D2451247561230FA65B7BA575AFBD0A794E8B7120FAE8707 | |||
2976 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:633EDCAF70A08EA4C8F9489679EF5BF4 | SHA256:446A4274C3E9935A40A0EA6332996E3ABECA0B7D59EB8A541F56397F29158E6E | |||
2976 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$3f80349a8961b90b5accf15ae38bf2d288112f5f0dddafe50364a2f31586cd.docx | pgc | |
MD5:D6A1715433EA949ACC28AC28D6670E4C | SHA256:72929A507FBC6EB531EE5CD28E9CAE9EC940BD3B5599366541C4FD24B6C88920 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2876 | WINWORD.EXE | POST | — | 95.129.96.209:443 | http://sensei.tns.cz:443/ | CZ | — | — | suspicious |
2876 | WINWORD.EXE | POST | — | 95.129.96.209:443 | http://sensei.tns.cz:443/ | CZ | — | — | suspicious |
2876 | WINWORD.EXE | POST | — | 95.129.96.209:443 | http://sensei.tns.cz:443/ | CZ | — | — | suspicious |
2876 | WINWORD.EXE | POST | — | 95.129.96.209:443 | http://sensei.tns.cz:443/ | CZ | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2876 | WINWORD.EXE | 95.129.96.209:443 | sensei.tns.cz | FASTER CZ spol. s r.o. | CZ | suspicious |
Domain | IP | Reputation |
---|---|---|
sensei.tns.cz |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
2876 | WINWORD.EXE | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
2876 | WINWORD.EXE | Potentially Bad Traffic | SC BAD_UNKNOWN Empty URI to non-standard port |
2876 | WINWORD.EXE | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
2876 | WINWORD.EXE | Potentially Bad Traffic | SC BAD_UNKNOWN Empty URI to non-standard port |
2876 | WINWORD.EXE | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
2876 | WINWORD.EXE | Potentially Bad Traffic | SC BAD_UNKNOWN Empty URI to non-standard port |
2876 | WINWORD.EXE | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
2876 | WINWORD.EXE | Potentially Bad Traffic | SC BAD_UNKNOWN Empty URI to non-standard port |