File name: | DHL Delivery Details#4567421.doc |
Full analysis: | https://app.any.run/tasks/4e981b87-6958-4349-96af-8a8a5e29a28e |
Verdict: | Malicious activity |
Analysis date: | April 25, 2019, 14:06:07 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, unknown version |
MD5: | 5068F4828F9D43E3EB3DD965FF6156F2 |
SHA1: | 08EA0578F4800895BC20C26ED47498118B42E32C |
SHA256: | 3CD88E25D985AE6B7BCD8A4D605C99E46D9C67372C40D56AF2310E0DE40DA112 |
SSDEEP: | 3072:Tr3gC3qJvn7+aJQqOqwTKDLlFh7DdW15VR:Tr3g+qJv7+ajoTKbh7DdW15VR |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3012 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\DHL Delivery Details#4567421.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR5872.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9AF68221-616F-4522-BDCF-64654666E807}.tmp | — | |
MD5:— | SHA256:— | |||
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{300BFEF4-91C6-4A9A-99CC-F2C5430229BB}.tmp | — | |
MD5:— | SHA256:— | |||
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{70C157DD-E8A6-4CB5-BC8E-F2A214E30655}.tmp | — | |
MD5:— | SHA256:— | |||
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\js3[1].js | text | |
MD5:DB3CACFB57BA35D3FCFDBBCF7D46BD42 | SHA256:A606134E35DB97024D04789609660C94F87F660DC259D91DB5180E32787D4DAD | |||
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$L Delivery Details#4567421.doc.rtf | pgc | |
MD5:F4E328931664F04AC601B65288267F4A | SHA256:91A80DB60E364A088E74EF67CA2B411E39D0502378837B2857A83002A094B94D | |||
3012 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:03F75A861CC10AD1C3318BEB891B725B | SHA256:7EBE4AE513B230A4E93B55D5C5B1A8281E935A6A42B38FA33B58EA5B73980E58 | |||
3012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\htaebus[1].hta | html | |
MD5:322EA08FD7583B6350E03E2E0EE4C53A | SHA256:DDAAFFBF54B1755A73ED24E9DBD6E99F1E5EBCF0B99954B9B943293876BF0C30 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3012 | WINWORD.EXE | GET | 200 | 185.53.179.29:80 | http://parkingcrew.net/assets/scripts/js3.js | DE | text | 17.5 Kb | whitelisted |
3012 | WINWORD.EXE | GET | 200 | 185.53.179.29:80 | http://dhm-mhn.com/htaebus.hta | DE | html | 914 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3012 | WINWORD.EXE | 185.53.179.29:80 | dhm-mhn.com | Team Internet AG | DE | malicious |
Domain | IP | Reputation |
---|---|---|
dhm-mhn.com |
| malicious |
parkingcrew.net |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3012 | WINWORD.EXE | Potentially Bad Traffic | ET POLICY Possible HTA Application Download |
3012 | WINWORD.EXE | Attempted User Privilege Gain | ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl |