File name: | The University of Texas at Tyler Shared Document.docx |
Full analysis: | https://app.any.run/tasks/68c11d0e-fe61-4a8c-a49f-0bfa7bfe019d |
Verdict: | Malicious activity |
Analysis date: | March 21, 2019, 20:01:01 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 39E6B238E3ABDD48507337C0C2344A84 |
SHA1: | 8C48B8A67C43169E06C86B121A40007A32FD47A2 |
SHA256: | 406CB9DB6069F65BB8011AFE747ED6F8F6C04A9BFD48C588044AC4056FA87F71 |
SSDEEP: | 6144:SpCX2M3UQ0KRgZupngVOsVPTlA1qmgIDOBGefB:c0EJkgomrV7uxfeZ |
.docx | | | Word Microsoft Office Open XML Format document (52.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (38.8) |
.zip | | | ZIP compressed archive (8.8) |
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0006 |
ZipCompression: | Deflated |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCRC: | 0x1dbbefa3 |
ZipCompressedSize: | 357 |
ZipUncompressedSize: | 1362 |
ZipFileName: | [Content_Types].xml |
Title: | - |
---|---|
Creator: | JUSTIN MONTAGE |
LastModifiedBy: | laurie victoria |
---|---|
RevisionNumber: | 2 |
LastPrinted: | 2018:04:09 16:12:00Z |
CreateDate: | 2019:03:20 17:57:00Z |
ModifyDate: | 2019:03:20 17:57:00Z |
Template: | Normal.dotm |
TotalEditTime: | - |
Pages: | 1 |
Words: | - |
Characters: | 1 |
Application: | Microsoft Office Word |
DocSecurity: | None |
Lines: | 1 |
Paragraphs: | 1 |
ScaleCrop: | No |
HeadingPairs: |
|
TitlesOfParts: | - |
Company: | Hewlett-Packard |
LinksUpToDate: | No |
CharactersWithSpaces: | 1 |
SharedDoc: | No |
HyperlinksChanged: | No |
AppVersion: | 16 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3480 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\The University of Texas at Tyler Shared Document.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3720 | "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding | C:\Program Files\Internet Explorer\iexplore.exe | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3716 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3720 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3124 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /o /eo /l /b /id 3716 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | iexplore.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe Acrobat Reader DC Exit code: 0 Version: 15.23.20070.215641 | ||||
3276 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /o /eo /l /b /id 3716 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | iexplore.exe | |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe Acrobat Reader DC Version: 15.23.20070.215641 | ||||
2376 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /o /eo /l /b /id 3716 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | AcroRd32.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe Acrobat Reader DC Version: 15.23.20070.215641 | ||||
2320 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | AcroRd32.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe RdrCEF Version: 15.23.20053.211670 | ||||
3776 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="2320.0.1443847330\734181424" --allow-no-sandbox-job /prefetch:673131151 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Exit code: 0 Version: 15.23.20053.211670 | ||||
3992 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="2320.1.658503697\220164311" --allow-no-sandbox-job /prefetch:673131151 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Version: 15.23.20053.211670 | ||||
3256 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="2320.2.1684406801\154422440" --allow-no-sandbox-job /prefetch:673131151 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Version: 15.23.20053.211670 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3480 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR716.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3720 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
3720 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
3480 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF5468EF0A3EA62FA1.TMP | — | |
MD5:— | SHA256:— | |||
3480 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\index[1].htm | html | |
MD5:48513A134120AD39B55AFB0C530C6C18 | SHA256:BC5C753CC7A7D4B0CCB70B461A7B09057FED27F5B7ABE7AE84255A589AFE4404 | |||
3480 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$e University of Texas at Tyler Shared Document.docx | pgc | |
MD5:91C5A6596C8E6F84437D8BC32C952267 | SHA256:DFE4BB5BA758EC8A5653F4E62F640868508CD923F63208338D09892DAFD12277 | |||
3716 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\TJUQFCCI\index[1].htm | html | |
MD5:48513A134120AD39B55AFB0C530C6C18 | SHA256:BC5C753CC7A7D4B0CCB70B461A7B09057FED27F5B7ABE7AE84255A589AFE4404 | |||
3716 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:51C53891B51A6F74A4FEB83F3D7C5340 | SHA256:34043EAA7479ABD05131EDD6477C0058925BE65D31A8C98193C20B30C97B0BDC | |||
3480 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:7C45A5BCA47C2C12B85AF435A8FF8FB0 | SHA256:1B6BEADCFAF6F3B81CCAD48373544305399C5B159F46075D45014E981435FD58 | |||
3716 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4K6SNV6C\5cfd9308c50e4f8ae9[1].js | text | |
MD5:8FB305233393B0515B3C707F1FF70286 | SHA256:66931E0018716A290916FC0DD8C0B27F61BC9EBF7AF61FD1C9CCD85F8334B72B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3716 | iexplore.exe | GET | 200 | 204.152.207.69:80 | http://thefbnews.ga/ty/files/oflog.png | US | image | 63.4 Kb | suspicious |
3716 | iexplore.exe | GET | 200 | 204.152.207.69:80 | http://thefbnews.ga/ty/files/5cfd9308c50e4f8ae9.js | US | text | 54.8 Kb | suspicious |
3716 | iexplore.exe | GET | 404 | 204.152.207.69:80 | http://thefbnews.ga/ty/files/whoami | US | html | 332 b | suspicious |
3480 | WINWORD.EXE | GET | 200 | 204.152.207.69:80 | http://thefbnews.ga/ty/index.php | US | html | 5.29 Kb | suspicious |
3716 | iexplore.exe | GET | 200 | 204.152.207.69:80 | http://thefbnews.ga/ty/index.php | US | html | 5.29 Kb | suspicious |
3716 | iexplore.exe | GET | 200 | 138.201.253.3:80 | http://urlvalidation.com/whoami?jsonp=func10098 | DE | text | 57 b | malicious |
3716 | iexplore.exe | GET | 200 | 204.152.207.69:80 | http://thefbnews.ga/ty/files/offff.png | US | image | 10.6 Kb | suspicious |
3716 | iexplore.exe | GET | 200 | 204.152.207.69:80 | http://thefbnews.ga/ty/files/bac.jpg | US | image | 32.4 Kb | suspicious |
3716 | iexplore.exe | GET | 200 | 204.152.207.69:80 | http://thefbnews.ga/ty/files/lnkr5.js | US | text | 5.55 Kb | suspicious |
3716 | iexplore.exe | GET | 200 | 204.152.207.69:80 | http://thefbnews.ga/ty/files/wrdd.png | US | image | 6.37 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3720 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3480 | WINWORD.EXE | 204.152.207.69:80 | thefbnews.ga | QuadraNet, Inc | US | suspicious |
3716 | iexplore.exe | 204.152.207.69:80 | thefbnews.ga | QuadraNet, Inc | US | suspicious |
3716 | iexplore.exe | 138.201.253.3:80 | urlvalidation.com | Hetzner Online GmbH | DE | suspicious |
3716 | iexplore.exe | 91.199.212.52:80 | crt.usertrust.com | Comodo CA Ltd | GB | suspicious |
3720 | iexplore.exe | 204.152.207.69:80 | thefbnews.ga | QuadraNet, Inc | US | suspicious |
3276 | AcroRd32.exe | 2.18.233.74:443 | armmf.adobe.com | Akamai International B.V. | — | whitelisted |
3716 | iexplore.exe | 104.214.68.202:443 | www.uttyler.edu | Microsoft Corporation | US | unknown |
3716 | iexplore.exe | 64.58.121.60:80 | lancheck.net | Servers.com, Inc. | US | malicious |
— | — | 2.18.233.74:443 | armmf.adobe.com | Akamai International B.V. | — | whitelisted |
Domain | IP | Reputation |
---|---|---|
thefbnews.ga |
| suspicious |
www.bing.com |
| whitelisted |
lancheck.net |
| malicious |
urlvalidation.com |
| malicious |
www.uttyler.edu |
| unknown |
crt.usertrust.com |
| whitelisted |
armmf.adobe.com |
| whitelisted |
acroipm2.adobe.com |
| whitelisted |
ardownload2.adobe.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .ga Domain |
3716 | iexplore.exe | A Network Trojan was detected | SUSPICIOUS [PTsecurity] Successful PDF Online Phishing |
3716 | iexplore.exe | Potentially Bad Traffic | ET INFO HTTP POST Request to Suspicious *.ga Domain |