| Field | Value |
|---|---|
| File name | IHD - FWO Projs in HQ 10 Corps AOR(1).doc |
| Full analysis | https://app.any.run/tasks/77829126-d28f-449b-9a52-a8293180f361 |
| Verdict | Malicious activity |
| Analysis date | September 19, 2019, 11:32:28 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v1.0 to extract |
| MD5 | E6781972CCE05CD304D7A173CBA00BA4 |
| SHA1 | 18A375128547930449F648F48B6F4CD88E8C98BF |
| SHA256 | 484A690D74020596FBA828A5C1F49294FF50BAE0B3556F217C6FC8815E13B5F1 |
| SSDEEP | 768:Xv3X8FhcmG66wUgiqi2I60uia5hB2PTyz+N2HR+VNyAtBVIb/f2WeksO0QCmzXnp:XnDwjii3Xz+N2HcNLITeTO0+ |

| Extension | Identified type |
|---|---|
| .docx | Word Microsoft Office Open XML Format document (52.2) |
| .zip | Open Packaging Conventions container (38.8) |
| .zip | ZIP compressed archive (8.8) |

| Field | Value |
|---|---|
| ZipRequiredVersion | 10 |
| ZipBitFlag | - |
| ZipCompression | None |
| ZipModifyDate | 2019:08:10 00:53:08 |
| ZipCRC | 0x00000000 |
| ZipCompressedSize | - |
| ZipUncompressedSize | - |
| ZipFileName | _rels/ |

| Field | Value |
|---|---|
| Template | F268BFCE.tmp |
| TotalEditTime | - |
| Pages | 1 |
| Words | 1 |
| Characters | 6 |
| Application | Microsoft Office Word |
| DocSecurity | None |
| Lines | 1 |
| Paragraphs | 1 |
| ScaleCrop | No |
| HeadingPairs | |
| TitlesOfParts | - |
| LinksUpToDate | No |
| CharactersWithSpaces | 6 |
| SharedDoc | No |
| HyperlinksChanged | No |
| AppVersion | 12 |
| LastModifiedBy | - |
| RevisionNumber | 1 |
| CreateDate | 2019:08:07 10:59:00Z |
| ModifyDate | 2019:08:10 07:53:00Z |
| Creator | - |

| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2752 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\IHD - FWO Projs in HQ 10 Corps AOR(1).doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | | explorer.exe |
| 3368 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | | svchost.exe |

| PID | User | Company | Integrity Level | Description | Version | Exit code |
|---|---|---|---|---|---|---|
| 2752 | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 14.0.6024.1000 | — |
| 3368 | admin | Design Science, Inc. | MEDIUM | Microsoft Equation Editor | 00110900 | 0 |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2752 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR89E5.tmp.cvr | — | — | — |
| 2752 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\mso8CDA.tmp | — | — | — |
| 2752 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{28958136-E5F3-4C3D-A345-84A56E182BC4} | — | — | — |
| 2752 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{B103B0B9-0555-42EB-A1C4-51B8639E9768} | — | — | — |
| 2752 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\wbluikiiy.tyy | — | — | — |
| 2752 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$D - FWO Projs in HQ 10 Corps AOR(1).doc | pgc | F19DBC76FEE38A7D4007BD87C3F67FF3 | 06C8C3E8BA15AFA7CB090859CB8A98728158CB432B9C5806D095C86ABA7811E8 |
| 2752 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{D6DCA2AC-8110-4B95-9DB2-30BAF2A2B780}.FSD | binary | 657F1F3DCAE7538127392C4BA5A5908C | D31A1467F0D022DB29CD033BF5F2BC9E0C366CF9ED132D285BA601765EFA252F |
| 2752 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\sev | binary | 51D0E8A3E46560B5E341A683A31F735A | D9713DB35643A5EE98005846ECB22F22A7F61D4CEAEE483E5F7895B12372C657 |
| 2752 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D32E6209.tmp | text | C4943A239C484B9D593DCDFD248A26D5 | 746B2A03A6413F97B66FC96C3E12204488F13F0C4B2255BEE427B54291A9A639 |
| 2752 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 54FC8FD0E5CA55F2CD08D5F0BD2CA9FB | CCA462EECDA9073151737A161BF8C950B84ADDA620189C324E950EA2CD8A82B7 |

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2752 | WINWORD.EXE | OPTIONS | 200 | 178.62.188.63:80 | http://en-content.com/SecurityM/ | NL | — | — | suspicious |
| 984 | svchost.exe | PROPFIND | 301 | 178.62.188.63:80 | http://en-content.com/SecurityM | NL | html | 240 b | suspicious |
| 984 | svchost.exe | PROPFIND | 301 | 178.62.188.63:80 | http://en-content.com/SecurityM | NL | html | 240 b | suspicious |
| 984 | svchost.exe | OPTIONS | 200 | 178.62.188.63:80 | http://en-content.com/SecurityM/ | NL | html | 240 b | suspicious |
| 2752 | WINWORD.EXE | HEAD | 200 | 178.62.188.63:80 | http://en-content.com/SecurityM/DFILE | NL | — | — | suspicious |
| 2752 | WINWORD.EXE | HEAD | 200 | 178.62.188.63:80 | http://en-content.com/SecurityM/DFILE | NL | text | 1.11 Mb | suspicious |
| 984 | svchost.exe | OPTIONS | 301 | 178.62.188.63:80 | http://en-content.com/SecurityM | NL | html | 240 b | suspicious |
| 984 | svchost.exe | PROPFIND | 405 | 178.62.188.63:80 | http://en-content.com/SecurityM/ | NL | html | 236 b | suspicious |
| 2752 | WINWORD.EXE | GET | 200 | 178.62.188.63:80 | http://en-content.com/SecurityM/DFILE | NL | text | 1.11 Mb | suspicious |
| 984 | svchost.exe | PROPFIND | 405 | 178.62.188.63:80 | http://en-content.com/SecurityM/ | NL | html | 236 b | suspicious |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2752 | WINWORD.EXE | 178.62.188.63:80 | en-content.com | Digital Ocean, Inc. | NL | suspicious |
| 984 | svchost.exe | 178.62.188.63:80 | en-content.com | Digital Ocean, Inc. | NL | suspicious |

| Domain | IP | Reputation |
|---|---|---|
| en-content.com | | suspicious |

| PID | Process | Class | Message |
|---|---|---|---|
| 2752 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Possible RTF File With Obfuscated Version Header |