Field | Value |
---|---|
File name | sample.doc |
Full analysis | https://app.any.run/tasks/585a4d08-007b-46df-b866-ce8fa1cfddc9 |
Verdict | Malicious activity |
Analysis date | August 12, 2022, 14:29:44 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
MIME | application/octet-stream |
File info | Microsoft OOXML |
MD5 | 52945AF1DEF85B171870B31FA4782E52 |
SHA1 | 06727FFDA60359236A8029E0B3E8A0FD11C23313 |
SHA256 | 4A24048F81AFBE9FB62E7A6A49ADBD1FAF41F266B5F9FEECDCEB567AEC096784 |
SSDEEP | 192:AEhM7fIUU09264wptGheab8h7Z/c+8poF1d3jvvtl59rGxjPQDasYBcG7h+:AqWfIz092hwLGAabkcfa7pr1lzyxjPQ9 |
Extension | Identification (confidence) |
---|---|
.docx | Word Microsoft Office Open XML Format document (52.2) |
.zip | Open Packaging Conventions container (38.8) |
.zip | ZIP compressed archive (8.8) |
ZIP entry field | Value |
---|---|
ZipRequiredVersion | 20 |
ZipBitFlag | - |
ZipCompression | Deflated |
ZipModifyDate | 2022:05:26 23:08:07 |
ZipCRC | 0x6cd2a4df |
ZipCompressedSize | 340 |
ZipUncompressedSize | 1312 |
ZipFileName | [Content_Types].xml |
Document property | Value |
---|---|
Template | Normal |
TotalEditTime | - |
Pages | 1 |
Words | - |
Characters | - |
Application | Microsoft Office Word |
DocSecurity | None |
Lines | - |
Paragraphs | - |
ScaleCrop | No |
Company | - |
LinksUpToDate | No |
CharactersWithSpaces | - |
SharedDoc | No |
HyperlinksChanged | No |
AppVersion | 16 |
Keywords | - |
LastModifiedBy | KIS2 |
RevisionNumber | 3 |
CreateDate | 2022:05:25 13:14:00Z |
ModifyDate | 2022:05:25 13:14:00Z |
Title | - |
Subject | - |
Creator | KIS2 |
Description | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1448 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\sample.doc.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | Explorer.EXE |

User: admin. Company: Microsoft Corporation. Integrity level: MEDIUM. Description: Microsoft Word. Version: 14.0.6024.1000.

The sample was submitted as sample.doc but identified as an OOXML package, so the sandbox opened it as sample.doc.docx in Word 2010 (14.0). WINWORD.EXE is the only process recorded; no child process appears in the tree.
PID | Process | Operation | Key | Name | Value |
---|---|---|---|---|---|
1448 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | l(3 | 6C283300A8050000010000000000000000000000 |
1448 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | Off |
1448 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1041 | Off |
1448 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1046 | Off |
1448 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1036 | Off |
1448 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1031 | Off |
1448 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1040 | Off |
1448 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1049 | Off |
1448 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 3082 | Off |
1448 | WINWORD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1042 | Off |

All of these keys are written by Word itself during startup (crash-resiliency tracking under Resiliency\StartupItems and language-resource enumeration under EnabledLanguages); none of them is a persistence entry created by the document.
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
1448 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9CDD.tmp.cvr | — | — | — |
1448 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{62F4B119-88DA-4478-82A1-19B48194A8AC} | binary | 2BDF721F52C5C1384CD19AEEADC20DA7 | B8D8725C3C8B747878792953A345B185A96569B32407A31D53C78C29B97B69B2 |
1448 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{3B690B64-10E6-40A4-94C0-7C2E79DC9883} | binary | 71FB35DCA699443CD375CC0926E81641 | D227DCF63C8CAA6C55F6252358EB60FFB322D628C48DBDAA3B6105BA0C2C60D2 |
1448 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | D2232D7D7255D896578588604E19A8B0 | 8CFA012DDD8EC220855639B9F805DFF8774ABB4B3C2C0D321A2CD0D8B946691D |
1448 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary | 2BDF721F52C5C1384CD19AEEADC20DA7 | B8D8725C3C8B747878792953A345B185A96569B32407A31D53C78C29B97B69B2 |
1448 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$mple.doc.docx | pgc | 3D2FF67165F68A8D7E444EF914C40557 | AFBB413D5DD2B59AA546225AB27127328CEBEF98F06649815FB45FD728860E7C |
1448 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{E10C60CE-F0EC-49E8-BA6A-3933755745B7}.FSD | binary | F2110D9032A426B91DD08D0B7AF5004B | 308245CBBC2736BA5E1E099E0A02E68C1171C5D402BFC14B01F488EAF7E53937 |
1448 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | 71FB35DCA699443CD375CC0926E81641 | D227DCF63C8CAA6C55F6252358EB60FFB322D628C48DBDAA3B6105BA0C2C60D2 |
1448 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{C1CEFA32-CB22-471D-A00A-F1F66DB7D83B}.FSD | binary | 7F9C662C463B99C72470C64440DFEC9F | 821BF00859841D5C91C0DF353FA75DEE0C349B74A75CBCB75A73E0FE31937FD8 |
1448 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary | D471A0BB5F0B8A9AC834E0172491B7F9 | 418B6AE0A39787583DCD77DA0ED040F8C3DDA03410E71D04C235EE6E736F298F |

Every file listed is Word housekeeping: the `~$` owner lock files, the `.cvr` crash-recovery temp file and the Office file cache. The two GUID-named files in Local\Temp carry the same hashes as the two FSD-CNRY.FSD cache files, so they are copies of the cache canary rather than dropped content. No payload was written to disk in the recorded run.
Domain | IP | Reputation |
---|---|---|
www.xmlformats.com | | malicious |
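The report identifies the file statically (OPC container, [Content_Types].xml entry metadata, docProps) and then records WINWORD.EXE resolving an external domain with no child process and no dropped payload. The natural follow-up is to look inside the package for the relationship that names a remote resource, since that is where a Word document declares anything it fetches on open. The script below is an added example, not part of the ANY.RUN report and not code from the analysed sample: it builds a minimal .docx in memory (constructed; the template hostname is a placeholder, not an indicator from this report, and the creator/revision/AppVersion values merely mirror the report's docProps so the same fields come back out), then recovers hashes, ZIP entry metadata for [Content_Types].xml, core/app properties and every `TargetMode="External"` relationship.

```python
"""Static triage of an OOXML (.docx) package: file hashes, the ZIP entry
metadata of [Content_Types].xml, docProps core/app properties, and every
relationship whose TargetMode is "External" (the place a Word document
declares a remote resource it will fetch on open). Added example; the
package built below is constructed in memory and is not the analysed sample."""
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
}
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Constructed sample package. The settings part attaches a remote template via
# an external relationship; the hostname is a placeholder, not an indicator from
# the report. Creator/revision/AppVersion mirror the report's docProps only to
# show that the parser recovers the same fields.
SAMPLE_PARTS = {
    "[Content_Types].xml": (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/></Types>'),
    "_rels/.rels": (
        f'<Relationships xmlns="{NS["rel"]}"><Relationship Id="rId1" '
        f'Type="{R}/officeDocument" Target="word/document.xml"/></Relationships>'),
    "docProps/core.xml": (
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" xmlns:dcterms="{NS["dcterms"]}">'
        "<dc:creator>KIS2</dc:creator><cp:lastModifiedBy>KIS2</cp:lastModifiedBy><cp:revision>3</cp:revision>"
        "<dcterms:created>2022-05-25T13:14:00Z</dcterms:created>"
        "<dcterms:modified>2022-05-25T13:14:00Z</dcterms:modified></cp:coreProperties>"),
    "docProps/app.xml": (
        f'<Properties xmlns="{NS["ep"]}"><Template>Normal</Template><Pages>1</Pages>'
        "<Application>Microsoft Office Word</Application><DocSecurity>0</DocSecurity>"
        "<AppVersion>16.0000</AppVersion></Properties>"),
    "word/document.xml": f'<w:document xmlns:w="{W}"><w:body><w:p/></w:body></w:document>',
    "word/_rels/document.xml.rels": (
        f'<Relationships xmlns="{NS["rel"]}"><Relationship Id="rId1" '
        f'Type="{R}/settings" Target="settings.xml"/></Relationships>'),
    "word/settings.xml": (
        f'<w:settings xmlns:w="{W}" xmlns:r="{R}"><w:attachedTemplate r:id="rId1"/></w:settings>'),
    "word/_rels/settings.xml.rels": (
        f'<Relationships xmlns="{NS["rel"]}"><Relationship Id="rId1" Type="{R}/attachedTemplate" '
        'Target="http://template.example.invalid/t.dotm" TargetMode="External"/></Relationships>'),
}


def build_sample_docx() -> bytes:
    """Zip the constructed parts with Deflate, as the analysed sample was stored."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in SAMPLE_PARTS.items():
            zf.writestr(name, xml)
    return buf.getvalue()


def triage(blob: bytes) -> dict:
    """Return hashes, OOXML identification, docProps and external relationship targets."""
    info = {"md5": hashlib.md5(blob).hexdigest(), "sha256": hashlib.sha256(blob).hexdigest()}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
        # Every OPC container carries [Content_Types].xml; its presence separates an
        # OOXML document from a plain .zip when MIME sniffing only says octet-stream.
        info["is_ooxml"] = "[Content_Types].xml" in names
        if info["is_ooxml"]:
            zi = zf.getinfo("[Content_Types].xml")
            info["content_types_entry"] = {
                "compression": {0: "Stored", 8: "Deflated"}.get(zi.compress_type, str(zi.compress_type)),
                "compressed_size": zi.compress_size, "uncompressed_size": zi.file_size,
                "crc": f"0x{zi.CRC:08x}", "modify_date": zi.date_time}
        props = {}
        if "docProps/core.xml" in names:
            core = ET.fromstring(zf.read("docProps/core.xml"))
            for tag in ("dc:creator", "cp:lastModifiedBy", "cp:revision", "dcterms:created", "dcterms:modified"):
                el = core.find(tag, NS)
                props[tag.split(":")[1]] = None if el is None else el.text
        if "docProps/app.xml" in names:
            app = ET.fromstring(zf.read("docProps/app.xml"))
            for tag in ("Application", "AppVersion", "Template", "Pages", "DocSecurity"):
                el = app.find(f"ep:{tag}", NS)
                props[tag] = None if el is None else el.text
        info["properties"] = props
        # *.rels parts declare links between parts; TargetMode="External" marks a URL
        # that Word may fetch when the document opens (template, OLE object, hyperlink).
        external = []
        for name in (n for n in names if n.endswith(".rels")):
            for rel in ET.fromstring(zf.read(name)).findall("rel:Relationship", NS):
                if rel.get("TargetMode") == "External":
                    external.append({"part": name, "type": rel.get("Type", "").rsplit("/", 1)[-1],
                                     "target": rel.get("Target")})
        info["external_relationships"] = external
    return info
```

Run `triage(open("sample.doc", "rb").read())` against the real file to see whether the domain in the report is declared as an external relationship target; `triage(build_sample_docx())` shows the shape of the output on the constructed package, with one `attachedTemplate` relationship pointing at the placeholder host. A hyperlink or OLE relationship shows up the same way, so the `type` field is what distinguishes a template fetched silently on open from a link the user has to click.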