File name: | NoticeXofXCourtXFilingXXX29910-25664-00.rtf |
Full analysis: | https://app.any.run/tasks/12f68ce4-5f5d-47d3-9160-f4a0cd9e2ea5 |
Verdict: | Malicious activity |
Analysis date: | March 21, 2019, 14:41:36 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Template: Normal, Last Saved By: Suzanne Mifsud, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Thu Mar 21 00:45:00 2019, Last Saved Time/Date: Thu Mar 21 00:46:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0 |
MD5: | 0FDD82EEC9C2215CE7868E7B7B83DD55 |
SHA1: | 97BBE25D9C9D6293B203CF332ADDC2C67C525EF0 |
SHA256: | 5A381D00EF24AE2BD13C5851311AD821BEF058D18631F87BB51A91936DA29A21 |
SSDEEP: | 384:R+F8iSsqdg1vA9c4bqJaiIwKyAmp6UMGrpA0j3kG59T4tZw:R+S+1o91UxNd6UMQeIkG7D |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | - |
Paragraphs: | - |
Lines: | - |
Bytes: | 11000 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | - |
Words: | - |
Pages: | 1 |
ModifyDate: | 2019:03:21 00:46:00 |
CreateDate: | 2019:03:21 00:45:00 |
TotalEditTime: | 1.0 minutes |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | Suzanne Mifsud |
Template: | Normal |
Comments: | - |
Keywords: | - |
Author: | - |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2208 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\NoticeXofXCourtXFilingXXX29910-25664-00.rtf.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2208 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR93EA.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2208 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\NoticeXofXCourtXFilingXXX29910-25664-00.rtf.doc.LNK | — | |
MD5:— | SHA256:— | |||
2208 | WINWORD.EXE | C:\Users\admin\Desktop\~$ticeXofXCourtXFilingXXX29910-25664-00.rtf.doc | pgc | |
MD5:7027CC1A8FD2DA8A7DB3B0BDB1E85425 | SHA256:E81C9A62D18C85E9B855D18BEF6DCD72B61D7B552ABF746C57AD8F7F78BD83C5 | |||
2208 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:FBC8F1C32B2CC13BF81CECC3CD229306 | SHA256:76E838D600B34FFD13587978AD9D5EEAB70BD32CF8A584543770779D49F59BEB | |||
2208 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:AD74B06AF8A2FE0626DFCCB4896EE18F | SHA256:D471745C154E8949E438C020E6C527C31877EC1308D87602C18DF2B022A4F02E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2208 | WINWORD.EXE | GET | — | 50.63.202.91:80 | http://awdmiami.com/srt/ooo.exe | US | — | — | malicious |
2208 | WINWORD.EXE | GET | — | 50.63.202.91:80 | http://awdmiami.com/ONKSZ/srt/ooo.exe | US | — | — | malicious |
2208 | WINWORD.EXE | GET | — | 50.63.202.91:80 | http://awdmiami.com/srt/ooo.exe | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2208 | WINWORD.EXE | 50.63.202.91:80 | awdmiami.com | GoDaddy.com, LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
awdmiami.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2208 | WINWORD.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
2208 | WINWORD.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |