Field | Value |
---|---|
File name | Zeskanowany_dokument-9983653-18-09-2019(1).doc |
Full analysis | https://app.any.run/tasks/564d0f6d-af48-4676-ae8c-e7d51314e5ed |
Verdict | Malicious activity |
Threats | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims, but even private users get infected in mass spam email campaigns. |
Analysis date | September 19, 2019, 12:14:45 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | - |
MIME | application/msword |
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Down-sized, Subject: Berkshire, Author: Ryleigh Rodriguez, Comments: Operations Cambridgeshire, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Sep 18 07:22:00 2019, Last Saved Time/Date: Wed Sep 18 07:22:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0 |
MD5 | BBC81A42114835B2A6EE504E7B050793 |
SHA1 | AE4FD83B66823E2CA159CCF32E38BC2AD6DA0E7D |
SHA256 | 6B809D22892E58C1A222ED140906D44869BBE10756B8D57AF8907229C49E1DDA |
SSDEEP | 6144:mPqZiq86MofT1K82zw1qWaWPLkIp7NSU4jJntATfDL:mPqZiq86MofT1K82zw1qWaEXp7NSU4Vo |
Extension | Description |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
Property | Value |
---|---|
CompObjUserType | Microsoft Word 97-2003 Document |
CompObjUserTypeLen | 32 |
Manager | Reilly |
HeadingPairs | - |
TitleOfParts | - |
HyperlinksChanged | No |
SharedDoc | No |
LinksUpToDate | No |
ScaleCrop | No |
AppVersion | 16 |
CharCountWithSpaces | 641 |
Paragraphs | 1 |
Lines | 4 |
Company | Huel, Nienow and Stehr |
CodePage | Windows Latin 1 (Western European) |
Security | None |
Characters | 547 |
Words | 95 |
Pages | 1 |
ModifyDate | 2019:09:18 06:22:00 |
CreateDate | 2019:09:18 06:22:00 |
TotalEditTime | - |
Software | Microsoft Office Word |
RevisionNumber | 1 |
LastModifiedBy | - |
Template | Normal.dotm |
Comments | Operations Cambridgeshire |
Keywords | - |
Author | Ryleigh Rodriguez |
Subject | Berkshire |
Title | Down-sized |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3000 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Zeskanowany_dokument-9983653-18-09-2019(1).doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
Process 3000 details: User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3000 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRAC13.tmp.cvr | — | — | — |
3000 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4EE2FE80.wmf | wmf | 4609BF8554CB32D063F37171D7BAE478 | FE80411C066E2380B4B7B56FF300C28FB2DDAC549EF6C8D115219E44C93B41B5 |
3000 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F1E0E337.wmf | wmf | 1B6E196535F371F21CE9011806CF9C56 | EB7221C54B76290DBB8E962CB3C10A4F69CB2093C5FF8D1EE92687C8646523F0 |
3000 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | 2F4D676B7BA49B05F123ED7961CC827D | 8735931E672320038066E93003A31E26920BBF7C21ADAF1BF6E545DDDD9158ED |
3000 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1D5B1365.wmf | wmf | 1A2C5846FDBB3EE8145258C4AAC904E0 | 688EE3468FA0EA5A5729F36669A1DBFCCE62DE84BCF0492B565061A1764E917E |
3000 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$skanowany_dokument-9983653-18-09-2019(1).doc | pgc | 7963D51BDE2AA0744C2E95F13E0C06CD | A0F29EC7D391F91E2A345B72E386B99596208A928B4D669FCF8C64752051A7AF |
3000 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 62F2DA178DD59EBA6B61EE250E55F925 | 8CF938206B83D51659082A32A71F3A9F077217F5A2E07A98541350C60245A244 |
3000 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D369688E.wmf | wmf | 8BC8DFCEB298E702BF9B025FED5168C5 | 2110F3551238A949DC92B6A3DBE7FE13C64D2672C0DA3D547EC08EA4850520E8 |
3000 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\335F9FF.wmf | wmf | 51EA3C4ACA7F04B3DB6CF71A1E84388F | 8FE120AC905129B55F0F00CE4E0EEE5A874B8F160AAF3089207C08E9E2C26D3F |
3000 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C8B8B076.wmf | wmf | AABF0BE179732C7EA576E54D4376BFD0 | D07AE2B5A2AC604EB315C30BC1F615814D5DB4AF1ADAB2C1E20FE71ED5275DD8 |