Property | Value |
---|---|
File name | 738e7f8d70bac3f69c628a8a545bdce5decacb7fcb9f43ddeaf48af9c6eb1c63.doc |
Full analysis | https://app.any.run/tasks/255c7ada-6d99-464a-81d1-14e2615dbc24 |
Verdict | Malicious activity |
Analysis date | October 19, 2020, 23:51:28 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/msword |
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Oct 13 18:13:00 2020, Last Saved Time/Date: Mon Oct 19 14:52:00 2020, Number of Pages: 1, Number of Words: 127541, Number of Characters: 726986, Security: 0 |
MD5 | 4993777D3DD3930511C0C223B0396B50 |
SHA1 | C0FAA41859C8A24AD31F939C506FA0B9B5CBF895 |
SHA256 | 738E7F8D70BAC3F69C628A8A545BDCE5DECACB7FCB9F43DDEAF48AF9C6EB1C63 |
SSDEEP | 12288:G65z7Xg4JEg3XSThnkGeLdZZNc/2viqPvK5oWBa3sc09AWv55RSLCtTu/pI/pE:nw4r3XS96LdZZNT1/18AWvDQIa |
Extension | Detected type |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
Property | Value |
---|---|
Title | - |
Subject | - |
Author | - |
Keywords | - |
Comments | - |
Template | Normal.dotm |
LastModifiedBy | - |
RevisionNumber | 1 |
Software | Microsoft Office Word |
TotalEditTime | - |
CreateDate | 2020:10:13 17:13:00 |
ModifyDate | 2020:10:19 13:52:00 |
Pages | 1 |
Words | 127541 |
Characters | 726986 |
Security | None |
CodePage | Windows Cyrillic |
Company | - |
Lines | 6058 |
Paragraphs | 1705 |
CharCountWithSpaces | 852822 |
AppVersion | 16 |
ScaleCrop | No |
LinksUpToDate | No |
SharedDoc | No |
HyperlinksChanged | No |
TitleOfParts | - |
HeadingPairs | - |
CompObjUserTypeLen | 32 |
CompObjUserType | ???????? Microsoft Word 97-2003 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1544 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\738e7f8d70bac3f69c628a8a545bdce5decacb7fcb9f43ddeaf48af9c6eb1c63.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
576 | explorer.exe c:\programdata\ExelTrod.vbe | C:\Windows\explorer.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2536 | C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | C:\Windows\explorer.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3908 | "C:\Windows\System32\WScript.exe" "C:\ProgramData\ExelTrod.vbe" | C:\Windows\System32\WScript.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3880 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\benefitvideos.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
1632 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
1544 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3D8E.tmp.cvr | — | — | — |
3880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR2406.tmp.cvr | — | — | — |
1544 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | C1C67CF0B0C20528938523B8D0982EC8 | 27B9B160473265404935B036276B5F6D9318BAA022216E75E59796A0EB8C626E |
1544 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | E937A5A3EA05457A6A6B8D023D9E8F2C | E9110A5DB587C538C451D081DB7C2CAE3BECDDF4026964C19C99D7B36526A6C9 |
1544 | WINWORD.EXE | C:\programdata\ExelTrod.vbe | text | 468E8518492FBAE8754111EE61B2E410 | 8A5579850B8536D721A8CA1F9E9E51F36DEAF1E917668A221413C31EE912B21D |
1544 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$8e7f8d70bac3f69c628a8a545bdce5decacb7fcb9f43ddeaf48af9c6eb1c63.doc | pgc | A4B558FA235B06A40265DA55A68A7D71 | 50892D99379C3E0C1BB355F4F1EA695E193E01A47240BAE8F256AAC432E95769 |
3880 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Document Building Blocks\1042\14\Built-In Building Blocks.dotx | document | F0D6D1BDCAE8509261C4627473FD1622 | A7E9C3CC87CEBF7EB59483B283224779D4EC58BCA5A584EBF5DA9A2E0648AA10 |
3880 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Document Building Blocks\1046\14\Built-In Building Blocks.dotx | document | 68B53CF5E326BAAF22DE050B10EF6E37 | 7FE75B4EF4BD4C0AF67B2B1326FA6134AC7B1F67217A2F9CC78A6E73029B1F25 |
3880 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Document Building Blocks\1049\14\Built-In Building Blocks.dotx | document | 871A3FF92041EF7A471ABF7CAA27F266 | E18A2500381F238440784A216C6D0796BB86B79F602FFA83B7181AB8C193C196 |
3880 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Document Building Blocks\1040\14\Built-In Building Blocks.dotx | document | B39C6349338EDE041D9AEA6EB3CD5B78 | E897AAD31EEA5A446554C1EE5E0F993A854EAC3B63C1083CEB3BAA80FD51086D |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3880 | WINWORD.EXE | GET | 404 | 52.109.76.6:80 | http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={019C826E-445A-4649-A5B0-0BF08FCC4EEE}&build=14.0.6023 | IE | xml | 341 b | whitelisted |
3880 | WINWORD.EXE | GET | 404 | 52.109.76.6:80 | http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={019C826E-445A-4649-A5B0-0BF08FCC4EEE}&build=14.0.6023 | IE | xml | 341 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3880 | WINWORD.EXE | 52.109.76.6:80 | office14client.microsoft.com | Microsoft Corporation | IE | whitelisted |
Domain | IP | Reputation |
---|---|---|
office14client.microsoft.com | | whitelisted |