File name: | Annex Report.docx |
Full analysis: | https://app.any.run/tasks/c1534581-e9df-4f09-ac2f-0ed54630286b |
Verdict: | Malicious activity |
Analysis date: | March 31, 2020, 07:04:00 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | F18579434F992841DCA918A6DE08A30A |
SHA1: | 02EE468B72C9DFBDB285D24A138FA9B417245D7C |
SHA256: | 786442436577C6AF7A61F7E4F1F8964907B53F6CAA551CEB1B3D582AFE77F1ED |
SSDEEP: | 192:9VSaw7yMtWNDP0mqQTnhr5OJQT1Q6P55pzUbFTB8GoA6aZkWCPK4yu:9VSaw7yMtiDBLOJQT1Q6DpzSdlQPK4yu |
.docx | Word Microsoft Office Open XML Format document (52.2) |
.zip | Open Packaging Conventions container (38.8) |
.zip | ZIP compressed archive (8.8) |
Creator: | Microsoft |
ModifyDate: | 2017:09:24 17:27:00Z |
CreateDate: | 2017:09:24 17:26:00Z |
RevisionNumber: | 1 |
LastModifiedBy: | Microsoft |
AppVersion: | 14 |
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 7 |
LinksUpToDate: | No |
Company: | SPecialiST RePack |
TitlesOfParts: | - |
HeadingPairs: | |
ScaleCrop: | No |
Paragraphs: | 1 |
Lines: | 1 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 7 |
Words: | 1 |
Pages: | 1 |
TotalEditTime: | 1 minute |
Template: | dotm.dotm |
ZipFileName: | [Content_Types].xml |
ZipUncompressedSize: | 1422 |
ZipCompressedSize: | 358 |
ZipCRC: | 0x82872409 |
ZipModifyDate: | 2018:10:07 14:11:06 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0002 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
660 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Annex Report.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | | explorer.exe |
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft Word | Version: 14.0.6024.1000 |
3244 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft Excel | Version: 14.0.6024.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6B16.tmp.cvr | — | |
MD5:— | SHA256:— | |||
660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{562FA5AD-96CB-429D-A0B0-F0E1BC425FFB} | — | |
MD5:— | SHA256:— | |||
660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{2C6F5959-9E24-4BA8-9D35-418B2CEBD75E} | — | |
MD5:— | SHA256:— | |||
660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D5C917BA.doc | — | |
MD5:— | SHA256:— | |||
660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4D10E7D8.doc | — | |
MD5:— | SHA256:— | |||
3244 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRD26B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | |
MD5:7C971EED052310252A39CB86EEC7BB28 | SHA256:2FFC0C17D8F7E41B53743517BA494E535D1C2CA5C7D9B580ACC7B61DCDCD084B | |||
660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$nex Report.docx | pgc | |
MD5:4B3B1DAD3034BAAA39EEF3109759FCDA | SHA256:884D69A12BF175790DB46D3D8A3543F300970BFB61CB86D9FBB07BECDAB7B88B | |||
660 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:AD0B5B1B6B82BB643D1F6014B3170A7D | SHA256:C963897B81CA00D5A7F3E288E2128F74DEA26D42A41B5E5FE63958E673C7F6B0 | |||
660 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary | |
MD5:01091E3B7B5ACC4D3CCB6E178AEA4ED2 | SHA256:EBC9EC95010C244FBB9FA7928DE0095B82D0B7F01BDF3F061CFBA14E6967EE0E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
660 | WINWORD.EXE | GET | 200 | 45.136.245.192:80 | http://office-cleaner-indexes.com/update.doc | unknown | text | 3.67 Mb | malicious |
660 | WINWORD.EXE | GET | 304 | 45.136.245.192:80 | http://office-cleaner-indexes.com/update.doc | unknown | text | 3.67 Mb | malicious |
660 | WINWORD.EXE | HEAD | 200 | 45.136.245.192:80 | http://office-cleaner-indexes.com/update.doc | unknown | — | — | malicious |
660 | WINWORD.EXE | OPTIONS | 200 | 45.136.245.192:80 | http://office-cleaner-indexes.com/ | unknown | — | — | malicious |
660 | WINWORD.EXE | HEAD | 200 | 45.136.245.192:80 | http://office-cleaner-indexes.com/update.doc | unknown | text | 3.67 Mb | malicious |
660 | WINWORD.EXE | HEAD | 200 | 45.136.245.192:80 | http://office-cleaner-indexes.com/update.doc | unknown | — | — | malicious |
660 | WINWORD.EXE | GET | 304 | 45.136.245.192:80 | http://office-cleaner-indexes.com/update.doc | unknown | text | 3.67 Mb | malicious |
660 | WINWORD.EXE | HEAD | 200 | 45.136.245.192:80 | http://office-cleaner-indexes.com/update.doc | unknown | text | 3.67 Mb | malicious |
660 | WINWORD.EXE | HEAD | 200 | 45.136.245.192:80 | http://office-cleaner-indexes.com/update.doc | unknown | — | — | malicious |
660 | WINWORD.EXE | HEAD | 200 | 45.136.245.192:80 | http://office-cleaner-indexes.com/update.doc | unknown | text | 3.67 Mb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
824 | svchost.exe | 45.136.245.192:80 | office-cleaner-indexes.com | — | — | unknown |
660 | WINWORD.EXE | 45.136.245.192:80 | office-cleaner-indexes.com | — | — | unknown |
Domain | IP | Reputation |
---|---|---|
office-cleaner-indexes.com | | malicious |