File name: | Paid_invoice_7458548.docm |
Full analysis: | https://app.any.run/tasks/4cb6c741-f399-47db-9744-060a9988f1bb |
Verdict: | Malicious activity |
Analysis date: | August 13, 2019, 18:16:09 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | C26002DBC985A645CE07F49FD13098FD |
SHA1: | 3F35CB2C1707A56FCC9B78E4FFE0979B9B634B33 |
SHA256: | 801724CB0DC05E2AF52F443AC053B01BAEE289935B1B840DC961E4D833E7DF29 |
SSDEEP: | 3072:daRAsxdGSIyyPhOHq8Abxg4Qp9UoeidhFEDnP0KxAjDZAeeEh8d98e4crDyREOea:d4AGTyPtXbxg3GoemhCzP0Ku3yeey8UR |
.docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
---|---|---|
.docx | | | Word Microsoft Office Open XML Format document (24.2) |
.zip | | | Open Packaging Conventions container (18) |
.zip | | | ZIP compressed archive (4.1) |
Creator: | - |
---|
ModifyDate: | 2019:08:09 11:47:00Z |
---|---|
CreateDate: | 2019:07:08 09:55:00Z |
RevisionNumber: | 1 |
LastModifiedBy: | - |
AppVersion: | 15 |
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 790502 |
LinksUpToDate: | No |
Company: | - |
TitlesOfParts: | - |
HeadingPairs: |
|
ScaleCrop: | No |
Paragraphs: | 1581 |
Lines: | 5615 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 673862 |
Words: | 118221 |
Pages: | 90 |
TotalEditTime: | - |
Template: | Normal.dotm |
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 2535 |
ZipCompressedSize: | 463 |
ZipCRC: | 0x53898b0b |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1404 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Paid_invoice_7458548.docm" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3988 | "C:\Windows\System32\cmd.exe" /c"c:\users\admin\appdata\roaming\microsoft\word\startup\zzs .jse" | C:\Windows\System32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2388 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\appdata\roaming\microsoft\word\startup\zzs .jse" | C:\Windows\System32\WScript.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 | ||||
2324 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (1404) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | -/a |
Value: 2D2F61007C050000010000000000000000000000 | |||
(PID) Process: | (1404) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (1404) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (1404) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | WORDFiles |
Value: 1326252062 | |||
(PID) Process: | (1404) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1326252176 | |||
(PID) Process: | (1404) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1326252177 | |||
(PID) Process: | (1404) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
Operation: | write | Name: | MTTT |
Value: 7C0500001CB8BD370352D50100000000 | |||
(PID) Process: | (1404) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | f0a |
Value: 663061007C05000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (1404) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | delete value | Name: | f0a |
Value: 663061007C05000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (1404) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1404 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE71D.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1404 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AF232567.png | — | |
MD5:— | SHA256:— | |||
1404 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3AFF7B75-2BD4-49DA-9830-8AA3F39CA801}.tmp | — | |
MD5:— | SHA256:— | |||
1404 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E4F61B9C-DD79-437D-ABE0-541894B65532}.tmp | — | |
MD5:— | SHA256:— | |||
1404 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2E89DAC8-475D-408E-B4C4-DE1F89AB52A2}.tmp | — | |
MD5:— | SHA256:— | |||
1404 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{ACE35CEA-C28B-467A-A2E6-DABC3C1D6C04}.tmp | — | |
MD5:— | SHA256:— | |||
1404 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:E564A6D6459A6CB0E3CE1F3C14FC8E1F | SHA256:CC2E410900E011B16448B0B13D5493307DB568A24AAF225842F7C8128E98F70A | |||
1404 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$id_invoice_7458548.docm | pgc | |
MD5:F6424F9681C46CB8FA47A8BFD5E59D73 | SHA256:673A8E80FC309F6BD91A332C5581DE8CD3B56D71B6E2FC787521444CF82B7F14 | |||
1404 | WINWORD.EXE | C:\users\admin\appdata\roaming\microsoft\word\startup\zzs .jse | text | |
MD5:8A35FDC9436A3C2B78005BD10D96A54D | SHA256:23DBA732B6DD25EC6D293DCFB4C8C8A6A9A69431CBB95C1EF9485170EF296D6E | |||
1404 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex | text | |
MD5:F3B25701FE362EC84616A93A45CE9998 | SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 |