File name: | trojan_EvilDoc-IcedID.doc |
Full analysis: | https://app.any.run/tasks/252a33fd-c663-402f-a963-dead7203fc3a |
Verdict: | Malicious activity |
Analysis date: | June 27, 2022, 12:15:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 4A88E83B325AA23DA1E4BFA90B4F7C34 |
SHA1: | 06F6DE4F48DBD69D8F8DD5FF1A33A8EEFFC94BAD |
SHA256: | 822A8E3DFA14CD7AAAC749DC0515C35CF20632717E191568BA5DAF137DB7EC17 |
SSDEEP: | 3072:Ek8KJXyyyyyyyyyyyyyyyyyyy09JWQZs2wQ6I1W9m0N27L0Or1h0j6k+:EAJXyyyyyyyyyyyyyyyyyyy0vlZsXDIr |
.docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
---|---|---|
.docx | | | Word Microsoft Office Open XML Format document (24.2) |
.zip | | | Open Packaging Conventions container (18) |
.zip | | | ZIP compressed archive (4.1) |
AppVersion: | 14 |
---|---|
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 35 |
LinksUpToDate: | No |
Company: | - |
TitlesOfParts: | - |
HeadingPairs: |
|
ScaleCrop: | No |
Paragraphs: | 1 |
Lines: | 1 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 31 |
Words: | 5 |
Pages: | 2 |
TotalEditTime: | - |
Template: | Normal.dotm |
ModifyDate: | 2020:05:19 12:23:00Z |
CreateDate: | 2020:05:11 15:09:00Z |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Creator: | - |
---|---|
Title: | - |
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 1863 |
ZipCompressedSize: | 479 |
ZipCRC: | 0xa80c5040 |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3064 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\trojan_EvilDoc-IcedID.doc.docm" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Explorer.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1372 | C:\1\Whole\PFSDNSKDF.EXE | C:\1\Whole\PFSDNSKDF.EXE | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft SI/PSI parser for MPEG2 based networks. Version: 6.6.7601.17669 (win7sp1_gdr.110816-1502) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3064 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4BF1.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3064 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:D84FAB43953E7B63E96C2918B0240ECE | SHA256:6EB9B4CDDCEDCD95B521144819B0216FDE5C95372B9F5908D33F47A95C2DE58D | |||
3064 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:5176404908C3AC0990D2789ADD512AEF | SHA256:18BD16173DC8D991E5F5DBEE1A9DE1A805477152C637C7A482DD20CE03F880C5 | |||
3064 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$ojan_EvilDoc-IcedID.doc.docm | pgc | |
MD5:58D07B9BFCC3C31CDABCB061AE0ACE45 | SHA256:B8B1CE205D31260E1D62254798D92CB638C04881F2D6063855E379C396049567 | |||
3064 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\58169506.wmf | image | |
MD5:06D376F2B60912A61FBFBF77C04D018A | SHA256:4D023DE0C9F1BBA9D6E4FF1B45C5DCBB4732769BEE295E0F7A2B406B7DC01FAE | |||
3064 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8EEDA1A3-65BA-41F8-8E20-9D7E0C6AD7EF}.tmp | smt | |
MD5:2C387924EF7B6BFCF56E19EC45D9811E | SHA256:0E8D078E2F8E50D21611BD82585B84F77277F278F98BE33D9FCFCBD89CC0D218 | |||
3064 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5E59DA38.wmf | image | |
MD5:3EE3DBB80AB8A06CAF51CB67AAF66C48 | SHA256:410B4B4AE1191816B6FFBD3F97C866D806B1CAA3D02799CE2480F3EA10584E17 | |||
3064 | WINWORD.EXE | C:\1\Whole\PFSDNSKDF.EXE | executable | |
MD5:4C9C6B5B6DAA25B8DC274DD78FBC1AAA | SHA256:EE9FD78107CDCAFFC274CF2484D6C74C56C7F3BE39B1896894D9525506118D1E | |||
3064 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E6FA64D9.dat | image | |
MD5:42F3585D333FAEE5C435DF37883A54C7 | SHA256:C4CAE3542DA5BA4F30A89591EEF07ED634C8334321D611E619B8A7CBC3CC792D |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1372 | PFSDNSKDF.EXE | 104.125.72.97:443 | support.apple.com | Akamai Technologies, Inc. | NL | unknown |
1372 | PFSDNSKDF.EXE | 104.90.192.50:443 | www.intel.com | Akamai Technologies, Inc. | NL | suspicious |
Domain | IP | Reputation |
---|---|---|
support.apple.com |
| whitelisted |
www.intel.com |
| whitelisted |