Field | Value
---|---|
File name | Receipt(998).docm
Full analysis | https://app.any.run/tasks/a2db28dd-41c0-4429-86eb-a510bc4c502f
Verdict | Malicious activity
Analysis date | December 14, 2018, 12:49:35
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags |
Indicators |
MIME | application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info | Microsoft Word 2007+
MD5 | 7B34D88349EF75082B746CBD42BB8202
SHA1 | 6F792EBFAD913B98D23BDEE33C796A822209A99B
SHA256 | 8AABB3E77B4D3A75A6CC1C7A5EF7C2D9FC7231EF0D890A2C14C8ADF13D3CCCA4
SSDEEP | 768:3FJVdNrh6q5+F76htUy59j1Ji8JoBXQbV/T:37hy7MhJI2
Extension | Description | Score
---|---|---|
.docm | Word Microsoft Office Open XML Format document (with Macro) | 53.6
.docx | Word Microsoft Office Open XML Format document | 24.2
.zip | Open Packaging Conventions container | 18
.zip | ZIP compressed archive | 4.1
Property | Value
---|---|
AppVersion | 14
HyperlinksChanged | No
SharedDoc | No
CharactersWithSpaces | -
LinksUpToDate | No
Company | Home
ScaleCrop | No
Paragraphs | -
Lines | -
DocSecurity | None
Application | Microsoft Office Word
Characters | -
Words | -
Pages | 1
TotalEditTime | -
Template | Normal
ModifyDate | 2016:08:11 12:37:00Z
CreateDate | 2016:08:11 12:37:00Z
RevisionNumber | 2
LastModifiedBy | 1
Creator | 1
Zip property | Value
---|---|
ZipFileName | [Content_Types].xml
ZipUncompressedSize | 1563
ZipCompressedSize | 419
ZipCRC | 0x4dc12e6a
ZipModifyDate | 1980:01:01 00:00:00
ZipCompression | Deflated
ZipBitFlag | 0x0006
ZipRequiredVersion | 20
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---|
2964 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Receipt(998).docm" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | | explorer.exe
1824 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | WINWORD.EXE

PID | User | Company | Integrity Level | Description | Version | Exit code
---|---|---|---|---|---|---|
2964 | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 14.0.6024.1000 | —
1824 | admin | Microsoft Corporation | MEDIUM | NTVDM.EXE | 6.1.7600.16385 (win7_rtm.090713-1255) | 255
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---|
2964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8BEA.tmp.cvr | — | — | —
1824 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs9793.tmp | — | — | —
1824 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs9794.tmp | — | — | —
2964 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 350A6AB3E642AD77B9E327B84E93FF24 | 961AA9C799AC2BC892E5FA8DE785D60F887D08804BFFBED4C29E34366375306C
2964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Tempweffvxcvw | html | 0F86BD3800C7E462DDE14845AB5452C0 | 690DEDEAD280369031D554A46C280303325FE1E5231BDC6249E64466CABE5344
2964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\turbis.exe | binary | B352E750C117173974320E40B9223E23 | 3683CE004389862998B1B5C99EF67C39705BC1962DE5E68F355DA97D826FADCB
2964 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$ceipt(998).docm | pgc | DC8B0FAE221C2615330DEE089FCA951A | D5EE6D8EDC2A711BFB2A9BA73CCB2D43DC16738B251FB829669BF578E0217FB3
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2964 | WINWORD.EXE | GET | 404 | 213.205.40.169:80 | http://www.fasulo.org/4GBrdf6 | IT | html | 181 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2964 | WINWORD.EXE | 213.205.40.169:80 | www.fasulo.org | Tiscali SpA | IT | suspicious |
Domain | IP | Reputation
---|---|---|
www.fasulo.org | | suspicious