Field | Value |
---|---|
File name | PO#911007.doc |
Full analysis | https://app.any.run/tasks/6a01f6e4-2ff2-4293-8258-585734d2eb18 |
Verdict | Malicious activity |
Analysis date | July 17, 2019, 05:22:36 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/msword |
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Template: Normal.dotm, Last Saved By: Livingstone Ozueh, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Tue Jul 16 00:36:00 2019, Last Saved Time/Date: Mon Jul 15 23:38:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
MD5 | 98C2F7E2AAEA112960B83CA0752B27ED |
SHA1 | 9478599A60D38B5230C15C769EDB3698C41A5758 |
SHA256 | 92686918F7032B9FE1AE938CB314AE981D796598E2DA8A2518D1B74A91261F70 |
SSDEEP | 3072:uwOvSodDs0IG/yUPVhX+JjsUDyllJkLBUObsLNA7JJjIIdneSRFBpp:RiyEqG7Jy8IdneUFLp |
Extension | Detected type |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
Property | Value |
---|---|
Title | - |
Subject | - |
Author | - |
Keywords | - |
Comments | - |
Template | Normal.dotm |
LastModifiedBy | Livingstone Ozueh |
RevisionNumber | 2 |
Software | Microsoft Office Word |
TotalEditTime | 1.0 minutes |
CreateDate | 2019:07:15 23:36:00 |
ModifyDate | 2019:07:15 22:38:00 |
Pages | 1 |
Words | - |
Characters | 1 |
Security | None |
CodePage | Windows Latin 1 (Western European) |
Company | - |
Bytes | 11000 |
Lines | 1 |
Paragraphs | 1 |
CharCountWithSpaces | 1 |
AppVersion | 15 |
ScaleCrop | No |
LinksUpToDate | No |
SharedDoc | No |
HyperlinksChanged | No |
TitleOfParts | - |
HeadingPairs | |
CompObjUserTypeLen | 32 |
CompObjUserType | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3376 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\PO#911007.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
3096 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | WINWORD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: NTVDM.EXE; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3376 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD06F.tmp.cvr | — | — | — |
3096 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scsD87E.tmp | — | — | — |
3096 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scsD88E.tmp | — | — | — |
3376 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 1E883D61B03A47B9C3C857826D662339 | CEFE3F8126AD5E304332119FD6422025183A62D4F7F8ECDD7B5665E88662DDA2 |
3376 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\suspendedpage[1].htm | html | DBAAADA9E75C88E9649AB8506F83BFD8 | F33D487CD0D9037D32B79F802CD6973D15D2C5E65C2D8A8887E10D7F994197E6 |
3376 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$#911007.doc | pgc | 8067BD8DD437E74FB3D6E27795A15F28 | 7B842B1483B690B8F5B66CFFA1186B7BD4118491EF43E1F582800043CE81FFD1 |
3376 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\agip.exe | html | DBAAADA9E75C88E9649AB8506F83BFD8 | F33D487CD0D9037D32B79F802CD6973D15D2C5E65C2D8A8887E10D7F994197E6 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3376 | WINWORD.EXE | GET | 200 | 173.212.196.156:80 | http://to18.ir/cgi-sys/suspendedpage.cgi | DE | html | 7.39 Kb | suspicious |
3376 | WINWORD.EXE | GET | 302 | 173.212.196.156:80 | http://to18.ir/pic/agip.exe | DE | html | 224 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3376 | WINWORD.EXE | 173.212.196.156:80 | to18.ir | Contabo GmbH | DE | suspicious |
Domain | IP | Reputation |
---|---|---|
to18.ir | | suspicious |