Field | Value |
---|---|
File name | 7f8e1f2dc29d09f0843204aa00a4f7d8.docx |
Full analysis | https://app.any.run/tasks/3828d5ff-4db6-48ea-aaca-c05446ed48c2 |
Verdict | Malicious activity |
Analysis date | May 24, 2019, 02:44:27 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/zip |
File info | Zip archive data, at least v1.0 to extract |
MD5 | 7F8E1F2DC29D09F0843204AA00A4F7D8 |
SHA1 | C8705FB5E01ED2E056086371FAF52DC7F9658790 |
SHA256 | 94305086FAFD807B6DC4C4B86A71115744A6552BE7E8B0758BB4E5CC899BFA62 |
SSDEEP | 768:bBBLLFODrASvfnWhDgSDDkX4rnH4T9kYAnP8:FB83AifWhD5sX4rH49Jv |
Extension | Identification (score) |
---|---|
.docx | Word Microsoft Office Open XML Format document (52.2) |
.zip | Open Packaging Conventions container (38.8) |
.zip | ZIP compressed archive (8.8) |
ZIP field | Value |
---|---|
ZipRequiredVersion | 10 |
ZipBitFlag | - |
ZipCompression | None |
ZipModifyDate | 2019:04:01 18:53:22 |
ZipCRC | 0x00000000 |
ZipCompressedSize | - |
ZipUncompressedSize | - |
ZipFileName | docProps/ |
Document property | Value |
---|---|
Template | Normal.dotm |
TotalEditTime | 1 minute |
Pages | 1 |
Words | 140 |
Characters | 802 |
Application | Microsoft Office Word |
DocSecurity | None |
Lines | 6 |
Paragraphs | 1 |
ScaleCrop | No |
HeadingPairs | |
TitlesOfParts | - |
Company | - |
LinksUpToDate | No |
CharactersWithSpaces | 941 |
SharedDoc | No |
HyperlinksChanged | No |
AppVersion | 16 |
LastModifiedBy | KB4 |
RevisionNumber | 4 |
CreateDate | 2018:06:13 17:58:00Z |
ModifyDate | 2018:06:27 17:52:00Z |
Creator | brian |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2464 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\7f8e1f2dc29d09f0843204aa00a4f7d8.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |

User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2464 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3FAC.tmp.cvr | — | — | — |
2464 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\query[1].asmx | — | — | — |
2464 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$8e1f2dc29d09f0843204aa00a4f7d8.docx | pgc | B4522C9B39ED4FFB34A47C6C4439CC4A | 42C379B554BBC53B8F8168DCAEB13FF1BD4CD538164AD17DE217B482216CA6CE |
2464 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 3107227F47377D26DFEB4773A6AFB83A | 4EE8125788061B77C12B0342B95E5F66F95A1F848A3B39220512773F24BA77B3 |
2464 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\b6419f5bc3093b5f22142ce454e02407.sig | binary | 8E530DE975488CCA4C3AEB105B1D500B | 13562E994517B758D49DC0A16BF73014D45E66BF877259568D1AD46915599E46 |
2464 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\b6419f5bc3093b5f22142ce454e02407.xml | xml | 4DC75DFED4A232FC6650C8C128BF3FB9 | 898BA5ABAFABA71CE882AF393B4FEB9AAE5BBA86EA4A944D2F50B8930BA27074 |
2464 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex | text | F3B25701FE362EC84616A93A45CE9998 | B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2464 | WINWORD.EXE | GET | 200 | 52.73.148.58:80 | http://robust-backend.ancillarycheese.com/XcmVBjaXBpZWf50X2lkPTXQ1OTkxPQOTg5QMCZjYW1wEYWVlnbl9ydW5faWQ9MjA1tMTUyOSZhY3Rpb249YXR0YWNobWVudA== | US | — | — | whitelisted |
2464 | WINWORD.EXE | GET | 200 | 52.109.76.6:80 | http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={019C826E-445A-4649-A5B0-0BF08FCC4EEE}&build=14.0.6023 | IE | xml | 1.99 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2464 | WINWORD.EXE | 52.109.76.6:80 | office14client.microsoft.com | Microsoft Corporation | IE | whitelisted |
2464 | WINWORD.EXE | 52.109.120.28:443 | rr.office.microsoft.com | Microsoft Corporation | HK | whitelisted |
2464 | WINWORD.EXE | 52.73.148.58:80 | robust-backend.ancillarycheese.com | Amazon.com, Inc. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
robust-backend.ancillarycheese.com | | whitelisted |
office14client.microsoft.com | | whitelisted |
rr.office.microsoft.com | | whitelisted |