File name: | Unknown_UserForm_9580aaca2e0cd607eaf54c3eb933e41538dc10cd341d41e3daa9185b2a6341c4.doc |
Full analysis: | https://app.any.run/tasks/e927b187-960e-42fc-8962-387c3fcc6ca1 |
Verdict: | Malicious activity |
Analysis date: | April 23, 2019, 15:10:07 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Windows User, Template: Normal.dotm, Last Saved By: Windows User, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Wed Apr 3 16:04:00 2019, Last Saved Time/Date: Wed Apr 3 16:04:00 2019, Number of Pages: 1, Number of Words: 7, Number of Characters: 43, Security: 0 |
MD5: | 7C538578597D5C66052500FBEF91986C |
SHA1: | 7052A3183010B1C3F56FF18A0B1BCEDE00915E58 |
SHA256: | 9580AACA2E0CD607EAF54C3EB933E41538DC10CD341D41E3DAA9185B2A6341C4 |
SSDEEP: | 3072:7DhIbW+awbHKwZmSZvkTGUfsXHylWbTOC4Y:fhXwZ1ZvkTGrHCWWC |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
---|---|
Subject: | - |
Author: | Windows User |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | Windows User |
RevisionNumber: | 2 |
Software: | Microsoft Office Word |
TotalEditTime: | 1.0 minutes |
CreateDate: | 2019:04:03 15:04:00 |
ModifyDate: | 2019:04:03 15:04:00 |
Pages: | 1 |
Words: | 7 |
Characters: | 43 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 49 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2588 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n C:\Users\admin\AppData\Local\Temp\Unknown_UserForm_9580aaca2e0cd607eaf54c3eb933e41538dc10cd341d41e3daa9185b2a6341c4.doc && c:\windows\explorer.exe shell:::{8dac4e38-b146-4617-96a3-a3f839e5c568} | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
3620 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2588 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR2E50.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3620 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR3882.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2588 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0001.doc | — | |
MD5:— | SHA256:— | |||
2588 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{7B38C726-56C7-407C-B154-46B1D0BDC59F} | — | |
MD5:— | SHA256:— | |||
2588 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{2F333853-BF4C-4EC4-A914-B9A8FF12577D} | — | |
MD5:— | SHA256:— | |||
2588 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF1F90D8628314D80E.TMP | — | |
MD5:— | SHA256:— | |||
2588 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\explorer.exe.LNK | lnk | |
MD5:64EB5AFC87AE0171CAE5002710617DCA | SHA256:999596065BD9B53A6294B273DAD3A715A7FFF8ECCE67DE81F0E9F2DCAFA13FD9 | |||
2588 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:1F9256756D24A315C9F143195CC12072 | SHA256:33C76E36AE624C14384D3FBDC40B29B1B01D7F23830B7B976F03DB6A1FA88339 | |||
3620 | EXCEL.EXE | C:\windows\temp\picture.jpg | text | |
MD5:E974935AAAF9A306884205D7C0D2356C | SHA256:38C2EAD389EED9EAD023BDE1609DD5468383CAAD1646D0AB6F648303115D9BBB | |||
2588 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary | |
MD5:DEBC37AE1FCF83E17723E407F4E87100 | SHA256:ED93DE59EDC803B1AD664678A047BDBC02638EBC6EA4D488EF2509C2F603A4A1 |