| Field | Value |
|---|---|
| File name | purchase order.doc |
| Full analysis | https://app.any.run/tasks/64d4c8ee-3517-4b83-be1d-88dda7907279 |
| Verdict | Malicious activity |
| Analysis date | May 24, 2019, 08:11:46 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | text/rtf |
| File info | Rich Text Format data, version 1, unknown character set |
| MD5 | 75F0ADFCE63477B4BAF9ED41AD21C389 |
| SHA1 | 72D7F9D1848C0B1795490E76429A701C564D81B5 |
| SHA256 | 9742E39690928A7DCE692B3498AE4F7198453FDAE7E03FC4B23381C9213A6E9C |
| SSDEEP | 3072:oHSXciwuHeXaoPXciwuHeXaoPXciwuHeXaoPXciwuHeXaoPXciwuHeXaoRHIS:nlWaMlWaMlWaMlWaMlWaMHIS |
| Extension | Identified type |
|---|---|
| .rtf | Rich Text Format (100) |

| Property | Value |
|---|---|
| InternalVersionNumber | 57435 |
| CharactersWithSpaces | 4 |
| Characters | 4 |
| Words | - |
| Pages | 1 |
| TotalEditTime | - |
| RevisionNumber | 1 |
| ModifyDate | 2019:01:07 23:54:00 |
| CreateDate | 2019:01:07 23:54:00 |
| LastModifiedBy | Admin |
| Author | Admin |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2136 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\purchase order.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | | |
| 892 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000 | | | |
| 2864 | "C:\Windows\System32\cmd.exe" /c ren "C:\Users\admin\AppData\Local\Temp\h4918a2.png" "h4918a2.exe" &start "" "C:\Users\admin\AppData\Local\Temp\h4918a2.exe" | C:\Windows\System32\cmd.exe | — | EXCEL.EXE |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
| PID | Process | Filename | Type |
|---|---|---|---|
| 2136 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4142.tmp.cvr | — |
| | MD5: — | SHA256: — | |
| 892 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR4970.tmp.cvr | — |
| | MD5: — | SHA256: — | |
| 2864 | cmd.exe | C:\Users\admin\AppData\Local\Temp\h4918a2.exe | — |
| | MD5: — | SHA256: — | |
| 2136 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc |
| | MD5: 8CF4B99D86AD2C91E25F7D921404AF08 | SHA256: C71FCB563A60568ED4A3CC029F6FC631E9786D0AACFDB401A8DB9FE46803F35F | |
| 2136 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$rchase order.doc.rtf | pgc |
| | MD5: AA5D962E119654F3A13DC1C0A344AB36 | SHA256: DE139547B37100268D59D1EBC5CB36CD8444D31DC8E9B4D74CA4F89D46F83875 | |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 892 | EXCEL.EXE | 81.29.220.21:443 | www.bni-eventi.it | Telecitygroup International Limited | IT | malicious |

| Domain | IP | Reputation |
|---|---|---|
| www.bni-eventi.it | | malicious |