File name: | e88dc637081ff17bf215018595faa974a1cab72e |
Full analysis: | https://app.any.run/tasks/a900b8c4-a5ba-4068-9d84-984054275cda |
Verdict: | Malicious activity |
Analysis date: | October 20, 2020, 03:05:51 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: 1, Template: Normal, Last Saved By: 1, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jul 28 13:30:00 2015, Last Saved Time/Date: Tue Jul 28 13:30:00 2015, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0 |
MD5: | E14B93846E305BC9A52C31198B67E721 |
SHA1: | E88DC637081FF17BF215018595FAA974A1CAB72E |
SHA256: | ABB83C8DD0E62919946DE688FD81051162791DB1FEC1184B3217A14606D83F4C |
SSDEEP: | 768:V2xuV67cqupXxwcRpQ4HzfHUgwDfH781mzcyE7dz:UxWGSew+0zfH4b7eb7l |
.doc | | | Microsoft Word document (80) |
---|
Title: | - |
---|---|
Subject: | - |
Author: | 1 |
Keywords: | - |
Template: | Normal |
LastModifiedBy: | 1 |
RevisionNumber: | 2 |
Software: | Microsoft Office Word |
TotalEditTime: | - |
CreateDate: | 2015:07:28 12:30:00 |
ModifyDate: | 2015:07:28 12:30:00 |
Pages: | 1 |
Words: | - |
Characters: | - |
Security: | None |
CodePage: | Windows Cyrillic |
Company: | Home |
Lines: | 1 |
Paragraphs: | 1 |
CharCountWithSpaces: | - |
AppVersion: | 11.9999 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: | - |
HeadingPairs: |
|
CompObjUserTypeLen: | 31 |
CompObjUserType: | ???????? Microsoft Office Word |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2084 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\e88dc637081ff17bf215018595faa974a1cab72e.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3208 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 3221225477 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2084 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4105.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3208 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs4A8B.tmp | — | |
MD5:— | SHA256:— | |||
3208 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs4A8C.tmp | — | |
MD5:— | SHA256:— | |||
2084 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\treviof.exe | html | |
MD5:0EF5567B70EC7C38EEEA9C9EB35C40D6 | SHA256:B613A2C8FC23DAC0D99DF13652628F0686D9DE5115705E42FF8693FCADB1B7DE | |||
2084 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$8dc637081ff17bf215018595faa974a1cab72e.doc | pgc | |
MD5:635B6C4B838FCE27B0C968B01083B62D | SHA256:2FF18699DE98EDE76EBB435AABE2460A578F617E71A35C99ED39DFA1CA12E7ED | |||
2084 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:F2ECD342B1A71656879DFEA58EE52FF9 | SHA256:3B3CA7DEBC6D22628077506D9E1A86933DB673B038F8BDA4E9345ADE94946B13 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2084 | WINWORD.EXE | GET | 404 | 178.32.213.120:80 | http://laperleblanche.fr/345/wrw.exe | FR | html | 963 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2084 | WINWORD.EXE | 178.32.213.120:80 | laperleblanche.fr | OVH SAS | FR | suspicious |
Domain | IP | Reputation |
---|---|---|
laperleblanche.fr |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
2084 | WINWORD.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |