Field | Value
---|---
File name | Fw Unpaid invoice #4806.msg
Full analysis | https://app.any.run/tasks/7e47a930-cb01-448c-9da6-0c832603d737
Verdict | Malicious activity
Analysis date | January 17, 2019, 23:51:17
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | —
MIME | application/vnd.ms-outlook
File info | CDFV2 Microsoft Outlook Message
MD5 | DAB0C4205DB908DE8F7A71DB2F60EC1B
SHA1 | AAB8B00BAF9F2E1FEB7DDAE18C56091B75D0DC18
SHA256 | AC5D32B43E692F7856B433F002C85D282071F52D9F076EB0165BE437B48A2015
SSDEEP | 1536:FNAiWBWTlk4iTlsctGmfWDcSZfyceOQY5osWilsH7j55+Ck2shaPmK:FfsxsctnSZfyceOQ7sWilsbje84aPmK
Extension | File type (score)
---|---
.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2976 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Fw Unpaid invoice #4806.msg" | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | — | explorer.exe
3496 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\3XT7OR7I\StanfordInvoice.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | OUTLOOK.EXE

Process details:

PID | User | Company | Integrity Level | Description | Version
---|---|---|---|---|---
2976 | admin | Microsoft Corporation | MEDIUM | Microsoft Outlook | 14.0.6025.1000
3496 | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 14.0.6024.1000
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2976 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRE96A.tmp.cvr | — | — | —
2976 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\3XT7OR7I\StanfordInvoice (2).doc\:Zone.Identifier:$DATA | — | — | —
3496 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRFFA1.tmp.cvr | — | — | —
3496 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\mso290.tmp | — | — | —
3496 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{CC0FAB83-29B5-407D-896D-E1B07419E011} | — | — | —
3496 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{2CB053D2-B92F-4218-A1AD-496B33EB5434} | — | — | —
2976 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc | DCC008C40A822CAE9D6B87CB89603347 | 019761CD3FF9EDCA373DB9F5938E22B4A79971C6AEF21B351C35CF13B5795EE1
3496 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 5389B86204854124BCB2292390379314 | 5EE80C0E1F8D2A19C634BAA0F9F4DB0DF78E42E8CA899B64B9B511CB233CF44C
3496 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{3799608D-AA13-4FE4-9A12-C599AC38249C}.FSD | binary | A29B74B739817558405907F462059C80 | 13ED3F331008330BC83D63808A70876AB5206419C8805071B74BF74D22D89F78
2976 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\3XT7OR7I\StanfordInvoice.doc | html | EBBB46CDD5D924FEE2D3751A1BF9A054 | 5E4752E17EA2D2976B0EE4447024312CA7616B952CEE17C477E87E8EDC5E77EA
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2976 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
3496 | WINWORD.EXE | OPTIONS | 403 | 13.32.112.152:80 | http://images.pmeimg.com/system/content_images/uploads/62e/5fe/03-/original/ | US | html | 694 b | shared |
3496 | WINWORD.EXE | OPTIONS | 403 | 13.32.112.152:80 | http://images.pmeimg.com/public/user_assets/db4af2ae-f16b-4e77-bf02-fc3a0b4a8e15/ | US | html | 694 b | shared |
3496 | WINWORD.EXE | OPTIONS | 403 | 13.32.112.152:80 | http://images.pmeimg.com/public/user_assets/db4af2ae-f16b-4e77-bf02-fc3a0b4a8e15/ | US | html | 694 b | shared |
3496 | WINWORD.EXE | OPTIONS | 403 | 100.24.100.138:80 | http://hbm5g0fj5xh.lucrativehiring.com/ | US | text | 16 b | malicious |
3496 | WINWORD.EXE | GET | 200 | 100.24.100.138:80 | http://hbm5g0fj5xh.lucrativehiring.com/c156cdeb-3985-48ae-ba29-af07b04e8b70.png | US | image | 68 b | malicious |
3496 | WINWORD.EXE | GET | 200 | 13.32.112.152:80 | http://images.pmeimg.com/system/content_images/uploads/173/6c8/9c-/original/warning.png | US | image | 2.57 Kb | shared |
3496 | WINWORD.EXE | OPTIONS | 403 | 13.32.112.152:80 | http://images.pmeimg.com/system/content_images/uploads/62e/5fe/03-/original/ | US | html | 694 b | shared |
3496 | WINWORD.EXE | OPTIONS | 403 | 13.32.112.152:80 | http://images.pmeimg.com/system/content_images/uploads/173/6c8/9c-/original/ | US | html | 694 b | shared |
3496 | WINWORD.EXE | GET | 200 | 13.32.112.152:80 | http://images.pmeimg.com/public/user_assets/db4af2ae-f16b-4e77-bf02-fc3a0b4a8e15/su-wide.png | US | image | 4.41 Kb | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3496 | WINWORD.EXE | 13.32.112.152:80 | images.pmeimg.com | Amazon.com, Inc. | US | malicious |
2976 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
3496 | WINWORD.EXE | 100.24.100.138:80 | hbm5g0fj5xh.lucrativehiring.com | — | US | suspicious |
Domain | IP | Reputation
---|---|---
config.messenger.msn.com | — | whitelisted
hbm5g0fj5xh.lucrativehiring.com | — | malicious
images.pmeimg.com | — | shared
PID | Process | Class | Message
---|---|---|---
3496 | WINWORD.EXE | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious DOC loader of embedded OLE from external source

This alert was raised 10 times for PID 3496 (WINWORD.EXE) during the analysis.