File name: | Yeni Microsoft Word Belgesi.docx |
Full analysis: | https://app.any.run/tasks/898ece82-9bd3-42a6-8612-b9a865005fd0 |
Verdict: | Malicious activity |
Analysis date: | April 15, 2019, 10:10:52 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | BDAE3B410E53A1206EC4D851A6E1DB27 |
SHA1: | 30687EF39CFEB865873CFA1B0D7005557D90E866 |
SHA256: | AD4EADDA407F2414397D626AFF6CFC825D7C8A886B1CFCC8C8E17A4FEAB53FF7 |
SSDEEP: | 3072:C6cRx6bxnD2mQVYGOtkbJbW1tcuUBkRlebM6Y:BKg55GOt01ItcuY2yM1 |

.docx | | | Word Microsoft Office Open XML Format document (52.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (38.8) |
.zip | | | ZIP compressed archive (8.8) |

AppVersion: | 14 |
---|---|
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 20 |
LinksUpToDate: | No |
Company: | Tester |
ScaleCrop: | No |
Paragraphs: | 1 |
Lines: | 1 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 18 |
Words: | 3 |
Pages: | 1 |
TotalEditTime: | 3 minutes |
Template: | Normal.dotm |
ModifyDate: | 2019:04:15 10:01:00Z |
CreateDate: | 2019:04:15 09:57:00Z |
RevisionNumber: | 3 |
LastModifiedBy: | Tester |
Keywords: | - |

Description: | - |
---|---|
Creator: | Tester |
Subject: | - |
Title: | - |

ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 1620 |
ZipCompressedSize: | 429 |
ZipCRC: | 0x4493e0cd |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |

PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
4012 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Yeni Microsoft Word Belgesi.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
764 | "C:\Windows\system32\verclsid.exe" /S /C {00020832-0000-0000-C000-000000000046} /I {00000112-0000-0000-C000-000000000046} /X 0x5 | C:\Windows\system32\verclsid.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Extension CLSID Verification Host Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3788 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
1712 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2484 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
4052 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 |

PID | Process | Filename | Type | |
---|---|---|---|---|
4012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR5DDB.tmp.cvr | — | |
MD5:— | SHA256:— | |||
4012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\30988497.png | — | |
MD5:— | SHA256:— | |||
3788 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR7674.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1712 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR7CAD.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2484 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRAB3F.tmp.cvr | — | |
MD5:— | SHA256:— | |||
4052 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRD2AD.tmp.cvr | — | |
MD5:— | SHA256:— | |||
4012 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:BAEC04A54AC968DB29FEE2F2ABDA0EA1 | SHA256:230C0E0381E2EA1B4CED9700B32635C2548CB4B0CE50C1D60F5BF49BA8E63985 | |||
4012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AA31976E.emf | emf | |
MD5:561B35441D59AB49FC54B55D02992EFB | SHA256:35A948ABD5710BA44E0C859416BA07924E59F5693C80134DE145CD470DA6DA5E | |||
4012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\List_91.csv | text | |
MD5:F6BFE69D3C457A0DC73D82D6B4A128CF | SHA256:1696654C9BCC39962F03195C388C1CD1BACB1DADEE1D281C7CA74FCD89321CD9 | |||
4012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$ni Microsoft Word Belgesi.docx | pgc | |
MD5:CDC5DE5F19D4B1122F0D7421E1717602 | SHA256:AF320D054972EAABE46CAEF926A57162D72D887F24A73F70172384BC42C8D33C |