| Field | Value |
|---|---|
| File name | DOC_MDR0307_019.doc |
| Full analysis | https://app.any.run/tasks/67dbc7e0-6519-48d4-b95f-925f755f9fa4 |
| Verdict | Malicious activity |
| Analysis date | January 24, 2022, 15:45:30 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | text/rtf |
| File info | Rich Text Format data, unknown version |
| MD5 | 0F99F373718685C0235B20DF7624B00C |
| SHA1 | 1ED1E0A6B306BF8BEE39628CFCFA2F8E683BEC77 |
| SHA256 | ADC82A58D8C890881CC7781BE8E831B948DC06757664946CA302F2EF5200BD38 |
| SSDEEP | 12288:trN45zrtgVRUXpJLGE1tn2uwBC1voAUq0uOl63XmAf6/oq:L45zrtgVRUXnqy92wOq0plCXmAf6/7 |
| Detected type | .rtf, Rich Text Format (100) |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 1012 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\DOC_MDR0307_019.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | Explorer.EXE |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000 | | | |
| 452 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe |
| | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900 | | | |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4F65.tmp.cvr | — | — | — |
| 1012 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 5A1087BEDAF400C3821D9656B383CF42 | CF2C51AC79A489002AB9EEC79CA5B647BC9F2D126F89EF5EAEC0D9BDB5C66491 |
| 1012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7EA9C246-BB1D-4E6C-AB87-FF1AD9172CF5}.tmp | binary | 99C092D6432777075332EEEED24D7924 | A9A6A35010D4701CB25C9231A0D27E193FC2D84F2CF3F4E12361E75F1134F604 |
| 1012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$C_MDR0307_019.doc.rtf | pgc | 73C01FD4194BAB0D4AECC466F7961413 | 0A748BADAD4ADD252BAF9B08DC8812797A4763B55D00ABC13280545AB7CAD4E0 |
| 1012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{B8DFE6D8-9F82-45EA-A6DF-B2B04ACB5ABD}.tmp | binary | 401055AFC4869D6A58DB4C2A5E8FFE20 | 5B071A37CF9750D5165D2F161B62AF95BBAA1498B67E35FD3DC7FEA8FC4FAB1C |
| 1012 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2CAE39D0-67B3-461D-88EC-79D9193969C8}.tmp | smt | 5D4D94EE7E06BBB0AF9584119797B23A | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
452 | EQNEDT32.EXE | 2.58.149.41:80 | paxz.tk | — | — | malicious |
| Domain | IP | Reputation |
|---|---|---|
| paxz.tk | — | unknown |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a .tk domain - Likely Hostile |
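The behaviour worth detecting in this report is the process chain, not the file hashes: a sample named .doc that is actually RTF (MIME text/rtf) is opened by WINWORD.EXE, the Equation Editor (EQNEDT32.EXE) is then started with `-Embedding` under svchost.exe rather than under Word (COM out-of-process servers are activated by the DCOM launcher, so a plain parent/child rule on WINWORD.EXE never fires), and that Equation Editor process resolves paxz.tk and connects to 2.58.149.41:80. The script below is an added example, not code from ANY.RUN or from this report: it runs three rules over Sysmon-like event dicts that are constructed here to mirror the report's tables (plus one benign Word DNS event to show what is not flagged). The event shape, rule names and the 60-second correlation window are assumptions of the example.

```python
"""Detection logic for the Equation Editor chain in the report above.

Rules (example code, not a vendor rule set):
  1. EQNEDT32.EXE starts within `window` seconds of an Office host opening a document.
     Its parent is svchost.exe (DCOM activation), so the correlation is by time, not lineage.
  2. Any DNS query or network connection made by EQNEDT32.EXE (it has no network function).
  3. Any DNS query for a .tk domain, mirroring the report's Suricata message
     "ET DNS Query to a .tk domain - Likely Hostile".
"""
import re
from dataclasses import dataclass

OFFICE_HOSTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
EQNEDT = "EQNEDT32.EXE"
DOC_EXTS = (".doc", ".docx", ".docm", ".dot", ".dotm", ".rtf")
SUSPICIOUS_TLDS = (".tk",)

# Constructed events mirroring the report (ts = seconds into the trace); not sandbox exports.
EVENTS = [
    {"ts": 0, "type": "process_create", "pid": 1012, "image": "WINWORD.EXE", "parent": "Explorer.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\DOC_MDR0307_019.doc.rtf"'},
    {"ts": 3, "type": "process_create", "pid": 452, "image": "EQNEDT32.EXE", "parent": "svchost.exe",
     "cmdline": r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"ts": 4, "type": "dns_query", "pid": 452, "image": "EQNEDT32.EXE", "query": "paxz.tk"},
    {"ts": 4, "type": "network_connect", "pid": 452, "image": "EQNEDT32.EXE", "dst_ip": "2.58.149.41", "dst_port": 80},
    # Benign control event (constructed): Word itself talking to a Microsoft host is not flagged.
    {"ts": 5, "type": "dns_query", "pid": 1012, "image": "WINWORD.EXE", "query": "officeclient.microsoft.com"},
]


@dataclass
class Alert:
    severity: str
    rule: str
    detail: str
    event: dict


def document_from_cmdline(cmdline: str):
    """Return the first quoted argument that looks like an Office document, else None."""
    for arg in re.findall(r'"([^"]+)"', cmdline):
        if arg.lower().endswith(DOC_EXTS):
            return arg
    return None


def detect(events, window=60):
    """Run the three rules over the events in time order and return the alerts raised."""
    alerts = []
    office_docs = {}  # pid -> (ts, document path) for Office hosts that opened a document
    for ev in sorted(events, key=lambda e: e["ts"]):
        image = ev["image"].upper()
        if ev["type"] == "process_create":
            if image in OFFICE_HOSTS:
                doc = document_from_cmdline(ev.get("cmdline", ""))
                if doc:
                    office_docs[ev["pid"]] = (ev["ts"], doc)
            elif image == EQNEDT:
                # Parent is svchost.exe, not WINWORD.EXE, so correlate on the time window instead.
                recent = [doc for ts, doc in office_docs.values() if 0 <= ev["ts"] - ts <= window]
                if recent:
                    alerts.append(Alert("medium", "eqnedt_dcom_after_office_doc",
                                        f"{EQNEDT} pid {ev['pid']} (parent {ev['parent']}) started "
                                        f"{ev['ts']}s into the trace after Office opened {recent[-1]}", ev))
        elif ev["type"] in ("network_connect", "dns_query"):
            if image == EQNEDT:
                # Equation Editor renders OLE equation objects; it has no reason to resolve names
                # or open sockets, so any network activity from it is a strong signal.
                dst = ev.get("query") or f"{ev.get('dst_ip')}:{ev.get('dst_port')}"
                alerts.append(Alert("high", "eqnedt_network",
                                    f"{EQNEDT} pid {ev['pid']} {ev['type']} to {dst}", ev))
            if ev["type"] == "dns_query" and ev["query"].lower().endswith(SUSPICIOUS_TLDS):
                alerts.append(Alert("low", "suspicious_tld_dns",
                                    f"{image} pid {ev['pid']} queried {ev['query']}", ev))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"[{a.severity:6}] {a.rule}: {a.detail}")
```

Run against the constructed trace, the script raises four alerts (the DCOM-launched Equation Editor, its DNS query, the .tk TLD, and its TCP connection) and stays silent on the benign Word DNS event and on an Equation Editor start with no preceding document open. In a real deployment the same three rules map onto Sysmon event IDs 1 (process create), 3 (network connect) and 22 (DNS query), with the time-window correlation done in the SIEM.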