File name: | Prepared_document_13964884.docm |
Full analysis: | https://app.any.run/tasks/45e0085e-81d1-496a-91e3-af356ae78fc5 |
Verdict: | Malicious activity |
Analysis date: | August 13, 2019, 18:10:34 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 560767753EDFBAF47050CFDBA0D4D715 |
SHA1: | DF375B0E6771903814EABE8FE7510B6380402B74 |
SHA256: | B6839EAC3C7D32746F383E28FF3AB421759B0A922040E369265F1400083C50BA |
SSDEEP: | 3072:daRAsxdGSIyyPhOHq89kcUip4NHpESFFUGaP0KxAjDZAeeEh8d98e4crDyREOesj:d4AGTyPtgkFHpE2YP0Ku3yeey8Ue4CDS |
.docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
---|---|---|
.docx | | | Word Microsoft Office Open XML Format document (24.2) |
.zip | | | Open Packaging Conventions container (18) |
.zip | | | ZIP compressed archive (4.1) |
Creator: | - |
---|
ModifyDate: | 2019:08:09 11:47:00Z |
---|---|
CreateDate: | 2019:07:08 09:55:00Z |
RevisionNumber: | 1 |
LastModifiedBy: | - |
AppVersion: | 15 |
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 790502 |
LinksUpToDate: | No |
Company: | - |
TitlesOfParts: | - |
HeadingPairs: |
|
ScaleCrop: | No |
Paragraphs: | 1581 |
Lines: | 5615 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 673862 |
Words: | 118221 |
Pages: | 90 |
TotalEditTime: | - |
Template: | Normal.dotm |
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 2535 |
ZipCompressedSize: | 463 |
ZipCRC: | 0x53898b0b |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2568 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Prepared_document_13964884.docm" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
2108 | "C:\Windows\System32\cmd.exe" /c"c:\users\admin\appdata\roaming\microsoft\word\startup\zzs .jse" | C:\Windows\System32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2232 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\appdata\roaming\microsoft\word\startup\zzs .jse" | C:\Windows\System32\WScript.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE6CF.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7847E0BD.png | — | |
MD5:— | SHA256:— | |||
2568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7BE9D24D-174B-4B29-BE6A-F7962D1A2120}.tmp | — | |
MD5:— | SHA256:— | |||
2568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{ACCD68FA-066B-4657-96CA-E5DA9B9F5804}.tmp | — | |
MD5:— | SHA256:— | |||
2568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E4EF2AD4-1CD1-422D-AF49-4C18DCB26032}.tmp | — | |
MD5:— | SHA256:— | |||
2568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{20048F6F-B285-4C1D-A246-D31431DBF61A}.tmp | — | |
MD5:— | SHA256:— | |||
2568 | WINWORD.EXE | C:\users\admin\appdata\roaming\microsoft\word\startup\zzs .jse | text | |
MD5:D9D3BDAF54217BD1629AEBB16B989087 | SHA256:293BA9EC960160F4B8BCD6E940C35F0CBAD92923B8D1C753809C505D8638AB2C | |||
2568 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$epared_document_13964884.docm | pgc | |
MD5:60427B6FE763251098DDB8261F30D6F6 | SHA256:1612CEA2AE95187E343B5CF3A9C67EAD59CE444FD33FDB65BE8D40EEF68D108E | |||
2568 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:E564A6D6459A6CB0E3CE1F3C14FC8E1F | SHA256:CC2E410900E011B16448B0B13D5493307DB568A24AAF225842F7C8128E98F70A | |||
2568 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex | text | |
MD5:F3B25701FE362EC84616A93A45CE9998 | SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 |