Field | Value
---|---
File name | feb23f4828b5c9eb3739ba55cf156dc4
Full analysis | https://app.any.run/tasks/84d1d4f3-23a7-4c6d-b7d7-ede9ba2973f1
Verdict | Malicious activity
Analysis date | July 18, 2019, 06:28:15
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info | Microsoft Word 2007+
MD5 | FEB23F4828B5C9EB3739BA55CF156DC4
SHA1 | 5C14EAEAB42EECCE207878B52C92CEE4357D111B
SHA256 | B72D00138AAA5DBA6FC84CEC44B3023FC85F02EC277658677D52C2D193935479
SSDEEP | 384:X6ma3WcA09CldDaBcUj2JZChvEngqwUgLj54AuZboXTjnQcEGVM:qmUXsmOUj+Z6Eng4gLF3utojj7M

Extension | Identification (score)
---|---
.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

Field | Value
---|---
ZipRequiredVersion | 20
ZipBitFlag | 0x0006
ZipCompression | Deflated
ZipModifyDate | 1980:01:01 00:00:00
ZipCRC | 0x2c2fab17
ZipCompressedSize | 350
ZipUncompressedSize | 1364
ZipFileName | [Content_Types].xml

Field | Value
---|---
Template | template.dotx
TotalEditTime | -
Pages | 1
Words | -
Characters | 2
Application | Microsoft Office Word
DocSecurity | None
Lines | 1
Paragraphs | 1
ScaleCrop | No
HeadingPairs | 
TitlesOfParts | -
Company | -
LinksUpToDate | No
CharactersWithSpaces | 2
SharedDoc | No
HyperlinksChanged | No
AppVersion | 15
Keywords | -
LastModifiedBy | Richard
RevisionNumber | 2
CreateDate | 2019:07:12 18:57:00Z
ModifyDate | 2019:07:12 18:57:00Z
Title | -
Subject | -
Creator | user
Description | -

PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2880 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\feb23f4828b5c9eb3739ba55cf156dc4.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | | explorer.exe

Process 2880 details: User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD011.tmp.cvr | — | — | —
2880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{25241DAC-5C89-41BB-9C5B-B8D82879B480} | — | — | —
2880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{0F0491F8-238B-4B39-8E6F-89A9CAE414B4} | — | — | —
2880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary | F1291B4754FFD2B976817D64A3C60F9F | 925EA318C3EC24FFA4E227031381C3C7788C8AB1B3547E437DD2CAD88380AB50
2880 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | B4C9D5F298402DA0CB521B8A3725A8D8 | 5812F856B8EA0C00F370A2FE430BC3F21E65C8FB196F6A230854E39E0153E266
2880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{9CA59EFB-7883-478D-8E2E-EEF6D7792387}.FSD | binary | DF1B22CAA71D3AE26BABAC9D0FFED7EB | 3F3C81E6B31179D510957E2596971F3329BC48162E282809A29F682137DDFE33
2880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | 23C942BB3EF6248592B63D7712DEE59D | 7E9D78555D0405D97F6E4B9F04F2C1BEAFB07A0CDEE069BC7BC2E31417FC8F39
2880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary | 40344D99464B783C6FEC24F9DFAA972F | 95FAE1C61F7CDE742F2200099A32E2A05611583C3B0F2B048A09FDF265B99AF5
2880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$b23f4828b5c9eb3739ba55cf156dc4.docx | pgc | 1AB9DA93641A9B52999D8BC69508A0B6 | 8CAB9C9A0391BFD4350B3B8F7BACC36220649B36A407A2E904C7EC669A716404
2880 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{0EFCA890-0879-4EAA-BEC5-BDC1198B0AA7}.FSD | binary | 1E5CA2ECF89EE16B31E4EADF01234C02 | 003C38CC4A422597D0A89A8C0E0C4168CC8D1613D3EB622FB980DFD0D49610C6

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
— | — | GET | 302 | 213.186.33.5:80 | http://masters-lille.com/wp-includes/js/crop/dir/updating.doc | FR | html | 154 b | malicious
2880 | WINWORD.EXE | OPTIONS | 302 | 213.186.33.5:80 | http://masters-lille.com/wp-includes/js/crop/dir/ | FR | html | 154 b | malicious

PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
— | — | 213.186.33.5:80 | masters-lille.com | OVH SAS | FR | malicious
2880 | WINWORD.EXE | 213.186.33.5:80 | masters-lille.com | OVH SAS | FR | malicious

Domain | IP | Reputation
---|---|---
masters-lille.com | | malicious
dns.msftncsi.com | | shared