File name: | albania.doc |
Full analysis: | https://app.any.run/tasks/47297f37-e243-4ff0-9182-395e3ccedf34 |
Verdict: | Malicious activity |
Analysis date: | May 24, 2019, 12:22:32 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | C9E0C9C97395E3F9DC6D73B8EBAFBB03 |
SHA1: | 51147BC57ABDFB5324743325D0372370B50B0016 |
SHA256: | BA0167A2FE5C9ABEC7FC9AA925CA1BDC3EBA62E8D403C9DF203777DA1BAB73B4 |
SSDEEP: | 12288:LnXkAnimJ8YqB6mFiS0+7wdLU/5Py3YohmXgJ8tOQJvJPhmSQFwy:bXkAnZdXaf0+7wd4VLWmXu8AQJTmky |
.docx | | | Word Microsoft Office Open XML Format document (52.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (38.8) |
.zip | | | ZIP compressed archive (8.8) |
AppVersion: | 15 |
---|---|
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 20 |
LinksUpToDate: | No |
Company: | - |
ScaleCrop: | No |
Paragraphs: | 1 |
Lines: | 1 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 18 |
Words: | 3 |
Pages: | 1 |
TotalEditTime: | - |
Template: | Normal |
ModifyDate: | 2019:05:23 22:16:00Z |
CreateDate: | 2019:05:23 22:16:00Z |
RevisionNumber: | 1 |
LastModifiedBy: | AlbPentesting |
Keywords: | - |
Description: | - |
---|---|
Creator: | AlbPentesting |
Subject: | - |
Title: | - |
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 1460 |
ZipCompressedSize: | 373 |
ZipCRC: | 0x24886c04 |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3948 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\albania.doc.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3404 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3096 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2576 | "C:\Windows\system32\ntvdm.exe" | C:\Windows\system32\ntvdm.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR4019.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3404 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs4247.tmp | — | |
MD5:— | SHA256:— | |||
3404 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs4248.tmp | — | |
MD5:— | SHA256:— | |||
2576 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scsA816.tmp | — | |
MD5:— | SHA256:— | |||
2576 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scsA826.tmp | — | |
MD5:— | SHA256:— | |||
3948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$bania.doc.docx | pgc | |
MD5:2300128F571CD2C041EF1DE8E0E50AC5 | SHA256:9377FD56C340B18A820D9F926039E5091A53411B4A1090A2374CB5C438E6C788 | |||
3948 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:FC364354350804BC97FCC9AEF07F32AD | SHA256:92F1088DD2889EF5A10207CF69EE4CBB09EE8339CF991F0014322B6A82C5C463 | |||
3948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\putty.exe | executable | |
MD5:7E13B2D92D7490B8B3A1F10EDFE2F410 | SHA256:4156606E2E003B2A3B3A4998B26C218AF8EF30731EE4F5390419BC5B3B0E8ACF | |||
3948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F5788859.emf | emf | |
MD5:7C3F3BE11985B7F2A70E45B5E1801380 | SHA256:699BC1E6B812DAF3AC35A61B4675D795253EB40E1EF7B304A7AA6A4411D0EA3E | |||
3948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\putty (2).exe | executable | |
MD5:7E13B2D92D7490B8B3A1F10EDFE2F410 | SHA256:4156606E2E003B2A3B3A4998B26C218AF8EF30731EE4F5390419BC5B3B0E8ACF |