File name: | bb308bf53944e0c7c74695095169363d1323fe9ce6c6117feda2ee429ebf530d |
Full analysis: | https://app.any.run/tasks/9cb140f2-fc03-4ed7-9a81-2e68beeb35fd |
Verdict: | Malicious activity |
Analysis date: | December 18, 2018, 09:16:32 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Author: Administrator, Template: Normal, Last Saved By: Administrator, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Jun 29 10:09:00 2018, Last Saved Time/Date: Fri Jun 29 10:09:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
MD5: | B2DDD1A228DB47234DAD1FB164573D82 |
SHA1: | 7FD8631AB719ECA44457630014674A95BC431B91 |
SHA256: | BB308BF53944E0C7C74695095169363D1323FE9CE6C6117FEDA2EE429EBF530D |
SSDEEP: | 1536:gllXyBkWd88+a9gNkLv3rS8O/GegW+RjWJHfsvK/HB1ijTHQQJi:gPXadym3rvOZ1/xyIHBWTHpJi |
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
CompObjUserTypeLen: | 32 |
XfhvqAdWA: | TW5BUGRKcnFPdEhmeDF1Q3dLQnNDZXJxWURzZlBFb1JpS3FGSnpkTGM= |
CodePage: | Windows Latin 1 (Western European) |
HeadingPairs: | |
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 1 |
Paragraphs: | 1 |
Lines: | 1 |
Bytes: | 11000 |
Company: | - |
Security: | None |
Characters: | 1 |
Words: | - |
Pages: | 1 |
ModifyDate: | 2018:06:29 09:09:00 |
CreateDate: | 2018:06:29 09:09:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | Administrator |
Template: | Normal |
Comments: | - |
Keywords: | - |
Author: | Administrator |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2956 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\bb308bf53944e0c7c74695095169363d1323fe9ce6c6117feda2ee429ebf530d.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR68EC.tmp.cvr | — | — | — |
2956 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@gyazo[1].txt | — | — | — |
2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{A47FAE18-C2BF-41B7-9786-46675D236814} | — | — | — |
2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{CCC9656E-99F9-4670-A603-73167CD119E8} | — | — | — |
2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | A53D5214BB13839A7AB282E6AF4FD7C7 | 96D72E6B33E12028453DC085C1AC2DB65A5FFB96B7A82682DD0CBE2BCCECA852 |
2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | 0367FABD57BDEAED9EA8B49F80A225DB | EA72C32049F1AE4188DDC0E8B5CF4227EC0C38239B5458400340883B804B21B4 |
2956 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@gyazo[2].txt | text | 38BCF570F06D401E620E45F75CEA0F00 | B4A65D439DBA0289B3327C936AB301AD66E77C099DA572E78B21F483638FD75E |
2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{6BD839D8-BDBC-46B7-AC80-E9E24DB87FB5}.FSD | binary | 7EECC408FA198F25CB4A651A350D9B89 | 6EB2343C7BA5A35E72ED8CF0FC0D552F722D02ADBE91AB09C5D7E9BA7DC13436 |
2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary | DFDB67C6CBADBA6669E675F1DD7F7E88 | E2E961C1D2BDD42CDA9DC4CC12D9A29EF15B21DFE385B84D4FECCC8DA61DB79F |
2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$308bf53944e0c7c74695095169363d1323fe9ce6c6117feda2ee429ebf530d.doc | pgc | 997FB107DF4E8D03C5E003C1B32C149D | 6FD93EBFE18601F1A1271B5E171A24752F3AE6DBBE5FEE3DC91D1956232B32A7 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2956 | WINWORD.EXE | 104.19.143.111:443 | i.gyazo.com | Cloudflare Inc | US | shared |
2956 | WINWORD.EXE | 104.19.142.111:443 | i.gyazo.com | Cloudflare Inc | US | shared |
2956 | WINWORD.EXE | 74.119.239.234:443 | dkb-agbs.com | PDR | US | malicious |
Domain | IP | Reputation |
---|---|---|
i.gyazo.com | | whitelisted |
dns.msftncsi.com | | shared |
dkb-agbs.com | | malicious |