File name: | info_11_08.doc |
Full analysis: | https://app.any.run/tasks/8bb73e0f-ddd6-40cd-b40e-c9a5054cbf7d |
Verdict: | Malicious activity |
Analysis date: | November 08, 2019, 15:47:27 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Title: Auto Formatter v1.2, Subject: Payslip auto formatter, Author: WAREHOUSECOMP1, Comments: Reference #3466, Template: Normal, Last Saved By: Windows, Revision Number: 7, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Tue Aug 6 10:17:00 2019, Last Saved Time/Date: Fri Nov 8 09:36:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0 |
MD5: | D4367830B0B1EC1AFA90BBC68929173E |
SHA1: | 161C049360C300CEFD5DE40CF140331D9C60132C |
SHA256: | C3CE91767FA1A8D88AC3B98378FC92A854D6690C5981D9D47A6666668D79C82B |
SSDEEP: | 3072:uwIx16RX/0tq4Z/ZeRcMt/jmddUFdonaUPQ69L5hYaS2tfRQ+:ZIx18MtJZeR6dUFdoaUPph7S2tfRQ+ |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: |
|
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 1 |
Paragraphs: | 1 |
Lines: | 1 |
Bytes: | 27648 |
Company: | EasyLease LLC |
Manager: | Keon Weissnat |
CodePage: | Windows Cyrillic |
Security: | None |
Characters: | 1 |
Words: | - |
Pages: | 1 |
ModifyDate: | 2019:11:08 09:36:00 |
CreateDate: | 2019:08:06 09:17:00 |
TotalEditTime: | 1.0 minutes |
Software: | Microsoft Office Word |
RevisionNumber: | 7 |
LastModifiedBy: | Пользователь Windows |
Template: | Normal |
Comments: | Reference #3466 |
Keywords: | - |
Author: | WAREHOUSECOMP1 |
Subject: | Payslip auto formatter |
Title: | Auto Formatter v1.2 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
932 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\info_11_08.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2608 | "C:\Windows\System32\WScript.exe" "C:\Windows\Temp\eekinltaor.js" | C:\Windows\System32\WScript.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 |
PID | Process | Filename | Type | |
---|---|---|---|---|
932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA850.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2608 | WScript.exe | C:\Users\admin\AppData\Local\Temp\CabD82.tmp | — | |
MD5:— | SHA256:— | |||
2608 | WScript.exe | C:\Users\admin\AppData\Local\Temp\TarD83.tmp | — | |
MD5:— | SHA256:— | |||
2608 | WScript.exe | C:\Users\admin\AppData\Local\Temp\CabD84.tmp | — | |
MD5:— | SHA256:— | |||
2608 | WScript.exe | C:\Users\admin\AppData\Local\Temp\TarD95.tmp | — | |
MD5:— | SHA256:— | |||
2608 | WScript.exe | C:\Users\admin\AppData\Local\Temp\Cab1C2C.tmp | — | |
MD5:— | SHA256:— | |||
2608 | WScript.exe | C:\Users\admin\AppData\Local\Temp\Tar1C2D.tmp | — | |
MD5:— | SHA256:— | |||
932 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:D3E45E9E34C71A48C10FD945E9620BAF | SHA256:6CC7603DD408465CD9F4E0ED479443E49C34BDBCC43DE9FD1A9A1A1B8185537F | |||
932 | WINWORD.EXE | C:\Windows\Temp\eekinltaor.js | text | |
MD5:D596D1CB1DAA288119CBDD4B2C5D05DC | SHA256:614F21D485737B18C9ED703AE47C9BDE3115E3AC4CC9A6BEC46F2DB378DCF484 | |||
932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:CB0EBE4A947CF333DA5D3158CE876C90 | SHA256:22937D5BD6841A606FC8494B164CED9765561AE0F212C239197827B62061BE1E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2608 | WScript.exe | GET | 404 | 185.20.185.84:80 | http://ooroollino.com/zepoli/ironak.php?l=slalel3.cab | NL | — | — | suspicious |
2608 | WScript.exe | GET | 200 | 205.185.216.42:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 57.4 Kb | whitelisted |
2608 | WScript.exe | GET | 200 | 205.185.216.42:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/F9B5B632455F9CBEEC575F80DCE96E2CC7B278B7.crt | US | der | 848 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2608 | WScript.exe | 184.30.217.76:443 | www.trendmicro.com | Akamai International B.V. | NL | unknown |
2608 | WScript.exe | 205.185.216.42:80 | www.download.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted |
2608 | WScript.exe | 104.109.84.249:443 | docs.microsoft.com | Akamai International B.V. | NL | whitelisted |
2608 | WScript.exe | 185.20.185.84:80 | ooroollino.com | Serverius Holding B.V. | NL | suspicious |
Domain | IP | Reputation |
---|---|---|
docs.microsoft.com |
| whitelisted |
www.trendmicro.com |
| whitelisted |
www.download.windowsupdate.com |
| whitelisted |
ooroollino.com |
| suspicious |