File name: | Project Proposal N20180632.doc |
Full analysis: | https://app.any.run/tasks/60fcbae0-39b2-4316-a7cc-a65a57bfbb41 |
Verdict: | Malicious activity |
Analysis date: | April 25, 2019, 14:10:03 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, unknown version |
MD5: | 8083C5750FC4033C521EEB011EB1CAEA |
SHA1: | 5971995BBC3B47641E4A5394FBCFA82F54D85D01 |
SHA256: | C962ED96B437172682ABF6608E20534346D52E2A7F3EEF61FC56D286FF5DCC1C |
SSDEEP: | 1536:8ZQjbZtT3eB+0KAHelWxWNj6NisKBNjRl/zBbBFGxhQtUXOYEYoSJscW6hN9g8Qe:2QjbZtT3o+D7RNzB1MTsSJsQhN9g8Qe |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2520 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Project Proposal N20180632.doc.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2520 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR641B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2520 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9AF68221-FB8F-46A5-B9CB-64654666E807}.tmp | — | |
MD5:— | SHA256:— | |||
2520 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{300BFEF4-91C6-4A9A-99CC-F2C5430229BB}.tmp | — | |
MD5:— | SHA256:— | |||
2520 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{70C157DD-E8A6-4CB5-BC8E-F2A248FF0655}.tmp | — | |
MD5:— | SHA256:— | |||
2520 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\htaebukamadu[1].hta | html | |
MD5:6D708A739429BF918A413643DACA59DC | SHA256:8A013EC8D4AD1C1960C1525625F0A8D2F937B9C6DE3C5005586578DF01A41B2A | |||
2520 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:03F75A861CC10AD1C3318BEB891B725B | SHA256:7EBE4AE513B230A4E93B55D5C5B1A8281E935A6A42B38FA33B58EA5B73980E58 | |||
2520 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\js3[1].js | text | |
MD5:DB3CACFB57BA35D3FCFDBBCF7D46BD42 | SHA256:A606134E35DB97024D04789609660C94F87F660DC259D91DB5180E32787D4DAD | |||
2520 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$oject Proposal N20180632.doc.rtf | pgc | |
MD5:A7206510B9E5442F2E93C88EC16783C1 | SHA256:82A167955D7E0AC176AC42CC7DA4576452CFC9566484866DB423A18102A39C31 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2520 | WINWORD.EXE | GET | 200 | 185.53.179.29:80 | http://parkingcrew.net/assets/scripts/js3.js | DE | text | 17.5 Kb | whitelisted |
2520 | WINWORD.EXE | GET | 200 | 185.53.179.29:80 | http://dhm-mhn.com/sunday/htaebukamadu.hta | DE | html | 913 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2520 | WINWORD.EXE | 185.53.179.29:80 | dhm-mhn.com | Team Internet AG | DE | malicious |
Domain | IP | Reputation |
---|---|---|
dhm-mhn.com |
| malicious |
parkingcrew.net |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2520 | WINWORD.EXE | Potentially Bad Traffic | ET POLICY Possible HTA Application Download |
2520 | WINWORD.EXE | Attempted User Privilege Gain | ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl |