File name: | Freebitcoin[SCRIPT].docx |
Full analysis: | https://app.any.run/tasks/ddb759bd-be13-42f2-9888-288d228ef930 |
Verdict: | Malicious activity |
Analysis date: | January 22, 2019, 17:24:40 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 933BFE1E53B4C037A2F4C64DB6BB6620 |
SHA1: | BD704A66C15A6A0EA9A9F9E6F1D9A41271AD2EC1 |
SHA256: | E08007E44FC25659F2FEA4B942EAA2E00E5E7F4482FDE198C8578F8CD4424E31 |
SSDEEP: | 1536:fIeqlO63yV0xdR3xyBJVYfRGs7oTeYRTIz0Dx0DgGKOZ0DC:+ |
.docx | | | Word Microsoft Office Open XML Format document (52.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (38.8) |
.zip | | | ZIP compressed archive (8.8) |
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | None |
ZipModifyDate: | 2018:12:21 18:53:16 |
ZipCRC: | 0x6cd2a4df |
ZipCompressedSize: | 1312 |
ZipUncompressedSize: | 1312 |
ZipFileName: | [Content_Types].xml |
Template: | Normal.dotm |
---|---|
TotalEditTime: | - |
Pages: | 1 |
Words: | - |
Characters: | - |
Application: | Microsoft Office Word |
DocSecurity: | None |
Lines: | - |
Paragraphs: | - |
ScaleCrop: | No |
Company: | - |
LinksUpToDate: | No |
CharactersWithSpaces: | - |
SharedDoc: | No |
HyperlinksChanged: | No |
AppVersion: | 16 |
Keywords: | - |
LastModifiedBy: | - |
RevisionNumber: | 1 |
CreateDate: | 2017:10:27 22:24:00Z |
ModifyDate: | 2017:10:27 22:24:00Z |
Title: | - |
---|---|
Subject: | - |
Creator: | - |
Description: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2848 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Freebitcoin[SCRIPT].docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8860.tmp.cvr | — | — | — |
2848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{AA7554B8-C604-4CE4-B6C6-A95519033270} | — | — | — |
2848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{ACF9EFE7-AE45-421C-81FA-03FDA88D2294} | — | — | — |
2848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{10075691-43A0-460A-8DDD-3633954E2A28}.FSD | binary | 355C07ABC6AB8F9716F0D3B8C272A78F | A66AE3AE4D1DF9C49975523D92092BE27E5AC9828DD0EF082BDA2520070C8B10 |
2848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\Word[1].docx | document | 3A66297D4CEB43EBDB4ABCFE3B3B5986 | D4C6689BF7B85AC02DD8DCF6E6C7DE4FB9881366D408D5C68898C45E40874364 |
2848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF | binary | C73ACA7E5291BBFABA8BB651859B10BD | A06B069D6FA040BC5BB7827779845B49614A668D356658FC2E1A74922334FE78 |
2848 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | BCA7725C8CB9C8D63EC166E879124B21 | 05E75A6D04CEFC391DEAF88AFF57A37ECFC5F3AF4F711DC7518EB32A07640D73 |
2848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary | F8678751193CF4429107DFACA81A0074 | 1EC9A0E7A3AE2327B35705A21F142B2B922A8D9C3BC5F320AFE6BB1997B7DF66 |
2848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$eebitcoin[SCRIPT].docx | pgc | 243DD17FC7CCF7E6FC6608397C1BC31A | 7CF44B24CDC2E79843828A208606CFE49A76F6E4882B533ED738482CD9CA7E6F |
2848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary | 75D0EEEB37A31C2EDCA8086E17BB21C8 | A5C6CA8CD13D447CC7207F743290648E78EC4A04D6D6C315555D6E19C07749B9 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2848 | WINWORD.EXE | GET | 200 | 145.14.145.158:80 | http://anticholinergic-num.000webhostapp.com/Word.docx | US | document | 52.9 Kb | shared |
2848 | WINWORD.EXE | HEAD | 200 | 145.14.145.158:80 | http://anticholinergic-num.000webhostapp.com/Word.docx | US | document | 52.9 Kb | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2848 | WINWORD.EXE | 88.99.66.31:443 | iplogger.org | Hetzner Online GmbH | DE | malicious |
2848 | WINWORD.EXE | 213.180.204.221:443 | clck.ru | YANDEX LLC | RU | suspicious |
2848 | WINWORD.EXE | 93.158.134.232:443 | sba.yandex.net | YANDEX LLC | RU | whitelisted |
976 | svchost.exe | 213.180.204.221:443 | clck.ru | YANDEX LLC | RU | suspicious |
2848 | WINWORD.EXE | 145.14.145.158:80 | anticholinergic-num.000webhostapp.com | Hostinger International Limited | US | shared |
Domain | IP | Reputation |
---|---|---|
clck.ru | | whitelisted |
sba.yandex.net | | whitelisted |
iplogger.org | | shared |
anticholinergic-num.000webhostapp.com | | shared |
PID | Process | Class | Message |
---|---|---|---|
— | — | Not Suspicious Traffic | ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup) |