| Field | Value |
|---|---|
| File name | Payment_swift.doc |
| Full analysis | https://app.any.run/tasks/c9cf2e7c-6b55-46ca-99b9-2a1433b3c6db |
| Verdict | Malicious activity |
| Analysis date | December 14, 2018, 12:36:12 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | - |
| MIME | application/msword |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: admin, Template: Normal, Last Saved By: Socrate, Revision Number: 15, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:00, Create Time/Date: Tue Oct 17 02:08:00 2017, Last Saved Time/Date: Wed Dec 12 20:37:00 2018, Number of Pages: 1, Number of Words: 30, Number of Characters: 174, Security: 0 |
| MD5 | FCF20400043EE085FBF863E19775B840 |
| SHA1 | 79989FC8ECADA702045F361297ABD08BAA4A6574 |
| SHA256 | E1CFA20350FF84C53C409284F2EAEF0F0E1D608428A51FA01AB87BF972ADA46A |
| SSDEEP | 6144:RFuzooD7pXHfGkDQcl7WRjK3iM6XcOAkQV6:iTD7V/9kcAjK16XcO1a |
| Extension | Identified type | Score |
|---|---|---|
| .doc | Microsoft Word document | 54.2 |
| .doc | Microsoft Word document (old ver.) | 32.2 |
| Field | Value |
|---|---|
| Title | - |
| Subject | - |
| Author | admin |
| Keywords | - |
| Template | Normal |
| LastModifiedBy | Socrate |
| RevisionNumber | 15 |
| Software | Microsoft Office Word |
| TotalEditTime | 3.0 minutes |
| CreateDate | 2017:10:17 01:08:00 |
| ModifyDate | 2018:12:12 20:37:00 |
| Pages | 1 |
| Words | 30 |
| Characters | 174 |
| Security | None |
| CodePage | Windows Latin 1 (Western European) |
| Company | - |
| Lines | 1 |
| Paragraphs | 1 |
| CharCountWithSpaces | 203 |
| AppVersion | 14 |
| ScaleCrop | No |
| LinksUpToDate | No |
| SharedDoc | No |
| HyperlinksChanged | No |
| TitleOfParts | - |
| HeadingPairs | - |
| CompObjUserTypeLen | 32 |
| CompObjUserType | Microsoft Word 97-2003 Document |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2936 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Payment_swift.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | - | explorer.exe |

User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2936 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA78E.tmp.cvr | - | - | - |
| 2936 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$yment_swift.doc | pgc | E0674D5AC904B962A44CFD27B7C946A2 | 0F9CB53E7468C77E72111FD328059FA911A189F5A9B3C5301BB3BD250D3FA7EB |
| 2936 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 56F575D05EFBC1E63C4B06BCAF85D9D0 | C42BCF6A7CD825244C49BE138F201E3FCE18ED84BC2D29A091B48AA13B4147B1 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2936 | WINWORD.EXE | GET | 403 | 145.14.144.75:80 | http://shielding-push.000webhostapp.com/uploads/inv.exe | US | html | 3.00 Kb | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2936 | WINWORD.EXE | 145.14.144.75:80 | shielding-push.000webhostapp.com | Hostinger International Limited | US | shared |
| Domain | IP | Reputation |
|---|---|---|
| shielding-push.000webhostapp.com | - | shared |
PID | Process | Class | Message |
---|---|---|---|
— | — | Not Suspicious Traffic | ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup) |
2936 | WINWORD.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
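The two Suricata alerts above, together with the process and HTTP rows, are enough to build a triage check of your own. The Python below is an added example, not ANY.RUN's or Emerging Threats' code: it re-implements an approximation of the two ET checks (a free-hosting domain in a DNS lookup; a short alphanumeric .exe name in a GET) and adds one correlation this report implies but does not alert on, WINWORD.EXE requesting an executable. The tab-separated event format, the chrome.exe control row, example.com and the EXCEL.EXE/POWERPNT.EXE entries are constructed assumptions; the two WINWORD.EXE rows mirror this report. Note that the 403 means the sandbox never received inv.exe, so the verdict rests on the document's behaviour, not on a captured payload; the added heuristic fires on the request regardless of the status code for that reason.

```python
"""Triage of sandbox DNS/HTTP events against the two ET-style checks seen in this
report plus an added 'office process fetched an executable' correlation."""
import re
from urllib.parse import urlparse

# Suffix covered by the ET INFO free-hosting alert on this page. Only the suffix
# the report actually matched is listed; extend with others as needed.
FREE_HOSTING_SUFFIXES = (".000webhostapp.com",)

# Office binaries whose outbound executable downloads deserve attention.
# WINWORD.EXE comes from the report; EXCEL.EXE and POWERPNT.EXE are assumptions.
OFFICE_PROCESSES = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}

# Approximation of the "terse alphanumeric executable" pattern: a file name of
# one to five lowercase letters/digits followed by ".exe". Not the ET rule's PCRE.
TERSE_EXE = re.compile(r"^[a-z0-9]{1,5}\.exe$")

# Constructed sample events (pid, process, kind, value), tab-separated. The two
# WINWORD.EXE rows mirror this report; the chrome.exe row is a made-up benign control.
SAMPLE_EVENTS = """\
2936\tWINWORD.EXE\tdns\tshielding-push.000webhostapp.com
2936\tWINWORD.EXE\thttp\tGET 403 http://shielding-push.000webhostapp.com/uploads/inv.exe
1544\tchrome.exe\thttp\tGET 200 http://example.com/downloads/installer-setup-2.1.0.exe
"""


def is_free_hosting(domain: str) -> bool:
    """True if the domain sits under one of the free-hosting suffixes."""
    d = domain.lower().rstrip(".")
    return any(d.endswith(suffix) for suffix in FREE_HOSTING_SUFFIXES)


def is_terse_exe_download(url: str) -> bool:
    """True if the URL path ends in a short alphanumeric .exe name, e.g. /uploads/inv.exe."""
    name = urlparse(url).path.rsplit("/", 1)[-1]
    return bool(TERSE_EXE.match(name.lower()))


def parse_events(text: str) -> list:
    """Parse the constructed tab-separated event lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, proc, kind, value = line.split("\t", 3)
        ev = {"pid": int(pid), "process": proc, "kind": kind}
        if kind == "http":
            method, code, url = value.split(" ", 2)
            ev.update(method=method, status=int(code), url=url,
                      domain=urlparse(url).hostname or "")
        else:
            ev["domain"] = value
        events.append(ev)
    return events


def triage(text: str) -> list:
    """Return (pid, process, class, message) findings, mirroring the report's threat columns."""
    findings = []
    for ev in parse_events(text):
        # ET INFO fires on the DNS lookup, so only check dns events for this one.
        if ev["kind"] == "dns" and is_free_hosting(ev["domain"]):
            findings.append((ev["pid"], ev["process"], "Not Suspicious Traffic",
                             f"free hosting domain in DNS lookup: {ev['domain']}"))
        if ev["kind"] != "http":
            continue
        if is_terse_exe_download(ev["url"]):
            findings.append((ev["pid"], ev["process"], "Potentially Bad Traffic",
                             f"terse alphanumeric executable download: {ev['url']}"))
        # Added heuristic (not an ET rule): a document viewer has no business
        # fetching executables. It fires on the request even when the server
        # answered 403, as it did in this report.
        if ev["process"].upper() in OFFICE_PROCESSES and ev["url"].lower().endswith(".exe"):
            findings.append((ev["pid"], ev["process"], "Added heuristic",
                             f"office process requested an executable (HTTP {ev['status']})"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

Run stand-alone, it prints one line per finding in the same PID | Process | Class | Message layout as the threats table: three hits for PID 2936 and none for the chrome.exe control row, whose long hyphenated installer name does not match the terse pattern.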