Field | Value
---|---
File name | Info_Project_BSV_2019.docm
Full analysis | https://app.any.run/tasks/0ee0ed0e-4c89-49fc-b673-6b1a6ad49d23
Verdict | Malicious activity
Analysis date | July 17, 2019, 22:25:07
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info | Microsoft Word 2007+
MD5 | 868A06468B0EB6D5E9777681A0CB2AFE
SHA1 | 2551E34C72E928F615AEBA3B7C2A099B3ADCB84E
SHA256 | E824650B66C5CDD8C71983F4C4FC0E1AC55CD04809D562F3B6B4790A28521486
SSDEEP | 384:KS9ASfotpAEi8F1c2OfzHt/PRbeRGNr1aBVJmDm1nTfuUQ:pAtplFDfOdBe4YBZtQ
Extension | Identified type | Score
---|---|---
.docm | Word Microsoft Office Open XML Format document (with Macro) | 53.6
.docx | Word Microsoft Office Open XML Format document | 24.2
.zip | Open Packaging Conventions container | 18
.zip | ZIP compressed archive | 4.1
Field | Value
---|---
ZipRequiredVersion | 20
ZipBitFlag | 0x0006
ZipCompression | Deflated
ZipModifyDate | 1980:01:01 00:00:00
ZipCRC | 0xfc7b9e79
ZipCompressedSize | 453
ZipUncompressedSize | 2485
ZipFileName | [Content_Types].xml
Field | Value
---|---
Template | Normal
TotalEditTime | -
Pages | 1
Words | 5
Characters | 31
Application | Microsoft Office Word
DocSecurity | None
Lines | 1
Paragraphs | 1
ScaleCrop | No
HeadingPairs | 
TitlesOfParts | -
Company | -
LinksUpToDate | No
CharactersWithSpaces | 35
SharedDoc | No
HyperlinksChanged | No
AppVersion | 16
Keywords | -
LastModifiedBy | -
RevisionNumber | 1
CreateDate | 2019:06:17 07:54:00Z
ModifyDate | 2019:06:17 07:54:00Z
Title | -
Subject | -
Creator | -
Description | -
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2988 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Info_Project_BSV_2019.docm" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe
2812 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | WINWORD.EXE

PID | User | Company | Integrity Level | Description | Version | Exit code
---|---|---|---|---|---|---
2988 | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 14.0.6024.1000 | 
2812 | admin | Microsoft Corporation | MEDIUM | NTVDM.EXE | 6.1.7600.16385 (win7_rtm.090713-1255) | 3221225477
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2988 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRACCA.tmp.cvr | — | — | —
2988 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\2hq68vxr3f[1].exe | — | — | —
2812 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scsBE10.tmp | — | — | —
2812 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scsBE21.tmp | — | — | —
2988 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$fo_Project_BSV_2019.docm | pgc | 11F6838AFFDA4EFDE64E85B037735395 | 57DE0AD63615AD2BC728700E17EFE3907789D3405E7845A9624DC382D6922E40
2988 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\LooCipher.exe | html | B4BB521DA5DA4BDAD062E0792ECEC68C | 1A8E042E2BFCA9B8EC51B7281B844334B31994FC4BBB02FD97E6AB8DA355CE30
2988 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | F2DE1431816F1A887F11E37F0E5B78C1 | AC75C28502BA69F35891655C9ADFC2B4C73730F00CE0F6C22519E9B5B48762BD
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
2988 | WINWORD.EXE | GET | 200 | 198.251.80.48:80 | http://hcwyo5rfapkytajg.onion.pet/2hq68vxr3f.exe | US | html | 2.59 Kb | malicious
PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
2988 | WINWORD.EXE | 198.251.80.48:80 | hcwyo5rfapkytajg.onion.pet | FranTech Solutions | US | malicious
Domain | IP | Reputation
---|---|---
hcwyo5rfapkytajg.onion.pet | | malicious
PID | Process | Class | Message
---|---|---|---
— | — | Potential Corporate Privacy Violation | ET POLICY DNS Query to .onion proxy domain (onion .pet)
2988 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016
2988 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Possible Malicious Macro EXE DL AlphaNumL