| Field | Value |
|---|---|
| download | Swift_message585444090987.doc |
| Full analysis | https://app.any.run/tasks/749d9c9c-80a4-4c36-ba5d-ef9c4057fbf5 |
| Verdict | Malicious activity |
| Analysis date | November 15, 2018, 12:32:34 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | text/rtf |
| File info | Rich Text Format data, unknown version |
| MD5 | 5FFD34C6C494525BA72874E419FC5C62 |
| SHA1 | 59F5BB0C023AD51BB193643BB8052A3CFE216072 |
| SHA256 | EBB20C4AE442066187E21D4079DFE13E511C79A242F0F4B80753FD37E3E3A5DF |
| SSDEEP | 1536:HrJAsqP0F3FeE/0P/0X/0P/0E/0P/0u/0P/07/0P/0R/0P/0v/0P/01m:H2wqU8UZUHUwUyU0Us |
| .rtf | Rich Text Format (100) |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2996 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Swift_message585444090987.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | | explorer.exe |

User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2996 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR87B3.tmp.cvr | — | — | — |
| 2996 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$ift_message585444090987.doc | pgc | A91CCA3003085B28E00457575A7DC2AA | 6E1298B54066059B8421FA7248DD6809446048099CF1FD34633E2ADA1759A7A5 |
| 2996 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 467B3D8E36F8B6FD3F28DBB2ED38891D | B9AD11D36AF4D45BB05489D1444AF80BF1BD08E3BD0589FE9B1E2862AF380B0B |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2996 | WINWORD.EXE | 185.83.214.16:443 | a.doko.moe | — | PT | suspicious |

| Domain | IP | Reputation |
|---|---|---|
| a.doko.moe | | unknown |