File name: | INV, PL & BL.docx |
Full analysis: | https://app.any.run/tasks/1189c6fb-9d4f-4984-9632-f47d17a345fe |
Verdict: | Malicious activity |
Analysis date: | May 20, 2019, 14:19:42 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | 278439D93469A5F6FD46D40ADE3A0FA0 |
SHA1: | CBBAD75204CD91C39C7A14133A2C4D8488C18FDB |
SHA256: | F413E0B13F811B244E55A5E1AF550E51E3CA9736A92DC04EEC9D3F191BD6EF4C |
SSDEEP: | 192:7CxP6UKLb+9yMtWN3b0mqQTnhr5OxQT1QkP55NObFTB8GoA6aPkWLmr:7CxiUiuyMti3dLOxQT1QkDNEdb1mr |
.docx | | | Word Microsoft Office Open XML Format document (52.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (38.8) |
.zip | | | ZIP compressed archive (8.8) |
Creator: | Microsoft |
---|
ModifyDate: | 2017:09:24 17:27:00Z |
---|---|
CreateDate: | 2017:09:24 17:26:00Z |
RevisionNumber: | 1 |
LastModifiedBy: | Microsoft |
AppVersion: | 14 |
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | 7 |
LinksUpToDate: | No |
Company: | SPecialiST RePack |
TitlesOfParts: | - |
HeadingPairs: |
|
ScaleCrop: | No |
Paragraphs: | 1 |
Lines: | 1 |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | 7 |
Words: | 1 |
Pages: | 1 |
TotalEditTime: | 1 minute |
Template: | dotm.dotm |
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 1422 |
ZipCompressedSize: | 358 |
ZipCRC: | 0x82872409 |
ZipModifyDate: | 2019:05:20 00:49:06 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0002 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2464 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\INV, PL & BL.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2356 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3044 | "C:\Users\admin\AppData\Roaming\smiley.exe" | C:\Users\admin\AppData\Roaming\smiley.exe | EQNEDT32.EXE | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
2464 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3F6D.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2464 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{79F5F166-D795-4C92-B6CC-EFCD88C718B2} | — | |
MD5:— | SHA256:— | |||
2464 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{E50BC193-61E3-4342-A946-124917757C8E} | — | |
MD5:— | SHA256:— | |||
2464 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\smiley[1].doc | — | |
MD5:— | SHA256:— | |||
2464 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ABF8B999.doc | — | |
MD5:— | SHA256:— | |||
2464 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4276E80F.doc | — | |
MD5:— | SHA256:— | |||
2464 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | |
MD5:3FCCDFA45E97202BC74595B0DA2C27DA | SHA256:3F80AB0D430695F321EE8D472F1E019F2C729E151991EC0EAB9BA2403E122AC3 | |||
2464 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:B19FF5CEFD1DA5D0F2805A945B570C3C | SHA256:F75A592B67565D406D9D7F15EC8C276CD6D0D5E54AD5EF87413F565E44175FC9 | |||
2464 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{4847CBA6-1548-40D5-BCEF-DDCC213560A2}.FSD | binary | |
MD5:3068DCE2A8A3D0940AC7A55D5D3215C6 | SHA256:1AE74CBEB7183C53C8EBF7D5A1908A70E4A858FBD0BE04D5C7C08C4B5C45F195 | |||
2464 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$V, PL & BL.docx | pgc | |
MD5:1C641FC96B98F0B8C0A7E014A6EAD4C8 | SHA256:C5A3B68D537CF503AEA6FAB38CD388E5F45F30C969F2DC4180712C9A328ED115 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3044 | smiley.exe | POST | — | 103.229.72.54:80 | http://mikmuncen.ac.id/wp-content/smile/32/index.php | ID | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2356 | EQNEDT32.EXE | 154.16.114.238:443 | icmap.org.gh | — | IL | unknown |
2464 | WINWORD.EXE | 154.16.114.238:443 | icmap.org.gh | — | IL | unknown |
3044 | smiley.exe | 103.229.72.54:80 | mikmuncen.ac.id | PT Master Web Network | ID | suspicious |
984 | svchost.exe | 154.16.114.238:443 | icmap.org.gh | — | IL | unknown |
Domain | IP | Reputation |
---|---|---|
icmap.org.gh |
| unknown |
dns.msftncsi.com |
| shared |
mikmuncen.ac.id |
| malicious |