Field | Value
---|---
File name | Invoice_yahoo.doc
Full analysis | https://app.any.run/tasks/0ea5a9bb-d168-428b-9d7d-0b5ba773f30f
Verdict | Malicious activity
Analysis date | February 21, 2020, 21:22:29
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/msword
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Template: Normal, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Jun 26 15:02:00 2017, Last Saved Time/Date: Mon Jun 26 15:13:00 2017, Number of Pages: 16, Number of Words: 2212, Number of Characters: 12615, Security: 8
MD5 | DE8311B3D5C98C5C10DBB89727F2F73E
SHA1 | 9C7C14FEB472412809EB49EC0F2AA53C6DAF0B8E
SHA256 | F9EFADC1F2FF65179F005704FAFAF63B7D8F6D9BB6BE3E08329126634DF2D333
SSDEEP | 6144:j7taHthLqLFDtXlNz8VibKilLQuJJtlhx+h:BF5XlN4VcKvuJJtlhx+h

Extension | Detected type
---|---
.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

Property | Value
---|---
Title | -
Subject | -
Author | -
Keywords | -
Comments | -
Template | Normal
LastModifiedBy | -
RevisionNumber | 1
Software | Microsoft Office Word
TotalEditTime | -
CreateDate | 2017:06:26 14:02:00
ModifyDate | 2017:06:26 14:13:00
Pages | 16
Words | 2212
Characters | 12615
Security | Locked for annotations
CodePage | Windows Cyrillic
Company | -
Bytes | 11000
Lines | 105
Paragraphs | 29
CharCountWithSpaces | 14798
AppVersion | 15
ScaleCrop | No
LinksUpToDate | No
SharedDoc | No
HyperlinksChanged | No
TitleOfParts | -
HeadingPairs | 
CompObjUserTypeLen | 32
CompObjUserType | Документ Microsoft Word 97-2003

PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3232 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Invoice_yahoo.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Version: 14.0.6024.1000
3376 | "C:\Windows\System32\svchost.exe" | C:\Windows\System32\svchost.exe | | WINWORD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Host Process for Windows Services; Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3232 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6B07.tmp.cvr | — | — | —
3232 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 477916EFB88A373723F281B8A9BC2EA4 | F8C4753F90B6CCCCFB7FC260ACCB0BA935A8E56898FCB3BBF10845FF3B8EE27B
3232 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$voice_yahoo.doc | pgc | 1CBF316A82C4D91B2AB72E6D5D2C2CE5 | A75F38EBEC635441420AA298173B76402597061D7415BA82457201411D3DAA9D
3232 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | 7C5500749DEE54ECA0592C9EF579E1FE | 0E634735D71840FDAE80AF173E057DFF5AADE87C7889EC51CCB188995EF61C7F

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3376 | svchost.exe | 54.204.26.223:80 | api.ipify.org | Amazon.com, Inc. | US | malicious |

Domain | IP | Reputation
---|---|---
api.ipify.org | | shared
dintrolletone.com | | unknown
sitgaropte.ru | | unknown
johnjoeventrin.ru | | unknown

PID | Process | Class | Message |
---|---|---|---|
3376 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup api.ipify.org |