| Field | Value |
|---|---|
| File name | Order_verification_O687990.docm |
| Full analysis | https://app.any.run/tasks/d13fdd29-ccc4-49c4-af0f-d10ec5d231ef |
| Verdict | Malicious activity |
| Analysis date | July 11, 2019, 19:19:30 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File info | Microsoft Word 2007+ |
| MD5 | 7868E54AE077D05325EE3A5F8DF64870 |
| SHA1 | 817FE714AF65A7E01E0692E0211F11504C41B188 |
| SHA256 | FD41976093409C37AE5C0FB71CF6C3918C7F8E736D39D1D3DB1F3AB07772E8B1 |
| SSDEEP | 6144:s9NK9vUUW4Y16qBg0Ehyv6Fb4zyF2qzkJ:s9NKSv128S4zyUbJ |
| Extension | Type (score) |
|---|---|
| .docm | Word Microsoft Office Open XML Format document (with Macro) (53.6) |
| .docx | Word Microsoft Office Open XML Format document (24.2) |
| .zip | Open Packaging Conventions container (18) |
| .zip | ZIP compressed archive (4.1) |
| Field | Value |
|---|---|
| Creator | - |
| ModifyDate | 2019:07:10 08:17:00Z |
| CreateDate | 2019:07:08 09:55:00Z |
| RevisionNumber | 1 |
| LastModifiedBy | - |
| AppVersion | 14 |
| HyperlinksChanged | No |
| SharedDoc | No |
| CharactersWithSpaces | 662200 |
| LinksUpToDate | No |
| Company | - |
| TitlesOfParts | - |
| HeadingPairs | |
| ScaleCrop | No |
| Paragraphs | 1324 |
| Lines | 4704 |
| DocSecurity | None |
| Application | Microsoft Office Word |
| Characters | 564491 |
| Words | 99033 |
| Pages | 162 |
| TotalEditTime | - |
| Template | Normal.dotm |
| ZipFileName | [Content_Types].xml |
| ZipUncompressedSize | 2645 |
| ZipCompressedSize | 501 |
| ZipCRC | 0xc6337d17 |
| ZipModifyDate | 1980:01:01 00:00:00 |
| ZipCompression | Deflated |
| ZipBitFlag | - |
| ZipRequiredVersion | 20 |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2708 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Order_verification_O687990.docm" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
| 3228 | "C:\Windows\System32\wscript.exe" /e:JScript "C:\Users\admin\AppData\Local\Temp\Order_verification_O687990.docm_backup" | C:\Windows\System32\wscript.exe | — | WINWORD.EXE |

| PID | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|
| 2708 | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 0 | 14.0.6024.1000 |
| 3228 | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | | 5.8.7600.16385 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2708 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRDA67.tmp.cvr | — | — | — |
| 2708 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FDBB126D.png | — | — | — |
| 2708 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BAD42556-EB82-4CBF-B5A0-8076DEAF14C0}.tmp | — | — | — |
| 2708 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B86BBF74-3535-438D-87AA-6ECDA8E163D6}.tmp | — | — | — |
| 2708 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{DFDF4F65-3757-4335-9A8D-300B44304CDF}.tmp | — | — | — |
| 2708 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{18D40B69-A713-466F-BB07-EF1A9CADAE76}.tmp | — | — | — |
| 2708 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | CEAE347C0A65B038E6C84B06258582DC | BC8835ACF4C6FCF5753ACC74D3C1352E750945EAF3B1899AA1C68F2192E17819 |
| 2708 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Order_verification_O687990.docm_backup | text | DAE6148676C5C6F4133CB87E04CC1CD0 | 508BA2399563061FCD5EDA456B3D9A62CF5098B0BE29387A054384183157A3B2 |
| 2708 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$der_verification_O687990.docm | pgc | FD7272F471D1FD1E8B7A31B988536AA7 | FCAC603736DA93496FE066ABA92C21DF2B1C90FA8649B14E9239580B4333A988 |
| 2708 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex | text | F3B25701FE362EC84616A93A45CE9998 | B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 |