aa2e16eb340092bab078db3f0d8848606f332a7e052888346b3c47ac37a9de77

Analysis

Target

aa2e16eb340092bab078db3f0d8848606f332a7e052888346b3c47ac37a9de77.doc
Size

132KB
MD5

af25d98ae8d414145376cd8f1a30cc91
SHA1

3564e94e0d449ed7dd5c0013dc11b7efdbd9b13b
SHA256

aa2e16eb340092bab078db3f0d8848606f332a7e052888346b3c47ac37a9de77
SHA512

4e35717e9d242f81244eb4d7809945d6bc36e2655a5a2f8873a062a7be0c2c34e518ad330cf7297306f691a5c4a9215c9162c8e2eed486bb1467a698a5bb0a91

Score

10^/10

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
676	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1716	676	regsvr32.exe	23

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 676 wrote to memory of 1716	676	WINWORD.EXE	26
PID 676 wrote to memory of 1716	676	WINWORD.EXE	26
PID 676 wrote to memory of 1716	676	WINWORD.EXE	26
PID 676 wrote to memory of 1716	676	WINWORD.EXE	26
PID 676 wrote to memory of 1716	676	WINWORD.EXE	26

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1716	regsvr32.exe

memory/676-0-0x0000000005A10000-0x0000000005B10000-memory.dmp

Filesize
1024KB

Download