1c822d787c03d5fdefa8efa54a8af4ae8622223b2b01c2a6cbf040f4a218a2ce

Analysis

Target

accordo legale.07.20.doc
Size

134KB
MD5

8f2f3030cd7cddcd5ec80f4585a1714b
SHA1

d632b2efa2723e480b3a952a1d5a9bcb46c00248
SHA256

1c822d787c03d5fdefa8efa54a8af4ae8622223b2b01c2a6cbf040f4a218a2ce
SHA512

8880c7265e7f7e636d6c861fe288f3040882ca4bcc1e4b5c59e0a89e02f4a348a9930c5da21a16e5d6065c86eca6e4fd0eb6fb3678df3a42b5379c6cc1881c0e

Score

10^/10

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXE

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1528	892	regsvr32.exe	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 892 wrote to memory of 1528	892	WINWORD.EXE	regsvr32.exe
PID 892 wrote to memory of 1528	892	WINWORD.EXE	regsvr32.exe
PID 892 wrote to memory of 1528	892	WINWORD.EXE	regsvr32.exe
PID 892 wrote to memory of 1528	892	WINWORD.EXE	regsvr32.exe
PID 892 wrote to memory of 1528	892	WINWORD.EXE	regsvr32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

regsvr32.exe

pid process

1528 regsvr32.exe
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

892 WINWORD.EXE

pid	process
1528	regsvr32.exe