42ccd85c910961fa939059b6903462d1d1da80ab275b93de655ca248fdb1880b

Analysis

Target

documenti,07.20.doc
Size

132KB
MD5

73a93d4e240df1801c2d031108bdee2c
SHA1

4d8348892e63505e2a65bd5b484626860584df6a
SHA256

42ccd85c910961fa939059b6903462d1d1da80ab275b93de655ca248fdb1880b
SHA512

4fed5a027bccb97f2a2d2d965adbb62a19653fcc52f41e07b208e18272f6303453dc6885c260c3db551d047038f5cfe8295ea4061b359f2e8157cabf5b93e545

Score

10^/10

Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1108 WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXE

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1512	1108	regsvr32.exe	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1108 wrote to memory of 1512	1108	WINWORD.EXE	regsvr32.exe
PID 1108 wrote to memory of 1512	1108	WINWORD.EXE	regsvr32.exe
PID 1108 wrote to memory of 1512	1108	WINWORD.EXE	regsvr32.exe
PID 1108 wrote to memory of 1512	1108	WINWORD.EXE	regsvr32.exe
PID 1108 wrote to memory of 1512	1108	WINWORD.EXE	regsvr32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

regsvr32.exe

pid process

1512 regsvr32.exe

pid	process
1512	regsvr32.exe

\??\c:\programdata\35734.jpg

Download Submit
memory/1108-3-0x0000000006FB0000-0x00000000071B0000-memory.dmp

Filesize
2.0MB

Download
memory/1512-4-0x0000000000000000-mapping.dmp

Download