Download - Maldun Security Analysis

Maldun Security Analysis Report

Analysis type: FILE
Start time: 2016-09-08 00:33:00
End time: 2016-09-08 00:35:15
Duration: 135 seconds
Analysis engine version: 1.4-Maldun

VM machine name: win7-sp1-x64-1
Label: win7-sp1-x64-1
VM manager: KVM
Boot time: 2016-09-08 00:33:00
Shutdown time: 2016-09-08 00:35:15

Maldun score: 10.0 (malicious)
File details

File name: New Doc 115.docm
File size: 33171 bytes
File type: Microsoft Word 2007+
CRC32: 0D7C634C
MD5: 191e2a3bf04b99b4102444e4d6c2288b
SHA1: 60a0fa36d59271f2f0e44a5435e493a08ce69eb3
SHA256: b2423d126aa97c39575469f33ee42ba737e139322c36169cd42c7318214fa9a3
SHA512: fa37663ad934f7066bac3e5c33ff65999a8d959de7e857bc1eee6a6c18e3d48b0cc23b1a9b66899d5026d66c8b4d049451814c8f21df0299db7086e0e07dae43
Ssdeep: 768:/L42QcBnsfD/VBqIaPaFmhUHJ2SzYxp2g0puj:rQcxszVddFEUHvop1T
PEiD: no match
Yara: no Yara rule matched
VirusTotal: link
VirusTotal scan time: 2016-03-01 13:29:49
Scan result: 33/55
Signatures

The Office file contains 2 macros.
The file has been detected as malicious by at least ten antivirus engines on VirusTotal:
MicroWorld-eScan: W97M.Downloader.AVG
nProtect: W97M.Downloader.AVG
CAT-QuickHeal: O97M.Dropper.UX
ALYac: W97M.Downloader.AVG
VIPRE: Trojan-Downloader.W97M.Agent.asl (v)
F-Prot: New or modified PP97M/Downldr
Symantec: W97M.Downloader
ESET-NOD32: VBA/TrojanDownloader.Agent.ATA
TrendMicro-HouseCall: W2KM_DR.E3C557A5
Avast: VBA:Downloader-AQF [Trj]
ClamAV: XLS.Trojan.Locky
Kaspersky: Trojan-Downloader.MSWord.Agent.aai
BitDefender: W97M.Downloader.AVG
NANO-Antivirus: Trojan.Script.Agent.eajuge
Ad-Aware: W97M.Downloader.AVG
Emsisoft: W97M.Downloader.AVG (B)
F-Secure: W97M.Downloader.AVG
DrWeb: W97M.DownLoader.898
TrendMicro: W2KM_DR.E3C557A5
McAfee-GW-Edition: Downloader-FBBL!67D05A693F7A
Sophos: Troj/DocDl-BCZ
Cyren: PP97M/Downldr
Fortinet: WM/TrojanDownloader.9BB7!tr
Arcabit: W97M.Downloader.AVG
AegisLab: Macro.Gen!c
AhnLab-V3: W97M/Downloader
Microsoft: TrojanDownloader:O97M/Bartallex
McAfee: Downloader-FBBL!67D05A693F7A
AVware: Trojan-Downloader.W97M.Agent.asl (v)
Ikarus: Trojan-Downloader.VBA.Agent
GData: W97M.Downloader.AVG
AVG: W97M/Downloader
Panda: VBS/Jenxcus.A
Runtime screenshots

Network analysis

UDP connections
IP address 192.168.122.1, port 53
IP address 192.168.122.255, port 138
No further information
Static analysis

Dropped files

~WRS{AD2892E7-0181-465D-85BE-27A3B40B57D9}.tmp
File name: ~WRS{AD2892E7-0181-465D-85BE-27A3B40B57D9}.tmp
Related file: C:\Users\test\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AD2892E7-0181-465D-85BE-27A3B40B57D9}.tmp
File size: 1024 bytes
File type: FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
MD5: 5d4d94ee7e06bbb0af9584119797b23a
SHA1: dbb111419c704f116efa8e72471dd83e86e49677
SHA256: 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
SHA512: 95f83ae84cafcced5eaf504546725c34d5f9710e5ca2d11761486970f2fbeccb25f9cf50bbfc272bd75e1a66a18b7783f09e1c1454afda519624bc2bb2f28ba4
Ssdeep: 3:ol3lYdn:4Wn
Yara: no match
VirusTotal: search related analyses
Normal.dotm
File name: Normal.dotm
Related file: C:\Users\test\AppData\Roaming\Microsoft\Templates\Normal.dotm
File size: 21096 bytes
File type: Microsoft Word 2007+
MD5: cd88f09472ec5a7f5fd022c261d20bf7
SHA1: 26a4984ae3a6424530f800ce42505df7246ba4e9
SHA256: fbc97b00c88b2d1b889095a7eecbfc69a522c5484d6cebc64673239ccb048f7d
SHA512: d444e99dd860192d77f48c85cf18f66b42802cb67ab10a8b49dae23710b8f209560dce479dc26a167f3f2c28b99d846373d3ad96150a0d45c01b87e861543dc4
Ssdeep: 384:PjlzfI/PKs/8owQPabxqIQ6U0D1pka2oVYP7q2j/IF7PMW3mlcJLEDpPWVY:RAP8zgINU0DPe7XEPMWWeJLEt7
Yara: no match
VirusTotal: search related analyses
New Doc 115.docm
File name: New Doc 115.docm
Related file: C:\Users\test\AppData\Local\Temp\New Doc 115.docm
File size: 33171 bytes
File type: Microsoft Word 2007+
MD5: 191e2a3bf04b99b4102444e4d6c2288b
SHA1: 60a0fa36d59271f2f0e44a5435e493a08ce69eb3
SHA256: b2423d126aa97c39575469f33ee42ba737e139322c36169cd42c7318214fa9a3
SHA512: fa37663ad934f7066bac3e5c33ff65999a8d959de7e857bc1eee6a6c18e3d48b0cc23b1a9b66899d5026d66c8b4d049451814c8f21df0299db7086e0e07dae43
Ssdeep: 768:/L42QcBnsfD/VBqIaPaFmhUHJ2SzYxp2g0puj:rQcxszVddFEUHvop1T
Yara: no match
VirusTotal: search related analyses
~$w Doc 115.docm
File name: ~$w Doc 115.docm
Related file: C:\Users\test\AppData\Local\Temp\~$w Doc 115.docm
File size: 162 bytes
File type: data
MD5: ae32f9a92379f15573e02787b2b4438b
SHA1: 48f1a68b02a73129fbd7725e07401d054337569b
SHA256: 3fe39358681a1e1a7b1a40e09425ea7b8e2a7ceb0deecf6d338a76312c44c0dc
SHA512: e6601863cb901fc0ce598f20576501b311aabc6141beb8596570d3388b87f299d66e24dbc2305cabd1ff4cf5956f3155f778e1e30c29b601d7dcd8de565ef328
Ssdeep: 3:TDllrR9L7kjIt9uV:nllrXpC
Yara: no match
VirusTotal: search related analyses
~$Normal.dotm
File name: ~$Normal.dotm
Related file: C:\Users\test\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
File size: 162 bytes
File type: data
MD5: 732ea5bfc6ee309a4351770343af21b5
SHA1: 78c589b2e88ba90219088d5b08d63e7ef8b11606
SHA256: 1c7ff21bcd4cdfaeaa62405080db25b61f4cc365801cf7360d4d21c406733f64
SHA512: 68082b418383fd9da292fd60f3a8d4ea6d5427254682eaa2e0ebb66876af75f205bd6791d9b1d1a91025d9a14e576580cdc02062656962f25c597406036039e8
Ssdeep: 3:TDllrR9L7kjIt9u0btll:nllrXpDtll
Yara: no match
VirusTotal: search related analyses
Behavior analysis

Mutexes: no information
Executed commands: no information
Created services: no information
Started services: no information

Processes

WINWORD.EXE
PID: 2736, parent PID: 2152

Files accessed
C:\Users\test\AppData\Local\Temp\New Doc 115.docm
C:\Users\test\AppData\Local\Temp\~$w Doc 115.docm
Files read
C:\Users\test\AppData\Local\Temp\New Doc 115.docm
Files modified
C:\Users\test\AppData\Local\Temp\New Doc 115.docm
C:\Users\test\AppData\Local\Temp\~$w Doc 115.docm
Files deleted: no information

Registry keys
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options\DefaultCPG
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\General\NoTrack
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ShipAsserts
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\General\UseOfficeUIFont
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\IME
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\Trusted Documents\MaxTrustedDocuments
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\Trusted Documents\LastPurgeTime
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\Trusted Documents\PurgeInterval
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\Trusted Documents\TrustRecords
Registry keys read
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options\DefaultCPG
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\General\NoTrack
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\General\UseOfficeUIFont
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\Trusted Documents\MaxTrustedDocuments
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\Trusted Documents\LastPurgeTime
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\Trusted Documents\PurgeInterval
Registry keys modified
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\Trusted Documents\LastPurgeTime
Registry keys deleted: no information
API resolution
mso.dll.#889
mso.dll.#1511
mso.dll.#8882
mso.dll.#7159
mso.dll.#6115
gdi32.dll.GdiIsMetaPrintDC
mso.dll.#6360
mso.dll.#2405
mso.dll.#6773
gdi32.dll.GetTextExtentExPointWPri
mso.dll.#2880
mso.dll.#10007
oleaut32.dll.SysAllocString
oleaut32.dll.SysStringLen
oleaut32.dll.SysFreeString
mso.dll.#2031
©2016 Shanghai Maldun Information Technology Co., Ltd. (上海魔盾信息科技有限公司)