Analysis task

Analysis type | VM label | Start time | End time | Duration
File (Windows) | win7-sp1-x64 | 2016-09-06 14:44:39 | 2016-09-06 14:44:59 | 20 seconds

Maldun score

5.3 (suspicious)

Weigh this heuristic score against the rest of the report: the file carries a Microsoft Authenticode signature (certificate section below), all 54 antivirus engines listed report it clean, and the only process recorded is the sample itself, with no child processes.

File details

File name: MSOXMLED.EXE
File size: 121168 bytes
File type: PE32+ executable (GUI) x86-64, for MS Windows
MD5: f45a7db6aec433fd579774dfdb3eaa89
SHA1: 2f8773cc2b720143776a0909d19b98c4954b39cc
SHA256: 2bc2372cfabd26933bc4012046e66a5d2efc9554c0835d1a0aa012d3bd1a6f9a
SHA512: 03a4b7c53373ff6308a0292bb84981dc1566923e93669bbb11cb03d9f58a8d477a1a2399aac5059f477bbf1cf14b17817d208bc7c496b8675ece83cdabec5662
CRC32: ACEFBD70
Ssdeep: 1536:8lyMXxro+pXLAZZxLIty5weZop1+zNP4ZVGKJ32zH9rHUA:8lyKo+p6LItKdWOzNP4ZVGKJGzH9oA

Hosts contacted

No host records.

Domain resolution

No domain information.


PE information

Image base: 0x140000000
Entry point: 0x140005de0
Declared checksum: 0x0002427c
Actual checksum: 0x0002427c
Minimum OS version: 5.2
PDB path: t:\xdext\x64\ship\0\msoxmled.pdb (as dumped, the field contains an embedded NUL, \x00, followed by a second path, \ship\0\msoxmled.exe\bbtopt\msoxmledO.pdb; the extracted strings below list the two paths separately)
Compile time: 2010-02-28 17:24:13
Icon exact hash: 507ae76c2cb36a3c9ea3613ebcbf1de6
Icon similarity hash: da2fc8a605f5d78230de5b28e7c3459d

Version information

The report's table leaves the values blank; they are filled in here from the VS_VERSION_INFO block in the extracted strings further down.

CompanyName: Microsoft Corporation
FileDescription: XML Editor
FileVersion: 14.0.4750.1000
InternalName: msoxmled.exe
LegalCopyright: 2010 Microsoft Corporation. All rights reserved.
LegalTrademarks1: is a registered trademark of Microsoft Corporation.
LegalTrademarks2: is a registered trademark of Microsoft Corporation.
LegalTrademarks3: is a registered trademark of Microsoft Corporation.
OriginalFilename: msoxmled.exe
ProductName: Microsoft Office InfoPath
ProductVersion: 14.0.4750.1000
Translation: 000004E4

Microsoft certificate verification (Sign Tool)

SHA1 | Timestamp | Validity | Error
aee9bf762b0a066c1ebd772e10eea4e2de8f1e26 | Sun Feb 28 17:25:19 2010 | (blank in the report) | (blank in the report)

Certificate Chain 1
Issued to: Microsoft Root Authority
Issuer: Microsoft Root Authority
Valid until: Thu Dec 31 15:00:00 2020
SHA1 hash: a43489159a520f0d93d032ccaf37e7fe20a8b419

Certificate Chain 2
Issued to: Microsoft Code Signing PCA
Issuer: Microsoft Root Authority
Valid until: Sat Aug 25 15:00:00 2012
SHA1 hash: 3036e3b25b88a55b86fc90e6e9eaad5081445166

Certificate Chain 3
Issued to: Microsoft Corporation
Issuer: Microsoft Code Signing PCA
Valid until: Tue Mar 08 06:40:29 2011
SHA1 hash: 9617094a1cfb59ae7c1f7dfdb6739e4e7c40508f

Timestamp Chain 1
Issued to: Microsoft Root Authority
Issuer: Microsoft Root Authority
Valid until: Thu Dec 31 15:00:00 2020
SHA1 hash: a43489159a520f0d93d032ccaf37e7fe20a8b419

Timestamp Chain 2
Issued to: Microsoft Timestamping PCA
Issuer: Microsoft Root Authority
Valid until: Sun Sep 15 15:00:00 2019
SHA1 hash: 3ea99a60058275e0ed83b892a909449f8c33b245

Timestamp Chain 3
Issued to: Microsoft Time-Stamp Service
Issuer: Microsoft Timestamping PCA
Valid until: Fri Jul 26 03:11:15 2013
SHA1 hash: 4d6f357f0e6434da97b1afc540fb6fdd0e85a89f

Reading the dates: the signing certificate (Microsoft Corporation, issued by Microsoft Code Signing PCA) expired on 2011-03-08 and the root on 2020-12-31, but the signature carries a Microsoft Time-Stamp Service countersignature dated Feb 28 17:25:19 2010, which falls inside every certificate's validity window and one minute after the PE compile time (2010-02-28 17:24:13). Authenticode treats a signature with a valid timestamp countersignature as valid after the signing certificate expires, so the expiry dates are not a finding on their own. What would be a finding is a signature that no longer verifies against the image (the declared and actual PE checksums match here) or a revoked certificate.

PE sections

Name | Virtual address | Virtual size | Raw data size | Characteristics | Entropy
.text | 0x00001000 | 0x000053cb | 0x00005400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.30
.rdata | 0x00007000 | 0x00001bc8 | 0x00001c00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.35
.data | 0x00009000 | 0x00000748 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.97
.pdata | 0x0000a000 | 0x00000378 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.79
.rsrc | 0x0000b000 | 0x000144c0 | 0x00014600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.77
.reloc | 0x00020000 | 0x0000008c | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 1.90

Overlay

Offset: 0x0001c200
Size: 0x00001750

The overlay starts where the raw data of .reloc ends (0x400 of headers plus the six raw sizes) and runs exactly to end of file (0x1c200 + 0x1750 = 0x1d950 = 121168 bytes). On an Authenticode-signed image the trailing region is where the signature blob is stored, which fits the certificate section above; the report does not print the security data directory, so treat that as the expected explanation rather than a verified one.
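The section table, overlay and file size above can be cross-checked against each other without the sample in hand. The Python below is an added example written for this page, not code from the sandbox or from Microsoft; every number in it is copied from the report, and the 0x1000 section alignment and 0x200 file alignment are assumed defaults that the reported values are consistent with.

```python
# Consistency checks on the PE layout figures in the report above.
# Added example for this page, not the sandbox's code. The numbers are
# copied from the report; the two alignments are assumed defaults.

SECTION_ALIGN = 0x1000  # assumed: image section alignment
FILE_ALIGN = 0x200      # assumed: file (raw data) alignment

IMAGE_BASE = 0x140000000
ENTRY_POINT = 0x140005de0
FILE_SIZE = 121168            # bytes, from "File details"
OVERLAY_OFFSET = 0x0001c200
OVERLAY_SIZE = 0x00001750

# (name, virtual address, virtual size, raw size, entropy) from the section table
SECTIONS = [
    (".text",  0x00001000, 0x000053cb, 0x00005400, 6.30),
    (".rdata", 0x00007000, 0x00001bc8, 0x00001c00, 4.35),
    (".data",  0x00009000, 0x00000748, 0x00000200, 1.97),
    (".pdata", 0x0000a000, 0x00000378, 0x00000400, 3.79),
    (".rsrc",  0x0000b000, 0x000144c0, 0x00014600, 4.77),
    (".reloc", 0x00020000, 0x0000008c, 0x00000200, 1.90),
]


def align_up(value, alignment):
    """Round value up to the next multiple of a power-of-two alignment."""
    return (value + alignment - 1) & ~(alignment - 1)


def section_for_rva(rva, sections=SECTIONS):
    """Name of the section whose aligned virtual range contains rva, or None."""
    for name, va, vsize, _raw, _entropy in sections:
        if va <= rva < va + align_up(vsize, SECTION_ALIGN):
            return name
    return None


def check_layout(sections=SECTIONS, image_base=IMAGE_BASE, entry=ENTRY_POINT,
                 file_size=FILE_SIZE, overlay_offset=OVERLAY_OFFSET,
                 overlay_size=OVERLAY_SIZE):
    """Return a dict of findings (bools and derived numbers) about the layout."""
    f = {}

    # 1. The entry point should sit in the code section. An entry point in the
    #    last section, or outside every section, is a classic packer-stub tell.
    f["entry_section"] = section_for_rva(entry - image_base, sections)
    f["entry_in_text"] = f["entry_section"] == ".text"

    # 2. Sections should be contiguous in memory under the section alignment.
    f["virtually_contiguous"] = all(
        nxt[1] == cur[1] + align_up(cur[2], SECTION_ALIGN)
        for cur, nxt in zip(sections, sections[1:]))

    # 3. Raw size never exceeds the file-aligned virtual size. Raw < virtual
    #    (as for .data here) only means an uninitialised tail, which is normal.
    f["raw_within_virtual"] = all(
        raw <= align_up(vsize, FILE_ALIGN) for _, _, vsize, raw, _ in sections)

    # 4. Raw pointers are not in the report, but sections are laid out back to
    #    back after the headers, so overlay offset minus the raw sizes gives the
    #    header size; it must be positive and file-aligned.
    raw_total = sum(raw for _, _, _, raw, _ in sections)
    f["implied_header_size"] = overlay_offset - raw_total
    f["overlay_after_sections"] = (f["implied_header_size"] > 0 and
                                   f["implied_header_size"] % FILE_ALIGN == 0)

    # 5. The overlay must run exactly to end of file (no hidden trailing data).
    f["overlay_reaches_eof"] = overlay_offset + overlay_size == file_size

    # 6. Entropy close to 8 in a code section would suggest packing/encryption.
    f["max_entropy"] = max(s[4] for s in sections)
    f["packed_section_suspected"] = f["max_entropy"] > 7.0
    return f


if __name__ == "__main__":
    for key, value in check_layout().items():
        print(f"{key:26} {value}")
```

Run as-is, every check passes: the entry point is in .text, the sections are contiguous, the implied header size is 0x400, and the overlay is exactly the 0x1750 bytes between the end of .reloc and end of file, which is where an Authenticode signature blob sits. The same checks applied to a packed or trojanised build typically fail at step 1 or 6 first.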

Resources

Name | Offset | Size | Language | Sublanguage | Entropy | File type
RT_ICON (10 entries; the report gives the same offset and size for all ten) | 0x0001e7dc | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.43 | GLS_BINARY_LSB_FIRST
RT_GROUP_ICON | 0x0001ec44 | 0x00000092 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.92 | MS Windows icon resource - 10 icons, 32x32, 16-colors
RT_VERSION | 0x0001ecd8 | 0x0000053c | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.42 | data
RT_MANIFEST | 0x0001f214 | 0x000002aa | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.00 | ASCII text, with very long lines, with no line terminators

Imports

Library: USER32.dll
0x140007000 DdeQueryConvInfo
0x140007008 DdeInitializeW
0x140007010 DdeCreateStringHandleW
0x140007018 DdeClientTransaction
0x140007020 DdeUninitialize
0x140007028 DdeDisconnectList
0x140007030 DdeFreeStringHandle
0x140007038 CharLowerW
0x140007040 IsCharAlphaW
0x140007048 DdeConnectList
0x140007050 DdeQueryNextServer
0x140007058 AllowSetForegroundWindow
0x140007060 GetParent
0x140007068 IsIconic
0x140007070 ShowWindow
0x140007078 SetForegroundWindow
0x140007080 DdeFreeDataHandle
Library: KERNEL32.dll
0x140007090 TerminateProcess
0x140007098 GetStartupInfoA
0x1400070a0 Sleep
0x1400070a8 GetModuleHandleW
0x1400070b0 GetProcessHeap
0x1400070b8 GetSystemTimeAsFileTime
0x1400070c0 GetCurrentProcessId
0x1400070c8 GetCurrentThreadId
0x1400070d0 GetTickCount
0x1400070d8 QueryPerformanceCounter
0x1400070e0 VirtualProtect
0x1400070e8 ExitProcess
0x1400070f0 GlobalFree
0x1400070f8 GetLastError
0x140007100 GetCommandLineW
0x140007108 CreateProcessW
0x140007110 GlobalAlloc
0x140007118 GetCurrentProcess
0x140007120 MultiByteToWideChar
0x140007128 GetACP
0x140007130 ReadFile
0x140007138 CreateFileW
0x140007140 lstrlenW
0x140007148 GetProcAddress
0x140007150 UnhandledExceptionFilter
0x140007160 IsDebuggerPresent
0x140007168 RtlVirtualUnwind
0x140007170 RtlLookupFunctionEntry
0x140007178 CloseHandle
0x140007180 RtlCaptureContext
Library: ADVAPI32.dll
0x140007190 RegQueryValueExW
0x140007198 RegOpenKeyExW
0x1400071a0 RegCloseKey
Library: SHELL32.dll
0x1400071b0 CommandLineToArgvW
0x1400071b8 ShellExecuteExW
0x1400071c0 ShellExecuteW
Library: SHLWAPI.dll
0x1400071d0 AssocQueryStringByKeyW
0x1400071d8 PathFindExtensionW
0x1400071e0 PathFindFileNameW
0x1400071e8 AssocQueryStringW
0x1400071f0 PathCreateFromUrlW
0x1400071f8 UrlIsW
Library: WININET.dll
0x140007208 InternetCrackUrlW
0x140007210 CreateUrlCacheEntryW
0x140007218 GetUrlCacheEntryInfoW
0x140007220 InternetCreateUrlW
Library: urlmon.dll
0x140007230 URLDownloadToFileW
Library: MSVCR90.dll
0x140007240 memcpy
0x140007248 __set_app_type
0x140007250 _encode_pointer
0x140007258 _fmode
0x140007260 _commode
0x140007268 __setusermatherr
0x140007270 _configthreadlocale
0x140007278 _initterm_e
0x140007280 _initterm
0x140007288 _acmdln
0x140007290 exit
0x140007298 _cexit
0x1400072a0 _decode_pointer
0x1400072a8 _onexit
0x1400072b0 _lock
0x1400072b8 __dllonexit
0x1400072c0 _unlock
0x1400072c8 ?terminate@@YAXXZ
0x1400072d0 _wcsicmp
0x1400072d8 memset
0x1400072e0 _wcsnicmp
0x1400072e8 wcschr
0x1400072f0 __crt_debugger_hook
0x1400072f8 wcsstr
0x140007300 swscanf_s
0x140007308 _wtoi
0x140007310 wcsncpy_s
0x140007318 __C_specific_handler
0x140007320 _amsg_exit
0x140007328 __getmainargs
0x140007330 _XcptFilter
0x140007338 _exit
0x140007340 _ismbblead

Reading the import table: URLDownloadToFileW (urlmon), the WinINet URL-cache calls, ShellExecuteW/ShellExecuteExW, CreateProcessW, the Dde* client calls and the ADVAPI32 registry reads are the set an Office file-type handler needs to accept a path or URL argument, fetch a URL into the cache, look up the registered application and hand the file over. The same set is what generic static heuristics score as downloader/launcher behaviour, which is worth keeping in mind when reading the score at the top of this report. Note also that the slot 0x140007158, between UnhandledExceptionFilter (0x140007150) and IsDebuggerPresent (0x140007160), is missing from the KERNEL32 listing; the extracted strings include SetUnhandledExceptionFilter, the CRT startup import that most likely belongs there.

Strings

t:\xdext\x64\ship\0\msoxmled.pdb
\ship\0\msoxmled.exe\bbtopt\msoxmledO.pdb
HeapSetInformation
MSVCR90.dll
urlmon.dll
WININET.dll
SHLWAPI.dll
SHELL32.dll
ADVAPI32.dll
KERNEL32.dll
USER32.dll
DdeQueryConvInfo
DdeInitializeW
DdeCreateStringHandleW
DdeClientTransaction
DdeUninitialize
DdeDisconnectList
DdeFreeStringHandle
CharLowerW
IsCharAlphaW
DdeConnectList
DdeQueryNextServer
AllowSetForegroundWindow
GetParent
IsIconic
ShowWindow
SetForegroundWindow
DdeFreeDataHandle
TerminateProcess
GetStartupInfoA
Sleep
GetModuleHandleW
GetProcessHeap
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
VirtualProtect
ExitProcess
GlobalFree
GetLastError
GetCommandLineW
CreateProcessW
GlobalAlloc
GetCurrentProcess
MultiByteToWideChar
GetACP
ReadFile
CreateFileW
lstrlenW
GetProcAddress
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
CloseHandle
RtlCaptureContext
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
CommandLineToArgvW
ShellExecuteExW
ShellExecuteW
AssocQueryStringByKeyW
PathFindExtensionW
PathFindFileNameW
AssocQueryStringW
PathCreateFromUrlW
UrlIsW
InternetCrackUrlW
CreateUrlCacheEntryW
GetUrlCacheEntryInfoW
InternetCreateUrlW
URLDownloadToFileW
memcpy
__set_app_type
_encode_pointer
_fmode
_commode
__setusermatherr
_configthreadlocale
_initterm_e
_initterm
_acmdln
_cexit
_decode_pointer
_onexit
_lock
__dllonexit
_unlock
?terminate@@YAXXZ
_wcsicmp
memset
_wcsnicmp
wcschr
__crt_debugger_hook
wcsstr
swscanf_s
_wtoi
wcsncpy_s
__C_specific_handler
_amsg_exit
__getmainargs
_XcptFilter
_exit
_ismbblead
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><noInherit></noInherit><assemblyIdentity processorArchitecture="*" type="win32" name="xev" version="1.0.0.0"></assemblyIdentity><description>xev</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.30729.1" processorArchitecture="amd64" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo></assembly>
/genverb
/verb
/verb new "%1"
/verb print "%1"
&Print
print
/verb edit "%1"
&Edit
/verb open "%1"
&Open
Word.RTF
Microsoft FrontPage
FrontPage.Editor.Document
Frontpg
ExcelC
Microsoft Excel
Excel.Sheet
Excel
WinWordC
[AppShow][FileOpen .Name="%1",.Revert=0]
Microsoft Word
Word.Document
WinWord
ddeexec
OpenAsReadOnly
command
Software\Microsoft\Windows\CurrentVersion\App Paths\
UseUrl
\command
\shell\
ddeexec\Application
\CurVer
[Activate("%1")]
shell\
InfoPath.Document
XEV.FailSafeApp
XEV.GenericApp
RedirectVerb
RedirectFileType
UseURL
CurVer
shell
SOFTWARE\Microsoft\Shared\XML\AlternateProgIDs
SOFTWARE\Microsoft\Shared\XML\ProgIDs
Software\Microsoft\Windows\CurrentVersion\App Paths
ftp://
https://
http://
XDocs.Document
progid
mso-application
%SystemRoot%\system32\NOTEPAD.EXE
InfoPath.Document.1
kernel32.dll
IDI_APP_ICON
VS_VERSION_INFO
StringFileInfo
000004E4
CompanyName
Microsoft Corporation
FileDescription
XML Editor
FileVersion
14.0.4750.1000
InternalName
msoxmled.exe
LegalCopyright
2010 Microsoft Corporation. All rights reserved.
LegalTrademarks1
is a registered trademark of Microsoft Corporation.
LegalTrademarks2
is a registered trademark of Microsoft Corporation.
LegalTrademarks3
is a registered trademark of Microsoft Corporation.
OriginalFilename
msoxmled.exe
ProductName
Microsoft Office InfoPath
ProductVersion
14.0.4750.1000
VarFileInfo
Translation
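The strings above (`mso-application`, `progid`, the `SOFTWARE\Microsoft\Shared\XML\ProgIDs` and `AlternateProgIDs` keys, the `/verb open "%1"` templates, the DDE commands for WinWord and Excel, and the `%SystemRoot%\system32\NOTEPAD.EXE` fail-safe path), together with the ShellExecuteW, CreateProcessW, URLDownloadToFileW and Dde* imports, are what one expects of the Office XML handler: read the XML prolog, find the `<?mso-application progid="..."?>` processing instruction, and hand the file to the application registered for that ProgID. The Python below is an added triage helper written for this page, not code from the binary or from Microsoft. It extracts the ProgID the way the handler's strings suggest and checks it against an allowlist; the allowlist is an assumption (the real contents of the ProgIDs registry key are not on the page, so the four entries are stand-ins taken from the ProgID strings visible above), and the XML samples are constructed.

```python
import codecs
import re

# The processing instruction the Office XML handler dispatches on, e.g.
#   <?mso-application progid="Word.Document"?>
# "mso-application" and "progid" both appear in the binary's strings.
MSO_PI = re.compile(r'<\?mso-application\s+progid\s*=\s*"([^"]+)"\s*\?>')

# ASSUMED allowlist for this demonstration. The binary reads
# SOFTWARE\Microsoft\Shared\XML\ProgIDs (and AlternateProgIDs); the real
# contents of those keys are not on the page, so these are stand-ins
# taken from the ProgID strings visible in the report.
KNOWN_PROGIDS = {"Word.Document", "Excel.Sheet", "InfoPath.Document", "XDocs.Document"}


def decode_prolog(data: bytes, limit: int = 4096) -> str:
    """Decode the start of an XML file, honouring a UTF-8 or UTF-16 BOM."""
    head = data[:limit]
    for bom, enc in ((codecs.BOM_UTF8, "utf-8"),
                     (codecs.BOM_UTF16_LE, "utf-16-le"),
                     (codecs.BOM_UTF16_BE, "utf-16-be")):
        if head.startswith(bom):
            return head[len(bom):].decode(enc, errors="replace")
    return head.decode("utf-8", errors="replace")


def mso_progid(data: bytes):
    """ProgID named by the first mso-application PI in the prolog, or None."""
    m = MSO_PI.search(decode_prolog(data))
    return m.group(1) if m else None


def triage(data: bytes):
    """Return (verdict, progid):
    'dispatch'       the PI names an allowlisted ProgID (an Office app would open it)
    'unknown-progid' the PI names something outside the allowlist; look at it first
    'no-mso-pi'      no processing instruction; a plain XML file"""
    pid = mso_progid(data)
    if pid is None:
        return ("no-mso-pi", None)
    if pid in KNOWN_PROGIDS:
        return ("dispatch", pid)
    return ("unknown-progid", pid)


# Constructed samples (not files from the analysis).
WORD_XML = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\r\n'
            b'<?mso-application progid="Word.Document"?>\r\n'
            b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml"/>')
EXCEL_UTF16 = codecs.BOM_UTF16_LE + (
    '<?xml version="1.0"?><?mso-application progid="Excel.Sheet"?><Workbook/>'
).encode("utf-16-le")
PLAIN_XML = b'<?xml version="1.0"?><note><to>ops</to></note>'
ODD_XML = b'<?xml version="1.0"?><?mso-application progid="Some.Other.App"?><x/>'

if __name__ == "__main__":
    for label, sample in (("word", WORD_XML), ("excel-utf16", EXCEL_UTF16),
                          ("plain", PLAIN_XML), ("odd", ODD_XML)):
        print(label, triage(sample))
```

The point of the check: the ProgID in the processing instruction, not the .xml extension, decides which application opens the file, so an XML attachment carrying this PI opens in Word or Excel rather than a text editor. The `unknown-progid` verdict is the one to read first when triaging a batch of files.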

Antivirus scan (VirusTotal)

The signature dates (2016-07-11, one engine 2016-07-09) predate the 2016-09-06 sandbox run, so this is a cached VirusTotal result rather than a fresh scan.

Engine | Result | Signature date
Bkav | Clean | 20160711
MicroWorld-eScan | Clean | 20160711
nProtect | Clean | 20160711
CMC | Clean | 20160711
CAT-QuickHeal | Clean | 20160711
McAfee | Clean | 20160711
Malwarebytes | Clean | 20160711
VIPRE | Clean | 20160711
TheHacker | Clean | 20160709
BitDefender | Clean | 20160711
K7GW | Clean | 20160711
K7AntiVirus | Clean | 20160711
Baidu | Clean | 20160711
F-Prot | Clean | 20160711
Symantec | Clean | 20160711
ESET-NOD32 | Clean | 20160711
TrendMicro-HouseCall | Clean | 20160711
Avast | Clean | 20160711
ClamAV | Clean | 20160711
Kaspersky | Clean | 20160711
Alibaba | Clean | 20160711
NANO-Antivirus | Clean | 20160711
ViRobot | Clean | 20160711
AegisLab | Clean | 20160711
Ad-Aware | Clean | 20160711
Sophos | Clean | 20160711
Comodo | Clean | 20160711
F-Secure | Clean | 20160711
DrWeb | Clean | 20160711
Zillya | Clean | 20160711
TrendMicro | Clean | 20160711
McAfee-GW-Edition | Clean | 20160711
Emsisoft | Clean | 20160711
Cyren | Clean | 20160711
Jiangmin | Clean | 20160711
Avira | Clean | 20160711
Antiy-AVL | Clean | 20160711
Kingsoft | Clean | 20160711
Microsoft | Clean | 20160711
Arcabit | Clean | 20160711
SUPERAntiSpyware | Clean | 20160711
AhnLab-V3 | Clean | 20160711
GData | Clean | 20160711
TotalDefense | Clean | 20160711
ALYac | Clean | 20160711
AVware | Clean | 20160711
VBA32 | Clean | 20160711
Zoner | Clean | 20160711
Tencent | Clean | 20160711
Ikarus | Clean | 20160711
Fortinet | Clean | 20160711
AVG | Clean | 20160711
Panda | Clean | 20160711
Qihoo-360 | Clean | 20160711

Process tree

MSOXMLED.EXE, PID 2232, parent PID 768 (no child processes recorded)

TCP

Source address | Source port | Destination address | Destination port
192.168.122.69 | 53444 | 23.32.241.24 | 80

UDP

Source address | Source port | Destination address | Destination port
192.168.122.69 | 52766 | 192.168.122.1 | 53
192.168.122.69 | 57129 | 192.168.122.1 | 53
192.168.122.69 | 58396 | 192.168.122.1 | 53
192.168.122.69 | 63333 | 192.168.122.1 | 53
192.168.122.69 | 137 | 192.168.122.255 | 137
192.168.122.69 | 53197 | 224.0.0.252 | 5355
192.168.122.69 | 64810 | 224.0.0.252 | 5355
192.168.122.69 | 50619 | 239.255.255.250 | 1900
192.168.122.69 | 123 | 52.169.179.91 | 123
192.168.122.70 | 5355 | 192.168.122.69 | 53197

HTTP requests

URI: http://www.msftncsi.com/ncsi.txt
GET /ncsi.txt HTTP/1.1
Connection: Close
User-Agent: Microsoft NCSI
Host: www.msftncsi.com

This request is the Windows Network Connectivity Status Indicator probe (User-Agent "Microsoft NCSI", host www.msftncsi.com), issued by the guest OS itself, and it accounts for the single TCP connection to 23.32.241.24:80. The UDP traffic above is likewise guest background activity: DNS to the gateway, NetBIOS name service broadcast on 137, LLMNR multicast on 5355 (with a reply from 192.168.122.70), SSDP multicast on 1900 and NTP on 123. The report records no hosts or domains for the sample itself, whose only process exited within the 20-second run.

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results.

Network alerts

No alerts.

TLS

No TLS.

Suricata HTTP

No Suricata HTTP.

Network-extracted files: none.
Dropped files: none.
Similar analyses: none found.

Processing ( 5.649 seconds )

  • 2.424 VirusTotal
  • 2.128 NetworkAnalysis
  • 0.517 Static
  • 0.261 peid
  • 0.219 TargetInfo
  • 0.035 BehaviorAnalysis
  • 0.022 AnalysisInfo
  • 0.017 Strings
  • 0.013 config_decoder
  • 0.007 Debug
  • 0.003 Dropped
  • 0.002 Memory
  • 0.001 ProcessMemory

Signatures ( 0.053 seconds ): signature modules evaluated, with their run time; a module appearing in this list does not mean it matched

  • 0.012 antiav_detectreg
  • 0.005 persistence_autorun
  • 0.005 infostealer_ftp
  • 0.004 antiav_detectfile
  • 0.004 geodo_banking_trojan
  • 0.003 infostealer_bitcoin
  • 0.003 infostealer_im
  • 0.002 tinba_behavior
  • 0.002 antianalysis_detectreg
  • 0.002 antivm_vbox_files
  • 0.002 disables_browser_warn
  • 0.002 infostealer_mail
  • 0.001 betabot_behavior
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 modify_proxy
  • 0.001 browser_security
  • 0.001 ransomware_files

Reporting ( 1.517 seconds )

  • 0.912 ReportPDF
  • 0.596 ReportHTMLSummary
  • 0.009 Malheur
Task ID 16160
Mongo ID 57ce65f24d3bd048e498280c
Cuckoo release 1.4-Maldun