| Field | Value |
|---|---|
| File name | NEW_price.xls |
| Full analysis | https://app.any.run/tasks/1961fb63-288b-4cdb-a162-e9576f426e3e |
| Verdict | Malicious activity |
| Analysis date | June 19, 2019, 04:49:19 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/vnd.ms-excel |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Last Saved By: Admin, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Feb 5 10:04:55 2013, Last Saved Time/Date: Fri Jul 24 16:45:45 2015, Security: 0 |
| MD5 | 34B2F4E2DB7D545A0B63D7C6D6C57B49 |
| SHA1 | 6632FBB6966697995CE96880EF45659D99079D81 |
| SHA256 | 10061D15BAD9212B36EC4C8F57267FAA38A6EE03FC7FA070DB715CD739330A8C |
| SSDEEP | 3072:L4fGPxVoLES/BBoSa347rhSbBrDo7/3bBOGRswChaaQrwg53Xop:8fGPxVoLES/BBoSa347rhSbBrDo7/3bb |
| Extension | File type | Score |
|---|---|---|
| .xls | Microsoft Excel sheet | 48 |
| .xls | Microsoft Excel sheet (alternate) | 39.2 |
| Property | Value |
|---|---|
| LastModifiedBy | Admin |
| Software | Microsoft Excel |
| CreateDate | 2013:02:05 10:04:55 |
| ModifyDate | 2015:07:24 15:45:45 |
| Security | None |
| Company | * |
| AppVersion | 14 |
| ScaleCrop | No |
| LinksUpToDate | No |
| SharedDoc | No |
| HyperlinksChanged | No |
| TitleOfParts | |
| HeadingPairs | |
| CodePage | Windows Cyrillic |
| Hyperlinks | |
| CompObjUserTypeLen | 27 |
| CompObjUserType | ????? Microsoft Excel 2003 (leading Cyrillic word garbled in extraction; code page 1251) |
| PID | Command line | Path | Indicators | Parent process | Integrity level | Details |
|---|---|---|---|---|---|---|
| 3168 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | MEDIUM | User: admin; Company: Microsoft Corporation; Description: Microsoft Excel; Version: 14.0.6024.1000 |
| 2496 | "C:\Windows\System32\wscript.exe" "C:\Users\admin\AppData\Local\Temp\skypehelper.js" | C:\Windows\System32\wscript.exe | — | EXCEL.EXE | MEDIUM | User: admin; Company: Microsoft Corporation; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385; Exit code: 0 |
| 2912 | csrstub.exe 67634196 -P "C:\Users\admin\AppData\Local\Temp\SkypeUpdateScv.exe" | C:\Windows\system32\csrstub.exe | — | EXCEL.EXE | HIGH | User: admin; Company: Microsoft Corporation; Description: allows lua to launch 16-bit applications; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1976 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | csrstub.exe | HIGH | User: admin; Company: Microsoft Corporation; Description: NTVDM.EXE; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |

Chain recorded in this session: EXCEL.EXE (PID 3168) writes skypehelper.js to the user's Temp directory and starts wscript.exe (PID 2496) on it. The script requests http://site.com/run.ex_, gets an HTTP 404 (345 bytes, identified as xml), and saves that response body as SkypeUpdateScv.exe. The attempt to run that file goes through csrstub.exe and ntvdm.exe, the 16-bit application loader, which is what Windows falls back to when an .exe has no valid PE header; the intended second-stage payload therefore never executed here. Note that csrstub.exe and ntvdm.exe run at HIGH integrity while Excel and the script host ran at MEDIUM.
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3168 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRC3.tmp.cvr | — | — | — |
| 1976 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs1620.tmp | — | — | — |
| 1976 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs1631.tmp | — | — | — |
| 3168 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\Excel8.0\MSForms.exd | tlb | AABE485F56260523630CAE6CECB37AE0 | 29FF6A837E1FC0D68AEF85AA455EC3E797322A56F702250D0929D88087D4205C |
| 3168 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | 383148F2A6AEDF00E9B98EFCDAA0FE62 | 9EFA0C1873D01197256B8BB065AC144E9F8D775D215A637AE1B2487095C32363 |
| 3168 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\skypehelper.js | text | 17B0931A7057487569805EADC6A2A129 | 98BC2A1FD70A50D4C923C05865ADD00F85B1E4C729AEE6F4986D1D9B106E3CCC |
| 3168 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\NEW_price.xls.LNK | lnk | 17E589B475B7176C2C29CDC6C0F3AA96 | 5B2B23E375AE153EE19B98B0463F7F6BF299512182A4B54F71DE785EC4FA5567 |
| 2496 | wscript.exe | C:\Users\admin\AppData\Local\Temp\SkypeUpdateScv.exe | xml | AB99593EFDF397078F11D9C37DD218A1 | BEAB79184BF1FCA1F52FF3761F8A533827106FEF3749C6C9C9A3E7EEC619A226 |
| 3168 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3BC94709.emf | emf | D4AD9EF61D10154867F589FD18A2D90B | A0BD9DD1F433C7B081E527305AD12631C8BF50383F55F9F4F23FFFECEDFDF5EA |
| PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2496 | wscript.exe | GET | 404 | 204.74.99.100:80 | http://site.com/run.ex_ | US | xml | 345 B | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2496 | wscript.exe | 204.74.99.100:80 | site.com | NeuStar, Inc. | US | malicious |
| Domain | IP | Reputation |
|---|---|---|
| site.com | | malicious |
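The process, file and HTTP tables above are enough to write a detection for this drop-and-run pattern without any sample-specific hash. The following is an added example, not ANY.RUN code: the event records are transcribed from this report's tables, the field names and rule names are this script's own, and the lists of Office applications, script hosts and PE type labels are assumptions a deployment would tune. It flags an Office process that writes a script and then runs it through a script host, a script host that writes a ".exe" the sandbox did not type as a PE (correlated with the failing HTTP fetch), and csrstub/ntvdm being invoked on a file a script host wrote.

```python
import re
from collections import defaultdict

# Assumed name sets; extend for a real deployment.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
LEGACY_LOADERS = {"csrstub.exe", "ntvdm.exe"}
PE_TYPES = {"executable", "pe", "exe", "dll"}   # assumed sandbox type labels for PE files
TEMP = r"C:\Users\admin\AppData\Local\Temp"

# Events transcribed from the report tables; "parent" is the parent image name
# exactly as the report gives it (it lists no parent PID).
PROCESSES = [
    {"pid": 3168, "image": "EXCEL.EXE", "parent": "explorer.exe", "il": "MEDIUM",
     "cmd": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde'},
    {"pid": 2496, "image": "wscript.exe", "parent": "EXCEL.EXE", "il": "MEDIUM",
     "cmd": r'"C:\Windows\System32\wscript.exe" "' + TEMP + r'\skypehelper.js"'},
    {"pid": 2912, "image": "csrstub.exe", "parent": "EXCEL.EXE", "il": "HIGH",
     "cmd": r'csrstub.exe 67634196 -P "' + TEMP + r'\SkypeUpdateScv.exe"'},
    {"pid": 1976, "image": "ntvdm.exe", "parent": "csrstub.exe", "il": "HIGH",
     "cmd": r'"C:\Windows\system32\ntvdm.exe" -i1'},
]
FILE_WRITES = [
    {"pid": 3168, "path": TEMP + r"\skypehelper.js", "type": "text"},
    {"pid": 3168, "path": TEMP + r"\Excel8.0\MSForms.exd", "type": "tlb"},
    {"pid": 2496, "path": TEMP + r"\SkypeUpdateScv.exe", "type": "xml"},
]
HTTP = [
    {"pid": 2496, "method": "GET", "status": 404,
     "url": "http://site.com/run.ex_", "size": 345, "type": "xml"},
]


def quoted_args(cmd, image):
    """Double-quoted arguments of a command line, minus the image path itself."""
    return [a for a in re.findall(r'"([^"]+)"', cmd)
            if not a.lower().endswith("\\" + image.lower())]


def hunt(processes=PROCESSES, file_writes=FILE_WRITES, http=HTTP):
    """Return (rule, pid, detail) findings for the Office -> script -> binary chain."""
    by_pid = {p["pid"]: p for p in processes}
    writer_of = {}          # lowercase path -> lowercase image that wrote it
    type_of = {}            # lowercase path -> sandbox type label
    for f in file_writes:
        writer_of[f["path"].lower()] = by_pid[f["pid"]]["image"].lower()
        type_of[f["path"].lower()] = f["type"]
    status_by_pid = defaultdict(list)
    for h in http:
        status_by_pid[h["pid"]].append(h["status"])

    findings = []
    for p in processes:
        image, parent = p["image"].lower(), p["parent"].lower()
        args = [a.lower() for a in quoted_args(p["cmd"], image)]
        # Rule 1: Office application spawning a script host; stronger when the
        # script being run was written by that same Office process.
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            dropped = [a for a in args if writer_of.get(a) == parent]
            rule = "office_dropped_and_ran_script" if dropped else "office_spawned_script_host"
            findings.append((rule, p["pid"], dropped[0] if dropped else p["cmd"]))
        # Rule 2: the 16-bit loader (csrstub/ntvdm) invoked on a file a script host
        # wrote; Windows takes that path when an .exe has no valid PE header.
        if image in LEGACY_LOADERS:
            for a in args:
                if writer_of.get(a) in SCRIPT_HOSTS:
                    findings.append(("legacy_loader_on_dropped_file", p["pid"], a))
    # Rule 3: a script host wrote a .exe that is not a PE; note whether its
    # HTTP traffic explains that (a non-200 response saved as the payload).
    for path, writer in writer_of.items():
        if writer in SCRIPT_HOSTS and path.endswith(".exe") and type_of[path] not in PE_TYPES:
            pid = next(f["pid"] for f in file_writes if f["path"].lower() == path)
            failed = any(s != 200 for s in status_by_pid.get(pid, []))
            detail = f"{path} typed as {type_of[path]}"
            if failed:
                detail += "; HTTP download failed"
            findings.append(("dropped_exe_not_pe", pid, detail))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in hunt():
        print(f"{rule:32} pid={pid} {detail}")
```

Run against the transcribed events it yields three findings: the Excel-dropped script run by wscript.exe (PID 2496), the non-PE SkypeUpdateScv.exe with its failed 404 fetch, and csrstub.exe (PID 2912) loading that dropped file. Rule 1 keys on the parent image name because that is all the report provides; with real EDR telemetry you would match on parent PID instead.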