File name: NEW_price.xls

Full analysis: https://app.any.run/tasks/1961fb63-288b-4cdb-a162-e9576f426e3e
Verdict: Malicious activity
Analysis date: June 19, 2019, 04:49:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Last Saved By: Admin, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Feb 5 10:04:55 2013, Last Saved Time/Date: Fri Jul 24 16:45:45 2015, Security: 0
MD5: 34B2F4E2DB7D545A0B63D7C6D6C57B49
SHA1: 6632FBB6966697995CE96880EF45659D99079D81
SHA256: 10061D15BAD9212B36EC4C8F57267FAA38A6EE03FC7FA070DB715CD739330A8C
SSDEEP: 3072:L4fGPxVoLES/BBoSa347rhSbBrDo7/3bBOGRswChaaQrwg53Xop:8fGPxVoLES/BBoSa347rhSbBrDo7/3bb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Executes scripts
      • EXCEL.EXE (PID: 3168)
    • Unusual execution from Microsoft Office
      • EXCEL.EXE (PID: 3168)
  • SUSPICIOUS
    • Executes application which crashes
      • csrstub.exe (PID: 2912)
  • INFO
    • Creates files in the user directory
      • EXCEL.EXE (PID: 3168)
    • Reads Microsoft Office registry keys
      • EXCEL.EXE (PID: 3168)
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

LastModifiedBy: Admin
Software: Microsoft Excel
CreateDate: 2013:02:05 10:04:55
ModifyDate: 2015:07:24 15:45:45
Security: None
Company: *
AppVersion: 14
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • Warning
  • Total
  • Code
  • Total!bookmark0
  • Total!bookmark1
HeadingPairs:
  • Worksheets
  • 3
  • Named ranges
  • 2
CodePage: Windows Cyrillic
Hyperlinks:
  • http://office365.com/
  • http://office365.com/
CompObjUserTypeLen: 27
CompObjUserType: ????? Microsoft Excel 2003
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process chain: start, excel.exe (no specs), wscript.exe, csrstub.exe, ntvdm.exe (no specs)

Process information

PID: 3168
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Version: 14.0.6024.1000

PID: 2496
CMD: "C:\Windows\System32\wscript.exe" "C:\Users\admin\AppData\Local\Temp\skypehelper.js"
Path: C:\Windows\System32\wscript.exe
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 2912
CMD: csrstub.exe 67634196 -P "C:\Users\admin\AppData\Local\Temp\SkypeUpdateScv.exe"
Path: C:\Windows\system32\csrstub.exe
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: allows lua to launch 16-bit applications
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1976
CMD: "C:\Windows\system32\ntvdm.exe" -i1
Path: C:\Windows\system32\ntvdm.exe
Parent process: csrstub.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: NTVDM.EXE
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 796
Read events: 681
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 0
Text files: 4
Unknown types: 4

Dropped files

  • PID 3168 (EXCEL.EXE): C:\Users\admin\AppData\Local\Temp\CVRC3.tmp.cvr
    MD5: (not listed)
    SHA256: (not listed)
  • PID 1976 (ntvdm.exe): C:\Users\admin\AppData\Local\Temp\scs1620.tmp
    MD5: (not listed)
    SHA256: (not listed)
  • PID 1976 (ntvdm.exe): C:\Users\admin\AppData\Local\Temp\scs1631.tmp
    MD5: (not listed)
    SHA256: (not listed)
  • PID 3168 (EXCEL.EXE): C:\Users\admin\AppData\Local\Temp\Excel8.0\MSForms.exd (type: tlb)
    MD5: AABE485F56260523630CAE6CECB37AE0
    SHA256: 29FF6A837E1FC0D68AEF85AA455EC3E797322A56F702250D0929D88087D4205C
  • PID 3168 (EXCEL.EXE): C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat (type: text)
    MD5: 383148F2A6AEDF00E9B98EFCDAA0FE62
    SHA256: 9EFA0C1873D01197256B8BB065AC144E9F8D775D215A637AE1B2487095C32363
  • PID 3168 (EXCEL.EXE): C:\Users\admin\AppData\Local\Temp\skypehelper.js (type: text)
    MD5: 17B0931A7057487569805EADC6A2A129
    SHA256: 98BC2A1FD70A50D4C923C05865ADD00F85B1E4C729AEE6F4986D1D9B106E3CCC
  • PID 3168 (EXCEL.EXE): C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\NEW_price.xls.LNK (type: lnk)
    MD5: 17E589B475B7176C2C29CDC6C0F3AA96
    SHA256: 5B2B23E375AE153EE19B98B0463F7F6BF299512182A4B54F71DE785EC4FA5567
  • PID 2496 (wscript.exe): C:\Users\admin\AppData\Local\Temp\SkypeUpdateScv.exe (type: xml)
    MD5: AB99593EFDF397078F11D9C37DD218A1
    SHA256: BEAB79184BF1FCA1F52FF3761F8A533827106FEF3749C6C9C9A3E7EEC619A226
  • PID 3168 (EXCEL.EXE): C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3BC94709.emf (type: emf)
    MD5: D4AD9EF61D10154867F589FD18A2D90B
    SHA256: A0BD9DD1F433C7B081E527305AD12631C8BF50383F55F9F4F23FFFECEDFDF5EA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

PID: 2496
Process: wscript.exe
Method: GET
HTTP Code: 404
IP: 204.74.99.100:80
URL: http://site.com/run.ex_
CN: US
Type: xml
Size: 345 b
Reputation: malicious

Connections

PID: 2496
Process: wscript.exe
IP: 204.74.99.100:80
Domain: site.com
ASN: NeuStar, Inc.
CN: US
Reputation: malicious

DNS requests

Domain: site.com
IP: 204.74.99.100
Reputation: malicious

Threats

No threats detected
No debug info