File name: Proforma Invoice.xlsx
Full analysis: https://app.any.run/tasks/9baa056f-db5f-440b-8195-d53bfd6e2648
Verdict: Malicious activity
Analysis date: July 18, 2019, 08:36:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: generated-doc, exploit, CVE-2017-11882
Indicators:
MIME: application/octet-stream
File info: Microsoft OOXML
MD5: 85FD3F8E1CB90FEC5BC35C97BB4DE904
SHA1: 517AF559C97ADD6A0526ECAA34064FA3047BCEF6
SHA256: 229C4F5533C38F1AEBAAA570D977DCAD5B63D9876B2862D2623BFB6D33A58452
SSDEEP: 192:hQ9aX3d/X+1Q918FuLJ3RnLpcuryxyBmJyjqdxKPXel:hAG39uwZJ3ouryxy25xKml

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Equation Editor starts application (CVE-2017-11882)
      • EQNEDT32.EXE (PID: 4088)
    • Application was dropped or rewritten from another process
      • name.exe (PID: 116)
  • SUSPICIOUS
    • Executed via COM
      • EQNEDT32.EXE (PID: 4088)
    • Executable content was dropped or overwritten
      • EQNEDT32.EXE (PID: 4088)
    • Creates files in the user directory
      • EQNEDT32.EXE (PID: 4088)
  • INFO
    • Reads Microsoft Office registry keys
      • EXCEL.EXE (PID: 3712)
    • Creates files in the user directory
      • EXCEL.EXE (PID: 3712)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlsx | Excel Microsoft Office Open XML Format document (61.2)
.zip | Open Packaging Conventions container (31.5)
.zip | ZIP compressed archive (7.2)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2019:07:17 23:56:00
ZipCRC: 0xb0fb548e
ZipCompressedSize: 373
ZipUncompressedSize: 1396
ZipFileName: [Content_Types].xml

XML

Application: Microsoft Excel
DocSecurity: None
ScaleCrop: No
HeadingPairs:
  • Worksheets
  • 1
TitlesOfParts: Sheet1
Company: -
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
AppVersion: 14.03
CreateDate: 2006:09:16 00:00:00Z
ModifyDate: 2006:09:16 00:00:00Z

XMP

Creator: xx
No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 1

Behavior graph

(Graph image not included in this export.) Nodes: excel.exe (no specs), eqnedt32.exe, name.exe (no specs). Edge labels: "start", "drop and start".

Process information

PID 3712
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Version: 14.0.6024.1000

PID 4088
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900

PID 116
CMD: C:\Users\admin\AppData\Roaming\name.exe
Path: C:\Users\admin\AppData\Roaming\name.exe
Parent process: EQNEDT32.EXE
User: admin
Integrity Level: MEDIUM
Total events: 460
Read events: 405
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 0
Text files: 2
Unknown types: 2

Dropped files

PID 3712, EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRF8D7.tmp.cvr
Type: –
MD5: –
SHA256: –

PID 3712, EXCEL.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Proforma Invoice.xlsx.LNK
Type: lnk
MD5: B663394AD2AD2C454AD92D4CDEFE9C9E
SHA256: 1C5217252B0F09F25010E2C6D5A9F823FA1EA17CFE6EFCBC6FA7D005D2075780

PID 3712, EXCEL.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Type: text
MD5: B372A74C0230184DD2F59E0004F0B845
SHA256: E5AA64D5EA9FF55DC41481632D89EB32FDBC41EDF53C878072C75457629CA0D3

PID 4088, EQNEDT32.EXE
Filename: C:\Users\admin\AppData\Roaming\name.exe
Type: executable
MD5: 83B3900947FCDDDA5B65C72A26398FF2
SHA256: 6B8AE8976390C33D7338D5250E24CA3BEFD7F10EBAC8F4B64871CEF08FB0A879

PID 4088, EQNEDT32.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\test[1].exe
Type: executable
MD5: 83B3900947FCDDDA5B65C72A26398FF2
SHA256: 6B8AE8976390C33D7338D5250E24CA3BEFD7F10EBAC8F4B64871CEF08FB0A879
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 4088
Process: EQNEDT32.EXE
IP: 50.87.115.208:443
Domain: bonbonii.com
ASN: Unified Layer
CN: US
Reputation: malicious

DNS requests

Domain: bonbonii.com
IP: 50.87.115.208
Reputation: malicious

Threats

No threats detected
No debug info