File name: | 60b4d02520783660e254864dcfe438db.xls |
Full analysis: | https://app.any.run/tasks/056372e7-f7b6-4270-8725-9991d816d409 |
Verdict: | Malicious activity |
Analysis date: | January 11, 2019, 07:05:23 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 949, Title: , Subject: , Comments: (Yesform) ., Last Saved By: MAX, Name of Creating Application: Microsoft Excel, Last Printed: Tue Jan 1 05:08:09 2019, Create Time/Date: Thu Feb 23 07:43:01 2012, Last Saved Time/Date: Mon Jan 7 04:15:33 2019, Security: 0 |
MD5: | 60B4D02520783660E254864DCFE438DB |
SHA1: | ED432500EDA6A62EB425C618397E6CBC97942451 |
SHA256: | 2777D51E51A61CA7E61FDA0D4822272F85A49C3AC3F21E3153A8E586C6E5A88B |
SSDEEP: | 3072:2vnNZpKGeUznMxMHwo9UBMXdbsl2Pd9qGnu/BXqnOPma9JuVr1iqELam4xXLez1e:KqMHwo9UBMXvl11aeVYDCxyA |
.xls | | | Microsoft Excel sheet (48) |
---|---|---|
.xls | | | Microsoft Excel sheet (alternate) (39.2) |
CompObjUserType: | Microsoft Excel 2003 ??ũ??Ʈ |
---|---|
CompObjUserTypeLen: | 30 |
HeadingPairs: |
|
TitleOfParts: |
|
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 14 |
Company: | (??)?????? |
Manager: | ?????? |
Category: | www.yesform.com |
CodePage: | Windows Korean (Unified Hangul Code) |
Security: | None |
ModifyDate: | 2019:01:07 04:15:33 |
CreateDate: | 2012:02:23 07:43:01 |
LastPrinted: | 2019:01:01 05:08:09 |
Software: | Microsoft Excel |
LastModifiedBy: | MAX |
Comments: | ?? ???????? ???۱??? ??????(Yesform)?? ?????? ???? ???? ?? ?????? ?????? ???縦 ???? ?? ?ֽ??ϴ?. |
Author: | ?????? |
Subject: | ?????? ?? ???? ???�?? |
Title: | ?????? ?? ???? ???�?? |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2912 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
2580 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 3221225477 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2912 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR938B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2580 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scsA7EE.tmp | — | |
MD5:— | SHA256:— | |||
2580 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scsA7EF.tmp | — | |
MD5:— | SHA256:— | |||
2912 | EXCEL.EXE | C:\sMessenger\searchMessenger_upgrade_x.exe | html | |
MD5:E87C6AD9327B04E12803B5D136D8BA71 | SHA256:611E7535905C54DAD45A20EE367829183DD89CF1F3B442F18F1B76120A3445AA | |||
2912 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:94B49DEA56E4DA3D49780089A2394675 | SHA256:62B04D5A9D16EC64583485602DE65CB1A05E6784D61C6C763A93B04F01201804 | |||
2912 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@yesform[1].txt | text | |
MD5:0D02E24F165D352C1E3F0EF52FBE0BC4 | SHA256:B22202B01CDC17ABCA7785FCC4052BAD55953787D0E45ED4393BF4D96AB089CA |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2912 | EXCEL.EXE | GET | 302 | 222.122.6.226:80 | http://www.yesform.com/active/searchMessenger/dw.php?mode=etc | KR | — | — | suspicious |
2912 | EXCEL.EXE | GET | 200 | 222.122.6.226:80 | http://www.yesform.com/active/searchMessenger/searchMessenger.php | KR | html | 20.9 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2912 | EXCEL.EXE | 222.122.6.226:80 | www.yesform.com | Korea Telecom | KR | suspicious |
Domain | IP | Reputation |
---|---|---|
www.yesform.com |
| suspicious |