File name: 60b4d02520783660e254864dcfe438db.xls

Full analysis: https://app.any.run/tasks/056372e7-f7b6-4270-8725-9991d816d409
Verdict: Malicious activity
Analysis date: January 11, 2019, 07:05:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, generated-doc
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 949, Title: , Subject: , Comments: (Yesform) ., Last Saved By: MAX, Name of Creating Application: Microsoft Excel, Last Printed: Tue Jan 1 05:08:09 2019, Create Time/Date: Thu Feb 23 07:43:01 2012, Last Saved Time/Date: Mon Jan 7 04:15:33 2019, Security: 0
MD5: 60B4D02520783660E254864DCFE438DB
SHA1: ED432500EDA6A62EB425C618397E6CBC97942451
SHA256: 2777D51E51A61CA7E61FDA0D4822272F85A49C3AC3F21E3153A8E586C6E5A88B
SSDEEP: 3072:2vnNZpKGeUznMxMHwo9UBMXdbsl2Pd9qGnu/BXqnOPma9JuVr1iqELam4xXLez1e:KqMHwo9UBMXvl11aeVYDCxyA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • EXCEL.EXE (PID: 2912)
  • SUSPICIOUS
    • Unusual connect from Microsoft Office
      • EXCEL.EXE (PID: 2912)
    • Executes application which crashes
      • EXCEL.EXE (PID: 2912)
  • INFO
    • Creates files in the user directory
      • EXCEL.EXE (PID: 2912)
    • Reads Microsoft Office registry keys
      • EXCEL.EXE (PID: 2912)
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF (FlashPix)

CompObjUserType: Microsoft Excel 2003 [Korean text, mis-encoded in the extracted report]
CompObjUserTypeLen: 30
HeadingPairs:
  • [mis-encoded Korean label]: 11
  • [mis-encoded Korean label]: 9
TitleOfParts:
  • 11 worksheets: ten sheets with Korean names (mis-encoded in the extracted report) and Sheet1
  • 9 named ranges: Print_Area defined on five of the sheets, and a second Korean-named range (mis-encoded) defined on three sheets and once at workbook level
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 14
Company: [mis-encoded Korean text]
Manager: [mis-encoded Korean text]
Category: www.yesform.com
CodePage: Windows Korean (Unified Hangul Code)
Security: None
ModifyDate: 2019:01:07 04:15:33
CreateDate: 2012:02:23 07:43:01
LastPrinted: 2019:01:01 05:08:09
Software: Microsoft Excel
LastModifiedBy: MAX
Comments: [mis-encoded Korean text mentioning Yesform]
Author: [mis-encoded Korean text]
Subject: [mis-encoded Korean text]
Title: [mis-encoded Korean text]
Total processes: 33
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> excel.exe -> ntvdm.exe (no specs)

Process information

PID: 2912
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Indicators: (none listed)
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Version: 14.0.6024.1000

PID: 2580
CMD: "C:\Windows\system32\ntvdm.exe" -i1
Path: C:\Windows\system32\ntvdm.exe
Indicators: (none listed)
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: NTVDM.EXE
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 660
Read events: 561
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 0
Text files: 2
Unknown types: 1

Dropped files

PID: 2912 (EXCEL.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\CVR938B.tmp
Type: cvr
MD5: (not recorded)
SHA256: (not recorded)

PID: 2580 (ntvdm.exe)
Filename: C:\Users\admin\AppData\Local\Temp\scsA7EE.tmp
Type: tmp
MD5: (not recorded)
SHA256: (not recorded)

PID: 2580 (ntvdm.exe)
Filename: C:\Users\admin\AppData\Local\Temp\scsA7EF.tmp
Type: tmp
MD5: (not recorded)
SHA256: (not recorded)

PID: 2912 (EXCEL.EXE)
Filename: C:\sMessenger\searchMessenger_upgrade_x.exe
Type: html
MD5: E87C6AD9327B04E12803B5D136D8BA71
SHA256: 611E7535905C54DAD45A20EE367829183DD89CF1F3B442F18F1B76120A3445AA

PID: 2912 (EXCEL.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
Type: tlb
MD5: 94B49DEA56E4DA3D49780089A2394675
SHA256: 62B04D5A9D16EC64583485602DE65CB1A05E6784D61C6C763A93B04F01201804

PID: 2912 (EXCEL.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@yesform[1].txt
Type: text
MD5: 0D02E24F165D352C1E3F0EF52FBE0BC4
SHA256: B22202B01CDC17ABCA7785FCC4052BAD55953787D0E45ED4393BF4D96AB089CA
HTTP(S) requests: 2
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

PID: 2912 (EXCEL.EXE)
Method: GET
HTTP Code: 302
IP: 222.122.6.226:80
URL: http://www.yesform.com/active/searchMessenger/dw.php?mode=etc
CN: KR
Type: (none)
Size: (none)
Reputation: suspicious

PID: 2912 (EXCEL.EXE)
Method: GET
HTTP Code: 200
IP: 222.122.6.226:80
URL: http://www.yesform.com/active/searchMessenger/searchMessenger.php
CN: KR
Type: html
Size: 20.9 Kb
Reputation: suspicious
Connections

PID: 2912 (EXCEL.EXE)
IP: 222.122.6.226:80
Domain: www.yesform.com
ASN: Korea Telecom
CN: KR
Reputation: suspicious

DNS requests

Domain: www.yesform.com
IP: 222.122.6.226
Reputation: suspicious

Threats

No threats detected
No debug info