File name: | 103-13875646352.xlsm |
Full analysis: | https://app.any.run/tasks/8a8f1a44-d85b-4a74-ad36-e396cd8903a0 |
Verdict: | Malicious activity |
Analysis date: | April 25, 2019, 06:48:26 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
File info: | Microsoft Excel 2007+ |
MD5: | 9EFDA574FAAC2B66F467398053598DF5 |
SHA1: | EC5AE72C1233590DBC8BD3EE1DD1E14F06582166 |
SHA256: | 2928262CA2271DC48EB5A4289A988F4B8B51E63423D46243183A89EA57C56A6B |
SSDEEP: | 768:5k76LRCQO6c4FAN7Bidt4FFAcr4WNmOFLgvYmz6t:Y8C+c4GN7M4vJlNmOF0gmz6t |
.xlsx | | | Excel Microsoft Office Open XML Format document (61.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (31.5) |
.zip | | | ZIP compressed archive (7.2) |
Creator: | - |
---|
ModifyDate: | 2019:04:24 16:13:55Z |
---|---|
CreateDate: | 2019:03:18 20:41:36Z |
LastModifiedBy: | - |
AppVersion: | 16.03 |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
Company: | - |
TitlesOfParts: |
|
HeadingPairs: |
|
ScaleCrop: | No |
DocSecurity: | None |
Application: | Microsoft Excel |
ContentTypeId: | 0x01010079F111ED35F8CC479449609E8A0923A6 |
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 3979 |
ZipCompressedSize: | 538 |
ZipCRC: | 0xab2e58ef |
ZipModifyDate: | 2019:04:24 17:15:18 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0002 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
916 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2756 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2412 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
1496 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
2700 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | EQNEDT32.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 3221225477 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
916 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR2E02.tmp.cvr | — | |
MD5:— | SHA256:— | |||
916 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~$103-13875646352.xlsm.xlsx | — | |
MD5:— | SHA256:— | |||
2412 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRFB93.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1496 | EQNEDT32.EXE | C:\ProgramData\nameX.exe | html | |
MD5:2C6F0ACB22C00EB765FC3E40878FF7FD | SHA256:60BAB2EB90D144C6C7CD2AE4D88E642E9457C3DCC28ADED40A82855E45CF4B7B | |||
1496 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\obi9[1].htm | html | |
MD5:2C6F0ACB22C00EB765FC3E40878FF7FD | SHA256:60BAB2EB90D144C6C7CD2AE4D88E642E9457C3DCC28ADED40A82855E45CF4B7B | |||
1496 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat | |
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862 | SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A | |||
2700 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs287F.tmp | text | |
MD5:8CF6DDB5AA59B49F34B967CD46F013B6 | SHA256:EE06792197C3E025B84860A72460EAF628C66637685F8C52C5A08A9CC35D376C | |||
2700 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs2880.tmp | text | |
MD5:4C361DEA398F7AEEF49953BDC0AB4A9B | SHA256:06D61C23E6CA59B9DDAD1796ECCC42C032CD8F6F424AF6CFEE5D085D36FF7DFD |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1496 | EQNEDT32.EXE | GET | 200 | 185.224.137.188:80 | http://superiorlinks.esy.es/files/obi9.exe | unknown | html | 1.17 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1496 | EQNEDT32.EXE | 185.224.137.188:80 | superiorlinks.esy.es | — | — | suspicious |
Domain | IP | Reputation |
---|---|---|
superiorlinks.esy.es |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
1496 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |