analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

BANK TRANSFER.xlsx

Full analysis: https://app.any.run/tasks/b953173e-3975-4a14-af74-5f5a461fffc2
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: November 08, 2018, 22:14:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
exploit
CVE-2017-11882
loader
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5:

D4BC1E9FEF6EF3E2F87640C9466DF106

SHA1:

D135E01B42562DEDBBFEAB6E68BA3D46AFE95FAA

SHA256:

3E59A4022266E48AA4D446EC217250031829BB6113E1AC73EE195EA74B56707B

SSDEEP:

192:zgq7j1AAlUOV8vdQjmuA4AwHnEu9HSycYuJS6nHkxtCz2cV4y:0+158qmLFYJuJ/HkvCzpVl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • project5789.exe (PID: 3944)
    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 3888)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3888)
    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 3888)
  • SUSPICIOUS

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 3888)
    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3888)
  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 912)
    • Creates files in the user directory

      • EXCEL.EXE (PID: 912)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlsx | Excel Microsoft Office Open XML Format document (61.2)
.zip | Open Packaging Conventions container (31.5)
.zip | ZIP compressed archive (7.2)

EXIF

XML

AppVersion: 12
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
TitlesOfParts:
  • Sheet1
  • Sheet2
  • Sheet3
HeadingPairs:
  • Worksheets
  • 3
ScaleCrop: No
DocSecurity: None
Application: Microsoft Excel
ModifyDate: 2018:10:31 10:38:26Z
CreateDate: 2018:10:31 10:37:04Z
LastModifiedBy: Modey

XMP

Creator: Modey

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1777
ZipCompressedSize: 395
ZipCRC: 0xdfdbf455
ZipModifyDate: 2018:11:08 17:23:16
ZipCompression: Deflated
ZipBitFlag: 0x0002
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
33
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start excel.exe no specs eqnedt32.exe project5789.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
912"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
3888"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3944"C:\Users\admin\AppData\Roaming\project5789.exe"C:\Users\admin\AppData\Roaming\project5789.exeEQNEDT32.EXE
User:
admin
Company:
Earthlink, Inc.
Integrity Level:
MEDIUM
Description:
Danones yogurt Bio
Exit code:
0
Version:
1.13.9.2
Total events
632
Read events
587
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
2
Unknown types
2

Dropped files

PID
Process
Filename
Type
912EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR994D.tmp.cvr
MD5:
SHA256:
912EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:47C7F591915E88D6612AA26EB3B9A09D
SHA256:0A5490545397D4DA9E5401CB53F729E2F80DF0B6F2A7522675BD33AE6D26F5C9
3888EQNEDT32.EXEC:\Users\admin\AppData\Roaming\project5789.exeexecutable
MD5:9C8CAB6FBD75527C458760F1E64CE100
SHA256:D6BF6FF46B9C6DCB0B428446FAA66AF2BF8FF6EF443484A60A3D7C078E4850DF
3888EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\frankjoe[1].exeexecutable
MD5:9C8CAB6FBD75527C458760F1E64CE100
SHA256:D6BF6FF46B9C6DCB0B428446FAA66AF2BF8FF6EF443484A60A3D7C078E4850DF
912EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\BANK TRANSFER.xlsx.LNKlnk
MD5:661FAF36B2C3B5CCC267365A56263AE1
SHA256:8D80C394EB103F93836CB80A7BB8C7E9320ABEC3E23A8DDC49FBB8EB8022AC3D
3888EQNEDT32.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.datdat
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3888
EQNEDT32.EXE
GET
200
23.94.188.246:80
http://oceanicproducts.eu/frankjoe/frankjoe.exe
US
executable
403 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3888
EQNEDT32.EXE
23.94.188.246:80
oceanicproducts.eu
ColoCrossing
US
suspicious

DNS requests

Domain
IP
Reputation
oceanicproducts.eu
  • 23.94.188.246
malicious

Threats

PID
Process
Class
Message
3888
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
No debug info