analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

swf.xlsx

Full analysis: https://app.any.run/tasks/c142ed35-1046-462e-8a29-a3342f3bafdb
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Analysis date: October 14, 2019, 07:22:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exploit
CVE-2017-11882
trojan
formbook
stealer
Indicators:
MIME: application/octet-stream
File info: Microsoft OOXML
MD5:

EFA6B94FAA282326C7FF7F82A6B9647C

SHA1:

02F78C866203F3DDBC3A325890E55BBD0DE8BC6E

SHA256:

532BEA8CBBE360B09DC64ED7299DF2242CBB349FED6D153B00CD59D88107FFE6

SSDEEP:

24576:p0bcdCmfypoX1IOoUYb1t8FQ5IYtDDfnzrDqCQMEDusL4fmHEXxVlcHaaaxb:WQdCm6qKpHQ8I23fzHK1DusL+W6aaJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 1560)
    • Application was dropped or rewritten from another process

      • avast.exe (PID: 928)
      • userbzl.exe (PID: 3724)
    • FORMBOOK was detected

      • explorer.exe (PID: 352)
      • wuapp.exe (PID: 3956)
      • Firefox.exe (PID: 3488)
    • Connects to CnC server

      • explorer.exe (PID: 352)
    • Actions looks like stealing of personal data

      • wuapp.exe (PID: 3956)
    • Changes the autorun value in the registry

      • wuapp.exe (PID: 3956)
    • Stealing of credential data

      • wuapp.exe (PID: 3956)
  • SUSPICIOUS

    • Executed via COM

      • EQNEDT32.EXE (PID: 1560)
      • DllHost.exe (PID: 444)
    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 1560)
      • wuapp.exe (PID: 3956)
    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 1560)
      • explorer.exe (PID: 352)
      • DllHost.exe (PID: 444)
    • Starts CMD.EXE for commands execution

      • wuapp.exe (PID: 3956)
    • Loads DLL from Mozilla Firefox

      • wuapp.exe (PID: 3956)
    • Creates files in the program directory

      • DllHost.exe (PID: 444)
    • Executes scripts

      • explorer.exe (PID: 352)
  • INFO

    • Starts Microsoft Office Application

      • explorer.exe (PID: 352)
    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2752)
    • Manual execution by user

      • wuapp.exe (PID: 3956)
    • Reads the hosts file

      • wuapp.exe (PID: 3956)
    • Creates files in the user directory

      • Firefox.exe (PID: 3488)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlsx | Excel Microsoft Office Open XML Format document (61.2)
.zip | Open Packaging Conventions container (31.5)
.zip | ZIP compressed archive (7.2)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2019:10:13 16:11:04
ZipCRC: 0xea720091
ZipCompressedSize: 396
ZipUncompressedSize: 1630
ZipFileName: [Content_Types].xml

XML

Application: WPS 表格
HeadingPairs:
  • 工作表
  • 1
TitlesOfParts: stmt (3)
CreateDate: 2019:06:02 21:01:48Z
ModifyDate: 2019:06:02 21:04:29Z
KSOProductBuildVer: 2052-1.1.0.1454
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
10
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start excel.exe no specs eqnedt32.exe avast.exe no specs #FORMBOOK wuapp.exe cmd.exe no specs #FORMBOOK explorer.exe #FORMBOOK firefox.exe no specs Copy/Move/Rename/Delete/Link Object userbzl.exe no specs cscript.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2752"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
1560"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
928C:\Users\admin\AppData\Roaming\avast.exeC:\Users\admin\AppData\Roaming\avast.exeEQNEDT32.EXE
User:
admin
Company:
IDM Computer Solutions, Inc.
Integrity Level:
MEDIUM
Description:
Msnews Dialup Scheduler Extra Usman Horizontal
Exit code:
0
Version:
3.7.1.7
3956"C:\Windows\System32\wuapp.exe"C:\Windows\System32\wuapp.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Update Application Launcher
Version:
7.5.7601.17514 (win7sp1_rtm.101119-1850)
3832/c del "C:\Users\admin\AppData\Roaming\avast.exe"C:\Windows\System32\cmd.exewuapp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
352C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3488"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe
wuapp.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
68.0.1
444C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}C:\Windows\system32\DllHost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3724"C:\Program Files\Z7notqhc\userbzl.exe"C:\Program Files\Z7notqhc\userbzl.exeexplorer.exe
User:
admin
Company:
IDM Computer Solutions, Inc.
Integrity Level:
MEDIUM
Description:
Msnews Dialup Scheduler Extra Usman Horizontal
Exit code:
0
Version:
3.7.1.7
3504"C:\Windows\System32\cscript.exe"C:\Windows\System32\cscript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Total events
715
Read events
622
Write events
82
Delete events
11

Modification events

(PID) Process:(2752) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:writeName:s"`
Value:
73226000C00A0000010000000000000000000000
(PID) Process:(2752) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2752) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(2752) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(2752) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(2752) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(2752) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(2752) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(2752) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(2752) EXCEL.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:EXCELFiles
Value:
1330511897
Executable files
4
Suspicious files
78
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2752EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRAA73.tmp.cvr
MD5:
SHA256:
928avast.exeC:\Users\admin\AppData\Local\Temp\B65A.tmpbinary
MD5:6C45FB3ACA01435DAAB0BFBA8D93536D
SHA256:15D0ACD2CDD5A77BE32FCF9EEEE04B5DF7FB5D2A0A3A87713AEB9C1CE81EBD2E
3956wuapp.exeC:\Users\admin\AppData\Roaming\4L8P-DA7\4L8logrc.inibinary
MD5:2855A82ECDD565B4D957EC2EE05AED26
SHA256:88E38DA5B12DD96AFD9DC90C79929EC31D8604B1AFDEBDD5A02B19249C08C939
1560EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\papx5[1].exeexecutable
MD5:2C42DB0C6F56CA547F38898FDD5E24BE
SHA256:A562E25CD73CED6AC595EC3268866B6DD6090BC0097BEF730564449301B4AFCA
1560EQNEDT32.EXEC:\Users\admin\AppData\Roaming\avast.exeexecutable
MD5:2C42DB0C6F56CA547F38898FDD5E24BE
SHA256:A562E25CD73CED6AC595EC3268866B6DD6090BC0097BEF730564449301B4AFCA
3724userbzl.exeC:\Users\admin\AppData\Local\Temp\5E87.tmp
MD5:
SHA256:
3956wuapp.exeC:\Users\admin\AppData\Roaming\4L8P-DA7\4L8logim.jpegimage
MD5:5720AE07126C9BBD2679D26402792638
SHA256:9CCB382136713596827FF63A62077BC4990491CA1F392BFBE89B387DB68E6BF0
3488Firefox.exeC:\Users\admin\AppData\Roaming\4L8P-DA7\4L8logrf.inibinary
MD5:53028481B5B5795F1501241CCC7ABFF6
SHA256:75B5F3045E20C80F264568707E2D444DC7498DB119D9661AE51A91575960FC5A
352explorer.exeC:\Users\admin\AppData\Local\Temp\Z7notqhc\userbzl.exeexecutable
MD5:2C42DB0C6F56CA547F38898FDD5E24BE
SHA256:A562E25CD73CED6AC595EC3268866B6DD6090BC0097BEF730564449301B4AFCA
444DllHost.exeC:\Program Files\Z7notqhc\userbzl.exeexecutable
MD5:2C42DB0C6F56CA547F38898FDD5E24BE
SHA256:A562E25CD73CED6AC595EC3268866B6DD6090BC0097BEF730564449301B4AFCA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
40
TCP/UDP connections
46
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
352
explorer.exe
GET
301
84.16.73.17:80
http://www.valfphotographies.com/zu3/?Ul9=jYMeOLYPl1GWfBw3C2zWltWlgzt2aKxgGrKzNhDpzHJq8vuIq9ODnNMVlMWn2/DRxV9yJA==&5j=uFBXnDRxx08l&sql=1
CH
malicious
352
explorer.exe
GET
301
35.242.251.130:80
http://www.flipderclown.com/zu3/?Ul9=41CxMZ6x06G56kNYfjVbBR/vP0nAccOEqXd5KKxFyqhQyn00PUBA3ThmilW618rDo3Vl4Q==&5j=uFBXnDRxx08l&sql=1
US
malicious
352
explorer.exe
GET
35.242.251.130:80
http://www.suitofbullets.com/zu3/?Ul9=kh3wPp1IOEdHjS5IcbPNLjlsVNwd++PdwHWcOnz5nf2syDyvmt887vSvrO10oHNOJmd5JA==&5j=uFBXnDRxx08l&sql=1
US
malicious
352
explorer.exe
GET
301
184.168.131.241:80
http://www.chrisbarnescreative.com/zu3/?Ul9=VHrPOWOJHpqqXmV0tYJII0A445F37SnGouHxvobYkImGld46a73koxWbmFIX8sCq6QCHOA==&5j=uFBXnDRxx08l
US
malicious
352
explorer.exe
POST
84.16.73.17:80
http://www.valfphotographies.com/zu3/
CH
malicious
352
explorer.exe
POST
35.242.251.130:80
http://www.suitofbullets.com/zu3/
US
malicious
352
explorer.exe
POST
404
199.192.30.91:80
http://www.kerxbin.com/zu3/
US
html
292 b
malicious
352
explorer.exe
POST
199.192.30.91:80
http://www.kerxbin.com/zu3/
US
malicious
352
explorer.exe
POST
35.242.251.130:80
http://www.flipderclown.com/zu3/
US
malicious
352
explorer.exe
POST
35.242.251.130:80
http://www.suitofbullets.com/zu3/
US
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1560
EQNEDT32.EXE
5.101.174.39:443
turacoenterprises.com
UK Dedicated Servers Limited
GB
malicious
352
explorer.exe
35.242.251.130:80
www.flipderclown.com
US
malicious
352
explorer.exe
108.167.137.18:80
www.finebabychoice.com
CyrusOne LLC
US
malicious
352
explorer.exe
184.168.131.241:80
www.chrisbarnescreative.com
GoDaddy.com, LLC
US
shared
352
explorer.exe
84.16.73.17:80
www.valfphotographies.com
Infomaniak Network SA
CH
malicious
35.242.251.130:80
www.flipderclown.com
US
malicious
84.16.73.17:80
www.valfphotographies.com
Infomaniak Network SA
CH
malicious
352
explorer.exe
199.192.30.91:80
www.kerxbin.com
US
malicious
352
explorer.exe
183.90.242.46:80
www.metallsvenskan.net
SAKURA Internet Inc.
JP
malicious
85.233.160.215:80
www.londonphoto-booth.com
Namesco Limited
GB
malicious

DNS requests

Domain
IP
Reputation
turacoenterprises.com
  • 5.101.174.39
unknown
www.santeguadeloupe.info
unknown
www.chrisbarnescreative.com
  • 184.168.131.241
malicious
www.flipderclown.com
  • 35.242.251.130
malicious
www.valfphotographies.com
  • 84.16.73.17
malicious
www.suitofbullets.com
  • 35.242.251.130
malicious
www.finebabychoice.com
  • 108.167.137.18
malicious
www.kerxbin.com
  • 199.192.30.91
malicious
www.apmhearn.com
  • 172.217.22.51
malicious
www.metallsvenskan.net
  • 183.90.242.46
malicious

Threats

PID
Process
Class
Message
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (GET)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
352
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] FormBook CnC Checkin (POST)
31 ETPRO signatures available at the full report
No debug info