File name: 54fa330eca66ee55e09cdb45e873faac0ae4ce3b9c78b9064212780cf1fed272.xla

Full analysis: https://app.any.run/tasks/38bf41b4-d467-47c2-af17-eaca35d9af39
Verdict: Malicious activity
Analysis date: November 15, 2018, 12:17:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros-on-open, opendir
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Title: Program for filling documents (Word, Excel, TXT) with data from an Excel table, Author: EducatedFool, Comments: ==== http://ExcelVBA.ru/ ===== Macro development for Excel ICQ: 5836318 Skype: ExcelVBA.ru ======================, Last Saved By: Andrey Shurygin, Revision Number: 3200, Name of Creating Application: AddinUpdater, Create Time/Date: Sun Jun 10 03:49:23 2018, Last Saved Time/Date: Tue Sep 25 18:54:39 2018, Security: 0
MD5: 1FFD9D3ADC21A84CE63A2526AF3A2F11
SHA1: 0D6E1B7647C88FEC4B0960216501A9755B73BB47
SHA256: 54FA330ECA66EE55E09CDB45E873FAAC0AE4CE3B9C78B9064212780CF1FED272
SSDEEP: 24576:79TSwdCWTK07BHuShN3O9zioAhSAIEcPuqRg66L79osPoMv6qyAgcXu1q1h9mW3e:LZBHhN3s

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office: EXCEL.EXE (PID: 3228)
  • SUSPICIOUS
    • Reads Internet Cache Settings: EXCEL.EXE (PID: 3228)
    • Unusual connect from Microsoft Office: EXCEL.EXE (PID: 3228)
  • INFO
    • Creates files in the user directory: WINWORD.EXE (PID: 3880), EXCEL.EXE (PID: 3228)
    • Reads Microsoft Office registry keys: WINWORD.EXE (PID: 3880), EXCEL.EXE (PID: 3228), EXCEL.EXE (PID: 3540)
    • Reads settings of System Certificates: EXCEL.EXE (PID: 3228)
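The two behavioural signatures that carry the verdict reduce to checks on the process tree: an Office host image as the parent of a child it would not normally start, and an Office host image as the source of an outbound connection. The report's opendir tag is consistent with the explorer.exe /e, "<folder>" launches from PID 3228 shown in the process list further down. The Python below is an added example, not ANY.RUN's detection code. EVENTS is constructed from the process and connection rows of this report; the record schema (event, pid, ppid, image, parent_image, cmdline, dst), the parent PIDs 1000 and 600 assigned to explorer.exe and svchost.exe, and the benign-child list are assumptions, not sandbox output.

```python
"""Toy versions of the two behavioural signatures quoted above.

Added example, not ANY.RUN's detection code. EVENTS is constructed from
the process and connection rows of this report; field names, the parent
PIDs for explorer.exe/svchost.exe and the benign-child list are assumptions.
"""
import re

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Children an Office host commonly starts on its own (assumed list; tune per estate).
BENIGN_OFFICE_CHILDREN = {"splwow64.exe", "dw20.exe"}

# explorer.exe /e, "<folder>" opens a folder window; capture the folder.
EXPLORER_OPEN_DIR = re.compile(r'/e,\s*"([^"]+)"', re.IGNORECASE)

# Constructed from the report: EXCEL.EXE (PID 3228) starts explorer.exe twice
# on C:\Users\admin\AppData\Local\Temp\Documents\ and reaches 51.254.21.170.
EVENTS = [
    {"event": "process", "pid": 3228, "ppid": 1000, "image": "EXCEL.EXE",
     "parent_image": "explorer.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde'},
    {"event": "process", "pid": 3880, "ppid": 600, "image": "WINWORD.EXE",
     "parent_image": "svchost.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding'},
    {"event": "process", "pid": 4068, "ppid": 3228, "image": "explorer.exe",
     "parent_image": "EXCEL.EXE",
     "cmdline": r'"C:\Windows\explorer.exe" /e, "C:\Users\admin\AppData\Local\Temp\Documents\"'},
    {"event": "process", "pid": 3140, "ppid": 600, "image": "explorer.exe",
     "parent_image": "svchost.exe",
     "cmdline": r'C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding'},
    {"event": "process", "pid": 3208, "ppid": 3228, "image": "explorer.exe",
     "parent_image": "EXCEL.EXE",
     "cmdline": r'"C:\Windows\explorer.exe" /e, "C:\Users\admin\AppData\Local\Temp\Documents\"'},
    {"event": "connect", "pid": 3228, "image": "EXCEL.EXE", "dst": "51.254.21.170:443"},
    {"event": "connect", "pid": 3228, "image": "EXCEL.EXE", "dst": "51.254.21.170:80"},
    {"event": "process", "pid": 3540, "ppid": 1000, "image": "EXCEL.EXE",
     "parent_image": "explorer.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"'},
]


def is_office(image: str) -> bool:
    return image.lower() in OFFICE_IMAGES


def unusual_execution(events):
    """Office host starts a child not on the benign list.
    The hit is attributed to the parent PID, as the report does."""
    hits = []
    for e in events:
        if e["event"] != "process" or not is_office(e["parent_image"]):
            continue
        if e["image"].lower() in BENIGN_OFFICE_CHILDREN:
            continue
        hits.append({"signature": "Unusual execution from Microsoft Office",
                     "pid": e["ppid"], "child": e["image"], "cmdline": e["cmdline"]})
    return hits


def unusual_connect(events):
    """Office host opens an outbound connection."""
    return [{"signature": "Unusual connect from Microsoft Office",
             "pid": e["pid"], "dst": e["dst"]}
            for e in events if e["event"] == "connect" and is_office(e["image"])]


def opened_directories(events):
    """Folders an Office-spawned explorer.exe was told to open (the opendir behaviour)."""
    dirs = set()
    for h in unusual_execution(events):
        if h["child"].lower() == "explorer.exe":
            m = EXPLORER_OPEN_DIR.search(h["cmdline"])
            if m:
                dirs.add(m.group(1))
    return dirs


def office_pids_with_both(events):
    """PIDs that both spawned a child and went to the network: the strongest signal here."""
    spawners = {h["pid"] for h in unusual_execution(events)}
    connectors = {h["pid"] for h in unusual_connect(events)}
    return sorted(spawners & connectors)


if __name__ == "__main__":
    for hit in unusual_execution(EVENTS) + unusual_connect(EVENTS):
        print(hit)
    print("opened:", opened_directories(EVENTS))
    print("office PIDs with both behaviours:", office_pids_with_both(EVENTS))
```

Run against the constructed events, only PID 3228 trips both rules; WINWORD.EXE (PID 3880) and the COM-launched explorer.exe instances come from svchost.exe and stay quiet, which is why the report credits a single malicious process. Whether opening a folder under %TEMP% and fetching .xls/.doc templates from the author's own domain is hostile is a judgement the sandbox cannot make for you; the report's own disclaimer says as much.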
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (36.8)
.xls | Microsoft Excel sheet (alternate) (30)
.doc | Microsoft Word document (old ver.) (23.3)

EXIF

FlashPix

CompObjUserType: ???? Microsoft Excel 2003
CompObjUserTypeLen: 26
Skype: ExcelVBA.ru
E-mail: [email protected]
ICQ: 58-36-318
CodePage: Windows Cyrillic
HeadingPairs:
  • Worksheets (Russian: Листы)
  • 2
TitleOfParts:
  • translate
  • Лист1 (Russian for Sheet1)
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
Company: http://excelvba.ru/
Security: None
ModifyDate: 2018:09:25 17:54:39
CreateDate: 2018:06:10 02:49:23
Software: AddinUpdater
RevisionNumber: 3200
LastModifiedBy: Andrey Shurygin
Comments: ==== http://ExcelVBA.ru/ ===== Macro development for Excel ICQ: 5836318 Skype: ExcelVBA.ru ======================
Author: EducatedFool
Title: Program for filling documents (Word, Excel, TXT) with data from an Excel table
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 7
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → excel.exe; winword.exe (no specs); explorer.exe (no specs); explorer.exe (no specs); explorer.exe (no specs); explorer.exe (no specs); excel.exe (no specs)

Process information

Columns: PID, CMD, Path, Parent process, then per-process details (the Indicators column is empty in this extract).

PID 3228, EXCEL.EXE (parent process: explorer.exe)
  CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
  Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Exit code: 0; Version: 14.0.6024.1000

PID 3880, WINWORD.EXE (parent process: svchost.exe)
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000

PID 4068, explorer.exe (parent process: EXCEL.EXE)
  CMD: "C:\Windows\explorer.exe" /e, "C:\Users\admin\AppData\Local\Temp\Documents\"
  Path: C:\Windows\explorer.exe
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3140, explorer.exe (parent process: svchost.exe)
  CMD: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  Path: C:\Windows\explorer.exe
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3208, explorer.exe (parent process: EXCEL.EXE)
  CMD: "C:\Windows\explorer.exe" /e, "C:\Users\admin\AppData\Local\Temp\Documents\"
  Path: C:\Windows\explorer.exe
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3976, explorer.exe (parent process: svchost.exe)
  CMD: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  Path: C:\Windows\explorer.exe
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3540, EXCEL.EXE (parent process: explorer.exe)
  CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
  Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Exit code: 0; Version: 14.0.6024.1000
Total events: 5 232
Read events: 4 633
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 24
Text files: 8
Unknown types: 13

Dropped files

All dropped by PID 3228 (EXCEL.EXE); the MD5, SHA256 and Type columns are empty in this extract.

C:\Users\admin\AppData\Local\Temp\CVR9985.tmp.cvr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso29A1.tmp
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso29D1.tmp
C:\Users\admin\AppData\Local\Temp\~DF5F6D3152B0B60DC1.TMP
C:\Users\admin\AppData\Local\Temp\~DFEAE79463C37D2AE6.TMP
C:\Users\admin\AppData\Local\Temp\~DFD67F8E04AB058F7F.TMP
C:\Users\admin\AppData\Local\Temp\~DF5C7374DAADE73D58.TMP
C:\Users\admin\AppData\Local\Temp\~DF9CB62B680F409DE1.TMP
C:\Users\admin\AppData\Local\Temp\~DF101348005C0CFC66.TMP
C:\Users\admin\AppData\Local\Temp\~DF1A6E17CE9B23A04F.TMP
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 4
DNS requests: 1
Threats: 0

HTTP requests

All eight requests come from PID 3228 (EXCEL.EXE) to 51.254.21.170:80 (CN: FR); reputation for every URL is "whitelisted".

Method  HTTP Code  URL                                                                Type      Size
GET     200        http://excelvba.ru/resources/FillDocuments/KU%20-%20test.xls       document  52.5 Kb
GET     200        http://excelvba.ru/resources/FillDocuments/ExcelTable.xls          document  42.5 Kb
GET     200        http://excelvba.ru/resources/FillDocuments/AKT%20-%20test.doc      document  24.5 Kb
GET     301        http://excelvba.ru/resources/FillDocuments/                        html      256 b
GET     200        http://excelvba.ru/resources/FillDocuments/Dogovor%20-%20test.doc  document  98.5 Kb
POST    200        http://excelvba.ru/php2/updates.php                                text      634 b
POST    -          http://excelvba.ru/php2/updates.php                                -         -        (no response recorded in this extract)
GET     200        http://excelvba.ru/resources/FillDocuments/TEXT%20template.txt     text      934 b

Connections

Both from PID 3228 (EXCEL.EXE):
  51.254.21.170:443  excelvba.ru  ASN: OVH SAS  CN: FR  Reputation: malicious
  51.254.21.170:80   excelvba.ru  ASN: OVH SAS  CN: FR  Reputation: malicious

DNS requests

  excelvba.ru → 51.254.21.170  Reputation: whitelisted

Threats

PID 3228, EXCEL.EXE, class Potentially Bad Traffic: ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide) (fired twice)
3 ETPRO signatures available at the full report
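The signature name says what the IDS matched in the responses coming back from excelvba.ru: an OLE compound document whose body carries VBA project stream names encoded as UTF-16LE ("wide"), which is how Compound File directory entry names are stored. The Python below is an added example and not the Emerging Threats rule itself (the rule's exact content is not reproduced on this page). It splits an HTTP response the way a WEB_CLIENT rule sees it, pulls wide strings out of the body like `strings -el`, and alerts when the body starts with the CFB magic and contains a _VBA_PROJECT name. Both document bodies and both responses are constructed here (a fake 512-byte header plus fake 128-byte directory entries), not the files served in this analysis.

```python
"""Wide-string check behind the 'Embedded VBA Project (Wide)' alert.

Added example, not the Emerging Threats rule. MACRO_DOC, PLAIN_DOC and the
HTTP responses are constructed stand-ins, not the files served by excelvba.ru.
"""
import re

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # [MS-CFB] header signature
# Runs of 4+ printable ASCII chars encoded as UTF-16LE, like `strings -el`.
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def fake_dir_entry(name: str, entry_type: int) -> bytes:
    """Constructed stand-in for a CFB directory entry: UTF-16LE name padded
    to 64 bytes, 2-byte name length, 1-byte object type, zero-filled to 128."""
    wide = name.encode("utf-16-le") + b"\x00\x00"
    entry = wide.ljust(64, b"\x00") + len(wide).to_bytes(2, "little") + bytes([entry_type])
    return entry.ljust(128, b"\x00")


def fake_cfb(*entries: bytes) -> bytes:
    """Magic plus zero-filled 512-byte header, then the directory entries."""
    return CFB_MAGIC.ljust(512, b"\x00") + b"".join(entries)


# Excel workbook with a VBA project: streams live under _VBA_PROJECT_CUR\VBA.
MACRO_DOC = fake_cfb(
    fake_dir_entry("Root Entry", 5), fake_dir_entry("Workbook", 2),
    fake_dir_entry("_VBA_PROJECT_CUR", 1), fake_dir_entry("VBA", 1),
    fake_dir_entry("_VBA_PROJECT", 2), fake_dir_entry("dir", 2),
    fake_dir_entry("ThisWorkbook", 2),
)
# Same container without any VBA storage.
PLAIN_DOC = fake_cfb(
    fake_dir_entry("Root Entry", 5), fake_dir_entry("Workbook", 2),
    fake_dir_entry("\x05SummaryInformation", 2),
)


def wide_strings(data: bytes) -> list:
    """Decode every UTF-16LE printable run of 4+ characters."""
    return [m.group(0).decode("utf-16-le") for m in WIDE_RUN.finditer(data)]


def has_embedded_vba(body: bytes) -> bool:
    """CFB container whose wide strings include a _VBA_PROJECT stream or storage name."""
    if not body.startswith(CFB_MAGIC):
        return False
    return any(s.startswith("_VBA_PROJECT") for s in wide_strings(body))


def http_response(body: bytes, content_type: str) -> bytes:
    """Constructed server->client response carrying the given body."""
    head = (f"HTTP/1.1 200 OK\r\nContent-Type: {content_type}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("ascii") + body


def scan_response(raw: bytes) -> dict:
    """Split status line, headers and body, then apply the body check."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    return {
        "status": lines[0],
        "content_type": headers.get("content-type", ""),
        "alert": has_embedded_vba(body),
        "names": wide_strings(body),
    }


RESPONSE_MACRO = http_response(MACRO_DOC, "application/vnd.ms-excel")
RESPONSE_PLAIN = http_response(PLAIN_DOC, "application/vnd.ms-excel")

if __name__ == "__main__":
    for r in (RESPONSE_MACRO, RESPONSE_PLAIN):
        print(scan_response(r))
```

The check is a content heuristic: it fires on any legacy Office binary that ships a VBA project, which is exactly what a macro-driven document-filling tool fetched from the author's site would be, so an alert here is a triage cue rather than proof of hostile code. It also misses OOXML containers (.xlsm, .docm), where the project sits in a vbaProject.bin inside a zip and is usually deflated; those need the archive opened before any string match.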
No debug info