Field | Value |
---|---|
File name | 54fa330eca66ee55e09cdb45e873faac0ae4ce3b9c78b9064212780cf1fed272.xla |
Full analysis | https://app.any.run/tasks/38bf41b4-d467-47c2-af17-eaca35d9af39 |
Verdict | Malicious activity |
Analysis date | November 15, 2018, 12:17:17 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/vnd.ms-excel |
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Title: (Word, Excel, TXT) Excel, Author: EducatedFool, Comments: ==== http://ExcelVBA.ru/ ===== Excel ICQ: 5836318 Skype: ExcelVBA.ru======================, Last Saved By: Andrey Shurygin, Revision Number: 3200, Name of Creating Application: AddinUpdater, Create Time/Date: Sun Jun 10 03:49:23 2018, Last Saved Time/Date: Tue Sep 25 18:54:39 2018, Security: 0 |
MD5 | 1FFD9D3ADC21A84CE63A2526AF3A2F11 |
SHA1 | 0D6E1B7647C88FEC4B0960216501A9755B73BB47 |
SHA256 | 54FA330ECA66EE55E09CDB45E873FAAC0AE4CE3B9C78B9064212780CF1FED272 |
SSDEEP | 24576:79TSwdCWTK07BHuShN3O9zioAhSAIEcPuqRg66L79osPoMv6qyAgcXu1q1h9mW3e:LZBHhN3s |
Extension | Description |
---|---|
.xls | Microsoft Excel sheet (36.8) |
.xls | Microsoft Excel sheet (alternate) (30) |
.doc | Microsoft Word document (old ver.) (23.3) |
Property | Value |
---|---|
CompObjUserType | ???? Microsoft Excel 2003 |
CompObjUserTypeLen | 26 |
Skype | ExcelVBA.ru |
E-mail | [email protected] |
ICQ | 58-36-318 |
CodePage | Windows Cyrillic |
HeadingPairs | |
TitleOfParts | |
HyperlinksChanged | No |
SharedDoc | No |
LinksUpToDate | No |
ScaleCrop | No |
AppVersion | 16 |
Company | http://excelvba.ru/ |
Security | None |
ModifyDate | 2018:09:25 17:54:39 |
CreateDate | 2018:06:10 02:49:23 |
Software | AddinUpdater |
RevisionNumber | 3200 |
LastModifiedBy | Andrey Shurygin |
Comments | ==== http://ExcelVBA.ru/ ===== Excel macro development ICQ: 5836318 Skype: ExcelVBA.ru ====================== |
Author | EducatedFool |
Title | Program for filling documents (Word, Excel, TXT) with data from an Excel table |
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
---|---|---|---|---|---|---|---|---|---|---|
3228 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Excel | 0 | 14.0.6024.1000 |
3880 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | svchost.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 0 | 14.0.6024.1000 |
4068 | "C:\Windows\explorer.exe" /e, "C:\Users\admin\AppData\Local\Temp\Documents\" | C:\Windows\explorer.exe | — | EXCEL.EXE | admin | Microsoft Corporation | MEDIUM | Windows Explorer | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
3140 | C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | C:\Windows\explorer.exe | — | svchost.exe | admin | Microsoft Corporation | MEDIUM | Windows Explorer | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
3208 | "C:\Windows\explorer.exe" /e, "C:\Users\admin\AppData\Local\Temp\Documents\" | C:\Windows\explorer.exe | — | EXCEL.EXE | admin | Microsoft Corporation | MEDIUM | Windows Explorer | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
3976 | C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | C:\Windows\explorer.exe | — | svchost.exe | admin | Microsoft Corporation | MEDIUM | Windows Explorer | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
3540 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Excel | 0 | 14.0.6024.1000 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3228 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR9985.tmp.cvr | — | — | — |
3228 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso29A1.tmp | — | — | — |
3228 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso29D1.tmp | — | — | — |
3228 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF5F6D3152B0B60DC1.TMP | — | — | — |
3228 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFEAE79463C37D2AE6.TMP | — | — | — |
3228 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFD67F8E04AB058F7F.TMP | — | — | — |
3228 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF5C7374DAADE73D58.TMP | — | — | — |
3228 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF9CB62B680F409DE1.TMP | — | — | — |
3228 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF101348005C0CFC66.TMP | — | — | — |
3228 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF1A6E17CE9B23A04F.TMP | — | — | — |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3228 | EXCEL.EXE | GET | 200 | 51.254.21.170:80 | http://excelvba.ru/resources/FillDocuments/KU%20-%20test.xls | FR | document | 52.5 Kb | whitelisted |
3228 | EXCEL.EXE | GET | 200 | 51.254.21.170:80 | http://excelvba.ru/resources/FillDocuments/ExcelTable.xls | FR | document | 42.5 Kb | whitelisted |
3228 | EXCEL.EXE | GET | 200 | 51.254.21.170:80 | http://excelvba.ru/resources/FillDocuments/AKT%20-%20test.doc | FR | document | 24.5 Kb | whitelisted |
3228 | EXCEL.EXE | GET | 301 | 51.254.21.170:80 | http://excelvba.ru/resources/FillDocuments/ | FR | html | 256 b | whitelisted |
3228 | EXCEL.EXE | GET | 200 | 51.254.21.170:80 | http://excelvba.ru/resources/FillDocuments/Dogovor%20-%20test.doc | FR | document | 98.5 Kb | whitelisted |
3228 | EXCEL.EXE | POST | 200 | 51.254.21.170:80 | http://excelvba.ru/php2/updates.php | FR | text | 634 b | whitelisted |
3228 | EXCEL.EXE | POST | — | 51.254.21.170:80 | http://excelvba.ru/php2/updates.php | FR | — | — | whitelisted |
3228 | EXCEL.EXE | GET | 200 | 51.254.21.170:80 | http://excelvba.ru/resources/FillDocuments/TEXT%20template.txt | FR | text | 934 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3228 | EXCEL.EXE | 51.254.21.170:443 | excelvba.ru | OVH SAS | FR | malicious |
3228 | EXCEL.EXE | 51.254.21.170:80 | excelvba.ru | OVH SAS | FR | malicious |
Domain | IP | Reputation |
---|---|---|
excelvba.ru | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3228 | EXCEL.EXE | Potentially Bad Traffic | ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide) |
3228 | EXCEL.EXE | Potentially Bad Traffic | ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide) |