analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

doc8024.xlsx

Full analysis: https://app.any.run/tasks/8090b981-7312-42e0-8031-9b9ac9cbf343
Verdict: Malicious activity
Analysis date: October 14, 2019, 11:49:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5:

1E8EEB9D558910BADCFAC0BD42F65F53

SHA1:

CAE56D24896EB3DA59667D5104440459E96642AC

SHA256:

5A2E0ADB2700E2D657F4E02300D9FDBA639BB424A9E68E433042D783F049A4DB

SSDEEP:

6144:V85STVA5qHEZEHpwDvTVpANb/ACMQGgMxFx:y0TV0qfOvTVp8cCMfgMxFx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 996)

  • SUSPICIOUS

    • Starts Internet Explorer

      • EXCEL.EXE (PID: 996)

    • Unusual connect from Microsoft Office

      • EXCEL.EXE (PID: 996)

  • INFO

    • Creates files in the user directory

      • EXCEL.EXE (PID: 996)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 996)

    • Reads internet explorer settings

      • iexplore.exe (PID: 532)

    • Changes internet zones settings

      • iexplore.exe (PID: 564)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 532)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlsx | Excel Microsoft Office Open XML Format document (61.2)
.zip | Open Packaging Conventions container (31.5)
.zip | ZIP compressed archive (7.2)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x5fdaf283
ZipCompressedSize: 408
ZipUncompressedSize: 1789
ZipFileName: [Content_Types].xml

XML

KSOProductBuildVer: 1033-10.2.0.5934
Application: Microsoft Excel
DocSecurity: None
ScaleCrop: No
HeadingPairs:
  • Worksheets
  • 3
TitlesOfParts:
  • Sheet1
  • Sheet2
  • Sheet3
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
AppVersion: 15.03
LastModifiedBy: LIVAPUL
CreateDate: 2017:03:09 17:54:00Z
ModifyDate: 2019:10:07 15:49:35Z

XMP

Creator: KRIS FAMCY
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
996"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
564"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
EXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
532"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:564 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
817
Read events
699
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
13
Unknown types
5

Dropped files

PID
Process
Filename
Type
996EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRA42A.tmp.cvr
MD5:
SHA256:
564iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].ico
MD5:
SHA256:
564iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
532iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VAYURTWK\fwdssp_com[1].txt
MD5:
SHA256:
532iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MI0EY88C\fwdssp_com[1].txt
MD5:
SHA256:
564iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF5B59455D71661FB1.TMP
MD5:
SHA256:
564iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF6F5E55387442E67B.TMP
MD5:
SHA256:
564iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFEABE07E825C56318.TMP
MD5:
SHA256:
564iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{D7896DEC-EE78-11E9-AB41-5254004A04AF}.dat
MD5:
SHA256:
564iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFB685275ED76149CD.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
7
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
996
EXCEL.EXE
GET
302
192.254.189.51:80
http://firesystemsonline.com/wp-includes/fracx/adopoty
US
html
309 b
suspicious
996
EXCEL.EXE
GET
103.74.117.155:80
http://hollywoodsecrets.net/wp-admin/ex/download.php?login=
VN
unknown
996
EXCEL.EXE
GET
103.74.117.155:80
http://hollywoodsecrets.net/wp-admin/ex/download.php?login=
VN
unknown
532
iexplore.exe
GET
200
192.254.189.51:80
http://firesystemsonline.com/cgi-sys/suspendedpage.cgi
US
html
315 b
suspicious
564
iexplore.exe
GET
302
192.254.189.51:80
http://firesystemsonline.com/favicon.ico
US
html
309 b
suspicious
996
EXCEL.EXE
GET
200
192.254.189.51:80
http://firesystemsonline.com/cgi-sys/suspendedpage.cgi
US
html
315 b
suspicious
564
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
564
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
532
iexplore.exe
208.91.196.46:80
fwdssp.com
Confluence Networks Inc
VG
malicious
996
EXCEL.EXE
192.254.189.51:80
firesystemsonline.com
Unified Layer
US
suspicious
564
iexplore.exe
192.254.189.51:80
firesystemsonline.com
Unified Layer
US
suspicious
532
iexplore.exe
192.254.189.51:80
firesystemsonline.com
Unified Layer
US
suspicious
996
EXCEL.EXE
103.74.117.155:80
hollywoodsecrets.net
TaDu joint stock company
VN
unknown

DNS requests

Domain
IP
Reputation
firesystemsonline.com
  • 192.254.189.51
suspicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
fwdssp.com
  • 208.91.196.46
whitelisted
hollywoodsecrets.net
  • 103.74.117.155
unknown

Threats

PID
Process
Class
Message
532
iexplore.exe
Misc activity
ADWARE [PTsecurity] InstantAccess
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
doc8024.xlsx