File name:

Kafan_Sample_5caffae9f50e3e0b3c499005e0a8b77e50bc9649330ae948ecb2ad9c0df0fb6b.xlsx

Full analysis: https://app.any.run/tasks/f1ad0b04-0179-43f5-978f-16e7de311761
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: May 30, 2020, 07:05:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
encrypted
opendir
trojan
exploit
cve-2017-11882
loader
Indicators:
MIME: application/encrypted
File info: CDFV2 Encrypted
MD5:

23D2636AD743E5A2861EE707BF557314

SHA1:

712E38B20C47B578E93C3193E62156FF44517B44

SHA256:

5CAFFAE9F50E3E0B3C499005E0A8B77E50BC9649330AE948ECB2AD9C0DF0FB6B

SSDEEP:

3072:ek9r5YOGU8PneaJvoI92If63PyQugT5uHyaP29u5LU6W4dGSn7qTAGxsDRo:eUr5YOGhhJQI9Bf6MgT5UI9KLtY+qTGO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2208)

    • Application was dropped or rewritten from another process

      • vbc.exe (PID: 2960)

    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 2208)

  • SUSPICIOUS

    • Executed via COM

      • WINWORD.EXE (PID: 2128)
      • EQNEDT32.EXE (PID: 2208)

    • Reads Internet Cache Settings

      • EQNEDT32.EXE (PID: 2208)

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 2208)

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 2208)

  • INFO

    • Reads Internet Cache Settings

      • EXCEL.EXE (PID: 1992)
      • WINWORD.EXE (PID: 2128)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2128)
      • EXCEL.EXE (PID: 1992)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2128)
      • EXCEL.EXE (PID: 1992)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start excel.exe winword.exe eqnedt32.exe vbc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1992"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2128"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXE
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
2208"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
Modules
Images
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2960"C:\Users\admin\AppData\Roaming\vbc.exe" C:\Users\admin\AppData\Roaming\vbc.exeEQNEDT32.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\vbc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
Total events
1 922
Read events
1 069
Write events
602
Delete events
251

Modification events

(PID) Process:(1992) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:writeName:)h,
Value:
29682C00C8070000010000000000000000000000
(PID) Process:(1992) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(1992) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(1992) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(1992) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(1992) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(1992) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(1992) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(1992) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(1992) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
Executable files
2
Suspicious files
24
Text files
9
Unknown types
4

Dropped files

PID
Process
Filename
Type
1992EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR5C09.tmp.cvr
MD5:
SHA256:
2128WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR6D11.tmp.cvr
MD5:
SHA256:
2128WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{A512F492-A28E-4014-8DDF-10E7E083AE2E}
MD5:
SHA256:
2128WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{FA27EB4F-F70C-4F53-A65F-FFF400C20D78}
MD5:
SHA256:
2208EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\svchost[1].exeexecutable
MD5:
SHA256:
2128WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSDbinary
MD5:
SHA256:
1992EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9CE0B4EE.emfemf
MD5:
SHA256:
2128WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{B902C241-E0E3-473C-9306-21EEF76B7419}.FSDbinary
MD5:
SHA256:
2128WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDbinary
MD5:
SHA256:
2128WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSFbinary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
9
DNS requests
1
Threats
9

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2128
WINWORD.EXE
HEAD
200
180.214.238.5:80
http://sndychnesprvallanouthegreatsoustraofour.duckdns.org/receipt/invoice_112219.doc
VN
malicious
844
svchost.exe
PROPFIND
302
180.214.238.5:80
http://sndychnesprvallanouthegreatsoustraofour.duckdns.org/
VN
malicious
844
svchost.exe
PROPFIND
302
180.214.238.5:80
http://sndychnesprvallanouthegreatsoustraofour.duckdns.org/
VN
malicious
2128
WINWORD.EXE
OPTIONS
200
180.214.238.5:80
http://sndychnesprvallanouthegreatsoustraofour.duckdns.org/receipt/
VN
malicious
2128
WINWORD.EXE
HEAD
200
180.214.238.5:80
http://sndychnesprvallanouthegreatsoustraofour.duckdns.org/receipt/invoice_112219.doc
VN
malicious
844
svchost.exe
PROPFIND
405
180.214.238.5:80
http://sndychnesprvallanouthegreatsoustraofour.duckdns.org/dashboard/
VN
xml
1021 b
malicious
844
svchost.exe
PROPFIND
405
180.214.238.5:80
http://sndychnesprvallanouthegreatsoustraofour.duckdns.org/dashboard/
VN
xml
1021 b
malicious
1992
EXCEL.EXE
GET
200
180.214.238.5:80
http://sndychnesprvallanouthegreatsoustraofour.duckdns.org/receipt/invoice_112219.doc
VN
text
10.9 Kb
malicious
2208
EQNEDT32.EXE
GET
200
180.214.238.5:80
http://sndychnesprvallanouthegreatsoustraofour.duckdns.org/chprvdoc/svchost.exe
VN
executable
502 Kb
malicious
844
svchost.exe
OPTIONS
301
180.214.238.5:80
http://sndychnesprvallanouthegreatsoustraofour.duckdns.org/receipt
VN
html
417 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1992
EXCEL.EXE
180.214.238.5:80
sndychnesprvallanouthegreatsoustraofour.duckdns.org
VN
malicious
2128
WINWORD.EXE
180.214.238.5:80
sndychnesprvallanouthegreatsoustraofour.duckdns.org
VN
malicious
844
svchost.exe
180.214.238.5:80
sndychnesprvallanouthegreatsoustraofour.duckdns.org
VN
malicious
2208
EQNEDT32.EXE
180.214.238.5:80
sndychnesprvallanouthegreatsoustraofour.duckdns.org
VN
malicious

DNS requests

Domain
IP
Reputation
sndychnesprvallanouthegreatsoustraofour.duckdns.org
  • 180.214.238.5
malicious

Threats

PID
Process
Class
Message
1052
svchost.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2208
EQNEDT32.EXE
A Network Trojan was detected
ET TROJAN Possible Malicious Macro DL EXE Feb 2016
2208
EQNEDT32.EXE
Potentially Bad Traffic
ET INFO Suspicious svchost.exe in URI - Possible Process Dump/Trojan Download
2208
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
5 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Kafan_Sample_5caffae9f50e3e0b3c499005e0a8b77e50bc9649330ae948ecb2ad9c0df0fb6b.xlsx