analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

documento1_82.xls

Full analysis: https://app.any.run/tasks/a0670893-f1a0-46a2-b992-4316809eb72b
Verdict: Malicious activity
Analysis date: October 20, 2020, 11:50:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: SbnQjOmFeFQKc, Last Saved By: administrator, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Oct 20 05:51:55 2020, Last Saved Time/Date: Tue Oct 20 06:01:36 2020, Security: 1
MD5:

65B3763463C22CFF9FB3FC7FF8D69E53

SHA1:

AA88D18BF360C9A35E33C6A4D40C44D69CE27C8F

SHA256:

5D1318A607EE08BE77BF9CE071F9F09052BBC81CDB5DE19A8AC50B911FFF3A89

SSDEEP:

3072:IxLSSEYIi589g0JyKSVTIdsLMz3wDAck1TvVzEuCfhaIdUoOUzxUVHADih98wVkX:oWyIM89gkyK4L8vvZbCptUoFzxaFfet

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2132)

    • Requests a remote executable file from MS Office

      • EXCEL.EXE (PID: 2132)

  • SUSPICIOUS

    • Uses RUNDLL32.EXE to load library

      • EXCEL.EXE (PID: 2132)

  • INFO

    • Reads Internet Cache Settings

      • EXCEL.EXE (PID: 2132)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2132)

    • Creates files in the user directory

      • EXCEL.EXE (PID: 2132)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

Author: SbnQjOmFeFQKc
LastModifiedBy: administrator
Software: Microsoft Excel
CreateDate: 2020:10:20 04:51:55
ModifyDate: 2020:10:20 05:01:36
Security: Password protected
CodePage: Windows Latin 1 (Western European)
Company: -
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • lOSgcMZyy
  • Foglio2
  • Foglio3
  • Foglio4
  • Foglio5
  • Foglio6
  • Foglio7
  • Foglio8
  • Foglio9
  • Foglio10
  • Foglio11
  • Foglio12
  • Foglio13
  • Foglio14
  • Foglio15
  • Foglio16
  • Foglio17
  • Foglio18
  • Foglio19
  • Sheet1
  • GC
HeadingPairs:
  • Fogli di lavoro
  • 20
  • Macro di Excel 4.0
  • 1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2132"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
3952"C:\Windows\System32\rundll32.exe" qOJmoVb.dll,DllRegisterServerC:\Windows\System32\rundll32.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
550
Read events
495
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
2
Unknown types
2

Dropped files

PID
Process
Filename
Type
2132EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR4134.tmp.cvr
MD5:
SHA256:
2132EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:E907CD4DBCC547E3FC82909CAF2107C2
SHA256:61BD39D074E56360633B100C9951D8C183693731872D5EFE94DE8414F027E481
2132EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\documento1_82.xls.LNKlnk
MD5:D1CBEE41CA80D4D234B99D3C03BC7E73
SHA256:2AFE14838B4EE073D1F7659F21E922F0CF5E5DAEAC196B8DE97845F009547BD2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2132
EXCEL.EXE
GET
176.32.32.16:80
http://linksystems.bar/installa.dll
RU
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2132
EXCEL.EXE
176.32.32.16:80
linksystems.bar
LLC Baxet
RU
suspicious

DNS requests

Domain
IP
Reputation
linksystems.bar
  • 176.32.32.16
suspicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
documento1_82.xls