File name: | DHL Clearance Document.xlsx |
Full analysis: | https://app.any.run/tasks/9e9040f0-123c-4d86-ae00-8ed7c1155596 |
Verdict: | Malicious activity |
Analysis date: | December 06, 2019, 12:25:43 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/encrypted |
File info: | CDFV2 Encrypted |
MD5: | 98F5B739247E5051A4964B469BC1ED4B |
SHA1: | 5A3A0B0ADF48173748E3B9AD31FAD56A0B57B12A |
SHA256: | 69FED657536E7E792031CF9D9CA05D38E8599317EA27F6E733AA309749D7BFB5 |
SSDEEP: | 24576:BEk1rkfwKSsrrB01BcR/rRSYG2JGEuUkobQqXWcAU7d8inmTYJ:BEKkYHqrlx8VGZ0qGlUhLBJ |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1292 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
964 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
2120 | "C:\Users\Public\vbc.exe" | C:\Users\Public\vbc.exe | — | EQNEDT32.EXE |
User: admin Company: Rickard Johansson Integrity Level: MEDIUM Description: Supply Place Paid Apogee Version: 7.6.1.5 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1292 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRAAB2.tmp.cvr | — | |
MD5:— | SHA256:— | |||
964 | EQNEDT32.EXE | C:\Users\Public\vbc.exe | executable | |
MD5:48F59373EF63E36CE4796FDB3C912D64 | SHA256:3D6A994684F9E949592558C2B4539C9BD05E3EB2A454ADC73ED73743A4E8D59E | |||
964 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\vbc[1].exe | executable | |
MD5:48F59373EF63E36CE4796FDB3C912D64 | SHA256:3D6A994684F9E949592558C2B4539C9BD05E3EB2A454ADC73ED73743A4E8D59E |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
964 | EQNEDT32.EXE | 216.170.118.183:80 | globalsharesecurefilesgood.duckdns.org | ColoCrossing | US | malicious |
Domain | IP | Reputation |
---|---|---|
globalsharesecurefilesgood.duckdns.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
964 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
964 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |