File name: sex.xls

Full analysis: https://app.any.run/tasks/656aec1f-ed26-4c96-b147-1a2476dbc3e5
Verdict: Malicious activity
Analysis date: February 22, 2020, 06:54:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, ole-embedded, macros-on-open, ta505
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: WS, Subject: ppPDo, Author: mGwGod, Last Saved By: J, Revision Number: 602, Name of Creating Application: Microsoft Excel, Total Editing Time: 13:10:00, Create Time/Date: Fri Aug 30 10:14:50 2019, Last Saved Time/Date: Fri Feb 21 11:22:43 2020, Number of Pages: 1, Number of Words: 4902, Number of Characters: 4696, Security: 0
MD5: B5EA9BC41A943B39305FBB493216812F
SHA1: FCA2D12B44F23FB8D582B32EE56B0B64BBB3C20E
SHA256: 6C6F773423EF4BF6FF592E4D2D4B0C2C4FA3C05F172B3BD9A2D00CF888CA9399
SSDEEP: 12288:EA0qa36YhWY3Z3QTfQqEqHF1Pq2HNSpOqbVBBxKHjExVl3cyAuXdMtB:EAjlGZAT4vqHfi0urBEHjMV1cyA7B

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • EXCEL.EXE (PID: 3448)
    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 3448)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3448)
    • Creates files in the user directory

      • EXCEL.EXE (PID: 3448)
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

CompObjUserTypeLen: 25
CompObjUserType: Microsoft Forms 2.0 Form
Title: WS
Subject: ppPDo
Author: mGwGod
LastModifiedBy: J
RevisionNumber: 602
Software: Microsoft Excel
TotalEditTime: 13.2 hours
CreateDate: 2019:08:30 09:14:50
ModifyDate: 2020:02:21 11:22:43
Pages: 1
Words: 4902
Characters: 4696
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
Bytes: 63153
Lines: 221
Paragraphs: 29
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: Page2
HeadingPairs:
  • Worksheets
  • 1
No data.
Total processes: 35
Monitored processes: 1
Malicious processes: 0
Suspicious processes: 1

Behavior graph

start excel.exe

Process information

PID: 3448
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Version: 14.0.6024.1000
Total events: 714
Read events: 576
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1
Suspicious files: 3
Text files: 0
Unknown types: 36

Dropped files

HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

Domain
IP
Reputation
microsoft-ware.com
unknown

Threats

No threats detected
No debug info