analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

PMT_2413617874_200054047_201112170000.xls

Full analysis: https://app.any.run/tasks/ae41efbf-aca9-4ccc-b6b2-066044e18937
Verdict: Malicious activity
Analysis date: September 10, 2019, 23:49:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
ole-embedded
macros-on-open
ta505
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Title: A, Subject: caP, Author: Atl, Last Saved By: Microsoft Office, Revision Number: 699, Name of Creating Application: Microsoft Excel, Total Editing Time: 09:05:00, Create Time/Date: Fri Aug 30 10:14:50 2019, Last Saved Time/Date: Tue Sep 10 11:38:59 2019, Number of Pages: 1, Number of Words: 4669, Number of Characters: 1838, Security: 0
MD5:

426B6B647611D1A6DF6FB247E44F3519

SHA1:

D98678B69A978BC78662010DEECA64D6F44660E3

SHA256:

6F50E69F021F1CF17C88421F722B6CEFE084DB07698D669093B092BFF9EE34FF

SSDEEP:

6144:A8mdr74qRlm5ibfVdLRUikJdGC1XcONnxusA2:A8UrDtd9UfPTfV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • EXCEL.EXE (PID: 3560)

    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 3560)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Creates files in the user directory

      • EXCEL.EXE (PID: 3560)

    • Manual execution by user

      • verclsid.exe (PID: 2840)
      • WinRAR.exe (PID: 2824)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3560)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

HeadingPairs:
  • Листы
  • 1
TitleOfParts: 1
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 11.9999
Paragraphs: 46
Lines: 526
Bytes: 86400
Company: -
CodePage: Windows Cyrillic
Security: None
Characters: 1838
Words: 4669
Pages: 1
ModifyDate: 2019:09:10 10:38:59
CreateDate: 2019:08:30 09:14:50
TotalEditTime: 9.1 hours
Software: Microsoft Excel
RevisionNumber: 699
LastModifiedBy: Microsoft Office
Author: Atl
Subject: caP
Title: A
CompObjUserType: Microsoft Forms 2.0 Form
CompObjUserTypeLen: 25
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
3
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start excel.exe verclsid.exe no specs winrar.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3560"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
2840"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401C:\Windows\system32\verclsid.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Extension CLSID Verification Host
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2824"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\13.xlsx.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Total events
1 122
Read events
997
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
3
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
3560EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRA08A.tmp.cvr
MD5:
SHA256:
3560EXCEL.EXEC:\Users\admin\AppData\Local\Temp\VBA976.tmp
MD5:
SHA256:
3560EXCEL.EXEC:\Users\admin\AppData\Local\Temp\VBA966.tmp
MD5:
SHA256:
3560EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DFB34BA923A1836388.TMP
MD5:
SHA256:
3560EXCEL.EXEC:\Users\admin\AppData\Local\Temp\0AA61000
MD5:
SHA256:
3560EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF12268B3A0E2706F6.TMP
MD5:
SHA256:
3560EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~$13.xlsx
MD5:
SHA256:
3560EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF031EC19B80D4C154.TMP
MD5:
SHA256:
3560EXCEL.EXEC:\Users\admin\AppData\Local\Temp\13.xlsx.zipdocument
MD5:242449377AF7D8B6795E65C7DFA1080B
SHA256:DF4E677245393A86AABDDC36035276F0FD628C748CFEBCADCB63649869FC4BEB
3560EXCEL.EXEC:\Users\admin\AppData\Local\Temp\13.xlsxdocument
MD5:242449377AF7D8B6795E65C7DFA1080B
SHA256:DF4E677245393A86AABDDC36035276F0FD628C748CFEBCADCB63649869FC4BEB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3560
EXCEL.EXE
95.216.147.100:443
windows-update-02-en.com
Hetzner Online GmbH
DE
unknown

DNS requests

Domain
IP
Reputation
windows-update-02-en.com
  • 95.216.147.100
malicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
PMT_2413617874_200054047_201112170000.xls