Field | Value |
---|---|
File name | PMT_2413617874_200054047_201112170000.xls |
Full analysis | https://app.any.run/tasks/ae41efbf-aca9-4ccc-b6b2-066044e18937 |
Verdict | Malicious activity |
Analysis date | September 10, 2019, 23:49:18 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/vnd.ms-excel |
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Title: A, Subject: caP, Author: Atl, Last Saved By: Microsoft Office, Revision Number: 699, Name of Creating Application: Microsoft Excel, Total Editing Time: 09:05:00, Create Time/Date: Fri Aug 30 10:14:50 2019, Last Saved Time/Date: Tue Sep 10 11:38:59 2019, Number of Pages: 1, Number of Words: 4669, Number of Characters: 1838, Security: 0 |
MD5 | 426B6B647611D1A6DF6FB247E44F3519 |
SHA1 | D98678B69A978BC78662010DEECA64D6F44660E3 |
SHA256 | 6F50E69F021F1CF17C88421F722B6CEFE084DB07698D669093B092BFF9EE34FF |
SSDEEP | 6144:A8mdr74qRlm5ibfVdLRUikJdGC1XcONnxusA2:A8UrDtd9UfPTfV |
Extension | Detected type |
---|---|
.xls | Microsoft Excel sheet (48) |
.xls | Microsoft Excel sheet (alternate) (39.2) |
Field | Value |
---|---|
HeadingPairs | |
TitleOfParts | 1 |
HyperlinksChanged | No |
SharedDoc | No |
LinksUpToDate | No |
ScaleCrop | No |
AppVersion | 11.9999 |
Paragraphs | 46 |
Lines | 526 |
Bytes | 86400 |
Company | - |
CodePage | Windows Cyrillic |
Security | None |
Characters | 1838 |
Words | 4669 |
Pages | 1 |
ModifyDate | 2019:09:10 10:38:59 |
CreateDate | 2019:08:30 09:14:50 |
TotalEditTime | 9.1 hours |
Software | Microsoft Excel |
RevisionNumber | 699 |
LastModifiedBy | Microsoft Office |
Author | Atl |
Subject | caP |
Title | A |
CompObjUserType | Microsoft Forms 2.0 Form |
CompObjUserTypeLen | 25 |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3560 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000 |
2840 | "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401 | C:\Windows\system32\verclsid.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Extension CLSID Verification Host; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2824 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\13.xlsx.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3560 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRA08A.tmp.cvr | — | — | — |
3560 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\VBA976.tmp | — | — | — |
3560 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\VBA966.tmp | — | — | — |
3560 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFB34BA923A1836388.TMP | — | — | — |
3560 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\0AA61000 | — | — | — |
3560 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF12268B3A0E2706F6.TMP | — | — | — |
3560 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~$13.xlsx | — | — | — |
3560 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF031EC19B80D4C154.TMP | — | — | — |
3560 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\13.xlsx.zip | document | 242449377AF7D8B6795E65C7DFA1080B | DF4E677245393A86AABDDC36035276F0FD628C748CFEBCADCB63649869FC4BEB |
3560 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\13.xlsx | document | 242449377AF7D8B6795E65C7DFA1080B | DF4E677245393A86AABDDC36035276F0FD628C748CFEBCADCB63649869FC4BEB |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3560 | EXCEL.EXE | 95.216.147.100:443 | windows-update-02-en.com | Hetzner Online GmbH | DE | unknown |
Domain | IP | Reputation |
---|---|---|
windows-update-02-en.com | | malicious |