File name:	42xx202o7a.xlsm
Full analysis:	https://app.any.run/tasks/fb6d44c2-07f8-475b-937a-9125e578a3c5
Verdict:	Malicious activity
Analysis date:	November 30, 2020, 06:19:51
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info:	Microsoft Excel 2007+
MD5:	569EF374C994310BD11B48D663135B05
SHA1:	1D5678BF3676AB70667629E32ABD75D1A5CB3D93
SHA256:	7F9D36065BACA657CF9B1E624515938B57CDDBE9AFB2FC1594CF3B2EB2AC0024
SSDEEP:	3072:c6Stgj2J6J/JgWJGOItpMAfJ/pMWTc9qBAKdT9QP4q/AAP:cADP9qBLiZ

.xlsx	\|	Excel Microsoft Office Open XML Format document (61.2)
.zip	\|	Open Packaging Conventions container (31.5)
.zip	\|	ZIP compressed archive (7.2)

ZipRequiredVersion:	20
ZipBitFlag:	0x0006
ZipCompression:	Deflated
ZipModifyDate:	1980:01:01 00:00:00
ZipCRC:	0x2dd8890b
ZipCompressedSize:	435
ZipUncompressedSize:	1543
ZipFileName:	[Content_Types].xml

Application:	Microsoft Excel
DocSecurity:	None
ScaleCrop:	No
HeadingPairs:	Листы 1 Макросы Excel 4.0 1
TitlesOfParts:	DocuSign SheetSO
LinksUpToDate:	No
SharedDoc:	No
HyperlinksChanged:	No
AppVersion:	15.03
LastModifiedBy:	-
CreateDate:	2006:09:16 00:00:00Z
ModifyDate:	2020:11:30 00:30:19Z


(PID) Process:	(2528) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:	write	Name:	vm<
Value: 766D3C00E0090000010000000000000000000000
(PID) Process:	(2528) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: Off
(PID) Process:	(2528) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1041
Value: Off
(PID) Process:	(2528) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1046
Value: Off
(PID) Process:	(2528) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1036
Value: Off
(PID) Process:	(2528) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1031
Value: Off
(PID) Process:	(2528) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1040
Value: Off
(PID) Process:	(2528) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1049
Value: Off
(PID) Process:	(2528) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	3082
Value: Off
(PID) Process:	(2528) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1042
Value: Off

PID	Process	Filename		Type
2528	EXCEL.EXE	C:\Users\admin\AppData\Local\Temp\CVR7576.tmp.cvr		—
		MD5:—	SHA256:—
2528	EXCEL.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\42xx202o7a.xlsm.LNK		lnk
		MD5:—	SHA256:—
2528	EXCEL.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat		text
		MD5:—	SHA256:—

General Info

42xx202o7a.xlsm

569EF374C994310BD11B48D663135B05

1D5678BF3676AB70667629E32ABD75D1A5CB3D93

7F9D36065BACA657CF9B1E624515938B57CDDBE9AFB2FC1594CF3B2EB2AC0024

3072:c6Stgj2J6J/JgWJGOItpMAfJ/pMWTc9qBAKdT9QP4q/AAP:cADP9qBLiZ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Registers / Runs the DLL via REGSVR32.EXE

Unusual execution from Microsoft Office

SUSPICIOUS

INFO

Reads Microsoft Office registry keys

Creates files in the user directory

Malware configuration

Static information

TRiD

EXIF

ZIP

XML

XMP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings