analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

1.xls

Full analysis: https://app.any.run/tasks/a253b477-901c-40ce-829a-d129419d2998
Verdict: Malicious activity
Analysis date: May 20, 2019, 09:16:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
maldoc-14
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Last Saved By: USER HP, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon May 20 00:52:11 2019, Last Saved Time/Date: Mon May 20 00:56:56 2019, Security: 0
MD5:

9DF71DD5E6A139B9A70DC5A9349410F8

SHA1:

7FD09BD6BD7432BF7BE3829D8FBF6A7AB9151776

SHA256:

A378A06A2C0A2FC3B578E76A025B90F0B980D7413EDEEEA8670DA5C180755D9A

SSDEEP:

1536:FaY35qAOJl/YrLYz+WrNhZFGzE+cL2RnA4RRYrDSx7jhaZbSquQJysMjg:0Y35qAOJl/YrLYz+WrNhZFGzE+cL2Rn6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 1372)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 1372)

  • SUSPICIOUS

    • Executes application which crashes

      • cmd.exe (PID: 3896)

  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 1372)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (36.8)
.xls | Microsoft Excel sheet (alternate) (30)
.doc | Microsoft Word document (old ver.) (23.3)

EXIF

FlashPix

Title: -
Subject: -
Author: -
Keywords: -
Comments: -
LastModifiedBy: USER HP
Software: Microsoft Excel
CreateDate: 2019:05:19 23:52:11
ModifyDate: 2019:05:19 23:56:56
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
AppVersion: 12
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • Example Test
  • Format Abbr.
  • Readme
  • GRZTZ
HeadingPairs:
  • Worksheets
  • 3
  • Excel 4.0 Macros
  • 1
CompObjUserTypeLen: 38
CompObjUserType: Microsoft Office Excel 2003 Worksheet
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe cmd.exe no specs ntvdm.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1372"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
3896"C:\Windows\System32\cmd.exe" /c ren "C:\Users\admin\AppData\Local\Temp\k5c5bad.png" "k5c5bad.exe" &start "" "C:\Users\admin\AppData\Local\Temp\k5c5bad.exe" C:\Windows\System32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3400"C:\Windows\system32\ntvdm.exe" -i1 C:\Windows\system32\ntvdm.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
NTVDM.EXE
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
605
Read events
568
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
1372EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR3E06.tmp.cvr
MD5:
SHA256:
3400ntvdm.exeC:\Users\admin\AppData\Local\Temp\scs54AB.tmp
MD5:
SHA256:
3400ntvdm.exeC:\Users\admin\AppData\Local\Temp\scs54BC.tmp
MD5:
SHA256:
3896cmd.exeC:\Users\admin\AppData\Local\Temp\k5c5bad.exehtml
MD5:5BFB02862A6598BCBBB588E0EE8BFA2B
SHA256:7FCD64A6DBF5C92AB13E343D47B5BD129020525F3D383774C29B0CDFE70119D4
1372EXCEL.EXEC:\Users\admin\AppData\Local\Temp\k5c5bad.pnghtml
MD5:5BFB02862A6598BCBBB588E0EE8BFA2B
SHA256:7FCD64A6DBF5C92AB13E343D47B5BD129020525F3D383774C29B0CDFE70119D4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
3
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
EXCEL.EXE
GET
301
217.65.97.100:80
http://data.hu/missing.php
HU
html
178 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1372
EXCEL.EXE
217.65.97.65:80
ddl7.data.hu
Magyar Telekom plc.
HU
suspicious
1372
EXCEL.EXE
217.65.97.100:443
data.hu
Magyar Telekom plc.
HU
suspicious
1372
EXCEL.EXE
217.65.97.100:80
data.hu
Magyar Telekom plc.
HU
suspicious

DNS requests

Domain
IP
Reputation
ddl7.data.hu
  • 217.65.97.65
  • 217.65.97.68
  • 217.65.97.33
whitelisted
data.hu
  • 217.65.97.100
suspicious

Threats

PID
Process
Class
Message
1372
EXCEL.EXE
Potential Corporate Privacy Violation
ET POLICY Unsupported/Fake Windows NT Version 5.0
1372
EXCEL.EXE
Potentially Bad Traffic
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
1372
EXCEL.EXE
Potential Corporate Privacy Violation
ET POLICY Unsupported/Fake Windows NT Version 5.0
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
1.xls