File name: | 1.xls |
Full analysis: | https://app.any.run/tasks/a253b477-901c-40ce-829a-d129419d2998 |
Verdict: | Malicious activity |
Analysis date: | May 20, 2019, 09:16:15 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Last Saved By: USER HP, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon May 20 00:52:11 2019, Last Saved Time/Date: Mon May 20 00:56:56 2019, Security: 0 |
MD5: | 9DF71DD5E6A139B9A70DC5A9349410F8 |
SHA1: | 7FD09BD6BD7432BF7BE3829D8FBF6A7AB9151776 |
SHA256: | A378A06A2C0A2FC3B578E76A025B90F0B980D7413EDEEEA8670DA5C180755D9A |
SSDEEP: | 1536:FaY35qAOJl/YrLYz+WrNhZFGzE+cL2RnA4RRYrDSx7jhaZbSquQJysMjg:0Y35qAOJl/YrLYz+WrNhZFGzE+cL2Rn6 |
.xls | | | Microsoft Excel sheet (36.8) |
---|---|---|
.xls | | | Microsoft Excel sheet (alternate) (30) |
.doc | | | Microsoft Word document (old ver.) (23.3) |
Title: | - |
---|---|
Subject: | - |
Author: | - |
Keywords: | - |
Comments: | - |
LastModifiedBy: | USER HP |
Software: | Microsoft Excel |
CreateDate: | 2019:05:19 23:52:11 |
ModifyDate: | 2019:05:19 23:56:56 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
Company: | - |
AppVersion: | 12 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: |
|
HeadingPairs: |
|
CompObjUserTypeLen: | 38 |
CompObjUserType: | Microsoft Office Excel 2003 Worksheet |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1372 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
3896 | "C:\Windows\System32\cmd.exe" /c ren "C:\Users\admin\AppData\Local\Temp\k5c5bad.png" "k5c5bad.exe" &start "" "C:\Users\admin\AppData\Local\Temp\k5c5bad.exe" | C:\Windows\System32\cmd.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3400 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1372 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR3E06.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3400 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs54AB.tmp | — | |
MD5:— | SHA256:— | |||
3400 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs54BC.tmp | — | |
MD5:— | SHA256:— | |||
3896 | cmd.exe | C:\Users\admin\AppData\Local\Temp\k5c5bad.exe | html | |
MD5:5BFB02862A6598BCBBB588E0EE8BFA2B | SHA256:7FCD64A6DBF5C92AB13E343D47B5BD129020525F3D383774C29B0CDFE70119D4 | |||
1372 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\k5c5bad.png | html | |
MD5:5BFB02862A6598BCBBB588E0EE8BFA2B | SHA256:7FCD64A6DBF5C92AB13E343D47B5BD129020525F3D383774C29B0CDFE70119D4 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1372 | EXCEL.EXE | GET | 301 | 217.65.97.100:80 | http://data.hu/missing.php | HU | html | 178 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1372 | EXCEL.EXE | 217.65.97.65:80 | ddl7.data.hu | Magyar Telekom plc. | HU | suspicious |
1372 | EXCEL.EXE | 217.65.97.100:443 | data.hu | Magyar Telekom plc. | HU | suspicious |
1372 | EXCEL.EXE | 217.65.97.100:80 | data.hu | Magyar Telekom plc. | HU | suspicious |
Domain | IP | Reputation |
---|---|---|
ddl7.data.hu |
| whitelisted |
data.hu |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
1372 | EXCEL.EXE | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Windows NT Version 5.0 |
1372 | EXCEL.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
1372 | EXCEL.EXE | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Windows NT Version 5.0 |