File name: | Details_of_the_order_711332.xlsm |
Full analysis: | https://app.any.run/tasks/2f240d60-f5bd-48f3-a8dd-bac83db46caf |
Verdict: | Malicious activity |
Analysis date: | May 20, 2019, 13:53:44 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
File info: | Microsoft Excel 2007+ |
MD5: | 87A84B29F1938A2EDAB99311AF8CE8BC |
SHA1: | 2BDC49803C4F7ED53ACFD3F220E6BEA8D041FD72 |
SHA256: | A43C8DD4F6744777F3369C48FC5309566CD4F579BBE50147D60FDB6C50E57F77 |
SSDEEP: | 768:8Hug5V4bx2ThbyQY2IBlzG5ke/h0bldSSA:Wdk2Fbi2IBF6ZqdSSA |
.xlam | | | Excel Macro-enabled Open XML add-in (42.4) |
---|---|---|
.xlsm | | | Excel Microsoft Office Open XML Format document (with Macro) (29.2) |
.xlsx | | | Excel Microsoft Office Open XML Format document (17.3) |
.zip | | | Open Packaging Conventions container (8.9) |
.zip | | | ZIP compressed archive (2) |
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0006 |
ZipCompression: | Deflated |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCRC: | 0xe69d70d7 |
ZipCompressedSize: | 413 |
ZipUncompressedSize: | 1393 |
ZipFileName: | [Content_Types].xml |
Creator: | - |
---|
LastModifiedBy: | - |
---|---|
CreateDate: | 2006:09:16 00:00:00Z |
ModifyDate: | 2019:05:16 16:59:30Z |
Application: | Microsoft Excel |
DocSecurity: | None |
ScaleCrop: | No |
HeadingPairs: |
|
TitlesOfParts: | Лист1 |
Company: | - |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
AppVersion: | 15.03 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2888 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
3888 | cmd.exe /c C:\Users\admin\AppData\Local\Temp\999.hta | C:\Windows\system32\cmd.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3724 | "C:\Windows\System32\mshta.exe" "C:\Users\admin\AppData\Local\Temp\999.hta" | C:\Windows\System32\mshta.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2888 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRD3.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2888 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\999.hta | html | |
MD5:14DF192CDC815BF57B768B5D97320365 | SHA256:D4E37A29FF4011CAD258CA60080B2F366619570FEC08EC50F95285F725BF8A0D | |||
3724 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\error[1] | text | |
MD5:35FE91C2AC1BA0913CC617622B9EB43F | SHA256:966240C0527B20E8E2553B7E5A68594AE69230AA00186F2C6C2C342405494837 | |||
2888 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:393303FDB14A1D6F275435351374F384 | SHA256:9C844ADFB2A25E0F9135CC8A17AC32591AFEE3BBF751C81A0CB540EF8F89482B | |||
3724 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\error[1] | html | |
MD5:16AA7C3BEBF9C1B84C9EE07666E3207F | SHA256:7990E703AE060C241EBA6257D963AF2ECF9C6F3FBDB57264C1D48DDA8171E754 | |||
3724 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\warning[1] | image | |
MD5:124A9E7B6976F7570134B7034EE28D2B | SHA256:5F95EFF2BCAAEA82D0AE34A007DE3595C0D830AC4810EA4854E6526E261108E9 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3724 | mshta.exe | GET | — | 64.44.133.144:80 | http://64.44.133.144/?3mhZb5 | US | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3724 | mshta.exe | 64.44.133.144:80 | — | Nexeon Technologies, Inc. | US | suspicious |