File name: INTERNATIONAL TRANSFER SWIFT HSBC.xlsx
Full analysis: https://app.any.run/tasks/2661fb59-d256-4615-8cdd-e490baea7c29
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: October 14, 2019, 19:22:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5: 2347E4EACBE02DACB60F41EDEF0E219A
SHA1: F7AD149641EE3EB74FF8BE2EDED6AE467816C1D6
SHA256: A5038C24AAA4F208D2B5CBAD3FBA6E0BBE25A029262993F9EE581593F96B77BC
SSDEEP: 49152:tCGa6Tpr0nLKfhZUU3SPnCA+Pfuv1e2+bPDxhRgOpcm6f92bYT02aZfTBFZ2VHrL:5HmK/ZinCNntjDlgGcDoPZL7ZYLnrvHn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Suspicious connection from the Equation Editor
      • EQNEDT32.EXE (PID: 1916)
  • SUSPICIOUS
    • Executed via COM
      • EQNEDT32.EXE (PID: 1916)
    • Creates files in the user directory
      • EQNEDT32.EXE (PID: 1916)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 940)
      • opera.exe (PID: 3904)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 940)
      • EXCEL.EXE (PID: 1876)
    • Manual execution by user
      • opera.exe (PID: 3904)
      • WINWORD.EXE (PID: 940)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.xlsx | Excel Microsoft Office Open XML Format document (61.2)
.zip | Open Packaging Conventions container (31.5)
.zip | ZIP compressed archive (7.2)

EXIF

XMP

Creator: Microsoft Corporation

XML

ModifyDate: 2019:03:25 09:18:59Z
CreateDate: 1996:10:14 23:33:28Z
LastPrinted: 2018:03:26 10:27:58Z
LastModifiedBy: Windows User
AppVersion: 15.03
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
Company: -
TitlesOfParts:
  • SUP.APPRSL FORM
  • Sheet2
  • Sheet3
  • 'SUP.APPRSL FORM'!Print_Area
HeadingPairs:
  • Worksheets
  • 3
  • Named Ranges
  • 1
ScaleCrop: No
DocSecurity: None
Application: Microsoft Excel

ZIP

ZipFileName: [Content_Types].xml
ZipUncompressedSize: 1777
ZipCompressedSize: 397
ZipCRC: 0xf03d41ea
ZipModifyDate: 2019:10:10 07:10:06
ZipCompression: Deflated
ZipBitFlag: 0x0002
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in the graph: excel.exe (no specs), eqnedt32.exe, winword.exe (no specs), opera.exe

Process information

PID: 1876
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Version: 14.0.6024.1000

PID: 1916
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900

PID: 940
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\talkresearch.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 3904
CMD: "C:\Program Files\Opera\opera.exe"
Path: C:\Program Files\Opera\opera.exe
Parent process: explorer.exe
User: admin
Company: Opera Software
Integrity Level: MEDIUM
Description: Opera Internet Browser
Version: 1748
Total events: 2 277
Read events: 1 447
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 26
Text files: 17
Unknown types: 5

Dropped files

PID | Process | Filename | Type
1876 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRAD42.tmp.cvr | -
  MD5: -
  SHA256: -
940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8B2E.tmp.cvr | -
  MD5: -
  SHA256: -
3904 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr295E.tmp | -
  MD5: -
  SHA256: -
3904 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr29AD.tmp | -
  MD5: -
  SHA256: -
3904 | opera.exe | C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00001.tmp | -
  MD5: -
  SHA256: -
3904 | opera.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F46RHXBEHFXTITPY5EOK.temp | -
  MD5: -
  SHA256: -
940 | WINWORD.EXE | C:\Users\admin\Desktop\~$lkresearch.rtf | pgc
  MD5: 36D769DBE6102A2A6CFA40E10DAF3711
  SHA256: 1F6C5FE537EFD1B197A7B59BADFF5BD5F0E06FCBF4C8B7DA9731112C7CD1429D
3904 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini | text
  MD5: 46DD7F2EFE6F9728ED3A7986FC139850
  SHA256: 172E80B55011DE40786296A326EDD1EC4974466AF40BF8F64CE437A4760B8BF4
940 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text
  MD5: 003B74631C841C4A45D54C8A62829E30
  SHA256: 1357E437793EA885BDC37525848BB5AA37D3EB8812A19F9C648DEA6A054ED4BC
3904 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr9004.tmp | -
  MD5: -
  SHA256: -
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 14
TCP/UDP connections: 16
DNS requests: 12
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3904 | opera.exe | GET | - | 172.217.16.206:80 | http://clients1.google.com/complete/search?q=wtfis&client=opera-suggest-omnibox&hl=de | US | - | - | whitelisted
3904 | opera.exe | GET | - | 162.255.119.120:80 | http://wtfismyip.org/ | US | - | - | suspicious
3904 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 528 b | whitelisted
3904 | opera.exe | GET | 200 | 172.217.16.131:80 | http://crl.pki.goog/gsr2/gsr2.crl | US | der | 950 b | whitelisted
3904 | opera.exe | GET | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQD2zW1jyh%2BKlgIAAAAARIBi | US | der | 472 b | whitelisted
3904 | opera.exe | GET | 302 | 172.217.18.99:80 | http://www.google.com.ua/search?q=wtfismyip.com%26text&sourceid=opera&ie=utf-8&oe=utf-8&channel=suggest | US | html | 333 b | whitelisted
3904 | opera.exe | GET | 302 | 172.217.18.99:80 | http://www.google.com.ua/search?client=opera&q=wtfismyip.com%26text&sourceid=opera&ie=utf-8&oe=utf-8&channel=suggest | US | html | 349 b | whitelisted
3904 | opera.exe | GET | 200 | 172.217.16.206:80 | http://clients1.google.com/complete/search?q=wtf&client=opera-suggest-omnibox&hl=de | US | text | 92 b | whitelisted
3904 | opera.exe | GET | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQCPBMnJDANQzQgAAAAAFPvS | US | der | 472 b | whitelisted
3904 | opera.exe | GET | 200 | 172.217.16.206:80 | http://clients1.google.com/complete/search?q=wtfi&client=opera-suggest-omnibox&hl=de | US | text | 110 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3904 | opera.exe | 93.184.220.29:80 | crl4.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3904 | opera.exe | 172.217.16.206:80 | clients1.google.com | Google Inc. | US | whitelisted
3904 | opera.exe | 172.217.18.99:80 | www.google.com.ua | Google Inc. | US | whitelisted
1916 | EQNEDT32.EXE | 112.213.89.40:443 | tfvn.com.vn | SUPERDATA | VN | malicious
3904 | opera.exe | 172.217.18.99:443 | www.google.com.ua | Google Inc. | US | whitelisted
3904 | opera.exe | 185.26.182.93:443 | certs.opera.com | Opera Software AS | - | whitelisted
3904 | opera.exe | 172.217.16.131:80 | crl.pki.goog | Google Inc. | US | whitelisted
3904 | opera.exe | 107.167.110.211:80 | sitecheck2.opera.com | Opera Software Americas LLC | US | suspicious
3904 | opera.exe | 216.58.205.227:443 | id.google.com.ua | Google Inc. | US | whitelisted
3904 | opera.exe | 162.255.119.120:80 | wtfismyip.org | Namecheap, Inc. | US | suspicious

DNS requests

Domain | IP | Reputation
tfvn.com.vn | 112.213.89.40 | unknown
certs.opera.com | 185.26.182.93, 185.26.182.94 | whitelisted
crl4.digicert.com | 93.184.220.29 | whitelisted
clients1.google.com | 172.217.16.206 | whitelisted
www.google.com.ua | 172.217.18.99 | whitelisted
sitecheck2.opera.com | 107.167.110.211, 107.167.110.216 | whitelisted
crl.pki.goog | 172.217.16.131 | whitelisted
ocsp.pki.goog | 172.217.16.131 | whitelisted
id.google.com.ua | 216.58.205.227 | whitelisted
id.google.com | 216.58.207.67 | whitelisted

Threats

Found threats are available with a paid subscription
1 ETPRO signature available in the full report
No debug info