File name: INTERNATIONAL TRANSFER SWIFT HSBC.xlsx

Full analysis: https://app.any.run/tasks/2661fb59-d256-4615-8cdd-e490baea7c29
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: October 14, 2019, 19:22:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5: 2347E4EACBE02DACB60F41EDEF0E219A
SHA1: F7AD149641EE3EB74FF8BE2EDED6AE467816C1D6
SHA256: A5038C24AAA4F208D2B5CBAD3FBA6E0BBE25A029262993F9EE581593F96B77BC
SSDEEP: 49152:tCGa6Tpr0nLKfhZUU3SPnCA+Pfuv1e2+bPDxhRgOpcm6f92bYT02aZfTBFZ2VHrL:5HmK/ZinCNntjDlgGcDoPZL7ZYLnrvHn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 1916)
  • SUSPICIOUS

    • Executed via COM

      • EQNEDT32.EXE (PID: 1916)
    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 1916)
  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 1876)
      • WINWORD.EXE (PID: 940)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 940)
      • opera.exe (PID: 3904)
    • Manual execution by user

      • opera.exe (PID: 3904)
      • WINWORD.EXE (PID: 940)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlsx | Excel Microsoft Office Open XML Format document (61.2)
.zip | Open Packaging Conventions container (31.5)
.zip | ZIP compressed archive (7.2)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2019:10:10 07:10:06
ZipCRC: 0xf03d41ea
ZipCompressedSize: 397
ZipUncompressedSize: 1777
ZipFileName: [Content_Types].xml

XML

Application: Microsoft Excel
DocSecurity: None
ScaleCrop: No
HeadingPairs:
  • Worksheets
  • 3
  • Named Ranges
  • 1
TitlesOfParts:
  • SUP.APPRSL FORM
  • Sheet2
  • Sheet3
  • 'SUP.APPRSL FORM'!Print_Area
Company: -
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
AppVersion: 15.03
LastModifiedBy: Windows User
LastPrinted: 2018:03:26 10:27:58Z
CreateDate: 1996:10:14 23:33:28Z
ModifyDate: 2019:03:25 09:18:59Z

XMP

Creator: Microsoft Corporation
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes shown in the graph: excel.exe (no specs), eqnedt32.exe, winword.exe (no specs), opera.exe

Process information

PID | CMD | Path | Indicators | Parent process
940 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\talkresearch.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | | explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000
Modules (images):
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
1876 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | | explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Exit code: 0
Version: 14.0.6024.1000
Modules (images):
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1916 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | | svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900
Modules (images):
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3904 | "C:\Program Files\Opera\opera.exe" | C:\Program Files\Opera\opera.exe | | explorer.exe
User: admin
Company: Opera Software
Integrity Level: MEDIUM
Description: Opera Internet Browser
Exit code: 0
Version: 1748
Modules (images):
c:\program files\opera\opera.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\rpcrt4.dll
Total events: 2 277
Read events: 1 447
Write events: 682
Delete events: 148

Modification events

Process (PID) | Key | Operation | Name | Value
EXCEL.EXE (1876) | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | write | b=< | 623D3C0054070000010000000000000000000000
EXCEL.EXE (1876) | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | Off
EXCEL.EXE (1876) | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1041 | Off
EXCEL.EXE (1876) | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1046 | Off
EXCEL.EXE (1876) | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1036 | Off
EXCEL.EXE (1876) | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1031 | Off
EXCEL.EXE (1876) | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1040 | Off
EXCEL.EXE (1876) | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1049 | Off
EXCEL.EXE (1876) | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 3082 | Off
EXCEL.EXE (1876) | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | write | EXCELFiles | 1330511897
Executable files: 0
Suspicious files: 26
Text files: 17
Unknown types: 5

Dropped files

PID | Process | Filename | Type
1876 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRAD42.tmp.cvr |
940 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8B2E.tmp.cvr |
3904 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr295E.tmp |
3904 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr29AD.tmp |
3904 | opera.exe | C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00001.tmp |
3904 | opera.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F46RHXBEHFXTITPY5EOK.temp |
3904 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr9004.tmp |
940 | WINWORD.EXE | C:\Users\admin\Desktop\~$lkresearch.rtf | pgc
3904 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat | binary
3904 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr9BCD.tmp |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 14
TCP/UDP connections: 16
DNS requests: 12
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3904 | opera.exe | GET | | 172.217.16.206:80 | http://clients1.google.com/complete/search?q=wtfis&client=opera-suggest-omnibox&hl=de | US | | | whitelisted
3904 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 528 b | whitelisted
3904 | opera.exe | GET | 302 | 172.217.18.99:80 | http://www.google.com.ua/search?client=opera&q=wtfismyip.com%26text&sourceid=opera&ie=utf-8&oe=utf-8&channel=suggest | US | html | 349 b | whitelisted
3904 | opera.exe | GET | | 162.255.119.120:80 | http://wtfismyip.org/ | US | | | suspicious
3904 | opera.exe | GET | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQCPBMnJDANQzQgAAAAAFPvS | US | der | 472 b | whitelisted
3904 | opera.exe | GET | 302 | 172.217.18.99:80 | http://www.google.com.ua/search?q=wtfismyip.com%26text&sourceid=opera&ie=utf-8&oe=utf-8&channel=suggest | US | html | 333 b | whitelisted
3904 | opera.exe | GET | 200 | 172.217.16.206:80 | http://clients1.google.com/complete/search?q=wtf&client=opera-suggest-omnibox&hl=de | US | text | 92 b | whitelisted
3904 | opera.exe | GET | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQD2zW1jyh%2BKlgIAAAAARIBi | US | der | 472 b | whitelisted
3904 | opera.exe | GET | 200 | 172.217.16.206:80 | http://clients1.google.com/complete/search?q=wtf&client=opera-suggest-omnibox&hl=de | US | text | 92 b | whitelisted
3904 | opera.exe | GET | 200 | 172.217.16.131:80 | http://crl.pki.goog/gsr2/gsr2.crl | US | der | 950 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1916 | EQNEDT32.EXE | 112.213.89.40:443 | tfvn.com.vn | SUPERDATA | VN | malicious
3904 | opera.exe | 93.184.220.29:80 | crl4.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3904 | opera.exe | 185.26.182.93:443 | certs.opera.com | Opera Software AS | | whitelisted
3904 | opera.exe | 172.217.18.99:443 | www.google.com.ua | Google Inc. | US | whitelisted
3904 | opera.exe | 172.217.16.131:80 | crl.pki.goog | Google Inc. | US | whitelisted
3904 | opera.exe | 162.255.119.120:80 | wtfismyip.org | Namecheap, Inc. | US | suspicious
3904 | opera.exe | 216.58.205.227:443 | id.google.com.ua | Google Inc. | US | whitelisted
3904 | opera.exe | 172.217.18.99:80 | www.google.com.ua | Google Inc. | US | whitelisted
3904 | opera.exe | 107.167.110.211:80 | sitecheck2.opera.com | Opera Software Americas LLC | US | suspicious
3904 | opera.exe | 172.217.16.206:80 | clients1.google.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
tfvn.com.vn | 112.213.89.40 | unknown
certs.opera.com | 185.26.182.93, 185.26.182.94 | whitelisted
crl4.digicert.com | 93.184.220.29 | whitelisted
clients1.google.com | 172.217.16.206 | whitelisted
www.google.com.ua | 172.217.18.99 | whitelisted
sitecheck2.opera.com | 107.167.110.211, 107.167.110.216 | whitelisted
crl.pki.goog | 172.217.16.131 | whitelisted
ocsp.pki.goog | 172.217.16.131 | whitelisted
id.google.com.ua | 216.58.205.227 | whitelisted
id.google.com | 216.58.207.67 | whitelisted

Threats

Found threats are available for the paid subscriptions
1 ETPRO signature available at the full report
No debug info