analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

67c118c43656b5551165e30d11943fd8.xlsx

Full analysis: https://app.any.run/tasks/208700c9-f128-4600-837d-aff884dec9f6
Verdict: Malicious activity
Analysis date: April 24, 2019, 04:03:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exploit
CVE-2017-11882
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5:

67C118C43656B5551165E30D11943FD8

SHA1:

3A3F8E48F925F7C15223006BB52D97C3E6D06123

SHA256:

BFE9FD29B5954651B15B7532D5D8D15458C739FD50D5945C7788EA35CF9EB8B6

SSDEEP:

384:yRn2tTE+e8qmAXFGoWJQ2/FGkB7qu5Xb610WWi1XEJURG/BVX249zQW8exr0mis7:yn2tQ+xqmAoJrsRX190SgVGezhrksy4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 1796)

  • SUSPICIOUS

    • Executes application which crashes

      • EQNEDT32.EXE (PID: 1796)

  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2308)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlsx | Excel Microsoft Office Open XML Format document (61.2)
.zip | Open Packaging Conventions container (31.5)
.zip | ZIP compressed archive (7.2)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2019:04:22 13:18:12
ZipCRC: 0x6096dbee
ZipCompressedSize: 405
ZipUncompressedSize: 1811
ZipFileName: [Content_Types].xml

XMP

Creator: -

XML

LastModifiedBy: -
CreateDate: 2006:09:16 00:00:00Z
ModifyDate: 2019:04:08 06:19:02Z
Application: Microsoft Excel
DocSecurity: None
ScaleCrop: No
HeadingPairs:
  • Worksheets
  • 3
TitlesOfParts:
  • Sheet1
  • Sheet2
  • Sheet3
Company: -
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
AppVersion: 12
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe no specs eqnedt32.exe ntvdm.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2308"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
1796"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
4060"C:\Windows\system32\ntvdm.exe" -i1 C:\Windows\system32\ntvdm.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
NTVDM.EXE
Exit code:
255
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
569
Read events
526
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
2308EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR6BD5.tmp.cvr
MD5:
SHA256:
4060ntvdm.exeC:\Users\admin\AppData\Local\Temp\scs7829.tmp
MD5:
SHA256:
4060ntvdm.exeC:\Users\admin\AppData\Local\Temp\scs783A.tmp
MD5:
SHA256:
1796EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\404[1].htmhtml
MD5:2134DC55BD476E4C305379DC4F98CF87
SHA256:AF5232A9D9389BE4EA22BA00B43FB2990D5FE1C22B08A7879F4B9BDCD6406873
1796EQNEDT32.EXEC:\Users\admin\AppData\Local\Temp\thr5retf.comhtml
MD5:2134DC55BD476E4C305379DC4F98CF87
SHA256:AF5232A9D9389BE4EA22BA00B43FB2990D5FE1C22B08A7879F4B9BDCD6406873
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1796
EQNEDT32.EXE
GET
200
204.152.118.133:80
http://daco-precision.thomaswebs.net/404.html
US
html
3.35 Kb
malicious
1796
EQNEDT32.EXE
GET
302
204.152.118.133:80
http://daco-precision.thomaswebs.net/ww/SII.png
US
html
168 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1796
EQNEDT32.EXE
204.152.118.133:80
daco-precision.thomaswebs.net
ReadyTechs, LLC
US
malicious

DNS requests

Domain
IP
Reputation
daco-precision.thomaswebs.net
  • 204.152.118.133
malicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
67c118c43656b5551165e30d11943fd8.xlsx