File name: documento1_653.xls
Full analysis: https://app.any.run/tasks/c3958e76-647b-475d-83e2-2b6781935904
Verdict: Malicious activity
Analysis date: October 20, 2020, 12:01:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: LCsGRzym, Last Saved By: administrator, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Oct 20 05:51:55 2020, Last Saved Time/Date: Tue Oct 20 06:24:11 2020, Security: 1
MD5: A3AEDEC7404DE298C5712A7E43F4F5E7
SHA1: E8D8A38D9FFE9FFF4B69378D753D73A49D6CECE4
SHA256: C3082633DFDFD21BF76F895E16AE0B7F024D4525F06E8A515B9341763E8D97BA
SSDEEP: 3072:83Dsg/3P3i0gkAKSew3Xe7m8YNKtIxv98oizHX/KpRp/n8nVQTF1DhGhv:83Qu3v9onESKtI/8/HypRpBp1yv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • EXCEL.EXE (PID: 3068)
  • SUSPICIOUS
    • Uses RUNDLL32.EXE to load library
      • EXCEL.EXE (PID: 3068)
  • INFO
    • Creates files in the user directory
      • EXCEL.EXE (PID: 3068)
    • Reads Microsoft Office registry keys
      • EXCEL.EXE (PID: 3068)
    • Reads Internet Cache Settings
      • EXCEL.EXE (PID: 3068)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .xls | Microsoft Excel sheet (78.9)

EXIF (FlashPix):
Author: LCsGRzym
LastModifiedBy: administrator
Software: Microsoft Excel
CreateDate: 2020:10:20 04:51:55
ModifyDate: 2020:10:20 05:24:11
Security: Password protected
CodePage: Windows Latin 1 (Western European)
Company: -
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • PppGvxpPrWUCq
  • Foglio2
  • Foglio3
  • Foglio4
  • Foglio5
  • Foglio6
  • Foglio7
  • Foglio8
  • Foglio9
  • Foglio10
  • Foglio11
  • Foglio12
  • Foglio13
  • Foglio14
  • Foglio15
  • Foglio16
  • Foglio17
  • Foglio18
  • Foglio19
  • Foglio20
  • Foglio21
  • Foglio22
  • Foglio23
  • Foglio24
  • Foglio25
  • Foglio26
  • Foglio27
  • Foglio28
  • Foglio29
  • Sheet1
  • GC
HeadingPairs:
  • Fogli di lavoro: 30
  • Macro di Excel 4.0: 1
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph: start → excel.exe → rundll32.exe (no specs)

Process information

PID: 3068
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Version: 14.0.6024.1000

PID: 2864
CMD: "C:\Windows\System32\rundll32.exe" qOJmoVb.dll,DllRegisterServer
Path: C:\Windows\System32\rundll32.exe
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 552
Read events: 497
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 0
Text files: 2
Unknown types: 2

Dropped files

PID: 3068
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR5028.tmp
Type: cvr
MD5: (not listed)
SHA256: (not listed)

PID: 3068
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\documento1_653.xls.LNK
Type: lnk
MD5: 08221B24B1AEA216816381A12818794E
SHA256: 2F7846E858F44DDBA03CE2F1DE0A0343551FD57C624EE35BBEF732E4FB484795

PID: 3068
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Type: text
MD5: 758CA97567DBB0AF9920EAEC4DDAAC30
SHA256: ACD61882BFD5A3B2110234533AB8FC10F6A915C8F1D6905C40077546392AE2BE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 3
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 3068
Process: EXCEL.EXE
IP: 176.32.32.16:80
Domain: linksystems.bar
ASN: LLC Baxet
CN: RU
Reputation: suspicious

DNS requests

Domain: linksystems.bar
IP: 176.32.32.16
Reputation: suspicious

Domain: dns.msftncsi.com
IP: 131.107.255.255
Reputation: shared

Threats

No threats detected
No debug info