analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

yu.xlsx

Full analysis: https://app.any.run/tasks/1c02311c-f19d-401f-a31b-d540bd9a148a
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: March 31, 2020, 00:13:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
opendir
exploit
CVE-2017-11882
loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

058D55070DCAEC1EEA222CB120A5C80E

SHA1:

22E71A6BCB69D8BCF3FBBA0A367BDC59E92F9563

SHA256:

CDBEACCF65420B71E3B475D829D3B2D2AE5A5CE45E1258F69BDC0322BA5CA302

SSDEEP:

12288:Eu3fH6pOpi2aCP1VO5e6R36LY4wA4JGcmNk8lL129RtarqVpExb:VH6opiwdV/6l6MA4AcmN/l0//Vkb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 4040)

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 4040)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 4040)

    • Executed via COM

      • EQNEDT32.EXE (PID: 4040)

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 4040)

    • Reads Internet Cache Settings

      • EQNEDT32.EXE (PID: 4040)

    • Starts CMD.EXE for commands execution

      • EQNEDT32.EXE (PID: 4040)

  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3408)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlsx | Excel Microsoft Office Open XML Format document (61.2)
.zip | Open Packaging Conventions container (31.5)
.zip | ZIP compressed archive (7.2)

EXIF

XMP

Creator: lop

XML

ModifyDate: 2006:09:16 00:00:00Z
CreateDate: 2006:09:16 00:00:00Z
AppVersion: 12
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
Company: -
TitlesOfParts:
  • Sheet1
  • Sheet2
  • Sheet3
HeadingPairs:
  • Worksheets
  • 3
ScaleCrop: No
DocSecurity: None
Application: Microsoft Excel

ZIP

ZipFileName: docProps/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2020:03:30 17:12:24
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe no specs eqnedt32.exe cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3408"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
4040"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
2380C:\Windows\system32\cmd.exe /c C:\Users\admin\AppData\Roaming\pchealth.exeC:\Windows\system32\cmd.exeEQNEDT32.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
597
Read events
534
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3408EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR6B26.tmp.cvr
MD5:
SHA256:
4040EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\putty[1].exeexecutable
MD5:6FA14B3B1C54A26F0B9BBCD2F6B45899
SHA256:601CDBDDFE6AC894DAFF506167C164C65446F893D1D5E4B95E92D960FF5F52B0
4040EQNEDT32.EXEC:\Users\admin\AppData\Roaming\pchealth.exeexecutable
MD5:6FA14B3B1C54A26F0B9BBCD2F6B45899
SHA256:601CDBDDFE6AC894DAFF506167C164C65446F893D1D5E4B95E92D960FF5F52B0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4040
EQNEDT32.EXE
GET
200
206.190.151.181:80
http://ufostream.com/vent/putty.exe
US
executable
1.12 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4040
EQNEDT32.EXE
206.190.151.181:80
ufostream.com
WestHost, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
ufostream.com
  • 206.190.151.181
malicious

Threats

PID
Process
Class
Message
4040
EQNEDT32.EXE
Potentially Bad Traffic
ET INFO Possibly Suspicious Request for Putty.exe from Non-Standard Download Location
4040
EQNEDT32.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
yu.xlsx