File name: Bundle_info_104171.xlsm
Full analysis: https://app.any.run/tasks/e894b67e-f131-4273-8c0b-02b140bdd6ef
Verdict: Malicious activity
Analysis date: May 20, 2019, 20:47:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5: E4B64E28E7F9F65C3BF44D2FCDD6A961
SHA1: E80857F144CF406C81D786064E8EA84DA6E7C190
SHA256: D760D6663E0319AA4664F8D147FED8658934A9F731B048CC2A64BAD6EF612AE5
SSDEEP: 768:8Hug5V4bx2ThbyQY2IBlzG5ke/h0bldSSu:Wdk2Fbi2IBF6ZqdSSu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office: EXCEL.EXE (PID: 2464)
    • Starts CMD.EXE for commands execution: EXCEL.EXE (PID: 2464)
  • SUSPICIOUS
    • Starts MSHTA.EXE for opening HTA or HTMLS files: cmd.exe (PID: 3048)
    • Executes application which crashes: cmd.exe (PID: 2108)
    • Starts CMD.EXE for commands execution: mshta.exe (PID: 3484)
  • INFO
    • Reads Microsoft Office registry keys: EXCEL.EXE (PID: 2464)
    • Reads internet explorer settings: mshta.exe (PID: 3484)
No Malware configuration.

TRiD

.xlam | Excel Macro-enabled Open XML add-in (42.4)
.xlsm | Excel Microsoft Office Open XML Format document (with Macro) (29.2)
.xlsx | Excel Microsoft Office Open XML Format document (17.3)
.zip | Open Packaging Conventions container (8.9)
.zip | ZIP compressed archive (2)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0xe69d70d7
ZipCompressedSize: 413
ZipUncompressedSize: 1393
ZipFileName: [Content_Types].xml

XMP

Creator: -

XML

LastModifiedBy: -
CreateDate: 2006:09:16 00:00:00Z
ModifyDate: 2019:05:16 16:59:30Z
Application: Microsoft Excel
DocSecurity: None
ScaleCrop: No
HeadingPairs:
  • Листы
  • 1
TitlesOfParts: Лист1
Company: -
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
AppVersion: 15.03
Total processes: 39
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start → excel.exe → cmd.exe → mshta.exe → cmd.exe → ntvdm.exe

Process information

PID: 2464
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Version: 14.0.6024.1000

PID: 3048
CMD: cmd.exe /c C:\Users\admin\AppData\Local\Temp\999.hta
Path: C:\Windows\system32\cmd.exe
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3484
CMD: "C:\Windows\System32\mshta.exe" "C:\Users\admin\AppData\Local\Temp\999.hta"
Path: C:\Windows\System32\mshta.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft (R) HTML Application host
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2108
CMD: "C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\5702uray.exe
Path: C:\Windows\System32\cmd.exe
Parent process: mshta.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2656
CMD: "C:\Windows\system32\ntvdm.exe"
Path: C:\Windows\system32\ntvdm.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: NTVDM.EXE
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 071
Read events: 967
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 0
Text files: 2
Unknown types: 1

Dropped files

PID: 2464
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR3F9C.tmp
Type: cvr
MD5: -
SHA256: -

PID: 2656
Process: ntvdm.exe
Filename: C:\Users\admin\AppData\Local\Temp\scs4CCB.tmp
Type: -
MD5: -
SHA256: -

PID: 2656
Process: ntvdm.exe
Filename: C:\Users\admin\AppData\Local\Temp\scs4CCC.tmp
Type: -
MD5: -
SHA256: -

PID: 2464
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\999.hta
Type: html
MD5: 14DF192CDC815BF57B768B5D97320365
SHA256: D4E37A29FF4011CAD258CA60080B2F366619570FEC08EC50F95285F725BF8A0D

PID: 2464
Process: EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
Type: tlb
MD5: 8838165C4940C309600CED2586781960
SHA256: 80E29633A89690DD2A1D12B53DF42B0B9437384ADBB220CA35F092C3B08CA449

PID: 3484
Process: mshta.exe
Filename: C:\Users\admin\AppData\Local\Temp\5702uray.exe
Type: html
MD5: 3526531CCD6C6A1D2340574A305A18F8
SHA256: B663321AB439CC53A329EE352C1B855D9998D3AF95524A05795A88B42A9ACF07
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 0
Threats: 0

HTTP requests

PID: 3484
Process: mshta.exe
Method: GET
HTTP Code: 200
IP: 64.44.133.144:80
URL: http://64.44.133.144/?3mhZb5
CN: US
Type: html
Size: 10.6 Kb
Reputation: suspicious

Connections

PID: 3484
Process: mshta.exe
IP: 64.44.133.144:80
Domain: -
ASN: Nexeon Technologies, Inc.
CN: US
Reputation: suspicious

DNS requests

No data

Threats

No threats detected
No debug info