analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

نتائج استفتاء الدستور-الخارج.xls

Full analysis: https://app.any.run/tasks/0642668b-e7fe-4ddc-9c89-9a5f2eef1a50
Verdict: Malicious activity
Analysis date: April 25, 2019, 13:00:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Admin, Last Saved By: Research, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Apr 13 10:30:01 2019, Last Saved Time/Date: Mon Apr 22 14:15:51 2019, Security: 1
MD5:

44B9203FED19829E24D1601DBD141C0E

SHA1:

2DAC9ED7BE4DD83DF607A6C7F847C1ED92FA0219

SHA256:

D8589625BBEA522E927FC1B7A3484308F79C481C5D32294BA26A496DFEF18F94

SSDEEP:

768:f5wOYrxfcfo9nJgafwgEuKpzOsNAzBGoydrpU8Pd8Q:f5wHkfanJgewgoxNyBGXFUcd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2836)
    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 2836)
  • SUSPICIOUS

    • Executes scripts

      • explorer.exe (PID: 3012)
    • Creates files in the user directory

      • WScript.exe (PID: 4060)
      • powershell.exe (PID: 2212)
    • Executes PowerShell scripts

      • forfiles.exe (PID: 3460)
  • INFO

    • Creates files in the user directory

      • EXCEL.EXE (PID: 2836)
    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2836)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

CompObjUserTypeLen: 31
CompObjUserType: Microsoft Excel 2003 Worksheet
Author: Admin
LastModifiedBy: Research
Software: Microsoft Excel
CreateDate: 2019:04:13 09:30:01
ModifyDate: 2019:04:22 13:15:51
Security: Password protected
CodePage: Windows Latin 1 (Western European)
Company: -
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • Sheet1
  • Sheet2
  • Sheet15
HeadingPairs:
  • Worksheets
  • 2
  • Excel 4.0 Macros
  • 1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
7
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe no specs cmd.exe no specs explorer.exe no specs explorer.exe no specs wscript.exe no specs forfiles.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
2836"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
3128cmd.exe /C echo %appdata%\Microsoft\Protect\Update.vbs > C:\Users\Public\t.txtC:\Windows\system32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1032explorer.exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\Update.vbs C:\Windows\explorer.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3012C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -EmbeddingC:\Windows\explorer.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4060"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Protect\Update.vbs" C:\Windows\System32\WScript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
3460"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m calc.exe /c "powershell -C (Get-Content "$ENV:APPDATA\Microsoft\Protect\antiquityn.txt") | iex"C:\Windows\System32\forfiles.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
ForFiles - Executes a command on selected files
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2212-C (Get-Content $ENV:APPDATA\Microsoft\Protect\antiquityn.txt) | iexC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
forfiles.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
933
Read events
816
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
2836EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRFC88.tmp.cvr
MD5:
SHA256:
2212powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5ALY3HZQGYCCOC4SNI4B.temp
MD5:
SHA256:
2212powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:5F9A7BF5388376D94C2EDCA422810BEC
SHA256:8B2183F4F2F735C231B1F81D46CB86CB1FB51168824DE82F3A9EA79C12CAF82C
2836EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Protect\Update.vbstext
MD5:6EC9DCBE73D07D423AC8A723E960FAB4
SHA256:20633C66282DE9076829342B5D86B08E033CF282C98E26A05C5521B4C16E04CE
2212powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF132406.TMPbinary
MD5:5F9A7BF5388376D94C2EDCA422810BEC
SHA256:8B2183F4F2F735C231B1F81D46CB86CB1FB51168824DE82F3A9EA79C12CAF82C
3128cmd.exeC:\Users\Public\t.txttext
MD5:67F591E07212871DE5E9D8831420AF5A
SHA256:A8A14C6141F02FCC751F619164AC18BACDD63F0B3EC9EF66B9FD773D58876CF1
4060WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Protect\antiquityn.txttext
MD5:843848E54CA0D8C7862EC29C454903A7
SHA256:E6DCE62226C6BE74B7DCE5901F27C041C1C76C71E0E180B278C9106326C54313
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2212
powershell.exe
104.18.33.7:443
windows-security.net
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
windows-security.net
  • 104.18.33.7
  • 104.18.32.7
suspicious

Threats

No threats detected
No debug info