analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

نتائج استفتاء الدستور-الخارج.xls

Full analysis: https://app.any.run/tasks/ba9b0afd-ddc8-4085-b5d8-752d97a4298f
Verdict: Malicious activity
Analysis date: April 23, 2019, 11:32:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Admin, Last Saved By: Research, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Apr 13 10:30:01 2019, Last Saved Time/Date: Mon Apr 22 14:15:51 2019, Security: 1
MD5:

44B9203FED19829E24D1601DBD141C0E

SHA1:

2DAC9ED7BE4DD83DF607A6C7F847C1ED92FA0219

SHA256:

D8589625BBEA522E927FC1B7A3484308F79C481C5D32294BA26A496DFEF18F94

SSDEEP:

768:f5wOYrxfcfo9nJgafwgEuKpzOsNAzBGoydrpU8Pd8Q:f5wHkfanJgewgoxNyBGXFUcd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 3860)

    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 3860)

  • SUSPICIOUS

    • Executes scripts

      • explorer.exe (PID: 272)

    • Creates files in the user directory

      • WScript.exe (PID: 3704)
      • powershell.exe (PID: 3152)

    • Executes PowerShell scripts

      • forfiles.exe (PID: 2100)

  • INFO

    • Creates files in the user directory

      • EXCEL.EXE (PID: 3860)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3860)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

HeadingPairs:
  • Worksheets
  • 2
  • Excel 4.0 Macros
  • 1
TitleOfParts:
  • Sheet1
  • Sheet2
  • Sheet15
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
Company: -
CodePage: Windows Latin 1 (Western European)
Security: Password protected
ModifyDate: 2019:04:22 13:15:51
CreateDate: 2019:04:13 09:30:01
Software: Microsoft Excel
LastModifiedBy: Research
Author: Admin
CompObjUserType: Microsoft Excel 2003 Worksheet
CompObjUserTypeLen: 31
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
7
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe no specs cmd.exe no specs explorer.exe no specs explorer.exe no specs wscript.exe no specs forfiles.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
3860"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
1804cmd.exe /C echo %appdata%\Microsoft\Protect\Update.vbs > C:\Users\Public\t.txtC:\Windows\system32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2716explorer.exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\Update.vbs C:\Windows\explorer.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
272C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -EmbeddingC:\Windows\explorer.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3704"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Protect\Update.vbs" C:\Windows\System32\WScript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
2100"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m calc.exe /c "powershell -C (Get-Content "$ENV:APPDATA\Microsoft\Protect\antiquityn.txt") | iex"C:\Windows\System32\forfiles.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
ForFiles - Executes a command on selected files
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3152-C (Get-Content $ENV:APPDATA\Microsoft\Protect\antiquityn.txt) | iexC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
forfiles.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
926
Read events
809
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
3860EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR2DF3.tmp.cvr
MD5:
SHA256:
3152powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TEBJ0I0UNGIHSFU3HBVI.temp
MD5:
SHA256:
3152powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF117164.TMPbinary
MD5:33B4C42BAF9E3CA295E3BDCD51C02EAF
SHA256:B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5
3860EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Protect\Update.vbstext
MD5:6EC9DCBE73D07D423AC8A723E960FAB4
SHA256:20633C66282DE9076829342B5D86B08E033CF282C98E26A05C5521B4C16E04CE
3704WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Protect\antiquityn.txttext
MD5:843848E54CA0D8C7862EC29C454903A7
SHA256:E6DCE62226C6BE74B7DCE5901F27C041C1C76C71E0E180B278C9106326C54313
1804cmd.exeC:\Users\Public\t.txttext
MD5:67F591E07212871DE5E9D8831420AF5A
SHA256:A8A14C6141F02FCC751F619164AC18BACDD63F0B3EC9EF66B9FD773D58876CF1
3152powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:33B4C42BAF9E3CA295E3BDCD51C02EAF
SHA256:B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3152
powershell.exe
104.18.33.7:443
windows-security.net
Cloudflare Inc
US
shared
3152
powershell.exe
50.16.229.140:443
api.ipify.org
Amazon.com, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
windows-security.net
  • 104.18.33.7
  • 104.18.32.7
suspicious
api.ipify.org
  • 50.16.229.140
  • 50.19.247.198
  • 54.243.147.226
  • 54.204.36.156
  • 54.225.171.237
  • 54.235.124.112
  • 54.243.198.12
  • 23.21.121.219
shared

Threats

PID
Process
Class
Message
3152
powershell.exe
Misc activity
SUSPICIOUS [PTsecurity] ipify.org External IP Check
3152
powershell.exe
Misc activity
SUSPICIOUS [PTsecurity] ipify.org External IP Check
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
نتائج استفتاء الدستور-الخارج.xls