analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

documento1_1510.xls

Full analysis: https://app.any.run/tasks/c2508666-23a8-4066-905f-1403b69aeb1f
Verdict: Malicious activity
Analysis date: October 20, 2020, 12:58:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: xJaowxHfaDFlrLTJoj, Last Saved By: administrator, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Oct 20 00:28:19 2020, Last Saved Time/Date: Tue Oct 20 01:31:07 2020, Security: 1
MD5:

11E40B15DE6DB46F7C94800DE971ED68

SHA1:

A039900B9E88EDDFFF6255C8FE7A13BC27C5CC54

SHA256:

DAD39DE7EBF29592857C7E632D5C86C07C6E8349C23EF5D18730E21B06A66CBD

SSDEEP:

3072:baIt848Z6lLY1EaWsHsZB2aGFXZd2BVrO15rC/MhP/XwhtAhXBpQKpM:0hoNaWsHB5FXZEBVr+C+whtAhXBpQeM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Requests a remote executable file from MS Office

      • EXCEL.EXE (PID: 2928)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2928)

  • SUSPICIOUS

    • Uses RUNDLL32.EXE to load library

      • EXCEL.EXE (PID: 2928)

  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2928)

    • Reads Internet Cache Settings

      • EXCEL.EXE (PID: 2928)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

Author: xJaowxHfaDFlrLTJoj
LastModifiedBy: administrator
Software: Microsoft Excel
CreateDate: 2020:10:19 23:28:19
ModifyDate: 2020:10:20 00:31:07
Security: Password protected
CodePage: Windows Latin 1 (Western European)
Company: -
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • hFXwXicueBkvB
  • Foglio2
  • Foglio3
  • Foglio4
  • Foglio5
  • Foglio6
  • Foglio7
  • Foglio8
  • Foglio9
  • Foglio10
  • Foglio11
  • Foglio12
  • Foglio13
  • Foglio14
  • Foglio15
  • Foglio16
  • Foglio17
  • Foglio18
  • Foglio19
  • Foglio20
  • Foglio21
  • Foglio22
  • Foglio23
  • Foglio24
  • Foglio25
  • Foglio26
  • Foglio27
  • Foglio28
  • Foglio29
  • Foglio30
  • Sheet1
  • rnc
HeadingPairs:
  • Fogli di lavoro
  • 31
  • Macro di Excel 4.0
  • 1
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2928"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
2808"C:\Windows\System32\rundll32.exe" IDgiPjo.dll,DllRegisterServerC:\Windows\System32\rundll32.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
632
Read events
579
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2928EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR5112.tmp.cvr
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2928
EXCEL.EXE
GET
109.248.203.236:80
http://linksystems.casa/installa.dll
RU
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2928
EXCEL.EXE
109.248.203.236:80
linksystems.casa
Business Consulting LLC
RU
suspicious

DNS requests

Domain
IP
Reputation
linksystems.casa
  • 109.248.203.236
suspicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
documento1_1510.xls