analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

statement Nov.xls

Full analysis: https://app.any.run/tasks/c88fc0d9-e9b8-4551-89a0-c69c3b63a6a8
Verdict: Malicious activity
Analysis date: December 02, 2019, 17:59:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Jawina Convention, Last Saved By: VirusTotal, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Oct 15 09:15:31 2019, Last Saved Time/Date: Mon Dec 2 14:08:24 2019, Security: 0
MD5:

E290D705B7161CDCA3D3CAC608CB692B

SHA1:

67FAD6DB56DB256F46F5F73AA9FE2EC5F8536B6D

SHA256:

F3CEC11F47655D61E01C1CD2099CD9F9B0D90A9285D67F9461E6372000E7BC2F

SSDEEP:

6144:CZ+RwPONXoRjDhIcp0fDlavx+W26nA05+aH73IcpHOS7soW3oe2rHS3XrpcfBJ4v:wrbtQfx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Intel.exe (PID: 2812)
      • Intel.exe (PID: 2264)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 4036)

    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 4036)

    • Writes to a start menu file

      • Intel.exe (PID: 2264)

  • SUSPICIOUS

    • Application launched itself

      • Intel.exe (PID: 2264)

    • Executable content was dropped or overwritten

      • Intel.exe (PID: 2264)

    • Creates files in the user directory

      • Intel.exe (PID: 2264)

  • INFO

    • Creates files in the user directory

      • EXCEL.EXE (PID: 4036)

    • Application was crashed

      • Intel.exe (PID: 2812)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 4036)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

CompObjUserType: Microsoft Office Excel 2003 Worksheet
CompObjUserTypeLen: 38
HeadingPairs:
  • Worksheets
  • 3
TitleOfParts:
  • Sheet1
  • Sheet2
  • Sheet3
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 12
CodePage: Windows Latin 1 (Western European)
Security: None
ModifyDate: 2019:12:02 14:08:24
CreateDate: 2019:10:15 08:15:31
Software: Microsoft Excel
LastModifiedBy: VirusTotal
Author: Jawina Convention
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start drop and start excel.exe intel.exe intel.exe

Process information

PID
CMD
Path
Indicators
Parent process
4036"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
2264"C:\Users\admin\Intel Graphics Driver\Intel.exe"C:\Users\admin\Intel Graphics Driver\Intel.exe
EXCEL.EXE
User:
admin
Integrity Level:
MEDIUM
2812"C:\Users\admin\Intel Graphics Driver\Intel.exe"C:\Users\admin\Intel Graphics Driver\Intel.exe
Intel.exe
User:
admin
Integrity Level:
MEDIUM
Total events
583
Read events
456
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
6
Unknown types
3

Dropped files

PID
Process
Filename
Type
4036EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRADFD.tmp.cvr
MD5:
SHA256:
4036EXCEL.EXEC:\Users\admin\AppData\Local\Temp\VBB7F2.tmp
MD5:
SHA256:
4036EXCEL.EXEC:\Users\admin\Intel Graphics Driver\new.txttext
MD5:9AE2E0AFC9C1458DAF1151C9A9C318FF
SHA256:5A9DAB8DCB99FD682C0FF590E72FA898FD7C95F4C8EC182ED866FC14D27C1A0D
4036EXCEL.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:638B1143E674DA555D5A6D995B13593A
SHA256:E30A8C0F27477AC30893EC3A820426931AAAA942A41128CB3AC217B56A88D53D
2264Intel.exeC:\Users\admin\RtlUpd64\RtlUpd64.vbstext
MD5:E069242673043969B0F3BB6C8CB36DD0
SHA256:2D426072C5508715AD283119FDD26F909269BA67FB6081177B442E67DF40B411
4036EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:987C9FCA5EE9349C3E1F9AFF8F30832D
SHA256:7BB84A51D238477C94D2BC11809D125FF6F427960CB31F901EF29D4CEC02BDAD
2264Intel.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RtlUpd64.urltext
MD5:C8971CEFDED522F1C9EA8A9589805ABE
SHA256:4F254BDAD3E5180960F0FAA6E17E51B4A83E2F2749A8D967B6B11AEE3B472A17
4036EXCEL.EXEC:\Users\admin\Intel Graphics Driver\Intel.exeexecutable
MD5:CF1206CD2088B5F4573F7EA0BB101B4D
SHA256:C3FB1A453C0B853A2181EE73E0B74D8E62C97A3AB3ECA4F3574A0564E4675EC9
2264Intel.exeC:\Users\admin\RtlUpd64\UevTemplateConfigItemGenerator.exeexecutable
MD5:CF1206CD2088B5F4573F7EA0BB101B4D
SHA256:C3FB1A453C0B853A2181EE73E0B74D8E62C97A3AB3ECA4F3574A0564E4675EC9
4036EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\statement Nov.xls.LNKlnk
MD5:136689CAFFE95680DCCBE3277301A930
SHA256:34434C7E3AFF7665786F22F84CFC00BFFF0AB3001602AEF943766FEB39B7682E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
statement Nov.xls