analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

order_091019.xls

Full analysis: https://app.any.run/tasks/3c407a1c-ad18-4cf6-b22a-799750655639
Verdict: Malicious activity
Analysis date: October 09, 2019, 17:03:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
macros
ole-embedded
macros-on-open
ta505
ta505
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: 1, Last Saved By: 1, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Aug 30 10:14:50 2019, Last Saved Time/Date: Wed Oct 9 12:36:59 2019, Security: 0
MD5:

0E8199B87CEA34AF9D5A919C3152C989

SHA1:

2B2DB989545C2C2559D425D43FC5E4F0F606DF17

SHA256:

F9704B16C55B131C8B80BE4CDC46A5B9EE4EC3B07C9060DA846C6F46F5669459

SSDEEP:

12288:RcngSigpoTkKN/zLYBYPGcHdPlOga9uLNZx57gZJoTcfEhwtFN04R:R/tTkKN7LYBYOcJkga9eTHqE+t8s

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • EXCEL.EXE (PID: 676)
    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 676)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Creates files in the user directory

      • EXCEL.EXE (PID: 676)
    • Reads the machine GUID from the registry

      • EXCEL.EXE (PID: 676)
    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 676)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

HeadingPairs:
  • Worksheets
  • 1
TitleOfParts: Page2
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
Company: -
CodePage: Windows Cyrillic
Security: None
ModifyDate: 2019:10:09 11:36:59
CreateDate: 2019:08:30 09:14:50
Software: Microsoft Excel
LastModifiedBy: 1
Author: 1
CompObjUserType: Microsoft Forms 2.0 Form
CompObjUserTypeLen: 25
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
33
Monitored processes
1
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start excel.exe

Process information

PID
CMD
Path
Indicators
Parent process
676"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.4756.1000
Total events
996
Read events
823
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
3
Text files
1
Unknown types
2

Dropped files

PID
Process
Filename
Type
676EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR95C1.tmp.cvr
MD5:
SHA256:
676EXCEL.EXEC:\Users\admin\AppData\Local\Temp\VBB67A.tmp
MD5:
SHA256:
676EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF86E27E022D4663FE.TMP
MD5:
SHA256:
676EXCEL.EXEC:\Users\admin\AppData\Local\Temp\67B51000
MD5:
SHA256:
676EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF8DFCD99B9BC5CB34.TMP
MD5:
SHA256:
676EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~$favorite.xlsx
MD5:
SHA256:
676EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF36C3562E260AD1FF.TMP
MD5:
SHA256:
676EXCEL.EXEC:\Users\admin\AppData\Local\Temp\oleObject1.binbinary
MD5:5A90D5E52A978FEDB1A7859A19CEB858
SHA256:CA3DF9FC11E5766270773DE2FE12DAE0646D02F1140E9E1F27FAB4D6F5065BB7
676EXCEL.EXEC:\Users\admin\AppData\Local\Temp\favorite.xlsxdocument
MD5:A5F7CA81E0B6501B55246AF4FD10D984
SHA256:39C4922A81D9EC4690E0B53CD4945DF01E6AB4020052ADA39B244C37BFA88C4D
676EXCEL.EXEC:\Users\admin\AppData\Local\Temp\favorite.xlsx.zipdocument
MD5:A5F7CA81E0B6501B55246AF4FD10D984
SHA256:39C4922A81D9EC4690E0B53CD4945DF01E6AB4020052ADA39B244C37BFA88C4D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
3
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
676
EXCEL.EXE
195.123.228.14:443
windows-sys-update.com
ITL Company
BG
malicious

DNS requests

Domain
IP
Reputation
windows-sys-update.com
  • 195.123.228.14
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

No threats detected
No debug info