File name: | SKM_C30819111181835.xls |
Full analysis: | https://app.any.run/tasks/32683a2b-4a5c-4c28-986a-7b5e7f46b5e6 |
Verdict: | Malicious activity |
Analysis date: | December 03, 2019, 00:21:29 |
OS: | Windows 10 Professional (build: 16299, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Title: CiBQd, Subject: N, Author: NYxaYK, Last Saved By: Administrator, Revision Number: 602, Name of Creating Application: Microsoft Excel, Total Editing Time: 1d+04:31:00, Create Time/Date: Fri Aug 30 10:14:50 2019, Last Saved Time/Date: Mon Dec 2 20:35:23 2019, Number of Pages: 2, Number of Words: 3929, Number of Characters: 7608, Security: 0 |
MD5: | E64732DBBA7C812DE3CFD435B5F1F20B |
SHA1: | 98F84376FE5E050C7783D1819FAB2E6369503066 |
SHA256: | 04C6CE889C9D7E0B4C7D61ECB51F2FDECF3A37CE9892F7A4B6D5D458C8AB4DAF |
SSDEEP: | 12288:6EB+Jx9Cjs/39lKf94sGg0SOMwItwmtSp+gW3:tcCjsnKG4wbmtcBE |
.xls | | | Microsoft Excel sheet (48) |
---|---|---|
.xls | | | Microsoft Excel sheet (alternate) (39.2) |
HeadingPairs: |
|
---|---|
TitleOfParts: | Page2 |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
Paragraphs: | 36 |
Lines: | 230 |
Bytes: | 12777 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 7608 |
Words: | 3929 |
Pages: | 2 |
ModifyDate: | 2019:12:02 20:35:23 |
CreateDate: | 2019:08:30 09:14:50 |
TotalEditTime: | 1.2 days |
Software: | Microsoft Excel |
RevisionNumber: | 602 |
LastModifiedBy: | Administrator |
Author: | NYxaYK |
Subject: | N |
Title: | CiBQd |
CompObjUserType: | Microsoft Forms 2.0 Form |
CompObjUserTypeLen: | 25 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
4208 | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\AppData\Local\Temp\SKM_C30819111181835.xls" | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 16.0.12026.20264 | ||||
1240 | C:\WINDOWS\splwow64.exe 8192 | C:\WINDOWS\splwow64.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Print driver host for applications Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) |
PID | Process | Filename | Type | |
---|---|---|---|---|
4208 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF901CDE733F9959AE.TMP | — | |
MD5:— | SHA256:— | |||
4208 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GX40DJG9L5N7WTGHV33S.temp | — | |
MD5:— | SHA256:— | |||
4208 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\VB65E5.tmp | — | |
MD5:— | SHA256:— | |||
4208 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\VB65E4.tmp | — | |
MD5:— | SHA256:— | |||
4208 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFA9806757755F8C1B.TMP | — | |
MD5:— | SHA256:— | |||
4208 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\msohtmlclip1_PendingDelete | — | |
MD5:— | SHA256:— | |||
4208 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\786D2000 | — | |
MD5:— | SHA256:— | |||
4208 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF8BB14BC035E16D81.TMP | — | |
MD5:— | SHA256:— | |||
4208 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~$vds.xlsx | — | |
MD5:— | SHA256:— | |||
4208 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF174B2BFD28BB847C.TMP | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4208 | EXCEL.EXE | GET | — | 52.109.52.36:443 | https://messaging.office.com/lifecycle/legacygetcustommessage16?app=1&ui=en-US&src=Office_CanvasLocalSaveDocument_Win32&messagetype=Canvas&hwid=04111-083-043729&ver=16.0.12026&lc=en-US&platform=10%3A0%3A16299%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA044%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7BDC746D3A-E6B9-4A6F-83DB-99A51B9CE2E0%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofaa1msspvo2xw31%2Cofgg6vdq3anjh131%2Cof3ttwdwizkwt531%2Cofskuekmq22yki31%22%7D | JP | — | — | whitelisted |
3472 | svchost.exe | POST | 200 | 40.90.22.184:443 | https://login.live.com/RST2.srf | US | xml | 1.29 Kb | whitelisted |
3472 | svchost.exe | POST | 400 | 40.90.22.184:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 210 b | whitelisted |
3472 | svchost.exe | POST | 400 | 40.90.22.184:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 210 b | whitelisted |
4208 | EXCEL.EXE | POST | — | 172.104.91.16:443 | https://live-en.com/1111 | JP | — | — | malicious |
3472 | svchost.exe | POST | 400 | 40.90.22.184:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 210 b | whitelisted |
2660 | svchost.exe | GET | 200 | 2.16.186.74:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | der | 555 b | whitelisted |
4208 | EXCEL.EXE | POST | — | 52.114.132.74:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | US | — | — | whitelisted |
4208 | EXCEL.EXE | GET | 200 | 52.109.52.36:443 | https://messaging.office.com/lifecycle/legacygetcustommessage16?app=1&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.12026&lc=en-US&platform=10%3A0%3A16299%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA044%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7BDC746D3A-E6B9-4A6F-83DB-99A51B9CE2E0%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofaa1msspvo2xw31%2Cofgg6vdq3anjh131%2Cof3ttwdwizkwt531%2Cofskuekmq22yki31%22%7D | JP | xml | 495 b | whitelisted |
4208 | EXCEL.EXE | GET | 200 | 52.109.76.6:443 | https://officeclient.microsoft.com/config16/?syslcid=1033&build=16.0.12026&crev=3 | IE | xml | 111 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4208 | EXCEL.EXE | 2.18.232.120:443 | fs.microsoft.com | Akamai International B.V. | — | whitelisted |
3472 | svchost.exe | 40.90.22.184:443 | login.live.com | Microsoft Corporation | US | malicious |
4208 | EXCEL.EXE | 52.109.88.10:443 | roaming.officeapps.live.com | Microsoft Corporation | NL | whitelisted |
4208 | EXCEL.EXE | 13.107.3.128:443 | config.edge.skype.com | Microsoft Corporation | US | whitelisted |
4208 | EXCEL.EXE | 52.109.76.6:443 | officeclient.microsoft.com | Microsoft Corporation | IE | whitelisted |
4208 | EXCEL.EXE | 172.104.91.16:443 | live-en.com | Linode, LLC | JP | malicious |
4208 | EXCEL.EXE | 52.114.132.74:443 | self.events.data.microsoft.com | Microsoft Corporation | US | unknown |
4208 | EXCEL.EXE | 52.109.52.36:443 | messaging.office.com | Microsoft Corporation | JP | unknown |
2660 | svchost.exe | 2.21.38.54:80 | www.microsoft.com | GTT Communications Inc. | FR | malicious |
648 | svchost.exe | 40.90.22.190:443 | login.live.com | Microsoft Corporation | US | malicious |
Domain | IP | Reputation |
---|---|---|
self.events.data.microsoft.com |
| whitelisted |
officeclient.microsoft.com |
| whitelisted |
fs.microsoft.com |
| whitelisted |
roaming.officeapps.live.com |
| whitelisted |
config.edge.skype.com |
| whitelisted |
login.live.com |
| whitelisted |
live-en.com |
| malicious |
messaging.office.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
dns.msftncsi.com |
| shared |