File name:

Puchase Inquiry.xlsx#877032168

Full analysis: https://app.any.run/tasks/0f6c7b21-242b-4478-a6dd-9ffe24feb2fc
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 10, 2025, 14:26:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
exploit
cve-2017-11882
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5:

FCC2A63F8CDD2069AB09CA37CE20EFD7

SHA1:

E2E622563AE988B5D9121E793E63AC6A66D07B3C

SHA256:

26AED758D73BAA14BF69EAA2FCFA2E297AB21736799AED0E201572312071831C

SSDEEP:

192:GWXsYfxokIfBLu0lNoUaJ64RqYJgMJgM0+tZDFWvIeI4HNsC6HUDmbi1zv3D+gI5:zzoJBo3J7RNJT/tleI4HqC60KbiUhR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Equation Editor starts application (likely CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3856)
    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 3856)
  • SUSPICIOUS

    • Reads the Internet Settings

      • EQNEDT32.EXE (PID: 3856)
    • Reads settings of System Certificates

      • EQNEDT32.EXE (PID: 3856)
    • Reads security settings of Internet Explorer

      • EQNEDT32.EXE (PID: 3856)
    • Process requests binary or script from the Internet

      • EQNEDT32.EXE (PID: 3856)
  • INFO

    • Checks supported languages

      • EQNEDT32.EXE (PID: 3856)
    • Reads the computer name

      • EQNEDT32.EXE (PID: 3856)
    • Creates files or folders in the user directory

      • EQNEDT32.EXE (PID: 3856)
    • Reads the machine GUID from the registry

      • EQNEDT32.EXE (PID: 3856)
    • Reads the software policy settings

      • EQNEDT32.EXE (PID: 3856)
    • Checks proxy server information

      • EQNEDT32.EXE (PID: 3856)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlsx | Excel Microsoft Office Open XML Format document (61.2)
.zip | Open Packaging Conventions container (31.5)
.zip | ZIP compressed archive (7.2)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2020:07:06 15:10:32
ZipCRC: 0xb8d5b71e
ZipCompressedSize: 398
ZipUncompressedSize: 1777
ZipFileName: [Content_Types].xml

XML

Application: Microsoft Excel
DocSecurity: None
ScaleCrop: No
HeadingPairs:
  • Worksheets
  • 3
TitlesOfParts:
  • Sheet1
  • Sheet2
  • Sheet3
Company: -
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
AppVersion: 14.03
LastModifiedBy: -
CreateDate: 2006:09:16 00:00:00Z
ModifyDate: 2020:07:06 09:55:30Z

XMP

Creator: -
No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process chain: excel.exe → eqnedt32.exe (interactive graph available in the full report)

Process information

PID: 2840
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\excel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3856
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
Modules
Images
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events: 13 811
Read events: 13 464
Write events: 200
Delete events: 147

Modification events

All recorded modification events come from (PID) Process: (2840) EXCEL.EXE, Operation: write, on the key HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

Name | Value
1042 | Off
1055 | Off
1033 | On
1046 | On
1036 | On
1031 | On
1040 | On
1041 | On
1049 | On
3082 | On
Executable files: 1
Suspicious files: 7
Text files: 1
Unknown types: 0

Dropped files

PID 2840, EXCEL.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR1875.tmp.cvr
MD5:
SHA256:

PID 2840, EXCEL.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Puchase Inquiry.xlsx#877032168.xlsx.LNK
Type: binary
MD5: 6EC4BBB947BA95CDCA3280FD6A70DA30
SHA256: 452B2AA24B8178F9A630820A3F2F04FE63D718129AF31C0BEBE960680A98A225

PID 3856, EQNEDT32.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\iHLbYuVCJh03yVY[1].htm
Type: html
MD5: B91407CFAFFB51655CFBFEC792401D59
SHA256: C7230006579D98F72DD1CD47B280F4B55241E281CC4C5A52FF1103F7815FBDA6

PID 3856, EQNEDT32.EXE
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Type: compressed
MD5: 77B20B5CD41BC6BB475CCA3F91AE6E3C
SHA256: 5511A9B9F9144ED7BDE4CCB074733B7C564D918D2A8B10D391AFC6BE5B3B1509

PID 3856, EQNEDT32.EXE
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Type: binary
MD5: 5AB540F07ABE5F96D80E9A6E113FD2F2
SHA256: F77722B028EDFFEEEC4BF802B6F0B3F78A18AC27C4C09BABA859623BD7EB2D65

PID 3856, EQNEDT32.EXE
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\11E5F2E68252C64A7E35952D754AEE6C_7006C2BF3E3407A5F1CA0AB8F5587E15
Type: binary
MD5: 75DD1262DD46756DBC036C3158282FBC
SHA256: 4598274E2293975C9C84989DEFF8AAD4525C0CFC41F19BF2EC5204FBF5C3EC21

PID 3856, EQNEDT32.EXE
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\11E5F2E68252C64A7E35952D754AEE6C_7006C2BF3E3407A5F1CA0AB8F5587E15
Type: binary
MD5: C3FCE37F743FF2EB61C7F8943B9720A3
SHA256: EB556EA3DF939EF82C11E8117E2C6B9C8A6552CD04FA39D1347E3881352AF4E9

PID 3856, EQNEDT32.EXE
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Type: binary
MD5: E192462F281446B5D1500D474FBACC4B
SHA256: F1BA9F1B63C447682EBF9DE956D0DA2A027B1B779ABEF9522D347D3479139A60

PID 3856, EQNEDT32.EXE
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Type: binary
MD5: 7B2D4FF8FA6FE29D9DEBD8BA2CC1C5F0
SHA256: B69FF6924A96942CD6149D95FF083A635E2FBCFCD31FC7BBFEDDEC60D425BBFD

PID 2840, EXCEL.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Type: text
MD5: A21900D09AF8FE4E8D5937F24A833496
SHA256: 97ED7EDECD552F235EA61B0333592669A3B0CE23ADD777617F8715FE9EAE47C8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 11
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
3856 | EQNEDT32.EXE | GET | 301 | 101.53.145.145:80 | http://yogeshcycles.com/iHLbYuVCJh03yVY.exe | unknown | unknown
3856 | EQNEDT32.EXE | GET | 200 | 69.192.161.44:80 | http://x1.c.lencr.org/ | unknown | whitelisted
3856 | EQNEDT32.EXE | GET | 200 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f93cbc25d0a70d7e | unknown | whitelisted
3856 | EQNEDT32.EXE | GET | 200 | 184.24.77.79:80 | http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgVpjXjzS%2Bja9a9Aw7vJleBA0Q%3D%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 224.0.0.252:5355 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3856 | EQNEDT32.EXE | 101.53.145.145:80 | yogeshcycles.com | 282, Sector 19 | IN | unknown
3856 | EQNEDT32.EXE | 101.53.145.145:443 | yogeshcycles.com | 282, Sector 19 | IN | unknown
3856 | EQNEDT32.EXE | 199.232.214.172:80 | ctldl.windowsupdate.com | FASTLY | US | whitelisted
3856 | EQNEDT32.EXE | 69.192.161.44:80 | x1.c.lencr.org | AKAMAI-AS | DE | whitelisted
3856 | EQNEDT32.EXE | 184.24.77.79:80 | r11.o.lencr.org | Akamai International B.V. | DE | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.181.238
whitelisted
yogeshcycles.com
  • 101.53.145.145
unknown
ctldl.windowsupdate.com
  • 199.232.214.172
  • 199.232.210.172
whitelisted
x1.c.lencr.org
  • 69.192.161.44
whitelisted
r11.o.lencr.org
  • 184.24.77.79
  • 184.24.77.74
  • 184.24.77.57
  • 184.24.77.44
  • 184.24.77.62
  • 184.24.77.48
  • 184.24.77.71
  • 184.24.77.52
whitelisted

Threats

No threats detected
No debug info