Field | Value |
---|---|
File name | Book1.xlsm |
Full analysis | https://app.any.run/tasks/5e3758bb-6865-4d90-8359-4e2175f78be1 |
Verdict | Malicious activity |
Analysis date | December 06, 2019, 12:03:01 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | |
MIME | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
File info | Microsoft Excel 2007+ |
MD5 | 68887D2BFEB8FAE9F732FD0DC9187096 |
SHA1 | 0916AF22969A04A6F7DC7C1ED54D1942F95A9983 |
SHA256 | 3312BF691C7DEC5230893C3E2A368DEC04B51E58CB9112A120894854A92610C5 |
SSDEEP | 96:1jiB9WRlgOq4EEwy8CpSAdHOdx7MyGaP9Ul+c6+du8jf6UWTVUwhzQu+8x+ac39A:+41lzXpS0tZaFUlbVvevUqz94lv3G |
Extension | File type identification (score) |
---|---|
.xlsx | Excel Microsoft Office Open XML Format document (61.2) |
.zip | Open Packaging Conventions container (31.5) |
.zip | ZIP compressed archive (7.2) |
ZIP field | Value |
---|---|
ZipRequiredVersion | 20 |
ZipBitFlag | 0x0006 |
ZipCompression | Deflated |
ZipModifyDate | 1980:01:01 00:00:00 |
ZipCRC | 0x853fee1f |
ZipCompressedSize | 365 |
ZipUncompressedSize | 1113 |
ZipFileName | [Content_Types].xml |
Document property | Value |
---|---|
Creator | Van Bockhaven, Cedric |
LastModifiedBy | Van Bockhaven, Cedric |
CreateDate | 2019:12:06 11:35:58Z |
ModifyDate | 2019:12:06 11:38:09Z |
Application | Microsoft Excel |
DocSecurity | None |
ScaleCrop | No |
HeadingPairs | |
TitlesOfParts | |
Company | - |
LinksUpToDate | No |
SharedDoc | No |
HyperlinksChanged | No |
AppVersion | 16.03 |
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
---|---|---|---|---|---|---|---|---|---|---|
2168 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Excel | 0 | 14.0.6024.1000 |
3624 | calc.exe | C:\Windows\system32\calc.exe | — | EXCEL.EXE | admin | Microsoft Corporation | MEDIUM | Windows Calculator | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2168 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRA831.tmp.cvr | — | — | — |
2168 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\query[1].asmx | — | — | — |
2168 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~$Book1.xlsm | — | — | — |
2168 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\786b7d3a5372048de949b5ce333fe46e.xml | xml | 357F63BF715256FDC194C28280FC47BC | C1AB3707906F1F48771F1CBE2A8AA73BFB4746DB78B6586AA5799054E80E8D3A |
2168 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\786b7d3a5372048de949b5ce333fe46e.sig | binary | F6C02FDEF6D52EA6C39EE51FCA5E0492 | 7F1CD92C9991CD5ABD64425B655D1B3627749857E029418E3EAB7B8BEFF36310 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2168 | EXCEL.EXE | GET | 200 | 52.109.32.27:80 | http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={538F6C89-2AD5-4006-8154-C6670774E980}&build=14.0.6023 | GB | xml | 1.99 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2168 | EXCEL.EXE | 52.109.32.27:80 | office14client.microsoft.com | Microsoft Corporation | GB | whitelisted |
2168 | EXCEL.EXE | 52.109.120.28:443 | rr.office.microsoft.com | Microsoft Corporation | HK | whitelisted |
Domain | IP | Reputation |
---|---|---|
office14client.microsoft.com | | whitelisted |
rr.office.microsoft.com | | whitelisted |