File name: invoice.xls
Full analysis: https://app.any.run/tasks/c2b2b87a-dbe6-43c0-9de3-b30c172e58b6
Verdict: Malicious activity
Analysis date: November 30, 2020, 04:09:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, macros40
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: jjsV, Last Saved By: Administrator, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Nov 27 13:35:21 2020, Last Saved Time/Date: Fri Nov 27 13:35:22 2020, Security: 0
MD5: 222988B7A4A6E84B3AAB4DEE83F8D99D
SHA1: DDB10FD5AFB16BDC8DECCA695E545520DEF2B755
SHA256: 4D0D330F1E2B24C3A404CC3C585AEB417D96E9749FA72A85FB615E79408DDF6F
SSDEEP: 768:dPqNk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJVHKN5xE7lgGSWNrmpZSvv:Vok3hbdlylKsgqopeJBWhZFGkE+cL2NS

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report can therefore be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office: EXCEL.EXE (PID: 2584)
  • SUSPICIOUS
    • Uses RUNDLL32.EXE to load library: EXCEL.EXE (PID: 2584)
  • INFO
    • Reads Microsoft Office registry keys: EXCEL.EXE (PID: 2584)
    • Creates files in the user directory: EXCEL.EXE (PID: 2584)
No Malware configuration.

TRiD: .xls | Microsoft Excel sheet (78.9%)
EXIF (FlashPix group)

Author: jjsV
LastModifiedBy: Administrator
Software: Microsoft Excel
CreateDate: 2020:11:27 13:35:21
ModifyDate: 2020:11:27 13:35:22
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: Sheet1, rPtKmOF
HeadingPairs: Worksheets (1), Excel 4.0 Macros (1)

HeadingPairs records one ordinary worksheet and one Excel 4.0 (XLM) macro sheet; matched in order against TitleOfParts, Sheet1 is the worksheet and rPtKmOF the macro sheet. This document-summary metadata is the static artifact consistent with the macros40 tag above, and it is visible without opening the workbook.
Total processes: 36
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> excel.exe -> rundll32.exe

Process information

PID: 2584
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Microsoft Excel
Version: 14.0.6024.1000

PID: 1840
CMD: "C:\Windows\system32\rundll32.exe" C:\Users\Public\Documents\SNGF7o.txt,DllRegisterServer
Path: C:\Windows\system32\rundll32.exe
Parent process: EXCEL.EXE (PID 2584)
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
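The second process is the point of the whole sample: Excel hands rundll32 a file with a .txt extension in C:\Users\Public\Documents and asks for its DllRegisterServer export (the entry point regsvr32 would call). rundll32 passes the module path to LoadLibrary as given, so the extension is cosmetic and the file is loaded as a DLL; note that SNGF7o.txt does not appear in the dropped-files list further down and "Executable files" is 0, so recovering it needs the full report. The following is an added example, not part of the ANY.RUN report: a small triage routine over constructed Sysmon-style process-creation records (the field names Image, CommandLine and ParentImage are assumed). The first record reproduces the command lines above; the other two are made up for contrast, one benign Control Panel launch and one real .dll from %TEMP% started by Word.

```python
"""Flag rundll32.exe launches of the kind recorded above: an Office parent
running rundll32 against a non-library file in a user-writable directory.
Events are constructed Sysmon-style records; the first one reproduces the
command lines from this report, the others are made up for contrast."""
import ntpath

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LIBRARY_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}
# Path fragments an unprivileged user can normally write to (matched case-insensitively).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\appdata\\", "\\temp\\", "\\public\\")

EVENTS = [
    {   # exactly the process pair in this report (PID 2584 -> PID 1840)
        "Image": r"C:\Windows\system32\rundll32.exe",
        "CommandLine": r'"C:\Windows\system32\rundll32.exe" C:\Users\Public\Documents\SNGF7o.txt,DllRegisterServer',
        "ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
    },
    {   # constructed: a routine Control Panel launch from the shell
        "Image": r"C:\Windows\system32\rundll32.exe",
        "CommandLine": r'"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # constructed: a real .dll, but from %TEMP% and spawned by Word
        "Image": r"C:\Windows\SysWOW64\rundll32.exe",
        "CommandLine": r'rundll32.exe "C:\Users\admin\AppData\Local\Temp\upd.dll",Start',
        "ParentImage": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
    },
]


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    tokens, current, quoted = [], "", False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if current:
                tokens.append(current)
                current = ""
        else:
            current += ch
    if current:
        tokens.append(current)
    return tokens


def parse_rundll32(cmdline):
    """Return (module, entrypoint) from 'rundll32.exe <module>,<entrypoint> [args]',
    or (None, None) if the command line is not a rundll32 invocation."""
    tokens = split_cmdline(cmdline)
    if len(tokens) < 2 or ntpath.basename(tokens[0]).lower() != "rundll32.exe":
        return None, None
    module, _, entrypoint = tokens[1].partition(",")
    return module, entrypoint


def triage(event):
    """Return the reasons this event looks like rundll32 proxy execution (empty list if none)."""
    module, entrypoint = parse_rundll32(event["CommandLine"])
    if module is None:
        return []
    reasons = []
    ext = ntpath.splitext(module)[1].lower()
    if ext not in LIBRARY_EXTENSIONS:
        # rundll32 hands the path to LoadLibrary unchanged; the extension is cosmetic
        reasons.append(f"module extension {ext or '(none)'} is not a library extension")
    if any(frag in module.lower() for frag in USER_WRITABLE):
        reasons.append("module is in a user-writable directory")
    parent = ntpath.basename(event["ParentImage"]).lower()
    if parent in OFFICE_PARENTS:
        reasons.append(f"launched by Office process {parent}")
    return reasons


def flagged(events=EVENTS):
    """(command line, reasons) for every event that triggers at least one reason."""
    return [(e["CommandLine"], triage(e)) for e in events if triage(e)]


if __name__ == "__main__":
    for cmd, why in flagged():
        print(cmd)
        for reason in why:
            print("   -", reason)
```

The reasons are kept separate rather than collapsed into one score so that a hunt query can be tuned per signal: the non-library extension alone is rare enough to alert on, while "Office parent" on its own is noisy in environments where add-ins legitimately use rundll32.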
Total events: 650
Read events: 581
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 0
Suspicious files: 10
Text files: 5
Unknown types: 5

Dropped files

PID | Process | Filename | Type

2584 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR3458.tmp.cvr | (not recorded)
MD5: (not recorded)
SHA256: (not recorded)

2584 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\Cab6A0F.tmp | (not recorded)
MD5: (not recorded)
SHA256: (not recorded)

2584 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\Tar6A10.tmp | (not recorded)
MD5: (not recorded)
SHA256: (not recorded)

2584 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF0C746C630C62C010.TMP | (not recorded)
MD5: (not recorded)
SHA256: (not recorded)

2584 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_7C1C45A209E1552633930171FD75B297 | der
MD5: 8CF610751B51A57A50DB5B565777EF3C
SHA256: D467D24E754EAC9D11BE07C431E0CB25C8AB42F4108DEEF251E1FEB0946C4B75

2584 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4 | binary
MD5: C2F010D45B6BFECCAEAA2A0118DF0197
SHA256: 618B166CABA332F3CE6453026E68B08CDC7D5688437058E1383749B697AAACA3

2584 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B | binary
MD5: F22FF2B5750F5171965B896A4FC89A58
SHA256: C3EC09CAAB06BD263A6712BA621FB769B0CA6CB1B661CEFD3A12D1DF8FB1DA71

2584 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_7C1C45A209E1552633930171FD75B297 | binary
MD5: 661E59247721952E0FE866F0571A9B08
SHA256: F9B69C69CAD3AE38CDE2CF72E76D9B52ABF159D4445ACF8FD57159E56A330654

2584 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\RIO5ZQGM.txt | text
MD5: EB5577C25761E2960EF96FB4EED863AF
SHA256: 2AC0A3780E078518889CB319B093EBADBA4588B95CFDB2F637649AA53EACA3C5

2584 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_00822B812F3071D0A5AB02FB7D4F1DF9 | binary
MD5: 98B6175CEC6F72C7FDE0488F0E931CBB
SHA256: BDDEAD898ADC6398DDE560E9FF3DEA0E8CAFA42D895CFAE897DEE03F21813BF9
HTTP(S) requests: 5
TCP/UDP connections: 7
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
2584 | EXCEL.EXE | GET | 200 | 172.217.18.99:80 | http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQD76E8xQFZstgIAAAAAgFWS | US | der | 472 b | whitelisted
2584 | EXCEL.EXE | GET | 200 | 172.217.18.99:80 | http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDliVAU%2F6ZWzwIAAAAAgFX%2B | US | der | 472 b | whitelisted
2584 | EXCEL.EXE | GET | 200 | 172.217.18.99:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted
2584 | EXCEL.EXE | GET | 200 | 192.35.177.64:80 | http://crl.identrust.com/DSTROOTCAX3CRL.crl | US | der | 1.16 Kb | whitelisted
2584 | EXCEL.EXE | GET | 200 | 23.55.163.61:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | US | der | 1.37 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2584 | EXCEL.EXE | 23.55.163.71:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | US | suspicious
2584 | EXCEL.EXE | 70.32.23.26:443 | corlatina.edu.co | A2 Hosting, Inc. | US | malicious
2584 | EXCEL.EXE | 192.35.177.64:80 | crl.identrust.com | IdenTrust | US | malicious
2584 | EXCEL.EXE | 172.217.12.142:443 | google.com | Google Inc. | US | whitelisted
2584 | EXCEL.EXE | 172.217.18.99:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
2584 | EXCEL.EXE | 23.55.163.61:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | US | unknown
2584 | EXCEL.EXE | 172.217.22.36:443 | www.google.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
corlatina.edu.co | 70.32.23.26 | unknown
isrg.trustid.ocsp.identrust.com | 23.55.163.71, 23.55.163.61 | whitelisted
crl.identrust.com | 192.35.177.64 | whitelisted
google.com | 172.217.12.142 | whitelisted
ocsp.pki.goog | 172.217.18.99 | whitelisted
www.google.com | 172.217.22.36 | whitelisted

Threats

No threats detected
No debug info