File name: 03092024114503092024MeetingProposal.xls

Full analysis: https://app.any.run/tasks/5f0d2966-0d4c-4134-a3fa-d326252f63f9
Verdict: Malicious activity
Analysis date: September 03, 2024, 13:24:47
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: phishing, phish-doc
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 00:00:00 2006, Last Saved Time/Date: Tue Sep 3 00:26:09 2024, Security: 1
MD5: 28B84C2426E3A0DB326DAE6608F86AA3
SHA1: 74FB6525929C35706D698ABD8DE6A16B486F0BEC
SHA256: 5C4A9AB74DA86198EB353488E363A3573DE1861FC51DEAF61EFBC0C804F2DBF6
SSDEEP: 6144:JrQU4f/kjNxi2T3yeATUb1jvcMcPHKPxbgRK:JrQU492T3PATq1jvIHwx0RK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Phishing document has been detected
      • EXCEL.EXE (PID: 4444)
  • SUSPICIOUS
    • No suspicious indicators.
  • INFO
    • The process uses the downloaded file
      • EXCEL.EXE (PID: 4444)
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

Author: -
LastModifiedBy: -
Software: Microsoft Excel
CreateDate: 2006:09:16 00:00:00
ModifyDate: 2024:09:03 00:26:09
Security: Password protected
CodePage: Windows Latin 1 (Western European)
AppVersion: 12
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • Sheet1
  • Sheet2
  • Sheet3
HeadingPairs:
  • Worksheets
  • 3
CompObjUserTypeLen: 38
CompObjUserType: Microsoft Office Excel 2003 Worksheet
All screenshots are available in the full report
Total processes: 127
Monitored processes: 1
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start excel.exe

Process information

PID | CMD | Path | Indicators | Parent process
4444 | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" C:\Users\admin\Desktop\03092024114503092024MeetingProposal.xls | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | | explorer.exe

User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Version: 16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\excel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
Total events: 12 882
Read events: 12 624
Write events: 237
Delete events: 21

Modification events

(PID) Process | Key | Operation | Name | Value
(4444) EXCEL.EXE | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling | write | 1 | 01D014000000001000B24E9A3E02000000000000000600000000000000
(4444) EXCEL.EXE | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\4444 | write | 0 | 0B0E101F3E61B262EAC041B6A9BA53AE4865C9230046F6DDB995CBC0BFED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511DC22D2120965007800630065006C002E00650078006500C51620C517808004C91808323231322D44656300
(4444) EXCEL.EXE | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | write | en-US | 2
(4444) EXCEL.EXE | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | write | de-de | 2
(4444) EXCEL.EXE | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | write | fr-fr | 2
(4444) EXCEL.EXE | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | write | es-es | 2
(4444) EXCEL.EXE | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | write | it-it | 2
(4444) EXCEL.EXE | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | write | ja-jp | 2
(4444) EXCEL.EXE | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | write | ko-kr | 2
(4444) EXCEL.EXE | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | write | pt-br | 2
Executable files: 0
Suspicious files: 12
Text files: 5
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4444 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\03092024114503092024MeetingProposal.xls.LNK | lnk
  MD5: B3B073003261BF24AAE4D99E4A9BFA25
  SHA256: 519C47F7FB2D7B30299B94BAE5C049973C8405A4EA2367E5A3F96C25EE3D9BD6
4444 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | ini
  MD5: BBB1488CFF6DC8FC93C503EA5969B9BE
  SHA256: 28A17EE59ECCE48C9B0118EF4D5291CD1F27634ABE258D6967E8306B164ABCA6
4444 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms~RF1319b5.TMP | binary
  MD5: 4FCB2A3EE025E4A10D21E1B154873FE2
  SHA256: 90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228
4444 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml | text
  MD5: 6E777ED8A64C8D314E44C19C1AB6A99A
  SHA256: 5635FA87DC677DF7B62C190853B41088759C1A5B765C413F6D67142B3B342FBC
4444 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K7YBD9W6W26JAPU8MMEB.temp | binary
  MD5: 4FCB2A3EE025E4A10D21E1B154873FE2
  SHA256: 90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228
4444 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres | binary
  MD5: 301727E535F8A509D619A3463518E7DF
  SHA256: D8E0940E5766A8A94075942FA0FD95BBE7FBF8EDF9BA1F677848155FB2C699B1
4444 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\SmartLookupCache\dictionary_words_bloom_filter.data | binary
  MD5: A4AF96BCD3EE55F0CB99B37C806A82A5
  SHA256: 1BE6D822C31EDC308903E04B986F13388B216DB44019E2BCC3C060284B480BA6
4444 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A10IJ1CIUAKZQPA4FVL1.temp | binary
  MD5: E4A1661C2C886EBB688DEC494532431C
  SHA256: B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
4444 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms | binary
  MD5: 4FCB2A3EE025E4A10D21E1B154873FE2
  SHA256: 90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228
4444 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\SmartLookupCache\microsoft.office.smartlookup.ssr.jss |
  MD5: 0E418555CDAC2691C22284A0297A6131
  SHA256: ED15C4C8853E0295104F1396CD51BF638357CEE1FA8CAF2934E9AAEE3C87073C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 11
TCP/UDP connections: 22
DNS requests: 10
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
| | HEAD | 200 | 2.18.160.41:443 | https://uci.cdn.office.net/mirrored/smartlookup/current/version.json | unknown | | | unknown
| | GET | 200 | 52.109.89.18:443 | https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3 | unknown | xml | 172 Kb | unknown
| | POST | 200 | 20.44.10.123:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | unknown
| | GET | 200 | 52.111.243.8:443 | https://messaging.lifecycle.office.com/getcustommessage16?app=1&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.16026&lc=en-US&platform=10%3A0%3A19045%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA720%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7BB2613E1F-EA62-41C0-B6A9-BA53AE4865C9%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofsh6c2b1tla1a31%2Cofcrui4yvdulbf31%2Cofhpex3jznepoo31%2Cofpioygfqmufst31%2Cofaa1msspvo2xw31%22%7D | unknown | text | 542 b | unknown
| | OPTIONS | 400 | 2.18.160.41:443 | https://uci.cdn.office.net/mirrored/smartlookup/current/ | unknown | xml | 297 b | unknown
| | GET | 200 | 2.18.160.41:443 | https://uci.cdn.office.net/mirrored/smartlookup/current/main_ssr.html | unknown | html | 396 Kb | unknown
| | GET | 200 | 52.113.194.132:443 | https://ecs.office.com/config/v2/Office/excel/16.0.16026.20146/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=excel&Platform=win32&Version=16.0.16026.20146&MsoVersion=16.0.16026.20002&SDX=fa000000002.2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&ProcessName=excel.exe&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7bB2613E1F-EA62-41C0-B6A9-BA53AE4865C9%7d&LabMachine=false | unknown | text | 370 Kb | unknown
2120 | MoUsoCoreWorker.exe | GET | 200 | 2.18.160.41:443 | https://uci.cdn.office.net/mirrored/smartlookup/current/scripts/microsoft.office.smartlookup.ssr.js | unknown | text | 2.50 Mb | unknown
| | GET | 200 | 2.18.160.41:443 | https://uci.cdn.office.net/mirrored/smartlookup/current/dictionary_words_bloom_filter.data | unknown | binary | 117 Kb | unknown
| | GET | 200 | 2.18.160.41:443 | https://uci.cdn.office.net/mirrored/smartlookup/current/version.json | unknown | binary | 78 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4760 | svchost.exe | 20.72.205.209:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
| | 192.168.100.255:138 | | | | whitelisted
6280 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
4760 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4324 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4760 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4444 | EXCEL.EXE | 52.109.76.240:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.72.205.209, 40.127.240.158, 4.231.128.59, 51.124.78.146 | whitelisted
google.com | 216.58.206.78 | whitelisted
officeclient.microsoft.com | 52.109.76.240 | whitelisted
ecs.office.com | 52.113.194.132 | whitelisted
messaging.lifecycle.office.com | 52.111.243.8 | whitelisted
self.events.data.microsoft.com | 20.44.10.123 | whitelisted
uci.cdn.office.net | 23.212.88.34 | whitelisted

Threats

No threats detected
No debug info