File name:

documento1_82.xls

Full analysis: https://app.any.run/tasks/a0670893-f1a0-46a2-b992-4316809eb72b
Verdict: Malicious activity
Analysis date: October 20, 2020, 11:50:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: SbnQjOmFeFQKc, Last Saved By: administrator, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Oct 20 05:51:55 2020, Last Saved Time/Date: Tue Oct 20 06:01:36 2020, Security: 1
MD5:

65B3763463C22CFF9FB3FC7FF8D69E53

SHA1:

AA88D18BF360C9A35E33C6A4D40C44D69CE27C8F

SHA256:

5D1318A607EE08BE77BF9CE071F9F09052BBC81CDB5DE19A8AC50B911FFF3A89

SSDEEP:

3072:IxLSSEYIi589g0JyKSVTIdsLMz3wDAck1TvVzEuCfhaIdUoOUzxUVHADih98wVkX:oWyIM89gkyK4L8vvZbCptUoFzxaFfet

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Requests a remote executable file from MS Office

      • EXCEL.EXE (PID: 2132)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2132)

  • SUSPICIOUS

    • Uses RUNDLL32.EXE to load library

      • EXCEL.EXE (PID: 2132)

  • INFO

    • Creates files in the user directory

      • EXCEL.EXE (PID: 2132)

    • Reads Internet Cache Settings

      • EXCEL.EXE (PID: 2132)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2132)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

Author: SbnQjOmFeFQKc
LastModifiedBy: administrator
Software: Microsoft Excel
CreateDate: 2020:10:20 04:51:55
ModifyDate: 2020:10:20 05:01:36
Security: Password protected
CodePage: Windows Latin 1 (Western European)
Company: -
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • lOSgcMZyy
  • Foglio2
  • Foglio3
  • Foglio4
  • Foglio5
  • Foglio6
  • Foglio7
  • Foglio8
  • Foglio9
  • Foglio10
  • Foglio11
  • Foglio12
  • Foglio13
  • Foglio14
  • Foglio15
  • Foglio16
  • Foglio17
  • Foglio18
  • Foglio19
  • Sheet1
  • GC
HeadingPairs:
  • Fogli di lavoro
  • 20
  • Macro di Excel 4.0
  • 1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2132"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3952"C:\Windows\System32\rundll32.exe" qOJmoVb.dll,DllRegisterServerC:\Windows\System32\rundll32.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imagehlp.dll
Total events
550
Read events
495
Write events
44
Delete events
11

Modification events

(PID) Process:(2132) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:writeName:d95
Value:
6439350054080000010000000000000000000000
(PID) Process:(2132) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2132) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(2132) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(2132) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(2132) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(2132) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(2132) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(2132) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(2132) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
Executable files
0
Suspicious files
0
Text files
2
Unknown types
2

Dropped files

PID
Process
Filename
Type
2132EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR4134.tmp.cvr
MD5:
SHA256:
2132EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\documento1_82.xls.LNKlnk
MD5:
SHA256:
2132EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2132
EXCEL.EXE
GET
176.32.32.16:80
http://linksystems.bar/installa.dll
RU
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2132
EXCEL.EXE
176.32.32.16:80
linksystems.bar
LLC Baxet
RU
suspicious

DNS requests

Domain
IP
Reputation
linksystems.bar
  • 176.32.32.16
suspicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
documento1_82.xls