File name:

Qa_6760.xls

Full analysis: https://app.any.run/tasks/db488957-f058-4b24-80d7-4526c0322323
Verdict: No threats detected
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Malware Trends Tracker     >>>
Analysis date: May 08, 2020, 15:05:45
OS: Windows 10 Professional (build: 16299, 32 bit)
Tags:
macros
emotet-doc
emotet
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Administrator, Last Saved By: Administrator, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu May 7 11:46:25 2020, Last Saved Time/Date: Thu May 7 11:46:30 2020, Security: 0
MD5:

FE7B654418ABFA3F555F1464D3C8F147

SHA1:

873AB59DFB444DB8AA6B03B0C5BA5E5E097646C1

SHA256:

6A4F8862D2FD4AA7B9000EB379533740C86B59382E511CAB29FA90A971ED4279

SSDEEP:

3072:jWk3hbdlylKsgqopeJBWhZFGkE+cL2NdAzX9ONoVJb6ftTtHcXs08XSSdcDOXABm:Ck3hbdlylKsgqopeJBWhZFVE+W2NdAz0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3836)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

Author: Administrator
LastModifiedBy: Administrator
Software: Microsoft Excel
CreateDate: 2020:05:07 10:46:25
ModifyDate: 2020:05:07 10:46:30
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • Sheet1
  • 3jauv9X287L8tHbbt04SD8ZTauDyOZ
HeadingPairs:
  • Worksheets
  • 1
  • Excel 4.0 Macros
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Excel 2003 Worksheet
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
52
Monitored processes
1
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe

Process information

PID
CMD
Path
Indicators
Parent process
3836"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\Qa_6760.xls"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
16.0.11929.20300
Modules
Images
c:\program files\microsoft office\root\office16\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems32.dll
c:\windows\system32\combase.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll
Total events
187
Read events
145
Write events
42
Delete events
0

Modification events

(PID) Process:(3836) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:writeName:1
Value:
01E0090000000010004C4F992E03000000000000000700000000000000
(PID) Process:(3836) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(3836) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:de-de
Value:
2
(PID) Process:(3836) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:es-es
Value:
2
(PID) Process:(3836) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:fr-fr
Value:
2
(PID) Process:(3836) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:it-it
Value:
2
(PID) Process:(3836) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ja-jp
Value:
2
(PID) Process:(3836) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ko-kr
Value:
2
(PID) Process:(3836) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:pt-br
Value:
2
(PID) Process:(3836) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ru-ru
Value:
2
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
6
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1716
svchost.exe
POST
200
40.90.23.154:443
https://login.live.com/RST2.srf
US
xml
11.1 Kb
whitelisted
1716
svchost.exe
GET
200
52.109.32.27:443
https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.11929&crev=3
GB
xml
123 Kb
whitelisted
1716
svchost.exe
POST
202
52.109.76.40:443
https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v1/SDXReleaseDataPackages
IE
text
7.18 Kb
whitelisted
1716
svchost.exe
GET
200
13.107.3.128:443
https://config.edge.skype.com/config/v2/Office/excel/16.0.11929.20300/Production/CC?&Clientid=%7b082078A9-BB8F-421B-9363-C2C17BA0E563%7d&Application=excel&Platform=win32&Version=16.0.11929.20300&MsoVersion=16.0.11929.20298&Audience=Production&Build=ship&Architecture=x86&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&Channel=CC&InstallType=C2R&SessionId=%7b9CAC26A7-F274-4ECB-A879-02E17AE27E20%7d&LabMachine=false
US
text
85.9 Kb
malicious
1716
svchost.exe
POST
200
52.109.68.21:443
https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
FR
text
581 b
whitelisted
1716
svchost.exe
GET
200
2.18.232.120:443
https://fs.microsoft.com/fs/4.9/flatFontAssets.pkg
unknown
compressed
381 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.90.23.154:443
login.live.com
Microsoft Corporation
US
unknown
1668
SDXHelper.exe
52.109.76.40:443
mrodevicemgr.officeapps.live.com
Microsoft Corporation
IE
suspicious
3836
EXCEL.EXE
52.109.32.27:443
officeclient.microsoft.com
Microsoft Corporation
GB
whitelisted
52.109.68.21:443
roaming.officeapps.live.com
Microsoft Corporation
FR
whitelisted
13.107.3.128:443
config.edge.skype.com
Microsoft Corporation
US
whitelisted
2.18.232.120:443
fs.microsoft.com
Akamai International B.V.
whitelisted

DNS requests

Domain
IP
Reputation
login.live.com
  • 40.90.23.154
  • 40.90.137.126
  • 40.90.23.208
whitelisted
mrodevicemgr.officeapps.live.com
  • 52.109.76.40
whitelisted
officeclient.microsoft.com
  • 52.109.32.27
whitelisted
self.events.data.microsoft.com
  • 52.114.7.37
whitelisted
roaming.officeapps.live.com
  • 52.109.68.21
whitelisted
fs.microsoft.com
  • 2.18.232.120
whitelisted
config.edge.skype.com
  • 13.107.3.128
malicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Qa_6760.xls