File name:

sex.xls

Full analysis: https://app.any.run/tasks/656aec1f-ed26-4c96-b147-1a2476dbc3e5
Verdict: Malicious activity
Analysis date: February 22, 2020, 06:54:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
ole-embedded
macros-on-open
ta505
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: WS, Subject: ppPDo, Author: mGwGod, Last Saved By: J, Revision Number: 602, Name of Creating Application: Microsoft Excel, Total Editing Time: 13:10:00, Create Time/Date: Fri Aug 30 10:14:50 2019, Last Saved Time/Date: Fri Feb 21 11:22:43 2020, Number of Pages: 1, Number of Words: 4902, Number of Characters: 4696, Security: 0
MD5:

B5EA9BC41A943B39305FBB493216812F

SHA1:

FCA2D12B44F23FB8D582B32EE56B0B64BBB3C20E

SHA256:

6C6F773423EF4BF6FF592E4D2D4B0C2C4FA3C05F172B3BD9A2D00CF888CA9399

SSDEEP:

12288:EA0qa36YhWY3Z3QTfQqEqHF1Pq2HNSpOqbVBBxKHjExVl3cyAuXdMtB:EAjlGZAT4vqHfi0urBEHjMV1cyA7B

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • EXCEL.EXE (PID: 3448)

    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 3448)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3448)

    • Creates files in the user directory

      • EXCEL.EXE (PID: 3448)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

CompObjUserTypeLen: 25
CompObjUserType: Microsoft Forms 2.0 Form
Title: WS
Subject: ppPDo
Author: mGwGod
LastModifiedBy: J
RevisionNumber: 602
Software: Microsoft Excel
TotalEditTime: 13.2 hours
CreateDate: 2019:08:30 09:14:50
ModifyDate: 2020:02:21 11:22:43
Pages: 1
Words: 4902
Characters: 4696
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
Bytes: 63153
Lines: 221
Paragraphs: 29
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: Page2
HeadingPairs:
  • Worksheets
  • 1
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
1
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start excel.exe

Process information

PID
CMD
Path
Indicators
Parent process
3448"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
714
Read events
576
Write events
121
Delete events
17

Modification events

(PID) Process:(3448) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:writeName:=%4
Value:
3D253400780D0000010000000000000000000000
(PID) Process:(3448) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(3448) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(3448) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(3448) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(3448) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(3448) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(3448) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(3448) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(3448) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
Executable files
1
Suspicious files
3
Text files
0
Unknown types
36

Dropped files

PID
Process
Filename
Type
3448EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR71BD.tmp.cvr
MD5:
SHA256:
3448EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B29BE11F.emfemf
MD5:605F3C974CC850CB9B0F3FB45A1BB0EA
SHA256:029C1E2CDA8D9AB82F85700CBAFE5373EBCE70E5F740E4E09EBCE328DA9D205A
3448EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\29A3C894.emfemf
MD5:9FB4781FB0BDD10E636A68705FE85F93
SHA256:527A1B59121AC490954D760078A3CF7679C529CBAB4D70BC08D7DF6D108286C3
3448EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3DE732A1.emfemf
MD5:B66A05AA32740E9A15275C5BC2BF144C
SHA256:F7840EC63C8E82D8426F145932F6B5A6BDB20D02090B5D34330A1779C5358052
3448EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2850F520.emfemf
MD5:496E9F126889E7025EFE095044098672
SHA256:955556053097038D1CE582BA34E319881713D4AD3E45632EADD976500E62C7B8
3448EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\17AF48DB.emfemf
MD5:2F0611CA745C318450034721515B3AE0
SHA256:37BAA0A1CE26E4F38684229F57F364048CB677DC3F105B19AB8975CFF32D5E5D
3448EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E56B3019.emfemf
MD5:EA44EBE0E67D26FA09663A382EC99532
SHA256:683604D042D2EFF4366CA004C5C5F0A134120292E094996EDD8EFF571DE76A35
3448EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16B4A15A.emfemf
MD5:958478837FB2BAFDBC7024C01C6BCF43
SHA256:C7F967BF1D85A65B87BD1141AA746A36FDE949C954A27913116CB8A0DBF0DEFA
3448EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\49044278.emfemf
MD5:9EE26F85695C3C88A26D0ED69F664FF2
SHA256:BCE47AC892888B7B0BC78A7B5A6E4A98201B584C27A6E3E0E27C8E4201DE294A
3448EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E1400D93.emfemf
MD5:7B6DC1C3409F7F6E6DE5A6244769CDEF
SHA256:72F50541A03905AC060D0B764480D325E33EC6C79840AA69094D0A3534152AB0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

Domain
IP
Reputation
microsoft-ware.com
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
sex.xls