File name: Payslip2.xlsx
Full analysis: https://app.any.run/tasks/fd693026-5f72-4162-a847-05b46278ab4c
Verdict: Malicious activity
Analysis date: January 23, 2019, 08:54:41
OS: Windows 10 Professional (build: 16299, 64 bit)
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5: DB3539E70754686200DCD5D462F43439
SHA1: 60A7EBD3C3E0C1395005D0C1E1C4D84E9FAA886C
SHA256: 6FFE642E17FBF6D81837A98FE1A43C0549F9FBE3D8D14819874ABF63710473ED
SSDEEP: 96:FmzZ0lRLYi2mzE69pKr5JxGO1PND4JU1L1/l28kJQ408TViCE2:FC0lRLYi2mY692xGO9ND4e1Lhl2lJQ4N

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Starts CMD.EXE for commands execution
      • EXCEL.EXE (PID: 2644)
    • Unusual execution from Microsoft Office
      • EXCEL.EXE (PID: 2644)
  • SUSPICIOUS
    • Unusual connect from Microsoft Office
      • EXCEL.EXE (PID: 2644)
  • INFO
    • Reads the machine GUID from the registry
      • EXCEL.EXE (PID: 2644)
    • Creates files in the user directory
      • EXCEL.EXE (PID: 2644)
    • Reads Microsoft Office registry keys
      • EXCEL.EXE (PID: 2644)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No malware configuration.

TRiD

.xlsx | Excel Microsoft Office Open XML Format document (61.2)
.zip | Open Packaging Conventions container (31.5)
.zip | ZIP compressed archive (7.2)

EXIF

XMP

Creator: openpyxl

XML

LastModifiedBy: Пользователь Microsoft Office
ModifyDate: 2019:01:22 17:51:49Z
CreateDate: 2015:06:05 18:19:34Z
AppVersion: 2.5
Application: Microsoft Excel

ZIP

ZipFileName: _rels/.rels
ZipUncompressedSize: 531
ZipCompressedSize: 192
ZipCRC: 0x03cf231f
ZipModifyDate: 2019:01:22 21:07:25
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 90
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process chain: start -> excel.exe -> cmd.exe (no specs) -> conhost.exe

Process information

PID 2644: EXCEL.EXE
CMD: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\Payslip2.xlsx"
Path: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Exit code: 0
Version: 16.0.6741.2048

PID 1868: CMD.EXE
CMD: CMD.EXE /c REM.&&@p^o^w^e^r^s^h^e^l^l^|^|c:/*/*2/?al?.?x?"
Path: C:\WINDOWS\SYSTEM32\CMD.EXE
Parent process: EXCEL.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.16299.15 (WinBuild.160101.0800)

PID 5548: conhost.exe
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\WINDOWS\system32\conhost.exe
Parent process: CMD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.16299.15 (WinBuild.160101.0800)
Total events: 1 655
Read events: 1 294
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 2
Text files: 3
Unknown types: 4

Dropped files

PID | Process | Filename | Type

2644 | EXCEL.EXE | C:\Users\admin\Desktop\~$Payslip2.xlsx | -
MD5: -
SHA256: -

2644 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4 | der
MD5: CCED2F374436C6F7942F3D303561B177
SHA256: D19154C8EE3E18C98C2F3E1C38ADB03513C7BCA42D34A04D469283CF7302CE12

2644 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text
MD5: 9C08FEC36A4D52E03B8AE2CCCB23AD4B
SHA256: 2D0DE006D6C4C651E057F53D9F2E6447C847AECF9C8D3A004051A259A4DF3FB3

2644 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\{85DB8E1E-3344-44A5-A3A4-051BFA11AB08} (0) - 2644 - excel.exe - OTele.dat | pgc
MD5: 87D374A66312FC8FFBDDC70AC92CB131
SHA256: A6A09A06D57D3874C9E569138C338344FB4353A6B4369562E0FB19984072A104

2644 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Payslip2.xlsx.LNK | lnk
MD5: 82003972C1CF61A8D003B4A907B6FF0B
SHA256: E49E1E599C2D1BDE6C46910339D692252D44815F80EE6A3AE70AA35F9A8341F4

2644 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4 | binary
MD5: 7DCB65F8409B85FF258CB99324806417
SHA256: B15A32A7BE8A2059B52DEB75AF1369263931831669B145C23F87D8670F0CBF34

2644 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml | xml
MD5: 8124E024C16F02A46FAB3B156031A5B6
SHA256: 13709C86B463C91550A32CD89AC30DD68016DFF379017181DC06337511AD18BB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 11
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2644 | EXCEL.EXE | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D | US | der | 471 b | whitelisted
2328 | svchost.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?ec1013f96dba2e9b | US | - | - | whitelisted
2328 | svchost.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 471 b | whitelisted
2328 | svchost.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D | US | der | 471 b | whitelisted
2328 | svchost.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D | US | der | 471 b | whitelisted
2328 | svchost.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?16f570c0217bf5f6 | US | - | - | whitelisted
2328 | svchost.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?986b7c10856ac7b0 | US | compressed | 55.2 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2644 | EXCEL.EXE | 13.107.5.88:443 | ocos-office365-s2s.msedge.net | Microsoft Corporation | US | whitelisted
2644 | EXCEL.EXE | 52.109.88.40:443 | nexus.officeapps.live.com | Microsoft Corporation | NL | whitelisted
2644 | EXCEL.EXE | 52.109.8.19:443 | nexusrules.officeapps.live.com | Microsoft Corporation | US | whitelisted
2644 | EXCEL.EXE | 52.109.32.23:443 | roaming.officeapps.live.com | Microsoft Corporation | GB | whitelisted
2644 | EXCEL.EXE | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2644 | EXCEL.EXE | 52.109.76.5:443 | odc.officeapps.live.com | Microsoft Corporation | IE | whitelisted
2328 | svchost.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2328 | svchost.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
- | - | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted

DNS requests

Domain | IP | Reputation
ocos-office365-s2s.msedge.net | 13.107.5.88 | whitelisted
roaming.officeapps.live.com | 52.109.32.23 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
odc.officeapps.live.com | 52.109.76.5 | whitelisted
nexus.officeapps.live.com | 52.109.88.40 | whitelisted
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
nexusrules.officeapps.live.com | 52.109.8.19 | whitelisted

Threats

No threats detected
No debug info