File name: ORDER SHEET.xlsm
Full analysis: https://app.any.run/tasks/85def6fe-9137-45b0-a4b5-cbf7b2e612a5
Verdict: Malicious activity
Analysis date: January 12, 2025, 07:06:49
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: phishing, phish-doc
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5: 7CCF88C0BBE3B29BF19D877C4596A8D4
SHA1: 23F0506D857D38C3CD5354B80AFC725B5F034744
SHA256: 7BCD31BD41686C32663C7CABF42B18C50399E3B3B4533FC2FF002D9F2E058813
SSDEEP: 1536:Hhh3S1cLkPROxXYvoYIZCMMV2ZX0nIcjELcE3E:0cCOxtYIEbsX0n98E

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Phishing document has been detected

      • EXCEL.EXE (PID: 6384)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • The process uses the downloaded file

      • EXCEL.EXE (PID: 6384)
No Malware configuration.

TRiD

.xlsm | Excel Microsoft Office Open XML Format document (with Macro) (45.9)
.xlsx | Excel Microsoft Office Open XML Format document (27.1)
.zip | Open Packaging Conventions container (13.9)
.ubox | Universe Sandbox simulation (9.6)
.zip | ZIP compressed archive (3.1)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2021:01:28 11:55:34
ZipCRC: 0xcdc0e5bf
ZipCompressedSize: 427
ZipUncompressedSize: 1789
ZipFileName: [Content_Types].xml

XML

Application: Microsoft Excel
DocSecurity: None
ScaleCrop: No
HeadingPairs:
  • Worksheets
  • 3
TitlesOfParts:
  • Sheet1
  • Sheet2
  • Sheet3
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
AppVersion: 12
LastModifiedBy: Windows
CreateDate: 2020:02:01 18:28:07Z
ModifyDate: 2020:02:01 18:32:27Z

XMP

Creator: Windows
No data.
All screenshots are available in the full report
Total processes: 126
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start excel.exe

Process information

PID: 6384
CMD: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\AppData\Local\Temp\ORDER SHEET.xlsm.xlsx"
Path: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Indicators: none listed
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Version: 16.0.16026.20146
Modules (images):
c:\program files\microsoft office\root\office16\excel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
Total events: 43 676
Read events: 23 921
Write events: 19 663
Delete events: 92

Modification events

Process: (6384) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\6384
Operation: write
Name: 0
Value: 0B0E10221C37B116B4EA4593E576DAB832A17823004696A8DEBD8998D9ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511F031D2120965007800630065006C002E00650078006500C51620C517808004C91808323231322D44656300

Process: (6384) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write (nine values written under this key, listed as Name: Value)
en-US: 2
de-de: 2
fr-fr: 2
es-es: 2
it-it: 2
ja-jp: 2
ko-kr: 2
pt-br: 2
ru-ru: 2
Executable files: 0
Suspicious files: 17
Text files: 11
Unknown types: 0

Dropped files

PID | Process | Filename | Type

6384 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~$ORDER SHEET.xlsm.xlsx | binary
MD5: 21E5D64E6DD2C94C577A61B0A25DE7A4
SHA256: 657F0604A7C1F6CFDC4E8A224F59BD6E1900A4A4DD8B3F61A20F67DEBE41F209

6384 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | binary
MD5: E66BC4CC4164D935592F04C2B3D86662
SHA256: AE24B2FFE04A7C60E774A6A97BB39E5A355AA21D3BDBB3B035D5D38DF068355A

6384 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_40.ttf | binary
MD5: 4296A064B917926682E7EED650D4A745
SHA256: E04E41C74D6C78213BA1588BACEE64B42C0EDECE85224C474A714F39960D8083

6384 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\62456258-E972-4DBC-88F5-4E49E40E64B5 | xml
MD5: F5CC4F9499BC855FBA4303669F6E8082
SHA256: BC3999A70BD65C1641B20529BAC92063BA763C07F2FDD2CF32D77F770822E1B3

6384 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\Personalization\Content\Anonymous\Insights.json | binary
MD5: 558EA08DFCA69129EE301AF6391F5A8F
SHA256: 609F73D4441C777E7F4D245048887C47252A410BE5026A4EC4019F5436BF3E6C

6384 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\HomePlaceBanner\3345A9F7-67A1-4A92-95D0-F500BBE18BED.png | image
MD5: 343F250D2F43C77A7FA44C2EE2367E71
SHA256: 974B86A60B7F8EA784B49886B796DDBDFAFFD35183695B58C0BF3B244D4628FA

6384 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\DTS\en-US{FD5B0A1B-B9CC-4FEC-B718-AE95B88BBBB4}\{F1E634D5-A1B5-49AC-835D-081A1301A359}mt16400647.png | image
MD5: D3590428E83DC27B626978EC0867477A
SHA256: 6B7382E1BF3F58C62F21300DA74F13C649C46BC0FC244188371BA55C56B6117D

6384 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\DTS\en-US{FD5B0A1B-B9CC-4FEC-B718-AE95B88BBBB4}\{FAEC9E45-C814-4E5C-BC8B-5D66EA4962DE}mt45299826.png | image
MD5: 1A06FCC9279FE0FA76E1E74E2A26A747
SHA256: 55704B4D08BC44CB39D7BE93D9C595ECA75D2F6EAA4ADE529754360427F2396E

6384 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\DTS\en-US{FD5B0A1B-B9CC-4FEC-B718-AE95B88BBBB4}\{E90A3DB3-CCE7-49A6-AE5E-2B3D5EFAF501}mt10000137.png | image
MD5: DE55D11D4C4071BB9F1B2A91487F41BE
SHA256: 57733C40F13A9C7F44584AA52F0C1D1DB26C41C0AF73FD3EDD47C3288B85E892

6384 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\DTS\en-US{FD5B0A1B-B9CC-4FEC-B718-AE95B88BBBB4}\{C330C309-2369-4027-99BB-87F7DA501375}mt11414620.png | image
MD5: E37661AB4A1AEB408D06DDA183117349
SHA256: 0AF5FC368F802B927A820673ACFDE18B22B15DA0CE865203C065604939875A3F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 13
TCP/UDP connections: 54
DNS requests: 30
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(rows marked "–" carry no PID/process in the source report)

4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted
– | – | GET | 200 | 23.32.238.107:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 1.01 Kb | whitelisted
– | – | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted
– | – | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | US | binary | 312 b | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted
6384 | EXCEL.EXE | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | US | binary | 471 b | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.32.238.107:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 1.01 Kb | whitelisted
6384 | EXCEL.EXE | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | US | binary | 471 b | whitelisted
6384 | EXCEL.EXE | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | US | binary | 471 b | whitelisted
6384 | EXCEL.EXE | POST | 200 | 52.242.79.71:80 | http://www.microsofttranslator.com/officetrans/register.asmx | US | xml | 438 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(rows marked "–" carry no value for that column in the source report)

– | – | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | – | – | – | whitelisted
– | – | 23.32.238.107:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.32.238.107:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
– | – | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 104.126.37.146:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
– | – | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:138 | – | – | – | whitelisted
1176 | svchost.exe | 20.190.159.68:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.32.238.107
  • 23.32.238.112
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
www.bing.com
  • 104.126.37.146
  • 104.126.37.153
  • 104.126.37.144
  • 104.126.37.154
  • 104.126.37.137
  • 104.126.37.147
  • 104.126.37.139
  • 104.126.37.152
  • 104.126.37.145
whitelisted
google.com
  • 142.250.186.78
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.68
  • 20.190.159.23
  • 20.190.159.64
  • 40.126.31.69
  • 20.190.159.71
  • 40.126.31.73
  • 20.190.159.75
  • 20.190.159.0
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted
officeclient.microsoft.com
  • 52.109.89.18
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted

Threats

No threats detected
No debug info