File name: Company_ProfilePosco_Interntional_AUSTRALIA&RequestQuote48989.xls

Full analysis: https://app.any.run/tasks/1294677b-bf43-4ae5-9671-c9633149cb98
Verdict: Malicious activity
Analysis date: November 27, 2019, 07:56:42
OS: Windows 10 Professional (build: 16299, 64 bit)
Tags: macros, maldoc-19
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: PC, Last Saved By: PC, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Nov 22 06:59:40 2019, Last Saved Time/Date: Fri Nov 22 07:01:07 2019, Security: 0
MD5: 33F61AB4B319A3C743F8B87B6CA37E2A
SHA1: 2CBD0B1E88362F808F93FC0A6BFA7BE354BD6B1A
SHA256: 8F98D2D841145865762473543DC09F73EAE5FCD8FAB3EFA22C5B6C2E024C7620
SSDEEP: 768:JeMZ+RwPONXoRjDhIcp0fDlaGGx+cL26nAKy7uv4G/eoV2rN7Iih:sMZ+RwPONXoRjDhIcp0fDlaGGx+cL26E

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Scans artifacts that could help determine the target
      • EXCEL.EXE (PID: 6264)
  • SUSPICIOUS
    • Reads Environment values
      • EXCEL.EXE (PID: 6264)
    • Unusual connect from Microsoft Office
      • EXCEL.EXE (PID: 6264)
    • Reads Microsoft Outlook installation path
      • EXCEL.EXE (PID: 6264)
    • Reads internet explorer settings
      • EXCEL.EXE (PID: 6264)
  • INFO
    • Reads settings of System Certificates
      • EXCEL.EXE (PID: 6264)
    • Creates files in the user directory
      • EXCEL.EXE (PID: 6264)
    • Reads the machine GUID from the registry
      • EXCEL.EXE (PID: 6264)
    • Reads Microsoft Office registry keys
      • EXCEL.EXE (PID: 6264)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

Author: PC
LastModifiedBy: PC
Software: Microsoft Excel
CreateDate: 2019:11:22 06:59:40
ModifyDate: 2019:11:22 07:01:07
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
AppVersion: 12
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • Sheet1
  • Sheet2
  • Sheet3
HeadingPairs:
  • Worksheets
  • 3
CompObjUserTypeLen: 38
CompObjUserType: Microsoft Office Excel 2003 Worksheet
No data.
All screenshots are available in the full report
Total processes: 101
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start excel.exe

Process information

PID: 6264
CMD: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\AppData\Local\Temp\Company_ProfilePosco_Interntional_AUSTRALIA&RequestQuote48989.xls"
Path: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Indicators:
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Exit code: 0
Version: 16.0.12026.20264
Modules (Images):
  • c:\program files\microsoft office\root\office16\excel.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\ole32.dll
  • c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\ucrtbase.dll

Total events: 40 786
Read events: 9 268
Write events: 31 371
Delete events: 147

Modification events

(PID) Process: (6264) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation: write
Name: 1
Value: 01D014000000001000284FFA2E01000000000000000500000000000000

(PID) Process: (6264) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\Common\CrashPersistence\EXCEL\6264
Operation: write
Name: 0
Value: 0B0E10E9A4E23C90BC5F4C8411D30D155CBE292300469CFFBA92849FE9EA016A0410240044FA5D64A89E01008500A907556E6B6E6F776E00

(PID) Process: (6264) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: en-US
Value: 2

(PID) Process: (6264) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: de-de
Value: 2

(PID) Process: (6264) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: fr-fr
Value: 2

(PID) Process: (6264) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: es-es
Value: 2

(PID) Process: (6264) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: it-it
Value: 2

(PID) Process: (6264) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ja-jp
Value: 2

(PID) Process: (6264) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ko-kr
Value: 2

(PID) Process: (6264) EXCEL.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: pt-br
Value: 2
Executable files: 0
Suspicious files: 7
Text files: 45
Unknown types: 4

Dropped files

PID | Process | Filename | Type
6264 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TJEO39L1WIKOX1ZT5CPX.temp |
6264 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\Personalization\Content\Anonymous\Insights.json.tmp |
6264 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4 | binary
6264 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\EFA98973-3EA6-4F37-9F21-BD83265CFF39 | xml
6264 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\.ses | text
6264 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F | binary
6264 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\omextemplates.content.office.net\0A2F0E2C-275B-4DDA-910F-E1B13CAAA34F | image
6264 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F | der
6264 | EXCEL.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_88614FFAD35D353421B8A7E1FE18FCE4 | der
6264 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\omextemplates.content.office.net\0672CB71-E4BA-4501-90D3-FA061C61193D | image
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 28
DNS requests: 17
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2604 | svchost.exe | GET | 200 | 2.16.186.74:80 | http://crl.microsoft.com/pki/crl/products/Microsoft%20Code%20Signing%20PCA(2).crl | unknown | der | 555 b | whitelisted
2604 | svchost.exe | GET | 200 | 2.16.186.74:80 | http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | unknown | der | 781 b | whitelisted
2604 | svchost.exe | GET | 200 | 2.16.186.74:80 | http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl | unknown | der | 555 b | whitelisted
2604 | svchost.exe | GET | 200 | 2.16.186.74:80 | http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | unknown | der | 550 b | whitelisted
6264 | EXCEL.EXE | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D | US | der | 1.47 Kb | shared
6264 | EXCEL.EXE | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | shared
6264 | EXCEL.EXE | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D | US | der | 1.47 Kb | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
 |  | 51.105.249.223:443 |  | Microsoft Corporation | GB | whitelisted
6220 | svchost.exe | 52.226.130.114:443 | insiderservice.microsoft.com | Microsoft Corporation | US | whitelisted
 |  | 40.90.22.183:443 | login.live.com | Microsoft Corporation | US | malicious
6264 | EXCEL.EXE | 2.18.232.120:443 | fs.microsoft.com | Akamai International B.V. |  | whitelisted
6264 | EXCEL.EXE | 52.109.88.10:443 | roaming.officeapps.live.com | Microsoft Corporation | NL | whitelisted
6264 | EXCEL.EXE | 13.107.3.128:443 | config.edge.skype.com | Microsoft Corporation | US | whitelisted
6264 | EXCEL.EXE | 93.184.220.29:80 |  | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
5848 | svchost.exe | 40.90.22.185:443 | login.live.com | Microsoft Corporation | US | unknown
6264 | EXCEL.EXE | 52.109.52.36:443 | messaging.office.com | Microsoft Corporation | JP | unknown
6264 | EXCEL.EXE | 52.114.132.74:443 |  | Microsoft Corporation | US | unknown

DNS requests

Domain
IP
Reputation
login.live.com
  • 40.90.22.183
  • 40.90.22.187
  • 40.90.22.191
  • 40.90.22.185
  • 40.90.22.190
  • 40.90.22.186
whitelisted
insiderservice.microsoft.com
  • 52.226.130.114
whitelisted
officeclient.microsoft.com
  • 52.109.88.8
whitelisted
roaming.officeapps.live.com
  • 52.109.88.10
whitelisted
fs.microsoft.com
  • 2.18.232.120
whitelisted
config.edge.skype.com
  • 13.107.3.128
malicious
messaging.office.com
  • 52.109.52.36
whitelisted
nexusrules.officeapps.live.com
  • 52.109.76.30
whitelisted
arc.msn.com
  • 40.112.91.29
whitelisted
templatesmetadata.office.net
  • 2.20.132.155
  • 2.16.181.72
whitelisted

Threats

No threats detected
No debug info