Field | Value |
---|---|
File name | DHL_Overdue Invoice Notice_1220957824.xlsm |
Full analysis | https://app.any.run/tasks/3d5d034b-5175-4a50-b7f2-7513ea62b5b8 |
Verdict | Malicious activity |
Analysis date | September 30, 2020, 12:33:37 |
OS | Windows 10 Professional (build: 16299, 64 bit) |
Tags | |
Indicators | |
MIME | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
File info | Microsoft Excel 2007+ |
MD5 | 155C990DFB8E9456D6B44F3C01A3699B |
SHA1 | B3E46CD16F750440B8B3AC2EAEC082417BD1C97D |
SHA256 | 9852A64FF8DD64E99326DC917C70B9B68C1E80128260035FDAE275BF5FC66972 |
SSDEEP | 768:kbxfr648mkWPgDPGD1jWuiQkucJTSPZ9Ar0HP:uxfr64NXPgDA1jCQPcJuP3A4v |

Extension | File type | Score |
---|---|---|
.xlsm | Excel Microsoft Office Open XML Format document (with Macro) | 29.2 |
.xlsx | Excel Microsoft Office Open XML Format document | 17.3 |
.zip | Open Packaging Conventions container | 8.9 |
.zip | ZIP compressed archive | 2 |

ZIP field | Value |
---|---|
ZipRequiredVersion | 20 |
ZipBitFlag | 0x0006 |
ZipCompression | Deflated |
ZipModifyDate | 1980:01:01 00:00:00 |
ZipCRC | 0x02a77f1b |
ZipCompressedSize | 482 |
ZipUncompressedSize | 1867 |
ZipFileName | [Content_Types].xml |

Document property | Value |
---|---|
Creator | - |
LastModifiedBy | - |
CreateDate | 2020:09:30 12:03:43Z |
ModifyDate | 2020:09:30 12:05:31Z |
Application | Microsoft Excel |
DocSecurity | None |
ScaleCrop | No |
HeadingPairs | |
TitlesOfParts | Accounts Dept. |
Company | - |
LinksUpToDate | No |
SharedDoc | No |
HyperlinksChanged | No |
AppVersion | 16.03 |

PID | Command line | Path | Indicators | Parent process | User | Company | Integrity level | Description | Version |
---|---|---|---|---|---|---|---|---|---|
3076 | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\DHL_Overdue Invoice Notice_1220957824.xlsm" | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Excel | 16.0.12026.20264 |
2260 | C:\WINDOWS\system32\WerFault.exe -u -p 3076 -s 3960 | C:\WINDOWS\system32\WerFault.exe | — | EXCEL.EXE | admin | Microsoft Corporation | MEDIUM | Windows Problem Reporting | 10.0.16299.15 (WinBuild.160101.0800) |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2260 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\EXCEL.EXE.3076.dmp | — | — | — |
2260 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B35.tmp.dmp | dmp | 9D5837C97D9ED7DEEFDB608E70FCA3C2 | 2C457C51625004D6DD88325020333920A8FA33009BE635226E546666F77F4A41 |
3076 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\DHL_Overdue Invoice Notice_1220957824.xlsm.LNK | lnk | 08602C30219B1D0097A7AAB6A617C969 | 2F21B142D9C7D5D61F6282FF0C1130FD1C0C965AE610722CBEFBB6F4BE87765D |
3076 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\584F474D.emf | emf | 6EF4EE8E0D63E8089030A41746D23DD9 | 53A88B00B3C0368A97F07E5705CF02259ED019EFD03221A3F484B750C1F9742F |
2260 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER2401.tmp.WERInternalMetadata.xml | xml | 59827913C484BD0D32464BA2BB8D6B3E | F593ED41243392D6BC930616C03E537D6DBBD23E5814D3A654CACDC4FF27380E |
2260 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXCEL.EXE_a2f0be3fbba3375c9c4ad00688d285bfa2d811c_e1bfeeb4_a6d72b04\Report.wer | text | 7A63A054575953409F526BD9556B53BF | 7CCD1A843E7D425A7ED11FF37BED2D1747BDA5665A0690B52DC6E8C47F899AE9 |
3076 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | EB7F84E30586D7FED0075AEFCA919862 | 787315E7AB324B3B210988B0FE621B8792D2CD3B481A359E9A61716BF8198365 |
3076 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\Excel8.0\MSForms.exd | tlb | C3FE295CE350F134FEC48B09C0B02BB0 | A7BBE3BCD089B7515C4C43A5A3BB2CB8C520DA21CEEE6811D82E1752A1CB014F |
3076 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\.ses | text | 70822A872650CEE8953A41FE0515AE4E | C35730ED36E56F5A0B41F8FCBDD15DDEDCC34D7FAE872059FF54433BC844341F |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1928 | svchost.exe | GET | 404 | 13.107.42.23:443 | https://config.edge.skype.com/config/v2/Office/excel/16.0.12026.20264/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=excel&Platform=win32&Version=16.0.12026.20264&MsoVersion=16.0.12026.20194&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&Channel=CC&InstallType=C2R&SessionId=%7b03F9551C-E5C3-4E4C-B6B6-0903A3485EB2%7d&LabMachine=false | US | xml | 345 b | whitelisted |
1928 | svchost.exe | GET | 404 | 23.210.248.85:443 | https://fs.microsoft.com/fs/4.8/flatFontAssets.pkg | NL | xml | 345 b | whitelisted |
1928 | svchost.exe | GET | 404 | 52.109.32.27:443 | https://officeclient.microsoft.com/config16/?syslcid=1033&build=16.0.12026&crev=3 | GB | xml | 345 b | whitelisted |
1928 | svchost.exe | POST | 404 | 52.109.76.8:443 | https://roaming.officeapps.live.com/rs/RoamingSoapService.svc | IE | xml | 345 b | whitelisted |
3076 | EXCEL.EXE | GET | 404 | 23.210.248.85:443 | https://fs.microsoft.com/fs/4.8/flatFontAssets.pkg | NL | xml | 345 b | whitelisted |
3076 | EXCEL.EXE | POST | 404 | 40.90.22.184:443 | https://login.live.com/RST2.srf | US | xml | 345 b | whitelisted |
3076 | EXCEL.EXE | POST | 404 | 40.90.22.184:443 | https://login.live.com/RST2.srf | US | xml | 345 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3076 | EXCEL.EXE | 52.109.76.8:443 | roaming.officeapps.live.com | Microsoft Corporation | IE | whitelisted |
3076 | EXCEL.EXE | 23.210.248.85:443 | fs.microsoft.com | Akamai International B.V. | NL | whitelisted |
3076 | EXCEL.EXE | 52.109.32.27:443 | officeclient.microsoft.com | Microsoft Corporation | GB | whitelisted |
1076 | svchost.exe | 40.90.22.184:443 | login.live.com | Microsoft Corporation | US | malicious |
3076 | EXCEL.EXE | 13.107.42.23:443 | config.edge.skype.com | Microsoft Corporation | US | suspicious |
Domain | IP | Reputation |
---|---|---|
officeclient.microsoft.com | | whitelisted |
roaming.officeapps.live.com | | whitelisted |
fs.microsoft.com | | whitelisted |
config.edge.skype.com | | whitelisted |
login.live.com | | whitelisted |