analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

DHL_Overdue Invoice Notice_1220957824.xlsm

Full analysis: https://app.any.run/tasks/3d5d034b-5175-4a50-b7f2-7513ea62b5b8
Verdict: Malicious activity
Analysis date: September 30, 2020, 12:33:37
OS: Windows 10 Professional (build: 16299, 64 bit)
Tags:
macros
macros-on-open
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5:

155C990DFB8E9456D6B44F3C01A3699B

SHA1:

B3E46CD16F750440B8B3AC2EAEC082417BD1C97D

SHA256:

9852A64FF8DD64E99326DC917C70B9B68C1E80128260035FDAE275BF5FC66972

SSDEEP:

768:kbxfr648mkWPgDPGD1jWuiQkucJTSPZ9Ar0HP:uxfr64NXPgDA1jCQPcJuP3A4v

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 3076)
  • SUSPICIOUS

    • Reads Environment values

      • WerFault.exe (PID: 2260)
    • Reads CPU info

      • WerFault.exe (PID: 2260)
    • Creates files in the program directory

      • WerFault.exe (PID: 2260)
    • Reads the machine GUID from the registry

      • WerFault.exe (PID: 2260)
  • INFO

    • Reads settings of System Certificates

      • EXCEL.EXE (PID: 3076)
    • Reads Environment values

      • EXCEL.EXE (PID: 3076)
    • Creates files in the user directory

      • EXCEL.EXE (PID: 3076)
    • Reads the software policy settings

      • EXCEL.EXE (PID: 3076)
    • Reads the machine GUID from the registry

      • EXCEL.EXE (PID: 3076)
    • Scans artifacts that could help determine the target

      • EXCEL.EXE (PID: 3076)
    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3076)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlsm | Excel Microsoft Office Open XML Format document (with Macro) (29.2)
.xlsx | Excel Microsoft Office Open XML Format document (17.3)
.zip | Open Packaging Conventions container (8.9)
.zip | ZIP compressed archive (2)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x02a77f1b
ZipCompressedSize: 482
ZipUncompressedSize: 1867
ZipFileName: [Content_Types].xml

XMP

Creator: -

XML

LastModifiedBy: -
CreateDate: 2020:09:30 12:03:43Z
ModifyDate: 2020:09:30 12:05:31Z
Application: Microsoft Excel
DocSecurity: None
ScaleCrop: No
HeadingPairs:
  • Worksheets
  • 1
TitlesOfParts: Accounts Dept.
Company: -
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
AppVersion: 16.03
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
90
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe werfault.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3076"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\DHL_Overdue Invoice Notice_1220957824.xlsm"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
16.0.12026.20264
2260C:\WINDOWS\system32\WerFault.exe -u -p 3076 -s 3960C:\WINDOWS\system32\WerFault.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Version:
10.0.16299.15 (WinBuild.160101.0800)
Total events
1 617
Read events
1 395
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
5
Unknown types
5

Dropped files

PID
Process
Filename
Type
2260WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\EXCEL.EXE.3076.dmp
MD5:
SHA256:
2260WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER1B35.tmp.dmpdmp
MD5:9D5837C97D9ED7DEEFDB608E70FCA3C2
SHA256:2C457C51625004D6DD88325020333920A8FA33009BE635226E546666F77F4A41
3076EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\DHL_Overdue Invoice Notice_1220957824.xlsm.LNKlnk
MD5:08602C30219B1D0097A7AAB6A617C969
SHA256:2F21B142D9C7D5D61F6282FF0C1130FD1C0C965AE610722CBEFBB6F4BE87765D
3076EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\584F474D.emfemf
MD5:6EF4EE8E0D63E8089030A41746D23DD9
SHA256:53A88B00B3C0368A97F07E5705CF02259ED019EFD03221A3F484B750C1F9742F
2260WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER2401.tmp.WERInternalMetadata.xmlxml
MD5:59827913C484BD0D32464BA2BB8D6B3E
SHA256:F593ED41243392D6BC930616C03E537D6DBBD23E5814D3A654CACDC4FF27380E
2260WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EXCEL.EXE_a2f0be3fbba3375c9c4ad00688d285bfa2d811c_e1bfeeb4_a6d72b04\Report.wertext
MD5:7A63A054575953409F526BD9556B53BF
SHA256:7CCD1A843E7D425A7ED11FF37BED2D1747BDA5665A0690B52DC6E8C47F899AE9
3076EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:EB7F84E30586D7FED0075AEFCA919862
SHA256:787315E7AB324B3B210988B0FE621B8792D2CD3B481A359E9A61716BF8198365
3076EXCEL.EXEC:\Users\admin\AppData\Local\Temp\Excel8.0\MSForms.exdtlb
MD5:C3FE295CE350F134FEC48B09C0B02BB0
SHA256:A7BBE3BCD089B7515C4C43A5A3BB2CB8C520DA21CEEE6811D82E1752A1CB014F
3076EXCEL.EXEC:\Users\admin\AppData\Local\Temp\.sestext
MD5:70822A872650CEE8953A41FE0515AE4E
SHA256:C35730ED36E56F5A0B41F8FCBDD15DDEDCC34D7FAE872059FF54433BC844341F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
7
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1928
svchost.exe
GET
404
13.107.42.23:443
https://config.edge.skype.com/config/v2/Office/excel/16.0.12026.20264/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=excel&Platform=win32&Version=16.0.12026.20264&MsoVersion=16.0.12026.20194&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&Channel=CC&InstallType=C2R&SessionId=%7b03F9551C-E5C3-4E4C-B6B6-0903A3485EB2%7d&LabMachine=false
US
xml
345 b
whitelisted
1928
svchost.exe
GET
404
23.210.248.85:443
https://fs.microsoft.com/fs/4.8/flatFontAssets.pkg
NL
xml
345 b
whitelisted
1928
svchost.exe
GET
404
52.109.32.27:443
https://officeclient.microsoft.com/config16/?syslcid=1033&build=16.0.12026&crev=3
GB
xml
345 b
whitelisted
1928
svchost.exe
POST
404
52.109.76.8:443
https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
IE
xml
345 b
whitelisted
3076
EXCEL.EXE
GET
404
23.210.248.85:443
https://fs.microsoft.com/fs/4.8/flatFontAssets.pkg
NL
xml
345 b
whitelisted
3076
EXCEL.EXE
POST
404
40.90.22.184:443
https://login.live.com/RST2.srf
US
xml
345 b
whitelisted
3076
EXCEL.EXE
POST
404
40.90.22.184:443
https://login.live.com/RST2.srf
US
xml
345 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3076
EXCEL.EXE
52.109.76.8:443
roaming.officeapps.live.com
Microsoft Corporation
IE
whitelisted
3076
EXCEL.EXE
23.210.248.85:443
fs.microsoft.com
Akamai International B.V.
NL
whitelisted
3076
EXCEL.EXE
52.109.32.27:443
officeclient.microsoft.com
Microsoft Corporation
GB
whitelisted
1076
svchost.exe
40.90.22.184:443
login.live.com
Microsoft Corporation
US
malicious
3076
EXCEL.EXE
13.107.42.23:443
config.edge.skype.com
Microsoft Corporation
US
suspicious

DNS requests

Domain
IP
Reputation
officeclient.microsoft.com
  • 52.109.32.27
whitelisted
roaming.officeapps.live.com
  • 52.109.76.8
whitelisted
fs.microsoft.com
  • 23.210.248.85
whitelisted
config.edge.skype.com
  • 13.107.42.23
whitelisted
login.live.com
  • 40.90.22.184
  • 40.90.22.190
  • 40.90.22.189
  • 40.90.22.185
  • 40.90.22.187
  • 40.90.22.186
  • 40.90.22.188
  • 40.90.22.192
whitelisted

Threats

No threats detected
No debug info