analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

DHL_Overdue Invoice Notice_1220957824.xlsm

Full analysis: https://app.any.run/tasks/d1e9e57d-bb43-4887-965d-69e0b2fe7efc
Verdict: Malicious activity
Analysis date: September 30, 2020, 13:54:13
OS: Windows 10 Professional (build: 16299, 32 bit)
Tags:
macros
macros-on-open
Indicators:
MIME: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info: Microsoft Excel 2007+
MD5:

155C990DFB8E9456D6B44F3C01A3699B

SHA1:

B3E46CD16F750440B8B3AC2EAEC082417BD1C97D

SHA256:

9852A64FF8DD64E99326DC917C70B9B68C1E80128260035FDAE275BF5FC66972

SSDEEP:

768:kbxfr648mkWPgDPGD1jWuiQkucJTSPZ9Ar0HP:uxfr64NXPgDA1jCQPcJuP3A4v

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • regsvr32.exe (PID: 2656)
    • Registers / Runs the DLL via REGSVR32.EXE

      • EXCEL.EXE (PID: 2700)
    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 2700)
    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2700)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Scans artifacts that could help determine the target

      • EXCEL.EXE (PID: 2700)
    • Creates files in the user directory

      • EXCEL.EXE (PID: 2700)
    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2700)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xlsm | Excel Microsoft Office Open XML Format document (with Macro) (29.2)
.xlsx | Excel Microsoft Office Open XML Format document (17.3)
.zip | Open Packaging Conventions container (8.9)
.zip | ZIP compressed archive (2)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x02a77f1b
ZipCompressedSize: 482
ZipUncompressedSize: 1867
ZipFileName: [Content_Types].xml

XMP

Creator: -

XML

LastModifiedBy: -
CreateDate: 2020:09:30 12:03:43Z
ModifyDate: 2020:09:30 12:05:31Z
Application: Microsoft Excel
DocSecurity: None
ScaleCrop: No
HeadingPairs:
  • Worksheets
  • 1
TitlesOfParts: Accounts Dept.
Company: -
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
AppVersion: 16.03
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
121
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe regsvr32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2700"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\DHL_Overdue Invoice Notice_1220957824.xlsm"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
3221226356
Version:
16.0.11929.20300
2656"C:\Windows\System32\regsvr32.exe" -s C:\bQRmAmpj\YsnVxs\xVmDcR.C:\Windows\System32\regsvr32.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
1073807364
Version:
10.0.16299.15 (WinBuild.160101.0800)
Total events
1 089
Read events
880
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
5
Text files
5
Unknown types
5

Dropped files

PID
Process
Filename
Type
2700EXCEL.EXEC:\Users\admin\Desktop\~$DHL_Overdue Invoice Notice_1220957824.xlsm
MD5:
SHA256:
2700EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F644C4F0.png
MD5:
SHA256:
2700EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\99BDB3EB.png
MD5:
SHA256:
2700EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2365A031.png
MD5:
SHA256:
2700EXCEL.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04der
MD5:98DD9A57D91A500FC211AAB2EB757346
SHA256:84F7CFD853A8A77A6189BC103DE0A99D0318DAD937DC55D4B2973B62334343F1
2700EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-walbinary
MD5:1C6FFCAAEC6474FF28837D98C6FBC706
SHA256:800961FACA334AB96E61DFF70526441D7CD684B8E229BA7EFB76BED4B3E34077
2700EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\DHL_Overdue Invoice Notice_1220957824.xlsm.LNKlnk
MD5:60E1E43818C39B94C35F1B977471CBBA
SHA256:D264958E3F6AD667AB942E2E4427C4C96658E3697BC9017DBFFDA592629016B0
2700EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF452095750D94A26B.TMPdocument
MD5:014E8E0C3CEDE1B28AA1D9659403825F
SHA256:0A840D6F43C1C6AE7DF61EFBE3ED437F5519DFFE2F76088E591E05FB26F47DA2
2700EXCEL.EXEC:\Users\admin\AppData\Local\Temp\.sestext
MD5:ECB1A8619A0C16767F914CE68ADE49C8
SHA256:1CCBA06267907848720218E813B62971EA24D667754A6F63C40B0DA19F432567
2700EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\50110106-6A92-4F75-80FA-CA67C21A4CF6xml
MD5:BC75710FAE298B45B810313ED264297D
SHA256:A7E761B10A588A4A180D023514721CA4EC10CF78D826DF8FCC2326117E94E86B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
9
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D
US
der
471 b
whitelisted
2700
EXCEL.EXE
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D
US
der
1.47 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2700
EXCEL.EXE
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2700
EXCEL.EXE
52.109.32.27:443
officeclient.microsoft.com
Microsoft Corporation
GB
whitelisted
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2700
EXCEL.EXE
52.109.32.23:443
roaming.officeapps.live.com
Microsoft Corporation
GB
whitelisted
2700
EXCEL.EXE
2.21.165.76:443
fs.microsoft.com
Wind Telecomunicazioni SpA
unknown
2700
EXCEL.EXE
13.107.42.23:443
config.edge.skype.com
Microsoft Corporation
US
suspicious
40.90.22.186:443
login.live.com
Microsoft Corporation
US
malicious
2700
EXCEL.EXE
83.166.138.121:443
seminelogistics.com
Infomaniak Network SA
CH
unknown
2700
EXCEL.EXE
40.122.160.14:443
self.events.data.microsoft.com
Microsoft Corporation
US
unknown

DNS requests

Domain
IP
Reputation
self.events.data.microsoft.com
  • 40.122.160.14
  • 52.114.128.74
whitelisted
officeclient.microsoft.com
  • 52.109.32.27
whitelisted
roaming.officeapps.live.com
  • 52.109.32.23
whitelisted
fs.microsoft.com
  • 2.21.165.76
whitelisted
config.edge.skype.com
  • 13.107.42.23
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
login.live.com
  • 40.90.22.186
whitelisted
seminelogistics.com
  • 83.166.138.121
unknown
nexusrules.officeapps.live.com
  • 52.109.76.30
  • 52.109.88.35
whitelisted
www.bing.com
  • 204.79.197.200
whitelisted

Threats

No threats detected
No debug info