File name: PO266048.xls
Full analysis: https://app.any.run/tasks/05d9a007-d4a6-4ae3-9577-e4abbda77315
Verdict: Malicious activity
Analysis date: March 30, 2020, 16:56:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, ole-embedded, macros-on-open, ta505
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: nBCrHDV, Subject: i, Author: VKiV, Last Saved By: Administrator, Revision Number: 615, Name of Creating Application: Microsoft Excel, Total Editing Time: 10:56:00, Create Time/Date: Fri Aug 30 10:14:50 2019, Last Saved Time/Date: Thu Mar 19 17:18:47 2020, Number of Pages: 1, Number of Words: 1168, Number of Characters: 9074, Security: 0
MD5: F00090EB4995C93199B5E21460540FDC
SHA1: F5ECA436D5B21CB0EEF5E408A241878D680007AD
SHA256: C72DC55BD6D32968BCBA7F85D4A77692D019850B9508AA941E402B488B3D48C1
SSDEEP: 12288:XxZ92/aqiNntFCF7iqEbpXjpC2nxvgz8FnQnsEjNO6bh+De98Cd671osO:XxjyIx/bpzp2YFQnZjNO6NJvd67Wj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • EXCEL.EXE (PID: 3772)
    • Drops known malicious document
      • EXCEL.EXE (PID: 3772)
    • Executable content was dropped or overwritten
      • EXCEL.EXE (PID: 3772)
  • SUSPICIOUS
    No suspicious indicators.
  • INFO
    • Reads Microsoft Office registry keys
      • EXCEL.EXE (PID: 3772)
    • Creates files in the user directory
      • EXCEL.EXE (PID: 3772)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

CompObjUserTypeLen: 25
CompObjUserType: Microsoft Forms 2.0 Form
Title: nBCrHDV
Subject: i
Author: VKiV
LastModifiedBy: Administrator
RevisionNumber: 615
Software: Microsoft Excel
TotalEditTime: 10.9 hours
CreateDate: 2019:08:30 09:14:50
ModifyDate: 2020:03:19 17:18:47
Pages: 1
Words: 1168
Characters: 9074
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
Bytes: 26494
Lines: 786
Paragraphs: 95
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • Document
  • Macro1
HeadingPairs:
  • Worksheets
  • 1
  • Excel 4.0 Macros
  • 1
No data.
All screenshots are available in the full report
Total processes: 35
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start excel.exe

Process information

PID: 3772
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Exit code: 0
Version: 14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 716
Read events: 578
Write events: 121
Delete events: 17

Modification events

Process: (3772) EXCEL.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems | Operation: write | Name: {,5 | Value: 7B2C3500BC0E0000010000000000000000000000
Process: (3772) EXCEL.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1033 | Value: Off
Process: (3772) EXCEL.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1041 | Value: Off
Process: (3772) EXCEL.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1046 | Value: Off
Process: (3772) EXCEL.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1036 | Value: Off
Process: (3772) EXCEL.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1031 | Value: Off
Process: (3772) EXCEL.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1040 | Value: Off
Process: (3772) EXCEL.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1049 | Value: Off
Process: (3772) EXCEL.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 3082 | Value: Off
Process: (3772) EXCEL.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1042 | Value: Off
Executable files: 1
Suspicious files: 3
Text files: 0
Unknown types: 44

Dropped files

PID: 3772 | Process: EXCEL.EXE | Filename: C:\Users\admin\AppData\Local\Temp\CVR6CFB.tmp.cvr
MD5: | SHA256:
PID: 3772 | Process: EXCEL.EXE | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A7944BE7.emf | Type: emf
MD5: B66A05AA32740E9A15275C5BC2BF144C | SHA256: F7840EC63C8E82D8426F145932F6B5A6BDB20D02090B5D34330A1779C5358052
PID: 3772 | Process: EXCEL.EXE | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BF044870.emf | Type: emf
MD5: 547067C026F403ADD46AB6FC9DC24264 | SHA256: 054263D33C8212630C19B978004092CDB39BED7E8CE9B2CBC9335C18657DB671
PID: 3772 | Process: EXCEL.EXE | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B0A1FA92.emf | Type: emf
MD5: 9FB4781FB0BDD10E636A68705FE85F93 | SHA256: 527A1B59121AC490954D760078A3CF7679C529CBAB4D70BC08D7DF6D108286C3
PID: 3772 | Process: EXCEL.EXE | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B7A7A995.emf | Type: emf
MD5: 605F3C974CC850CB9B0F3FB45A1BB0EA | SHA256: 029C1E2CDA8D9AB82F85700CBAFE5373EBCE70E5F740E4E09EBCE328DA9D205A
PID: 3772 | Process: EXCEL.EXE | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F16564C2.emf | Type: emf
MD5: 5B152429BF2A750DE6C9D1F11E89F4E7 | SHA256: B0DE3E9B212E823B39651F8CD61580425D5889139366AA2FC48329AD7BBF4BAE
PID: 3772 | Process: EXCEL.EXE | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4488E085.emf | Type: emf
MD5: 83B387DEF23CC027CEC5721BAEFF32F9 | SHA256: 5E1E6D1AD3D49D03BC67263A3FB39F097329F1CAFE864B297ED7313176436577
PID: 3772 | Process: EXCEL.EXE | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\44AEA220.emf | Type: emf
MD5: 8D92826B31BBE62E26E39622EFC3D7D8 | SHA256: 7C9E5FBC698151D8AE90F0A7E274DDE10ADF82A5F8AD7827C73EED26D8EBB1E0
PID: 3772 | Process: EXCEL.EXE | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\26872116.emf | Type: emf
MD5: 9EE26F85695C3C88A26D0ED69F664FF2 | SHA256: BCE47AC892888B7B0BC78A7B5A6E4A98201B584C27A6E3E0E27C8E4201DE294A
PID: 3772 | Process: EXCEL.EXE | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6BF1FFC8.emf | Type: emf
MD5: 958478837FB2BAFDBC7024C01C6BCF43 | SHA256: C7F967BF1D85A65B87BD1141AA746A36FDE949C954A27913116CB8A0DBF0DEFA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 3772
Process: EXCEL.EXE
IP: 185.176.221.216:443
Domain: static-downloads.com
CN: LV
Reputation: unknown

DNS requests

Domain: static-downloads.com
IP: 185.176.221.216
Reputation: unknown

Threats

No threats detected
No debug info