File name: | PO-112030087.xls |
Full analysis: | https://app.any.run/tasks/48ec0dd9-4a96-4e94-94a6-fc65c5dacb11 |
Verdict: | Malicious activity |
Analysis date: | May 23, 2023, 06:11:06 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 00:00:00 2006, Last Saved Time/Date: Mon May 22 18:08:42 2023, Security: 0 |
MD5: | C59751674070A6B94D39391AA35223FB |
SHA1: | 7257C0456A9E50C148C46A9F3CF7BD92DE1626EE |
SHA256: | C9A9B17C78C01F10CD983A675DB8C345F0EF0CC2A8E66542ED13E0CB0C694C14 |
SSDEEP: | 24576:NLKa/S6S/aWamQmt+MXUG+MXUdlYxWAz6Vyj5XXXXXXXXXXXXUXXXXXXXXXXXXXy:NLKMSLaK+MXl+MXglY5zMuE+ |
.xls | | | Microsoft Excel sheet (26) |
---|---|---|
.xls | | | Microsoft Excel sheet (alternate) (21.3) |
.doc | | | Microsoft Word document (old ver.) (16.5) |
Author: | - |
---|---|
LastModifiedBy: | - |
Software: | Microsoft Excel |
CreateDate: | 2006:09:16 00:00:00 |
ModifyDate: | 2023:05:22 18:08:42 |
Security: | None |
ThumbnailClip: | (Binary data 119982 bytes, use -b option to extract) |
AppVersion: | 12 |
ScaleCrop: | No |
LinksUpToDate: | No |
SharedDoc: | No |
HyperlinksChanged: | No |
TitleOfParts: |
|
HeadingPairs: |
|
CodePage: | Windows Latin 1 (Western European) |
Hyperlinks: |
|
CompObjUserTypeLen: | 38 |
CompObjUserType: | Microsoft Office Excel 2003 Worksheet |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2476 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.4756.1000 Modules
| |||||||||||||||
2964 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | ||||||||||||
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Version: 00110900 Modules
|
(PID) Process: | (2476) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (2476) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1041 |
Value: On | |||
(PID) Process: | (2476) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1042 |
Value: On | |||
(PID) Process: | (2476) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1046 |
Value: On | |||
(PID) Process: | (2476) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1036 |
Value: On | |||
(PID) Process: | (2476) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1031 |
Value: On | |||
(PID) Process: | (2476) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1040 |
Value: On | |||
(PID) Process: | (2476) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1049 |
Value: On | |||
(PID) Process: | (2476) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 3082 |
Value: On | |||
(PID) Process: | (2476) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1055 |
Value: On |
PID | Process | Filename | Type | |
---|---|---|---|---|
2476 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR3A9F.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2476 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\62B583B.emf | binary | |
MD5:4D59A7E93170340B5EC4009F7FA3AD31 | SHA256:83473215E5C2160333AA92EA7F9B1276D8ED7DD66AFC472DC92C88055D189D7D | |||
2476 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\966A62F6.emf | binary | |
MD5:5C65827565E89D5357D6F81294701C19 | SHA256:DEC6F35CEB48260F3BA4E6487C48D3F97B274F2EFF29CAB00C2C7E677EEF4B4F | |||
2476 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\331DFD00.emf | binary | |
MD5:80790DC6AB03E5027E6414ACF5C5B37E | SHA256:5BB6F74DD2F84903B0629F3D5DC31A1E2730F991F92E03421A5A28CA70B5A113 | |||
2476 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2D40F7E5.emf | binary | |
MD5:6133D46413B5030EF0CC491BD686580C | SHA256:31775E2B4C5E077B7CC2367813E2CBE804EAEED9C332CE918AF8D77C645E6C52 | |||
2476 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B0DB0A7F.emf | binary | |
MD5:4A103FC1809C8EA381D2ACB5380EF4F6 | SHA256:1AB8F5ABD845FFD0C61A61BB09BFCF20569B80B4496BCCB58C623753CF40485C | |||
2476 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4053D901.emf | binary | |
MD5:49D782FA9CE9DC8706F03B1F2000F0ED | SHA256:664405896F3A541305B24BAFD3BCFBACCB4A2049CB27968844BA14C3237916EF | |||
2476 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\646ED4A2.emf | binary | |
MD5:D69C22A341E111FEEA69DF6D8C655D60 | SHA256:05B2053BF1D070D6034B45CD79B54D80DA3C6D88D016671A345E75048B1A68DB | |||
2476 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\47B52274.emf | binary | |
MD5:35F7C4CEEC52F37D0B0881CCC3A7612D | SHA256:17918DE803C9609AB1D8BF011FC75835E43FF490299D7D67EAB7F550E1FC0968 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2964 | EQNEDT32.EXE | GET | — | 107.172.130.133:80 | http://107.172.130.133/61/IE_CACHE_COOKIE.exe | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
328 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2964 | EQNEDT32.EXE | 107.172.130.133:80 | — | AS-COLOCROSSING | US | malicious |
PID | Process | Class | Message |
---|---|---|---|
2964 | EQNEDT32.EXE | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
2964 | EQNEDT32.EXE | A Network Trojan was detected | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
2964 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2964 | EQNEDT32.EXE | A Network Trojan was detected | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
2964 | EQNEDT32.EXE | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |