Malware analysis subscription_1618420095.xlsb Malicious activity

Add for printing

File name:	subscription_1618420095.xlsb
Full analysis:	https://app.any.run/tasks/e5663d6e-0252-4f61-9ed6-59ce61a9ca27
Verdict:	Malicious activity
Analysis date:	May 14, 2025, 09:59:23
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	macros40 maldoc
Indicators:
MIME:	application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info:	Microsoft Excel 2007+
MD5:	DC37192B5C4C8C4F94C73C18CE5E3829
SHA1:	0AA6BB11A11DADE2269D90B2781ED0A517362012
SHA256:	DB53F42E13D2685BD34DBC5C79FAD637C9344E72E210CA05504420874E98C2A6
SSDEEP:	6144:Q24+8omWt6TzUGrYp7JrRPXVGdhJJ6GFpIt54QlIT7WS:Q24+lmWt6TwMA9PXVyJJ6HX4QlITKS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: on
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops known malicious image
  - EXCEL.EXE (PID: 2320)
- Microsoft Office executes commands via PowerShell or Cmd
  - EXCEL.EXE (PID: 2320)
- Detects the decoding of a binary file from Base64 (SCRIPT)
  - EXCEL.EXE (PID: 2320)
- Uses sleep, probably for evasion (MACROS)
  - EXCEL.EXE (PID: 2320)
- Calls Win API functions (MACROS)
  - EXCEL.EXE (PID: 2320)
- Unusual execution from MS Office
  - EXCEL.EXE (PID: 2320)
- Starts CMD.EXE for commands execution
  - EXCEL.EXE (PID: 2320)
SUSPICIOUS
- Decoding a file from Base64 using CertUtil
  - cmd.exe (PID: 4268)
- Likely accesses (executes) a file from the Public directory
  - certutil.exe (PID: 1096)
  - rundll32.exe (PID: 5360)
  - rundll32.exe (PID: 2984)
- Uses RUNDLL32.EXE to load library
  - cmd.exe (PID: 4268)
- Executable content was dropped or overwritten
  - certutil.exe (PID: 1096)
- Writes data into a file (MACROS)
  - EXCEL.EXE (PID: 2320)
- Opens a file (MACROS)
  - EXCEL.EXE (PID: 2320)
- Reads data from a file (MACROS)
  - EXCEL.EXE (PID: 2320)
INFO
- The sample compiled with english language support
  - certutil.exe (PID: 1096)
- Creates files in the program directory
  - rundll32.exe (PID: 2984)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.xlsx	\|	Excel Microsoft Office Open XML Format document (49.2)
.zip	\|	Open Packaging Conventions container (25.3)
.zan	\|	BlueEyes Animation (19.5)
.zip	\|	ZIP compressed archive (5.7)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	0x0006
ZipCompression:	Deflated
ZipModifyDate:	1980:01:01 00:00:00
ZipCRC:	0x48628102
ZipCompressedSize:	585
ZipUncompressedSize:	3611
ZipFileName:	[Content_Types].xml

XMP

Creator:	David Peterson

XML

LastModifiedBy:	User
CreateDate:	2021:04:13 11:33:03Z
ModifyDate:	2020:05:10 17:03:29Z
Application:	Microsoft Excel
DocSecurity:	None
ScaleCrop:	No
HeadingPairs:	Worksheets 8 Excel 4.0 Macros 1
TitlesOfParts:	Main Form Sheet1 Sheet2 Sheet3 Sheet4 Sheet5 Sheet7 Sheet6
Company:	-
LinksUpToDate:	No
SharedDoc:	No
HyperlinksChanged:	No
AppVersion:	16.03

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

137

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

900

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1096

certutil -decode C:\Users\Public\130486.dot C:\Users\Public\130486.pgj

C:\Windows\System32\certutil.exe

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

CertUtil.exe

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll

2320

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" C:\Users\admin\AppData\Local\Temp\subscription_1618420095.xlsb

C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Excel

Version:

16.0.16026.20146

Modules

Images
c:\program files\microsoft office\root\office16\excel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\combase.dll

2564

"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent

C:\Windows\System32\slui.exe

—

SppExtComObj.Exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

2984

rundll32 C:\Users\Public\130486.pgj,DF1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

4268

cmd.exe /c certutil -decode %PUBLIC%\130486.dot %PUBLIC%\130486.pgj && rundll32 %PUBLIC%\130486.pgj,DF1

C:\Windows\System32\cmd.exe

—

EXCEL.EXE

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

5116

C:\WINDOWS\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\SppExtComObj.Exe

—

svchost.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

KMS Connection Broker

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

5360

rundll32 C:\Users\Public\130486.pgj,DF1

C:\Windows\System32\rundll32.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

Add for printing

Total events

8 981

Read events

8 871

Write events

Delete events

Modification events


(PID) Process:	(2320) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common
Operation:	write	Name:	SessionId
Value: F83F26EB4C333D4283ABE7F0C28A44E8
(PID) Process:	(2320) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\GracefulExit\EXCEL\5396
Operation:	delete value	Name:	0
Value: ซ洐郘Ꙏ蒢㗷ⅾ䛢꿸놜樁င$驄摽鶲ީ湕湫睯쥮Ȇ∢්łᣂ숁씀褎예錏�菈Ǭ჉砃㐶ᇅ⪔ዒ攉砀挀攀氀⸀攀砀攀씀‖ៅ肀줄࠘㈲㈱䐭捥
(PID) Process:	(2320) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\GracefulExit\EXCEL\5396
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(2320) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\2320
Operation:	write	Name:	0
Value: 0B0E101F3AD88BE5F5D641859DE35D9EA7E910230046FEA9DDCCEE96F1ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C50E8908C91003783634C5119012D2120965007800630065006C002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:	(2320) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:	write	Name:	1
Value: 01D014000000001000B24E9A3E02000000000000000600000000000000
(PID) Process:	(2320) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\2320
Operation:	write	Name:	0
Value: 0B0E101F3AD88BE5F5D641859DE35D9EA7E910230046FEA9DDCCEE96F1ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C5119012D2120965007800630065006C002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:	(2320) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	en-US
Value: 2
(PID) Process:	(2320) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	de-de
Value: 2
(PID) Process:	(2320) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	fr-fr
Value: 2
(PID) Process:	(2320) EXCEL.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	es-es
Value: 2

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2320	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres		binary
		MD5:77B2BF93E4C045875D68C36E055C5E38	SHA256:3F5B625357BDAE69EDCE52F4B1CEF5D12CB1FF98F7100502FA61EC3C765CFCE9
2320	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\Wef\CustomFunctions\v1.7\hostproperties.json		binary
		MD5:7A29F1E157244591277E3C25F29A8029	SHA256:05EEBA4D6CA7148DCD0A6317A45241A49A4C8D88D628B27D8B19889EF6E70771
2320	EXCEL.EXE	C:\Users\Public\130486.xlsb		text
		MD5:5AD4845793B5DC3308172B39F3C3DBC7	SHA256:2632C0CC222A6D436B50A418605A7BD4FA8F363AB8D93D10B831CDB28A2AC1BC
2320	EXCEL.EXE	C:\Users\Public\130486.dot		text
		MD5:5AD4845793B5DC3308172B39F3C3DBC7	SHA256:2632C0CC222A6D436B50A418605A7BD4FA8F363AB8D93D10B831CDB28A2AC1BC
1096	certutil.exe	C:\Users\Public\130486.pgj		executable
		MD5:14089C2D5A4207DD80F71FB258200848	SHA256:8FB061AFF0801FAB1E58EF75B96BAF325F91C6F22BFCAB7195DB69E10D47BC4B
2320	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml		text
		MD5:6E777ED8A64C8D314E44C19C1AB6A99A	SHA256:5635FA87DC677DF7B62C190853B41088759C1A5B765C413F6D67142B3B342FBC
2320	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\UsageMetricsStore\FileActivityStoreV3\Excel\ASkwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDBfTnVsbAM.S		binary
		MD5:3E5DFF1D0167FC22BD594E63D003A7C9	SHA256:42E96E1FFAEB9AB81A7920CEDA5CD9A203106DA659997FDE55C6B948075DAA9E
2320	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\UsageMetricsStore\FileActivityStoreV3\Excel\ASkwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDBfTnVsbAA.S		binary
		MD5:912CBF0523B40B5A1A8F5F75FD2CEBD8	SHA256:9819C4E5E1301191471B954EE13087C83BFD1F3873714C6217601FE427B8C16D
2984	rundll32.exe	C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\0f5007522459c86e95ffcc62f32308f1_bb926e54-e3ca-40fd-ae90-2764341e7792		binary
		MD5:1F119F7F46DBAA44431420B18F06381C	SHA256:7EC49C62CB2706A170D04CB83BFFC5F179C681B0112E5CD0BBD35EDDE76F0CAC
2320	EXCEL.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Public.LNK		binary
		MD5:14748BF446C5C005595E3F8076B92BD9	SHA256:F35769092EA9A42069318D8F442D10308FE669BF1AA402CAE2D952C3C00EBBF2

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2984	rundll32.exe	POST	404	49.13.77.253:80	http://glass3.xyz/campo/gl/gl3	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5496	MoUsoCoreWorker.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
2112	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2320	EXCEL.EXE	52.109.76.240:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2320	EXCEL.EXE	52.123.129.14:443	ecs.office.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
2984	rundll32.exe	49.13.77.253:80	glass3.xyz	Hetzner Online GmbH	DE	unknown
2320	EXCEL.EXE	52.111.229.20:443	messaging.lifecycle.office.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.186.142	whitelisted
settings-win.data.microsoft.com	4.231.128.59	whitelisted
officeclient.microsoft.com	52.109.76.240	whitelisted
ecs.office.com	52.123.129.14 52.123.128.14	whitelisted
glass3.xyz	49.13.77.253	unknown
messaging.lifecycle.office.com	52.111.229.20	whitelisted
self.events.data.microsoft.com	52.182.143.213	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241 2603:1030:c02:2::284	whitelisted

Threats

PID	Process	Class	Message
2984	rundll32.exe	Potentially Bad Traffic	ET HUNTING Request to .XYZ Domain with Minimal Headers

Add for printing

No debug info

General Info

subscription_1618420095.xlsb

DC37192B5C4C8C4F94C73C18CE5E3829

0AA6BB11A11DADE2269D90B2781ED0A517362012

DB53F42E13D2685BD34DBC5C79FAD637C9344E72E210CA05504420874E98C2A6

6144:Q24+8omWt6TzUGrYp7JrRPXVGdhJJ6GFpIt54QlIT7WS:Q24+lmWt6TwMA9PXVyJJ6HX4QlITKS

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops known malicious image

Microsoft Office executes commands via PowerShell or Cmd

Detects the decoding of a binary file from Base64 (SCRIPT)

Uses sleep, probably for evasion (MACROS)

Calls Win API functions (MACROS)

Unusual execution from MS Office

Starts CMD.EXE for commands execution

SUSPICIOUS

Decoding a file from Base64 using CertUtil

Likely accesses (executes) a file from the Public directory

Uses RUNDLL32.EXE to load library

Executable content was dropped or overwritten

Writes data into a file (MACROS)

Opens a file (MACROS)

Reads data from a file (MACROS)

INFO

The sample compiled with english language support

Creates files in the program directory

Malware configuration

Static information

TRiD

EXIF

ZIP

XMP

XML

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings