Field | Value
---|---
File name | Shqyrtimi i taksave 2019 03172_k2.xls (Albanian: "Tax review 2019")
Full analysis | https://app.any.run/tasks/8b50fbef-8dcd-408f-9e11-2a70f50893ad
Verdict | Malicious activity
Analysis date | January 17, 2020, 21:11:01
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags |
Indicators |
MIME | application/vnd.ms-excel
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Create Time/Date: Tue Nov 19 14:58:31 2019, Last Saved Time/Date: Wed Nov 20 21:49:32 2019, Security: 0
MD5 | B1D34757594DC11A3FA9F917083C4358
SHA1 | 0726DA8B5DF0D79B1D9CF73AE7ED6361C7FC183D
SHA256 | E537F6064E582602E4F1E64A6FDBCE2C7A6FD923D7B39D91BC3C1B5052340210
SSDEEP | 1536:+fQzl3ZpWh+QO3uMdS9dSttRJwyE/4XZlLAr+cd5UG:+fQzl3ZpWh+QO3uMdS9dSttRJwyE/4XI
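Before handling a copy of this sample, confirm it is the file the report describes. The following Python is an added example, not part of the ANY.RUN report: it checks for the OLE2 compound-file signature (the report's "Composite Document File V2" and `application/vnd.ms-excel` both mean a legacy binary .xls, not an OOXML zip or an HTML file renamed to .xls) and compares MD5/SHA-1/SHA-256 against the values listed above. `CONSTRUCTED_SAMPLE` is a made-up 512-byte header used only so the script runs offline; its hashes deliberately do not match.

```python
import hashlib

# Hashes exactly as listed in the report above.
REPORT_HASHES = {
    "md5": "B1D34757594DC11A3FA9F917083C4358",
    "sha1": "0726DA8B5DF0D79B1D9CF73AE7ED6361C7FC183D",
    "sha256": "E537F6064E582602E4F1E64A6FDBCE2C7A6FD923D7B39D91BC3C1B5052340210",
}

# Signature of a Compound File Binary (OLE2) container; a legacy .xls is one.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

# Constructed stand-in for a sample: a 512-byte OLE2 header of zeros behind the
# magic. It is NOT the report's file, so its hashes will not match.
CONSTRUCTED_SAMPLE = OLE2_MAGIC + b"\x00" * (512 - len(OLE2_MAGIC))


def file_hashes(data: bytes) -> dict:
    """Lowercase hex MD5, SHA-1 and SHA-256 of the buffer."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_ole2(data: bytes) -> bool:
    """True if the buffer starts with the OLE2 compound-file signature."""
    return data[:8] == OLE2_MAGIC


def compare_to_report(data: bytes, report: dict = REPORT_HASHES) -> dict:
    """Per-algorithm match against the reported hashes (case-insensitive)."""
    got = file_hashes(data)
    return {algo: got[algo] == expected.lower() for algo, expected in report.items()}


def triage(data: bytes) -> dict:
    """What a responder wants before opening anything: container type and identity."""
    per_hash = compare_to_report(data)
    return {
        "is_ole2": is_ole2(data),
        "hash_match": all(per_hash.values()),
        "per_hash": per_hash,
        "hashes": file_hashes(data),
    }


if __name__ == "__main__":
    import sys

    # Run against a file on disk if a path is given, else the constructed stand-in.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = CONSTRUCTED_SAMPLE
    for key, value in triage(data).items():
        print(f"{key}: {value}")
```

A full match on all three hashes means you hold exactly the file that was detonated; a mismatch on a file received "from the same campaign" is normal and means the report's network behaviour cannot be assumed for your copy. A buffer that fails `is_ole2` despite the .xls extension is worth a second look on its own. Extracting the VBA or Excel 4.0 macro content is a separate step (tools such as olevba or oledump do it) and is not shown here.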
Field | Value
---|---
File type (TrID) | .xls, Microsoft Excel sheet (78.9%)
CreateDate | 2019:11:19 14:58:31
ModifyDate | 2019:11:20 21:49:32
Security | None
CodePage | Windows Latin 1 (Western European)
AppVersion | 16 (Office 2016-generation build; note the sandbox opened it in Office 2010, see the office14client request with build=14.0.6023 below)
ScaleCrop | No
LinksUpToDate | No
SharedDoc | No
HyperlinksChanged | No
TitleOfParts |
HeadingPairs |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 301 | 104.31.81.81:80 | http://filebin.ca/favicon.ico | US | — | — | suspicious |
— | — | POST | 301 | 104.31.81.81:80 | http://filebin.ca/?__cf_chl_jschl_tk__=092f4a17263396799865db6878e6026b1bab3aaa-1579295612-0-AdugNXVwF9VErpbsM4oWX93Q6cr0B0t6-R2g6CmlRtdBaiwCQKPhk1qbtWKdELf1_0BNGTcPzIsoxQ9lgvlmJXu-gwURCo8xzlslzDr9395J7tkA__LMLe4lpUpw6K1C7CkRw4-Ys8XNqaX0mI12T7QwG9nmhCDgxsK8q6IAL-xtN4v-jSkxBqzmHhNBaYw2l6CA9EpVyt5fW_W7KC0JNbYpAJW6X5UKy2nWoHoGPRzVN2heNfGpXCDvwJ2wlb-ygJHVZq42BfIDljLQWxbvolE | US | — | — | suspicious |
— | — | GET | 200 | 172.217.132.6:80 | http://r1---sn-5hne6nsd.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mip=84.17.36.75&mm=28&mn=sn-5hne6nsd&ms=nvh&mt=1579295537&mv=m&mvi=0&pl=24&shardbypass=yes | US | crx | 293 Kb | whitelisted |
— | — | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQu7Xbjq6rqggE7PFAsQRgy8Q8tzwQUkEeKG4TToN%2BkJNYZtBf1IaOym6gCEA7fr0YLsTZHJYxFeyuWNYA%3D | US | der | 471 b | whitelisted |
— | — | GET | 200 | 23.37.43.27:80 | http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEHiupDHBXOt1ew2KYQp0jmc%3D | NL | der | 1.71 Kb | shared |
— | — | GET | 200 | 52.109.88.8:80 | http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={538F6C89-2AD5-4006-8154-C6670774E980}&build=14.0.6023 | NL | xml | 1.99 Kb | whitelisted |
— | — | GET | 302 | 172.217.22.14:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx | US | html | 512 b | whitelisted |
— | — | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D | US | der | 471 b | whitelisted |
— | — | GET | 503 | 104.31.81.81:80 | http://filebin.ca/ | US | html | 15.8 Kb | suspicious |
— | — | GET | 302 | 172.217.22.14:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | html | 507 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 216.58.205.227:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
— | — | 52.109.120.28:443 | rr.office.microsoft.com | Microsoft Corporation | HK | whitelisted |
— | — | 52.109.88.8:80 | office14client.microsoft.com | Microsoft Corporation | NL | whitelisted |
— | — | 216.58.207.74:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
— | — | 172.217.16.131:443 | www.google.com.ua | Google Inc. | US | whitelisted |
— | — | 172.217.22.35:443 | www.gstatic.com | Google Inc. | US | whitelisted |
— | — | 172.217.16.173:443 | accounts.google.com | Google Inc. | US | whitelisted |
— | — | 172.217.18.4:443 | www.google.com | Google Inc. | US | whitelisted |
— | — | 104.31.81.81:80 | filebin.ca | Cloudflare Inc | US | shared |
— | — | 172.217.21.206:443 | ogs.google.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation
---|---|---
office14client.microsoft.com | | whitelisted
rr.office.microsoft.com | | whitelisted
clientservices.googleapis.com | | whitelisted
accounts.google.com | | shared
www.google.com.ua | | whitelisted
fonts.googleapis.com | | whitelisted
www.gstatic.com | | whitelisted
fonts.gstatic.com | | whitelisted
apis.google.com | | whitelisted
ogs.google.com | | whitelisted
PID | Process | Class | Message |
---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET POLICY Http Client Body contains pass= in cleartext |
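Most of the network rows above are sandbox background noise (OCSP, Office configuration, Chrome Web Store component updates) rather than sample behaviour. The following Python is an added example, not part of the ANY.RUN report: it parses the pipe-delimited HTTP-request and connection rows, merges them per host, keeps the worst reputation label seen for each host and drops everything below a threshold, leaving the candidate IOCs. The embedded rows are a subset copied from the tables above (the long Cloudflare-challenge POST row is left out only for length); the `RANK` ordering and the `min_rank` parameter are assumptions of this example.

```python
from urllib.parse import urlsplit

# Subset of rows copied from the HTTP-requests and connections tables of the
# report above (the Cloudflare-challenge POST row is left out only for length).
HTTP_ROWS = """\
— | — | GET | 301 | 104.31.81.81:80 | http://filebin.ca/favicon.ico | US | — | — | suspicious
— | — | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQu7Xbjq6rqggE7PFAsQRgy8Q8tzwQUkEeKG4TToN%2BkJNYZtBf1IaOym6gCEA7fr0YLsTZHJYxFeyuWNYA%3D | US | der | 471 b | whitelisted
— | — | GET | 200 | 52.109.88.8:80 | http://office14client.microsoft.com/config14?UILCID=1033&CLCID=1033&ILCID=1033&HelpLCID=1033&App={538F6C89-2AD5-4006-8154-C6670774E980}&build=14.0.6023 | NL | xml | 1.99 Kb | whitelisted
— | — | GET | 503 | 104.31.81.81:80 | http://filebin.ca/ | US | html | 15.8 Kb | suspicious
"""

CONN_ROWS = """\
— | — | 216.58.205.227:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
— | — | 52.109.88.8:80 | office14client.microsoft.com | Microsoft Corporation | NL | whitelisted
— | — | 104.31.81.81:80 | filebin.ca | Cloudflare Inc | US | shared
"""

# Assumed ordering of the sandbox's reputation labels, worst last.
RANK = {"whitelisted": 0, "shared": 1, "suspicious": 2, "malicious": 3}


def split_row(line: str) -> list:
    """Split one pipe-delimited table row into stripped cells."""
    return [cell.strip() for cell in line.strip().strip("|").split("|")]


def parse_http(text: str) -> list:
    """HTTP table: PID | Process | Method | Code | IP:port | URL | CN | Type | Size | Reputation."""
    rows = []
    for line in text.splitlines():
        cells = split_row(line)
        if len(cells) != 10:
            continue  # header, separator or a row that did not survive extraction
        _, _, method, code, ip_port, url, _, _, _, rep = cells
        rows.append({"host": urlsplit(url).hostname, "ip": ip_port.rsplit(":", 1)[0],
                     "url": url, "method": method, "status": code, "reputation": rep})
    return rows


def parse_conn(text: str) -> list:
    """Connections table: PID | Process | IP:port | Domain | ASN | CN | Reputation."""
    rows = []
    for line in text.splitlines():
        cells = split_row(line)
        if len(cells) != 7:
            continue
        _, _, ip_port, domain, asn, _, rep = cells
        rows.append({"host": domain, "ip": ip_port.rsplit(":", 1)[0],
                     "asn": asn, "reputation": rep})
    return rows


def triage_iocs(http_text: str, conn_text: str, min_rank: int = 1) -> dict:
    """Merge both tables per host, keep the worst reputation seen, drop hosts below min_rank."""
    hosts = {}
    for row in parse_http(http_text) + parse_conn(conn_text):
        entry = hosts.setdefault(row["host"], {"reputation": "whitelisted",
                                               "ips": set(), "urls": set(), "asn": None})
        if RANK.get(row["reputation"], 0) > RANK[entry["reputation"]]:
            entry["reputation"] = row["reputation"]
        entry["ips"].add(row["ip"])
        if "url" in row:
            entry["urls"].add(row["url"])
        if row.get("asn"):
            entry["asn"] = row["asn"]
    return {
        host: {"reputation": e["reputation"], "ips": sorted(e["ips"]),
               "urls": sorted(e["urls"]), "asn": e["asn"]}
        for host, e in sorted(hosts.items())
        if RANK[e["reputation"]] >= min_rank
    }


if __name__ == "__main__":
    for host, info in triage_iocs(HTTP_ROWS, CONN_ROWS).items():
        print(host, info)
```

On the rows above this leaves a single host, filebin.ca, behind Cloudflare on 104.31.81.81. Treat that indicator with care: filebin.ca is a public file-sharing service (the connections table itself rates it "shared"), so the domain and IP are weak IOCs on their own, and the specific resource is what matters. The report shows the only POST answered with a 301 carrying a `__cf_chl_jschl_tk__` token (a Cloudflare JavaScript challenge) and the root GET answered 503, so whatever the document tried to fetch or upload was not actually transferred in this run; the ET POLICY alert about `pass=` in a cleartext client body is the one hint at what that POST contained.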