Windows Analysis Report
11587 DUBAI BURJ KHALIFA LLC SUPPLIES & SERVICES CO LLC 6000083650.xls

Overview

General Information

Sample name: 11587 DUBAI BURJ KHALIFA LLC SUPPLIES & SERVICES CO LLC 6000083650.xls
Analysis ID: 1427894
MD5: 1b73adcb8a81f3c16c93d068ef96e71c
SHA1: 51a531d12af8a4146a1986c81062b52d97d39f3d
SHA256: d54c6022fce79e44ae05bba1f148fe83b3991c7c6bd8a8efd19f4d615bf15a96
Tags: xls

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Microsoft Office drops suspicious files
Yara detected MalDoc
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication

AV Detection

Source: pop.tg Virustotal: Detection: 6%
Source: 11587 DUBAI BURJ KHALIFA LLC SUPPLIES & SERVICES CO LLC 6000083650.xls ReversingLabs: Detection: 28%
Source: 11587 DUBAI BURJ KHALIFA LLC SUPPLIES & SERVICES CO LLC 6000083650.xls Virustotal: Detection: 22%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 172.67.206.230:443 -> 192.168.2.22:49162 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.230:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.230:443 -> 192.168.2.22:49167 version: TLS 1.2

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\main[1].js
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: global traffic DNS query: name: pop.tg
Source: global traffic DNS query: name: www.pop.tg

Networking

Source: Yara match File source: 11587 DUBAI BURJ KHALIFA LLC SUPPLIES & SERVICES CO LLC 6000083650.xls, type: SAMPLE
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: global traffic HTTP traffic detected:
    GET / HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: www.pop.tg
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /dist/main.css HTTP/1.1
    Accept: */*
    Referer: https://www.pop.tg/
    Accept-Language: en-US
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: www.pop.tg
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /global.css HTTP/1.1
    Accept: */*
    Referer: https://www.pop.tg/
    Accept-Language: en-US
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: www.pop.tg
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /dist/main.js HTTP/1.1Accept: */*Referer: https://www.pop.tg/Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.pop.tgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /IGWYr HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: pop.tgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /IGWYr HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: pop.tgConnection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E3092323.emf Jump to behavior
Source: unknown DNS traffic detected: queries for: pop.tg
Source: index[1].html0.0.dr, index[1].html.0.dr String found in binary or memory: http://ogp.me/ns#
Source: 11587 DUBAI BURJ KHALIFA LLC SUPPLIES & SERVICES CO LLC 6000083650.xls, C2030000.0.dr String found in binary or memory: http://pop.tg/IGWYr
Source: index[1].html0.0.dr, index[1].html.0.dr String found in binary or memory: https://fonts.googleapis.com
Source: index[1].html0.0.dr, index[1].html.0.dr String found in binary or memory: https://fonts.googleapis.com/css2?family=Atkinson
Source: index[1].html0.0.dr, index[1].html.0.dr String found in binary or memory: https://fonts.gstatic.com
Source: css2[1].css.0.dr String found in binary or memory: https://fonts.gstatic.com/l/font?kit=9Bt23C1KxNDXMspQ1lPyU89-1h6ONRlW45GE5A&skey=273537385173c67e&v=
Source: index[1].html0.0.dr, index[1].html.0.dr String found in binary or memory: https://www.pop.tg
Source: unknown Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49162
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown HTTPS traffic detected: 172.67.206.230:443 -> 192.168.2.22:49162 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.230:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.230:443 -> 192.168.2.22:49167 version: TLS 1.2

System Summary

Source: Screenshot number: 8 Screenshot OCR: document is protected Open :he Qxumem h MKmsot mer 1 Prmevmq (M ^e is 2 net m be prc' aed dcjc
Source: Screenshot number: 12 Screenshot OCR: document is protected 11 1 Tabb 12 13 14 15 16 17 2m Qxumem h Ckkc!' "' ' ' ' K.Kmsot mer
Source: 11587 DUBAI BURJ KHALIFA LLC SUPPLIES & SERVICES CO LLC 6000083650.xls OLE: Microsoft Excel 2007+
Source: ~DFB6DE027B7CC70010.TMP.0.dr OLE: Microsoft Excel 2007+
Source: C2030000.0.dr OLE: Microsoft Excel 2007+
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\main[1].js Jump to behavior
Source: 11587 DUBAI BURJ KHALIFA LLC SUPPLIES & SERVICES CO LLC 6000083650.xls OLE indicator, VBA macros: true
Source: 11587 DUBAI BURJ KHALIFA LLC SUPPLIES & SERVICES CO LLC 6000083650.xls Stream path 'MBD0004D5A8/\x1Ole' : http://pop.tg/IGWYrmb[m+JMki1<vo]ul+@i1`Ns4!Z667H:jR59?5WANacmg]X"gQA,+e6nH|-J'!yQqctR55kd=w)Kw%#3|LxnU*&MEtaw)b3fM]j4r0uSuqRqBB2VcrBWoKeorLEDi0JHt2kOcEoTGs76Z4uJkcJi9lOeCcnQfX1km36ja2kJKYNsFPBRJV4QHfzGocYYVYSvhD97Bh2CgMvQNwX8yPJLrkmnS3h4qdmiePSxp5xy3VBI+LN+R;\BKS%32
Source: C2030000.0.dr Stream path 'MBD0004D5A8/\x1Ole' : http://pop.tg/IGWYrmb[m+JMki1<vo]ul+@i1`Ns4!Z667H:jR59?5WANacmg]X"gQA,+e6nH|-J'!yQqctR55kd=w)Kw%#3|LxnU*&MEtaw)b3fM]j4r0uSuqRqBB2VcrBWoKeorLEDi0JHt2kOcEoTGs76Z4uJkcJi9lOeCcnQfX1km36ja2kJKYNsFPBRJV4QHfzGocYYVYSvhD97Bh2CgMvQNwX8yPJLrkmnS3h4qdmiePSxp5xy3VBI+LN+R;\BKS%32
Source: ~DFB6DE027B7CC70010.TMP.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: classification engine Classification label: mal88.troj.expl.winXLS@10/28@2/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR6315.tmp Jump to behavior
Source: 11587 DUBAI BURJ KHALIFA LLC SUPPLIES & SERVICES CO LLC 6000083650.xls OLE indicator, Workbook stream: true
Source: C2030000.0.dr OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: 11587 DUBAI BURJ KHALIFA LLC SUPPLIES & SERVICES CO LLC 6000083650.xls ReversingLabs: Detection: 28%
Source: 11587 DUBAI BURJ KHALIFA LLC SUPPLIES & SERVICES CO LLC 6000083650.xls Virustotal: Detection: 22%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: unknown unknown Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: ~DFB6DE027B7CC70010.TMP.0.dr Initial sample: OLE indicators vbamacros = False
Source: 11587 DUBAI BURJ KHALIFA LLC SUPPLIES & SERVICES CO LLC 6000083650.xls Initial sample: OLE indicators encrypted = True
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: 11587 DUBAI BURJ KHALIFA LLC SUPPLIES & SERVICES CO LLC 6000083650.xls Stream path 'MBD0004D5A5/CONTENTS' entropy: 7.9671168067 (max. 8.0)
Source: 11587 DUBAI BURJ KHALIFA LLC SUPPLIES & SERVICES CO LLC 6000083650.xls Stream path 'Workbook' entropy: 7.99546868067 (max. 8.0)
Source: C2030000.0.dr Stream path 'MBD0004D5A5/CONTENTS' entropy: 7.9671168067 (max. 8.0)
Source: C2030000.0.dr Stream path 'Workbook' entropy: 7.99770345374 (max. 8.0)