Windows Analysis Report
Ref_Order04.xls

Overview

General Information

Sample name:	Ref_Order04.xls
Analysis ID:	1430742
MD5:	5b24902f7744cc11bd53c183497fbaf7
SHA1:	b70311f80381bd3b80d65a99e46bc390f91ea576
SHA256:	2b49a09f9adf8b45deac6c22dd8ff0409fff3092196327c4e231ae4245a289a1
Tags:	xls
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Document exploit detected (process start blacklist hit)

Document embeds suspicious OLE2 link

IP address seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Sigma detected: Excel Network Connections

Sigma detected: Suspicious Office Outbound Connections

Uses a known web browser user agent for HTTP communication

Classification

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://bun.is/mjai39

Avira URL Cloud: Label: phishing

Multi AV Scanner detection for domain / URL

Source: bun.is	Virustotal: Detection: 7%			Perma Link
Source: http://bun.is/mjai39	Virustotal: Detection: 6%			Perma Link

Multi AV Scanner detection for submitted file

Source: Ref_Order04.xls	ReversingLabs: Detection: 26%
Source: Ref_Order04.xls	Virustotal: Detection: 27%			Perma Link

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: bun.is

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 76.76.21.98:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 76.76.21.98:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 76.76.21.98:80
Source: global traffic	TCP traffic: 76.76.21.98:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 76.76.21.98:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 76.76.21.98:80
Source: global traffic	TCP traffic: 76.76.21.98:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 76.76.21.98:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 76.76.21.98:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 76.76.21.98:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 76.76.21.98:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 76.76.21.98:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 76.76.21.98:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 76.76.21.98:80
Source: global traffic	TCP traffic: 76.76.21.98:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 76.76.21.98:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 76.76.21.98:80
Source: global traffic	TCP traffic: 76.76.21.98:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 76.76.21.98:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 76.76.21.98:80
Source: global traffic	TCP traffic: 76.76.21.98:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 76.76.21.98:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 76.76.21.98:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 76.76.21.98:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 76.76.21.98:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 76.76.21.98:80
Source: global traffic	TCP traffic: 76.76.21.98:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 76.76.21.98:80
Source: global traffic	TCP traffic: 76.76.21.98:80 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 76.76.21.98:80
Source: global traffic	TCP traffic: 76.76.21.98:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 76.76.21.98:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 76.76.21.98:80
Source: global traffic	TCP traffic: 76.76.21.98:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 76.76.21.98:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 76.76.21.98:80
Source: global traffic	TCP traffic: 76.76.21.98:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 76.76.21.98:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 76.76.21.98:80
Source: global traffic	TCP traffic: 76.76.21.98:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 76.76.21.98:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 76.76.21.98:80
Source: global traffic	TCP traffic: 76.76.21.98:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 76.76.21.98:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 76.76.21.98:80
Source: global traffic	TCP traffic: 76.76.21.98:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 76.76.21.98:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 76.76.21.98:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 76.76.21.98:80
Source: global traffic	TCP traffic: 76.76.21.98:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 76.76.21.98:80
Source: global traffic	TCP traffic: 76.76.21.98:80 -> 192.168.2.22:49166

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 76.76.21.98 76.76.21.98
Source: Joe Sandbox View	IP Address: 76.76.21.98 76.76.21.98

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /mjai39 HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: bun.isConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mjai39 HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: bun.isConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EFC4C163.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /mjai39 HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: bun.isConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mjai39 HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: bun.isConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: bun.is

Source: Ref_Order04.xls

String found in binary or memory: http://bun.is/mjai39

Document embeds suspicious OLE2 link

Source: Ref_Order04.xls	Stream path 'MBD0001E586/\x1Ole' : http://bun.is/mjai39-j\A891?FGDQ\|ucU*#-Lg6v!x(-bg<mUDbSQUM&L%4dt$~UHE;byDv.VMg_YrDb44OnweBsbwZ8kVjliLIgse6e9KmKeYs5in1s7zvqNaevsxLk1,2yJe6k)6wu
Source: 2D030000.0.dr	Stream path 'MBD0001E586/\x1Ole' : http://bun.is/mjai39-j\A891?FGDQ\|ucU*#-Lg6v!x(-bg<mUDbSQUM&L%4dt$~UHE;byDv.VMg_YrDb44OnweBsbwZ8kVjliLIgse6e9KmKeYs5in1s7zvqNaevsxLk1,2yJe6k)6wu

Source: classification engine

Classification label: mal68.expl.winXLS@10/23@1/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR7187.tmp

Jump to behavior

Source: Ref_Order04.xls	OLE indicator, Workbook stream: true
Source: 2D030000.0.dr	OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Ref_Order04.xls	ReversingLabs: Detection: 26%
Source: Ref_Order04.xls	Virustotal: Detection: 27%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: Ref_Order04.xls

Initial sample: OLE indicators vbamacros = False

Source: Ref_Order04.xls

Initial sample: OLE indicators encrypted = True

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Ref_Order04.xls	Stream path 'MBD0001E584/CONTENTS' entropy: 7.9671168067 (max. 8.0)
Source: Ref_Order04.xls	Stream path 'Workbook' entropy: 7.99574118621 (max. 8.0)
Source: 2D030000.0.dr	Stream path 'MBD0001E584/CONTENTS' entropy: 7.9671168067 (max. 8.0)
Source: 2D030000.0.dr	Stream path 'Workbook' entropy: 7.99780744556 (max. 8.0)

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
76.76.21.98	bun.is	United States		16509	AMAZON-02US	false

Contacted Domains

Name	IP	Active
bun.is	76.76.21.98	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://bun.is/mjai39	false	7%, Virustotal, Browse Avira URL Cloud: phishing	unknown

ID:	1430742
Product:	CloudBasic
Start time:	06:49:49
Start date:	24.04.2024
Sample:	Ref_Order04.xls
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	5b24902f7744cc11bd53c183497fbaf7
SHA1:	b70311f80381bd3b80d65a99e46bc390f91ea576
SHA256:	2b49a09f9adf8b45deac6c22dd8ff0409fff3092196327c4e231ae4245a289a1
Filetype:	Microsoft Excel sheet (30009/1) 78.94%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_1	data	7E3D4B739F9FA9DD2E64442186DFE098	88E2764FE0BB443866877C5B332BE3DC3A907AD2	D3A8660490BB7C951FA100B46C85195F71F1BB894207896F43AEBCF423076C5E
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG	ASCII text	3D6981488EE65ACBA1EC63A2C907A9AB	C789C66896DAC90EE9B9D8DA41DCA010C28E5159	9C5D1B8596C120FA4A5E1BF0303FBAF38F7D06BABA39B6D2E5CB9A222ECEF961
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)	ASCII text	3D6981488EE65ACBA1EC63A2C907A9AB	C789C66896DAC90EE9B9D8DA41DCA010C28E5159	9C5D1B8596C120FA4A5E1BF0303FBAF38F7D06BABA39B6D2E5CB9A222ECEF961
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old~RF5ff8c1.TMP (copy)	ASCII text	3D6981488EE65ACBA1EC63A2C907A9AB	C789C66896DAC90EE9B9D8DA41DCA010C28E5159	9C5D1B8596C120FA4A5E1BF0303FBAF38F7D06BABA39B6D2E5CB9A222ECEF961
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links	data	FD55D575475A6BD81B055F46FA34BA8B	289A6344929F221E19D2F9097A5907FE42C03855	261CE45767DBF1E61AAF67C5EC1D75C2FF5C02681DF96897D5B0EC56A0F8C2AB
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst (copy)	PostScript document text	4D5E3CD969F14362210F0473720C5528	AFD90E9888759B809F78E87D5550B601A288A0A3	79D95D01FDE7FC7C890CD62734A7F203B12A5D44A56D6009D0E43E40D99682AE
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt16.lst.3132	PostScript document text	4D5E3CD969F14362210F0473720C5528	AFD90E9888759B809F78E87D5550B601A288A0A3	79D95D01FDE7FC7C890CD62734A7F203B12A5D44A56D6009D0E43E40D99682AE
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst (copy)	PostScript document text	4D5E3CD969F14362210F0473720C5528	AFD90E9888759B809F78E87D5550B601A288A0A3	79D95D01FDE7FC7C890CD62734A7F203B12A5D44A56D6009D0E43E40D99682AE
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst (copy)	PostScript document text	63B24EA3A13EAC476D6309BB202EF459	89502C393549C20C933E4553F51F74F3DBE085EF	2B4BE0BED267BBD4E4FFFC912A6C7ED6A8D4735DCF9B69FF90F37CDDEF4110EA
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt16.lst.3132	PostScript document text	63B24EA3A13EAC476D6309BB202EF459	89502C393549C20C933E4553F51F74F3DBE085EF	2B4BE0BED267BBD4E4FFFC912A6C7ED6A8D4735DCF9B69FF90F37CDDEF4110EA
C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat	data	B4621E956E08FFC84D8E099B27014FEE	CB4604EED70C03ABADD11C5EF15E566B8A9802E4	0C42B243A4C3673436D22F0C51033E2306005CDB0CFCB82A849452BD3E741CF7
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\74B64408.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	9ABE7EB352E0DB96B52C99AC2FDEA85F	8DC45D02308275BA32B7FFB320A3042256D40C8B	EC022DFF1CC8251BA9D849C16431914635473FC5457AE73AA277651B47948869
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\93FFC36E.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	6B99820E458A1554581172871C434794	AA00D426A3839A846BC0AF34F9482436B4644A21	DF2A8C72AACDBCA3E8A08E06B12883E26FDBDD897663066C1CF2E2ADC191DBFB
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EFC4C163.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	91332E8817A65272B66F6E4358538A1E	D78D03B17F1BA6148A466494DAA7C800CD977EE4	AE74113545E649795ABE01344C3BC2243F089D32F5187A6E76DB47EF0218A41E
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F45EDAE1.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	B6DFB3AA7AC4A1A52336C30FA821857B	66ECB808A516AC5B07A01CDFCAD65FD7B9907619	E22202331F689D7568E674B0DCD895DF66FAC5980498F05A846DE244AB3394C4
C:\Users\user\AppData\Local\Temp\~DF4B56670EB3637289.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\user\AppData\Local\Temp\~DF64D55B2DB0DD8C11.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\user\AppData\Local\Temp\~DFB539EB711BE446FF.TMP	data	FE33C379A1B420B679015AE46AAB85A0	D07BF94EC2A04D0BE7DDEBDAB52ABE589CDB49DD	6B94BEA53556D9C2E58DCCBA1AF0C70F19003211F86D08FBFCC240E59FD2F162
C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_store	data	C61F99FE7BEE945FC31B62121BE075CD	083BBD0568633FECB8984002EB4FE8FA08E17DD9	1E0973F4EDEF345D1EA8E90E447B9801FABDE63A2A1751E63B91A8467E130732
C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_storei	data	520FE964934AF1AB0CEBA2366830D0FA	B90310ACA870261CB619FDFD1E54E1B1A25074FF	DBD45EEA386D364B30BA189E079BFA05C2C40D9E5E83722C39A171998ED079C1
C:\Users\user\Desktop\2D030000	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Apr 24 05:51:17 2024, Security: 1	FB94BDA2B8A5908CA1EFDAA64278667C	C581CA896A6EA34CC8A8346D75918FC883699FA5	3FD72127EF7CA095F58D8A3348BCA17479F12B9CFC6D10B8F43CF868329090CB
C:\Users\user\Desktop\2D030000:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\Desktop\Ref_Order04.xls (copy)	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Apr 24 05:51:17 2024, Security: 1	FB94BDA2B8A5908CA1EFDAA64278667C	C581CA896A6EA34CC8A8346D75918FC883699FA5	3FD72127EF7CA095F58D8A3348BCA17479F12B9CFC6D10B8F43CF868329090CB

Windows Analysis Report
Ref_Order04.xls

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report Ref_Order04.xls

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Ref_Order04.xls