Windows Analysis Report
Employee_PTO_Calculator_Tracker_Excel_Template_v2_3.xlsx

Overview

General Information

Sample name:Employee_PTO_Calculator_Tracker_Excel_Template_v2_3.xlsx
Analysis ID:1431695
MD5:026105386d912668f0adaa56f57a56fa
SHA1:cef04163417810b11b1b3e519ad9afbb0b0e8434
SHA256:d90404256a0ab420641745da8c3284c28cd0806ea2a2571854a31b558ac6a447

Detection

Score:2
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections

Classification

Analysis Advice

No malicious behavior found; analyze the document on other versions of Office / Acrobat as well.
Uses HTTPS for network communication; use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis.
Process Tree

  • System is w10x64_ra
  • EXCEL.EXE (PID: 7140 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\Employee_PTO_Calculator_Tracker_Excel_Template_v2_3.xlsx" MD5: 4A871771235598812032C822E6F68F19)
    • splwow64.exe (PID: 1216 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
  • cleanup
No yara matches
Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton | Data: DestinationIp: 13.107.246.41, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7140, Protocol: tcp, SourceIp: 192.168.2.16, SourceIsIpv6: false, SourcePort: 49716
Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.16, DestinationIsIpv6: false, DestinationPort: 49716, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7140, Protocol: tcp, SourceIp: 13.107.246.41, SourceIsIpv6: false, SourcePort: 443
No Snort rule has matched
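The two Sigma matches above are Sysmon Event ID 3 (network connection) records. Note that the second one has the endpoints reversed: SourceIp is the remote 13.107.246.41:443 and DestinationIp is the sandbox host, yet Initiated is still true and the image is still EXCEL.EXE, so a detector that only inspects DestinationIp would file that record as an internal connection. The Python below is an added illustration, not code from Joe Sandbox or from the Sigma rule authors: it re-implements what the two rule names imply (an Office image on EID 3; an Office image initiating a connection to a non-local peer) over such records, without reproducing the real rules' YAML. The first two records are copied from the report, the remaining two are constructed. The caveat these matches carry on a clean document is that Office itself talks to Microsoft services (13.107.0.0/16 is Microsoft-registered address space), which is why the verdict here stays at score 2; treat the rules as enrichment, and pivot on the destination hostname and on where the document came from before escalating.

```python
import ipaddress
from typing import Iterable

# Sysmon Event ID 3 field names. The first two records are copied from the
# report above; the last two are constructed for the demonstration and test.
EVENTS = [
    {"EventID": 3, "Image": r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
     "ProcessId": 7140, "Initiated": True, "Protocol": "tcp",
     "SourceIp": "192.168.2.16", "SourcePort": 49716,
     "DestinationIp": "13.107.246.41", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
     "ProcessId": 7140, "Initiated": True, "Protocol": "tcp",
     "SourceIp": "13.107.246.41", "SourcePort": 443,
     "DestinationIp": "192.168.2.16", "DestinationPort": 49716},
    # constructed: Excel opening a share on an internal file server (not a public peer)
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ProcessId": 4242, "Initiated": True, "Protocol": "tcp",
     "SourceIp": "192.168.2.16", "SourcePort": 50001,
     "DestinationIp": "192.168.2.5", "DestinationPort": 445},
    # constructed: a browser reaching the same public address, outside both rules' scope
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ProcessId": 9001, "Initiated": True, "Protocol": "tcp",
     "SourceIp": "192.168.2.16", "SourcePort": 50002,
     "DestinationIp": "13.107.246.41", "DestinationPort": 443},
]

OFFICE_IMAGES = ("\\excel.exe", "\\winword.exe", "\\powerpnt.exe",
                 "\\outlook.exe", "\\msaccess.exe", "\\mspub.exe")


def is_local(ip: str) -> bool:
    """RFC 1918, loopback and link-local count as 'inside'."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local


def remote_peer(ev: dict) -> tuple:
    """Pick the non-local side of the connection. The second record above
    carries the server side in SourceIp; using DestinationIp alone would
    mislabel that leg as an internal connection."""
    dst, src = ev["DestinationIp"], ev["SourceIp"]
    if is_local(dst) and not is_local(src):
        return src, ev["SourcePort"]
    return dst, ev["DestinationPort"]


def excel_network_connection(ev: dict) -> bool:
    """Any EID 3 record produced by EXCEL.EXE, regardless of direction."""
    return ev.get("EventID") == 3 and ev.get("Image", "").lower().endswith("\\excel.exe")


def suspicious_office_outbound(ev: dict) -> bool:
    """An Office process initiating a connection whose remote peer is public."""
    if ev.get("EventID") != 3 or not ev.get("Initiated"):
        return False
    if not ev.get("Image", "").lower().endswith(OFFICE_IMAGES):
        return False
    ip, _ = remote_peer(ev)
    return not is_local(ip)


RULES = {
    "Excel Network Connections": excel_network_connection,
    "Suspicious Office Outbound Connections": suspicious_office_outbound,
}


def detect(events: Iterable) -> list:
    """Return (rule, pid, remote_ip, remote_port) for every rule that fires."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                ip, port = remote_peer(ev)
                hits.append((name, ev["ProcessId"], ip, port))
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

Both report records produce both findings once the peer is normalised; the internal SMB connection trips only the broad Excel rule, and the browser trips neither. That is the behaviour to expect from these rules in production: a steady stream of Office-to-Microsoft hits that needs hostname enrichment or a known-destination baseline to become actionable.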

No malicious signatures matched; the informational signature results are listed below.

Source: unknown | HTTPS traffic detected: 13.107.246.41:443 -> 192.168.2.16:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.246.41:443 -> 192.168.2.16:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.246.41:443 -> 192.168.2.16:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.246.41:443 -> 192.168.2.16:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.246.41:443 -> 192.168.2.16:49718 version: TLS 1.2
Source: global traffic | TCP traffic (condensed; the original listing repeats one record per packet, many of them identical):
  client (sandbox host)       server (remote peer)    records            TLS handshake recorded above
  192.168.2.16:49716    ->    13.107.246.41:443       both directions    TLS 1.2
  192.168.2.16:49717    ->    13.107.246.41:443       both directions    TLS 1.2
  192.168.2.16:49718    ->    13.107.246.41:443       both directions    TLS 1.2
  192.168.2.16:49719    ->    13.107.246.41:443       both directions    TLS 1.2
  192.168.2.16:49720    ->    13.107.246.41:443       both directions    TLS 1.2
  192.168.2.16:49721    ->    13.107.246.41:443       both directions    not recorded
  192.168.2.16:49722    ->    13.107.246.41:443       both directions    not recorded
  192.168.2.16:49723    ->    13.107.246.41:443       both directions    not recorded
  192.168.2.16:49724    ->    13.107.246.41:443       both directions    not recorded
  192.168.2.16:49725    ->    13.107.246.41:443       both directions    not recorded
  Ten flows, one remote peer (13.107.246.41:443); no other destination address or port appears in the capture.
Source: excel.exe | Memory has grown: Private usage: 1MB later: 102MB
Source: unknown | Network traffic detected: HTTP traffic on port 443, in both directions, for each of the ten client ports 49716-49725 (443 -> 497xx and 497xx -> 443; twenty records in the original listing)
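The per-flow view of the traffic section can be computed directly from the raw lines the sandbox emits ('TCP traffic: A:p -> B:q' and 'HTTPS traffic detected: A:p -> B:q version: ...'). The Python below is an added example, not Joe Sandbox tooling: it orients each record by assuming the lower-numbered port is the service side (true for every flow in this report, where all of them end at 443; the assumption is stated in the code), counts records per direction, attaches the recorded TLS version to its flow, and reduces the listing to the question that matters for triage, namely how many distinct remote peers EXCEL.EXE reached. The sample log is a constructed excerpt in the line format used above.

```python
import re
from collections import OrderedDict
from dataclasses import dataclass, field

# Constructed excerpt in the exact line format of the report: a few of the
# many 'global traffic' records for two flows, one TLS-version line, and one
# unrelated line the parser has to ignore.
SAMPLE_LOG = """\
Source: global trafficTCP traffic: 192.168.2.16:49716 -> 13.107.246.41:443
Source: global trafficTCP traffic: 192.168.2.16:49716 -> 13.107.246.41:443
Source: global trafficTCP traffic: 13.107.246.41:443 -> 192.168.2.16:49716
Source: global trafficTCP traffic: 192.168.2.16:49717 -> 13.107.246.41:443
Source: unknownHTTPS traffic detected: 13.107.246.41:443 -> 192.168.2.16:49716 version: TLS 1.2
Source: excel.exeMemory has grown: Private usage: 1MB later: 102MB
"""

TCP_RE = re.compile(r"TCP traffic: (\S+):(\d+) -> (\S+):(\d+)")
TLS_RE = re.compile(r"HTTPS traffic detected: (\S+):(\d+) -> (\S+):(\d+) version: (.+)$")


@dataclass
class Flow:
    client: tuple          # (ip, ephemeral port) of the sandbox host
    server: tuple          # (ip, service port) of the remote peer
    to_server: int = 0     # records seen client -> server
    from_server: int = 0   # records seen server -> client
    tls: set = field(default_factory=set)


def orient(src, sport, dst, dport):
    """Return (client, server, toward_server). Assumption: the lower-numbered
    port is the service side. That holds for every flow in this report (443)
    but arbitrary traffic would need a real connection table instead."""
    a, b = (src, int(sport)), (dst, int(dport))
    return (a, b, True) if b[1] < a[1] else (b, a, False)


def summarize(text: str) -> dict:
    """Group the sandbox's per-packet lines into flows, keyed by (client, server)."""
    flows = OrderedDict()
    for line in text.splitlines():
        m = TCP_RE.search(line)
        if m:
            client, server, outbound = orient(*m.groups())
            f = flows.setdefault((client, server), Flow(client, server))
            if outbound:
                f.to_server += 1
            else:
                f.from_server += 1
            continue
        m = TLS_RE.search(line)
        if m:
            client, server, _ = orient(*m.groups()[:4])
            f = flows.setdefault((client, server), Flow(client, server))
            f.tls.add(m.group(5).strip())
    return flows


def peers(flows: dict) -> list:
    """Distinct remote endpoints: the number to compare against the process tree."""
    return sorted({f.server for f in flows.values()})


def render(flows: dict) -> list:
    """One human-readable line per flow."""
    return [f"{c[0]}:{c[1]} -> {s[0]}:{s[1]}  out={f.to_server} in={f.from_server}"
            f"  tls={','.join(sorted(f.tls)) or '-'}"
            for (c, s), f in flows.items()]


if __name__ == "__main__":
    fl = summarize(SAMPLE_LOG)
    print("\n".join(render(fl)))
    print("remote peers:", peers(fl))
```

Run against the full listing, the same code collapses some 270 lines into ten flows and a single peer, which is the fact the verdict actually rests on.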
Source: classification engine | Classification label: clean2.winXLSX@3/2@0/42
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\mso524C.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{8A2F0A1F-E585-4A70-B257-6502CB8AD51E} - OProcSessId.dat
Source: Employee_PTO_Calculator_Tracker_Excel_Template_v2_3.xlsx | OLE indicator, Workbook stream: true
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\Employee_PTO_Calculator_Tracker_Excel_Template_v2_3.xlsx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288 (listed twice in the original report; the process tree shows one splwow64.exe instance, PID 1216)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Employee_PTO_Calculator_Tracker_Excel_Template_v2_3.xlsx | Initial sample: OLE zip file paths (18 parts listed):
  xl/worksheets/sheet4.xml
  xl/worksheets/sheet5.xml
  xl/drawings/drawing2.xml
  xl/charts/style1.xml
  xl/charts/colors1.xml
  xl/charts/chart1.xml
  xl/worksheets/_rels/sheet2.xml.rels
  xl/worksheets/_rels/sheet4.xml.rels
  xl/worksheets/_rels/sheet5.xml.rels
  xl/drawings/_rels/drawing2.xml.rels
  xl/charts/_rels/chart1.xml.rels
  xl/ctrlProps/ctrlProp1.xml
  xl/ctrlProps/ctrlProp2.xml
  xl/tables/table1.xml
  xl/tables/table3.xml
  xl/calcChain.xml
  xl/tables/table2.xml
  xl/comments1.xml
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: Employee_PTO_Calculator_Tracker_Excel_Template_v2_3.xlsx | Static file information: File size 1903219 > 1048576
Source: Employee_PTO_Calculator_Tracker_Excel_Template_v2_3.xlsx | Initial sample: OLE indicators vbamacros = False
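The static indicators above (the list of zip parts, vbamacros = False, the 1 MiB size check) are what a first-pass triage of an OOXML container looks at before, or instead of, detonating it. The Python below is an added example rather than Joe Sandbox's own checks: it builds a constructed minimal container in memory using the same part names the report lists, then reports whether a vbaProject.bin is present, every relationship whose TargetMode is External (the mechanism by which remote templates and external OLE objects pull content from outside the package), parts that warrant a manual look (form controls, embeddings, ActiveX, comments), zip entry names that would escape the extraction directory, and the same size threshold the report applies. The external target URL and the 'suspicious' variant of the container are constructed for the demonstration.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
ONE_MIB = 1048576  # the threshold behind the report's "File size ... > 1048576" line


def build_sample(with_macro: bool = False, external_rel: bool = False) -> bytes:
    """Constructed, minimal OOXML container for the checks below (a real .xlsx has
    many more parts). Part names follow the ones the report lists; the external
    target is a placeholder URL, not something taken from the sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/worksheets/sheet4.xml", "<worksheet/>")
        z.writestr("xl/ctrlProps/ctrlProp1.xml", "<formControlPr/>")
        z.writestr("xl/comments1.xml", "<comments/>")
        rels = [f'<Relationship Id="rId1" Type="{OOXML_REL}table" Target="../tables/table1.xml"/>']
        if external_rel:  # an OLE object whose content lives outside the package
            rels.append(f'<Relationship Id="rId2" Type="{OOXML_REL}oleObject" '
                        'Target="http://example.invalid/payload" TargetMode="External"/>')
        z.writestr("xl/worksheets/_rels/sheet4.xml.rels",
                   f'<Relationships xmlns="{REL_NS[1:-1]}">' + "".join(rels) + "</Relationships>")
        if with_macro:  # only the CFB magic is needed for this check
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


def triage(data: bytes) -> dict:
    """Static checks on an OOXML container; nothing is executed or rendered."""
    result = {"size": len(data), "oversize": len(data) > ONE_MIB, "parts": [],
              "vba_macros": False, "external_targets": [], "notable": [], "unsafe_names": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        result["parts"] = names
        # Macro container: the report's 'vbamacros' indicator boils down to this part.
        result["vba_macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        # Entry names that would write outside the extraction directory.
        result["unsafe_names"] = [n for n in names
                                  if n.startswith(("/", "\\")) or ".." in n.split("/")]
        for n in names:
            if n.endswith(".rels"):
                # Every External relationship is a place the document reaches out of the package.
                for rel in ET.fromstring(z.read(n)).iter(REL_NS + "Relationship"):
                    if rel.get("TargetMode") == "External":
                        rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                        result["external_targets"].append((n, rtype, rel.get("Target")))
            # Parts that carry lure text or active content and deserve a manual look.
            if n.startswith(("xl/ctrlProps/", "xl/embeddings/", "xl/activeX/", "xl/comments")):
                result["notable"].append(n)
    return result


if __name__ == "__main__":
    for label, blob in (("clean", build_sample()), ("suspicious", build_sample(True, True))):
        r = triage(blob)
        print(label, "| macros:", r["vba_macros"], "| external:", r["external_targets"],
              "| notable:", r["notable"], "| oversize:", r["oversize"])
```

On the clean variant the output mirrors this report: no macros, no external relationships, two parts (a form control and a comments part) flagged for a look, and nothing else. The suspicious variant shows what the same checks surface when a document does carry a macro stream and an external OLE target, which is the case where the sandbox verdict alone would not be the end of the investigation.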
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (logged 41 times)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe; Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (13 identical entries)
Source: C:\Windows\splwow64.exe; Thread delayed: delay time: 120000 (5 identical entries)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Process information queried: ProcessInformation
MITRE ATT&CK matrix (tactic: techniques; the number in parentheses is the count of matched signatures, techniques without a count had no matching signature in this analysis):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Exploitation for Client Execution (2); Scheduled Task/Job; At; Cron
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: Process Injection (1); Extra Window Memory Injection (1); Logon Script (Windows); Login Hook
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (1); Process Injection (1); Extra Window Memory Injection (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Process Discovery (1); Virtualization/Sandbox Evasion (1); File and Directory Discovery (1); System Information Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Encrypted Channel (2); Application Layer Protocol (1); Steganography; Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction

Source | Detection | Scanner
Employee_PTO_Calculator_Tracker_Excel_Template_v2_3.xlsx | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner
part-0013.t-0009.t-msedge.net | 0% | Virustotal
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
part-0013.t-0009.t-msedge.net | 13.107.246.41 | true | false | - | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
52.109.56.128 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.113.194.132 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
20.189.173.28 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
13.107.246.41 | part-0013.t-0009.t-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
23.201.212.130 | unknown | United States | 5432 | PROXIMUS-ISP-ASBE | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1431695
Start date and time: 2024-04-25 16:40:24 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
Analysis Mode: stream
Analysis stop reason: Timeout
Sample name: Employee_PTO_Calculator_Tracker_Excel_Template_v2_3.xlsx
Detection: CLEAN
Classification: clean2.winXLSX@3/2@0/42
Cookbook Comments:
  • Found application associated with file extension: .xlsx
  • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.109.56.128, 23.201.212.130, 52.113.194.132, 20.189.173.28
  • Excluded domains from analysis (whitelisted): ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, s-0005-office.config.skype.com, asia.configsvc1.live.com.akadns.net, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, onedscolprdwus18.westus.cloudapp.azure.com, s-0005.s-msedge.net, config.officeapps.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, inc-azsc-config.officeapps.live.com, ecs.office.trafficmanager.net, prod.fs.microsoft.com.akadns.net
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: PNG image data, 977 x 1024, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 5477
Entropy (8bit): 3.123605833485142
Encrypted: false
SSDEEP:
MD5: C4C38A7D937C652FE5C5A39C668F8D86
SHA1: BAACAB0836AFC11765E1896388D06F7A5DEB9253
SHA-256: 48B090CBFA1300A7A60F6EAAFA08DDACCFC96943C8A3E943A4B9D9E45A18B52A
SHA-512: 68C53BF3920CF12E2BCF5129DFE2AC61B4A0EF4BFF6692DAED401E53FDA7EEDA73A80FF13ED83D29FB03F97B8C5F5F3AD88890ACFFD3C12DF0F3710DCD4D7CAF
Malicious: false
Reputation: unknown
Preview: .PNG........IHDR................w....pHYs.................tEXtSoftware.Adobe ImageReadyq.e<....IDATx.....0.EA.2....3D.O`..G.5.....m.u...s.J......9M...."....D4....h........ ....@D...."....D4....h........ ....@D.........D4....h........ ....@D.........D4....h........ ....@D...............h........ ....@D.............."......... ....@D.............."......... ....@D.............."....D4... ....@D.............."....D4... ....@D.............."....D4....h...@D.............."....D4....h..................."....D4....h..................."....D4....h........ .........."....D4....h........ ....@D.....D4....h........ ....@D.........D4....h........ ....@D...............h........ ....@D...............h........ ....@D.............."......... ....@D.............."....D4... ....@D.............."....D4... ....@D.............."....D4....h...@D.............."....D4....h...@D.............."....D4....h..................."....D4....h........ .........."....D4....h........ .........."....D4....h........ ...

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 165
Entropy (8bit): 1.3520167401771568
Encrypted: false
SSDEEP:
MD5: 9AC4D67F6E514F452D4A1DB79CE3B2E8
SHA1: 33F8C665ECBB81275D2E49D48F2565A58A282043
SHA-256: 407E1D871964C93DBDBD4D00613CD0A9E30D3ED6352D8052C58E7A252D52FC5A
SHA-512: 018D0F54AB0AB01F27E9FB870A128F2F581A58487399DD7FB56A94EC4AAEC6874708A5AD5650F362485E45E2C6A557ED08524C5B8335F83F240E0962281A0F1A
Malicious: false
Reputation: unknown
Preview: .user ..c.a.l.i. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

File type: Microsoft Excel 2007+
Entropy (8bit): 7.615350714382858
TrID:
  • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
  • ZIP compressed archive (8000/1) 16.67%
File name: Employee_PTO_Calculator_Tracker_Excel_Template_v2_3.xlsx
File size: 1'903'219 bytes
MD5: 026105386d912668f0adaa56f57a56fa
SHA1: cef04163417810b11b1b3e519ad9afbb0b0e8434
SHA256: d90404256a0ab420641745da8c3284c28cd0806ea2a2571854a31b558ac6a447
SHA512: 60791e399165468bcc52bda76fe96bd09052d1d8688186cb6ad4e4d03202cbf54e95cea4fb50d934f69d0a53de466a17d765858cc58fe8ce949eb1c60cc1531d
SSDEEP: 24576:EVkEoyC9mwA1Yd1bstVq9Qmi8OcZTt98nB3gr+0o0yAkiim22p3nh:8RwiYTstVq9WqZTt9MAo0yZiiup3nh
TLSH: B49549B80931EFA1AC8F66A544E349379F381A56A83B1C5E30F9454DD48481E399FF2F
File Content Preview: PK..........!.p...,...........[Content_Types].xml ...(.........................................................................................................................................................................................................
Icon Hash: 35e58a8c0c8a85b9
Document Type: OpenXML
Number of OLE Files: 1
Has Summary Info:
Application Name:
Encrypted Document: False
Contains Word Document Stream: False
Contains Workbook/Book Stream: True
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream: False
Flash Objects Count: 0
Contains VBA Macros: False
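The static properties above (Document Type, Encrypted Document, Contains Workbook/Book Stream, Contains VBA Macros) come from inspecting the OOXML container itself, which is a ZIP archive of XML parts. The following Python is an added example, not code from the Joe Sandbox report or from Joe Security: it reproduces that kind of container inspection with the standard library and also flags Excel 4.0 macro sheets, external links, embedded OLE objects and ActiveX parts, none of which a VBA-only check covers. The sample documents are constructed inline and are not the analysed template; the function and result-key names are this example's own choices.

```python
"""Static triage of an Office Open XML (OOXML) spreadsheet.

Added example, not code from the Joe Sandbox report. It reproduces the kind of
container inspection behind fields such as "Document Type", "Contains
Workbook/Book Stream" and "Contains VBA Macros", and adds checks for Excel 4.0
macro sheets, external links, embedded objects and ActiveX controls that a
VBA-only flag does not cover. Sample documents are constructed inline.
"""
import hashlib
import io
import zipfile

# OLE2/CFB header. Both legacy .xls and password-protected OOXML (an OLE2
# container holding an EncryptedPackage stream) start this way; telling the
# two apart needs the CFB directory, which this example does not parse.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the raw bytes, the identifiers a report header lists."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def triage_ooxml(data: bytes) -> dict:
    """Classify the container and list the parts that matter for triage."""
    result = {
        "hashes": file_hashes(data),
        "document_type": "unknown",
        "ole2_container": False,
        "has_workbook": False,
        "has_vba_macros": False,
        "xlm_macro_sheets": [],   # xl/macrosheets/*: Excel 4.0 macros, not VBA
        "external_links": [],     # xl/externalLinks/*: references to other workbooks
        "embedded_objects": [],   # xl/embeddings/*: OLE packages, often executables
        "activex_controls": [],   # xl/activeX/*
    }
    if data.startswith(OLE_MAGIC):
        result["document_type"] = "OLE2 compound file"
        result["ole2_container"] = True
        return result
    if not data.startswith(ZIP_MAGIC) or not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    result["document_type"] = "OpenXML"
    result["has_workbook"] = "xl/workbook.xml" in names
    result["has_vba_macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    result["xlm_macro_sheets"] = [n for n in names if n.startswith("xl/macrosheets/")]
    result["external_links"] = [n for n in names if n.startswith("xl/externalLinks/")]
    result["embedded_objects"] = [n for n in names if n.startswith("xl/embeddings/")]
    result["activex_controls"] = [n for n in names if n.startswith("xl/activeX/")]
    return result


def active_content_flags(report: dict) -> list:
    """Names of the findings that make a spreadsheet worth a closer look."""
    keys = ("has_vba_macros", "xlm_macro_sheets", "external_links",
            "embedded_objects", "activex_controls")
    return [k for k in keys if report[k]]


def build_sample(parts: dict) -> bytes:
    """Construct a minimal OOXML ZIP from a {part name: content} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a plain workbook, a workbook carrying VBA plus an XLM
# macro sheet and an external link, and an OLE2 header standing in for a
# password-protected file.
CLEAN_XLSX = build_sample({
    "[Content_Types].xml": "<Types/>",
    "xl/workbook.xml": "<workbook/>",
    "xl/worksheets/sheet1.xml": "<worksheet/>",
})
MACRO_XLSM = build_sample({
    "[Content_Types].xml": "<Types/>",
    "xl/workbook.xml": "<workbook/>",
    "xl/vbaProject.bin": b"\x00" * 16,
    "xl/macrosheets/sheet1.xml": "<macrosheet/>",
    "xl/externalLinks/externalLink1.xml": "<externalLink/>",
})
ENCRYPTED_STUB = OLE_MAGIC + b"\x00" * 504

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_XLSX), ("macro", MACRO_XLSM), ("ole2", ENCRYPTED_STUB)):
        r = triage_ooxml(blob)
        print(label, r["document_type"], "flags:", active_content_flags(r),
              "sha256:", r["hashes"]["sha256"][:16])
```

On the analysed template the equivalent result would be document_type "OpenXML", has_workbook true and no active-content flags, matching the "Contains VBA Macros: False" line; the extra checks are the ones to run before concluding that a macro-free .xlsx carries no executable content at all.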