Edit tour

Windows Analysis Report
PastePictures 1.xla

Overview

General Information

Sample name:	PastePictures 1.xla
Analysis ID:	1633444
MD5:	c5c860ab09e407ff33e9e171f92feedd
SHA1:	7bb228762dccf79efd386efae2d1c37e7501f735
SHA256:	7094f139fc7a3b89cb19b4fdf34e59dd74291e5c828739c5c8eb190dfc4a6e9b
Infos:

Detection

Score:	60
Range:	0 - 100
Confidence:	100%

Signatures

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Document contains an embedded VBA with hexadecimal encoded strings

Office process queries suspicious COM object (likely to drop second stage)

Document contains an embedded VBA macro which executes code when the document is opened / closed

Found URL in obfuscated visual basic script code

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Excel Network Connections

Sigma detected: Suspicious Office Outbound Connections

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

EXCEL.EXE (PID: 8576 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)

splwow64.exe (PID: 6420 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)

cleanup

Sigma Signatures

System Summary

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 23.88.6.149, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 8576, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49719

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.5, DestinationIsIpv6: false, DestinationPort: 49719, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 8576, Protocol: tcp, SourceIp: 23.88.6.149, SourceIsIpv6: false, SourcePort: 80

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T11:24:34.831088+0100	2028371	3	Unknown Traffic	192.168.2.5	49722	13.107.253.72	443	TCP
2025-03-10T11:24:41.993805+0100	2028371	3	Unknown Traffic	192.168.2.5	49723	13.107.253.72	443	TCP
2025-03-10T11:24:42.008751+0100	2028371	3	Unknown Traffic	192.168.2.5	49724	13.107.253.72	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 13.107.253.72:443 -> 192.168.2.5:49722 version: TLS 1.2

Source: ~DFF0C0FFD1FF540DED.TMP.0.dr	Binary string: http://translate.google.com/translate?slrutllangcode$uurlencode(url$) - obfuscation quality: 4
Source: ~DFF0C0FFD1FF540DED.TMP.0.dr	Binary string: http://translate.google.com/translate?slrutllangcode$uurlencode(url$) - obfuscation quality: 4

Source: Joe Sandbox View

IP Address: 13.107.253.72 13.107.253.72

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49722 -> 13.107.253.72:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49724 -> 13.107.253.72:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49723 -> 13.107.253.72:443

Source: global traffic

HTTP traffic detected: GET /ip.php HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: xn--80adkunbi5c.xn--p1ai

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /rules/excel.exe-Production-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.svc.static.microsoft
Source: global traffic	HTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.svc.static.microsoft
Source: global traffic	HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.svc.static.microsoft
Source: global traffic	HTTP traffic detected: GET /ip.php HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: xn--80adkunbi5c.xn--p1ai

Source: global traffic	DNS traffic detected: DNS query: xn--80adkunbi5c.xn--p1ai
Source: global traffic	DNS traffic detected: DNS query: otelrules.svc.static.microsoft

Source: ~DFF0C0FFD1FF540DED.TMP.0.dr, 2C230000.0.dr, PastePictures 1.xla.0.dr	String found in binary or memory: http://ExcelVBA.ru
Source: PastePictures 1.xla.0.dr	String found in binary or memory: http://ExcelVBA.ru/
Source: 2C230000.0.dr, PastePictures 1.xla.0.dr	String found in binary or memory: http://ExcelVBA.ru/buy/EULA
Source: ~DFF0C0FFD1FF540DED.TMP.0.dr, 2C230000.0.dr, PastePictures 1.xla.0.dr	String found in binary or memory: http://ExcelVBA.ru/payments
Source: PastePictures 1.xla.0.dr	String found in binary or memory: http://ExcelVBA.ru/php2/updates.php
Source: ~DFF0C0FFD1FF540DED.TMP.0.dr, 2C230000.0.dr, PastePictures 1.xla.0.dr	String found in binary or memory: http://ExcelVBA.ru/programmes/Parser
Source: ~DFF0C0FFD1FF540DED.TMP.0.dr, 2C230000.0.dr, PastePictures 1.xla.0.dr	String found in binary or memory: http://bbs.vbstreets.ru/viewtopic.php?p=66
Source: ~DFF0C0FFD1FF540DED.TMP.0.dr, 2C230000.0.dr, PastePictures 1.xla.0.dr	String found in binary or memory: http://bbs.vbstreets.ru/viewtopic.php?p=6659672#p6659672
Source: 2C230000.0.dr, PastePictures 1.xla.0.dr	String found in binary or memory: http://excelvba.ru/
Source: PastePictures 1.xla.0.dr	String found in binary or memory: http://excelvba.ru/resources/PastePictures/
Source: PastePictures 1.xla.0.dr	String found in binary or memory: http://http://website.com/images/
Source: PastePictures 1.xla.0.dr	String found in binary or memory: http://translate.google.com/translate?sl=ru&tl=
Source: 2C230000.0.dr, PastePictures 1.xla.0.dr	String found in binary or memory: http://website.com/images/
Source: PastePictures 1.xla.0.dr	String found in binary or memory: http://website.com/images/123abc.jpg
Source: PastePictures 1.xla.0.dr	String found in binary or memory: http://website.com/pictures/
Source: PastePictures 1.xla.0.dr	String found in binary or memory: http://www.herber.de/forum/archiv/1192to1196/1192164_Punycode_Unicode.html
Source: PastePictures 1.xla.0.dr	String found in binary or memory: http://www.mvps.org/emorcillo/en/code/vb6/savejpggdip.shtml
Source: ~DFF0C0FFD1FF540DED.TMP.0.dr, 2C230000.0.dr, PastePictures 1.xla.0.dr	String found in binary or memory: http://www.wordarticles.com/Shorts/RibbonVBA/RibbonVBADemo.php
Source: ~DFF0C0FFD1FF540DED.TMP.0.dr, 2C230000.0.dr, PastePictures 1.xla.0.dr	String found in binary or memory: http://www.zhaojunpeng.com/posts/2016/10/28/excel-urldecode
Source: ~DFF0C0FFD1FF540DED.TMP.0.dr, 2C230000.0.dr, PastePictures 1.xla.0.dr	String found in binary or memory: http://xn--80aebe3cdmfdkg.xn--d1abbgf6aiiy.xn--p1ai/%D1%81%D0%BE%D0%B2%D0%B5%D1%82%D1%8B
Source: PastePictures 1.xla.0.dr	String found in binary or memory: https://ExcelVBA.ru/
Source: PastePictures 1.xla.0.dr	String found in binary or memory: https://askdev.ru/q/kak-ya-mogu-url-kodirovat-stroku-v-excel-vba-42634/
Source: PastePictures 1.xla.0.dr	String found in binary or memory: https://betacode.net/12473/javascript-url-encoding
Source: PastePictures 1.xla.0.dr	String found in binary or memory: https://consent.google.ru/
Source: PastePictures 1.xla.0.dr	String found in binary or memory: https://consent.google.ru/save
Source: PastePictures 1.xla.0.dr	String found in binary or memory: https://excelvba.ru/programmes/PastePictures/manuals/errors/webp
Source: PastePictures 1.xla.0.dr	String found in binary or memory: https://excelvba.ru/programmes/RenameFiles
Source: PastePictures 1.xla.0.dr	String found in binary or memory: https://www.google.ru/search
Source: PastePictures 1.xla.0.dr	String found in binary or memory: https://www.google.ru/search?q=

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown

HTTPS traffic detected: 13.107.253.72:443 -> 192.168.2.5:49722 version: TLS 1.2

System Summary

Document contains an embedded VBA macro with suspicious strings

Source: 2C230000.0.dr

OLE, VBA macro line: downloads_folder$ = Replace(SETT.GetText("{374DE290-123F-4565-9164-39C4925E467B}", , USF$), "%USERPROFILE%", Environ("USERPROFILE"))

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Source: PastePictures 1.xla	Stream path '_VBA_PROJECT_CUR/VBA/Module1' : found possibly 'ADODB.Stream' functions open, savetofile, write
Source: PastePictures 1.xla	Stream path '_VBA_PROJECT_CUR/VBA/thisWB' : found possibly 'ADODB.Stream' functions open, savetofile, write
Source: ~DF749E4C5DC9B304F7.TMP.0.dr	Stream path '_VBA_PROJECT_CUR/VBA/Module1' : found possibly 'ADODB.Stream' functions open, savetofile, write
Source: ~DF749E4C5DC9B304F7.TMP.0.dr	Stream path '_VBA_PROJECT_CUR/VBA/thisWB' : found possibly 'ADODB.Stream' functions open, savetofile, write

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Source: 2C230000.0.dr

Stream path '_VBA_PROJECT_CUR/F_FirstRun' : found possibly 'WScript.Shell' functions specialfolders, createshortcut, run, environ

Document contains an embedded VBA with hexadecimal encoded strings

Source: 2C230000.0.dr

Stream path '_VBA_PROJECT_CUR/F_FirstRun' : found hex strings

Office process queries suspicious COM object (likely to drop second stage)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32

Jump to behavior

Source: PastePictures 1.xla	OLE, VBA macro line: Private Sub Workbook_Open()
Source: ~DF749E4C5DC9B304F7.TMP.0.dr	OLE, VBA macro line: Private Sub Workbook_Open()
Source: 2C230000.0.dr	OLE, VBA macro line: Private Sub CommandButton_Close_Click(): Unload Me: End Sub
Source: 2C230000.0.dr	OLE, VBA macro line: Private Sub Label_OpenExportFolder_Click()

Source: PastePictures 1.xla.0.dr

Binary or memory string: OriginalFilename vs PastePictures 1.xla

Source: classification engine

Classification label: mal60.expl.winXLA@3/21@2/2

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\Application Data\Microsoft\Forms

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{6969B2C8-28BA-40E9-9102-C224E58DBAB6} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: PastePictures 1.xla

Static file information: File size 3037696 > 1048576

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\splwow64.exe

Window / User API: threadDelayed 994

Jump to behavior

Source: C:\Windows\splwow64.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed

Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	42 Scripting	Valid Accounts	Windows Management Instrumentation	42 Scripting	1 Process Injection	2 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	13 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PastePictures 1.xla	2%	Virustotal		Browse
PastePictures 1.xla	3%	ReversingLabs

Source	Detection	Scanner	Label
http://ExcelVBA.ru/programmes/Parser	0%	Avira URL Cloud	safe
http://excelvba.ru/	0%	Avira URL Cloud	safe
https://excelvba.ru/programmes/PastePictures/manuals/errors/webp	0%	Avira URL Cloud	safe
http://excelvba.ru/resources/PastePictures/	0%	Avira URL Cloud	safe
http://ExcelVBA.ru/php2/updates.php	0%	Avira URL Cloud	safe
https://consent.google.ru/	0%	Avira URL Cloud	safe
https://consent.google.ru/save	0%	Avira URL Cloud	safe
http://www.mvps.org/emorcillo/en/code/vb6/savejpggdip.shtml	0%	Avira URL Cloud	safe
http://www.herber.de/forum/archiv/1192to1196/1192164_Punycode_Unicode.html	0%	Avira URL Cloud	safe
http://xn--80aebe3cdmfdkg.xn--d1abbgf6aiiy.xn--p1ai/%D1%81%D0%BE%D0%B2%D0%B5%D1%82%D1%8B	0%	Avira URL Cloud	safe
http://ExcelVBA.ru/buy/EULA	0%	Avira URL Cloud	safe
http://http://website.com/images/	0%	Avira URL Cloud	safe
https://askdev.ru/q/kak-ya-mogu-url-kodirovat-stroku-v-excel-vba-42634/	0%	Avira URL Cloud	safe
https://excelvba.ru/programmes/RenameFiles	0%	Avira URL Cloud	safe
http://www.zhaojunpeng.com/posts/2016/10/28/excel-urldecode	0%	Avira URL Cloud	safe
http://bbs.vbstreets.ru/viewtopic.php?p=66	0%	Avira URL Cloud	safe
http://ExcelVBA.ru	0%	Avira URL Cloud	safe
https://ExcelVBA.ru/	0%	Avira URL Cloud	safe
https://betacode.net/12473/javascript-url-encoding	0%	Avira URL Cloud	safe
http://bbs.vbstreets.ru/viewtopic.php?p=6659672#p6659672	0%	Avira URL Cloud	safe
http://www.wordarticles.com/Shorts/RibbonVBA/RibbonVBADemo.php	0%	Avira URL Cloud	safe
http://ExcelVBA.ru/payments	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s-part-0044.t-0009.fb-t-msedge.net	13.107.253.72	true	false	high
s-0005.dual-s-msedge.net	52.123.129.14	true	false	high
xn--80adkunbi5c.xn--p1ai	23.88.6.149	true	false	unknown
otelrules.svc.static.microsoft	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://otelrules.svc.static.microsoft/rules/excel.exe-Production-v19.bundle	false	high
https://otelrules.svc.static.microsoft/rules/rule120607v1s19.xml	false	high
https://otelrules.svc.static.microsoft/rules/rule120603v8s19.xml	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://excelvba.ru/	2C230000.0.dr, PastePictures 1.xla.0.dr	false	Avira URL Cloud: safe	unknown
https://www.google.ru/search?q=	PastePictures 1.xla.0.dr	false		high
http://website.com/pictures/	PastePictures 1.xla.0.dr	false		high
http://excelvba.ru/resources/PastePictures/	PastePictures 1.xla.0.dr	false	Avira URL Cloud: safe	unknown
http://ExcelVBA.ru/php2/updates.php	PastePictures 1.xla.0.dr	false	Avira URL Cloud: safe	unknown
http://ExcelVBA.ru/programmes/Parser	~DFF0C0FFD1FF540DED.TMP.0.dr, 2C230000.0.dr, PastePictures 1.xla.0.dr	false	Avira URL Cloud: safe	unknown
https://www.google.ru/search	PastePictures 1.xla.0.dr	false		high
http://website.com/images/	2C230000.0.dr, PastePictures 1.xla.0.dr	false		high
http://xn--80aebe3cdmfdkg.xn--d1abbgf6aiiy.xn--p1ai/%D1%81%D0%BE%D0%B2%D0%B5%D1%82%D1%8B	~DFF0C0FFD1FF540DED.TMP.0.dr, 2C230000.0.dr, PastePictures 1.xla.0.dr	false	Avira URL Cloud: safe	unknown
https://consent.google.ru/	PastePictures 1.xla.0.dr	false	Avira URL Cloud: safe	unknown
https://excelvba.ru/programmes/PastePictures/manuals/errors/webp	PastePictures 1.xla.0.dr	false	Avira URL Cloud: safe	unknown
http://website.com/images/123abc.jpg	PastePictures 1.xla.0.dr	false		high
http://www.herber.de/forum/archiv/1192to1196/1192164_Punycode_Unicode.html	PastePictures 1.xla.0.dr	false	Avira URL Cloud: safe	unknown
https://consent.google.ru/save	PastePictures 1.xla.0.dr	false	Avira URL Cloud: safe	unknown
http://www.mvps.org/emorcillo/en/code/vb6/savejpggdip.shtml	PastePictures 1.xla.0.dr	false	Avira URL Cloud: safe	unknown
http://translate.google.com/translate?sl=ru&tl=	PastePictures 1.xla.0.dr	false		high
http://ExcelVBA.ru/buy/EULA	2C230000.0.dr, PastePictures 1.xla.0.dr	false	Avira URL Cloud: safe	unknown
http://http://website.com/images/	PastePictures 1.xla.0.dr	false	Avira URL Cloud: safe	unknown
https://askdev.ru/q/kak-ya-mogu-url-kodirovat-stroku-v-excel-vba-42634/	PastePictures 1.xla.0.dr	false	Avira URL Cloud: safe	unknown
http://bbs.vbstreets.ru/viewtopic.php?p=66	~DFF0C0FFD1FF540DED.TMP.0.dr, 2C230000.0.dr, PastePictures 1.xla.0.dr	false	Avira URL Cloud: safe	unknown
https://betacode.net/12473/javascript-url-encoding	PastePictures 1.xla.0.dr	false	Avira URL Cloud: safe	unknown
https://ExcelVBA.ru/	PastePictures 1.xla.0.dr	false	Avira URL Cloud: safe	unknown
http://www.zhaojunpeng.com/posts/2016/10/28/excel-urldecode	~DFF0C0FFD1FF540DED.TMP.0.dr, 2C230000.0.dr, PastePictures 1.xla.0.dr	false	Avira URL Cloud: safe	unknown
https://excelvba.ru/programmes/RenameFiles	PastePictures 1.xla.0.dr	false	Avira URL Cloud: safe	unknown
http://ExcelVBA.ru/	PastePictures 1.xla.0.dr	false		unknown
http://bbs.vbstreets.ru/viewtopic.php?p=6659672#p6659672	~DFF0C0FFD1FF540DED.TMP.0.dr, 2C230000.0.dr, PastePictures 1.xla.0.dr	false	Avira URL Cloud: safe	unknown
http://ExcelVBA.ru	~DFF0C0FFD1FF540DED.TMP.0.dr, 2C230000.0.dr, PastePictures 1.xla.0.dr	false	Avira URL Cloud: safe	unknown
http://ExcelVBA.ru/payments	~DFF0C0FFD1FF540DED.TMP.0.dr, 2C230000.0.dr, PastePictures 1.xla.0.dr	false	Avira URL Cloud: safe	unknown
http://www.wordarticles.com/Shorts/RibbonVBA/RibbonVBADemo.php	~DFF0C0FFD1FF540DED.TMP.0.dr, 2C230000.0.dr, PastePictures 1.xla.0.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
13.107.253.72	s-part-0044.t-0009.fb-t-msedge.net	United States		8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
23.88.6.149	xn--80adkunbi5c.xn--p1ai	United States		18978	ENZUINC-US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1633444
Start date and time:	2025-03-10 11:22:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Without Instrumentation
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PastePictures 1.xla
Detection:	MAL
Classification:	mal60.expl.winXLA@3/21@2/2
Cookbook Comments:	Found application associated with file extension: .xla Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active AutoShape Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.76.240, 52.109.89.19, 23.199.214.10, 20.189.173.10, 52.123.129.14, 4.175.87.197, 20.190.159.130, 150.171.28.10, 23.15.178.145
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, weu-azsc-000.roaming.officeapps.live.com, g.bing.com, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, excelvba.ru, roaming.officeapps.live.com, osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com, dual-s-0005-office.config.skype.com, login.live.com, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, www.bing.com, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, prod.roaming1.live.com.akadns.net, fe3cr.delivery.mp.microsoft.com, neu-azsc-config.officeapps.live.com, config.officeapps.live.com, onedscolprdwus09.westus.cloudapp.azure.com, e16604.f.akamaiedge.net, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
06:24:27	API Interceptor	1022x Sleep call for process: splwow64.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
13.107.253.72	Purchase Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse
	POETDB24-25771.xla.xlsx	Get hash	malicious	Unknown	Browse
	Purchase Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse
	https://go.irt.calyx.ai/Live	Get hash	malicious	Unknown	Browse
	Purchase Order.xla.xlsx	Get hash	malicious	Unknown	Browse
	Confirmation number 0001592289.xls	Get hash	malicious	Unknown	Browse
	phish_alert_sp2_2.0.0.0-1.eml	Get hash	malicious	HTMLPhisher	Browse
	SecuriteInfo.com.Win64.Malware-gen.1550.5420.exe	Get hash	malicious	Unknown	Browse
	MITRE Enterprise ATTACK v16.1.xlsx	Get hash	malicious	Mimikatz	Browse
	05 BOIRON F 240700457 ORDEN 05 MAR 2025.xls	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-0005.dual-s-msedge.net	POETDB24-25771.xla.xlsx	Get hash	malicious	Unknown	Browse	52.123.128.14
	f1215469392.dll	Get hash	malicious	Unknown	Browse	52.123.129.14
	Purchase Order No 1417.doc	Get hash	malicious	Unknown	Browse	52.123.128.14
	Purchase Order No 1417.doc	Get hash	malicious	Unknown	Browse	52.123.129.14
	f492136216_mpengine_dll	Get hash	malicious	Unknown	Browse	52.123.128.14
	qVucZkUdbX.exe	Get hash	malicious	Nitrogen	Browse	52.123.129.14
	mal_temp.dotm.doc	Get hash	malicious	Unknown	Browse	52.123.129.14
	Dear david@corerecon.com - Your Stay Has Been Successfully Booked Ocean Breeze Retreat.msg	Get hash	malicious	ScreenConnect Tool	Browse	52.123.129.14
	RFQ-JC25-#595837.xlsx	Get hash	malicious	Unknown	Browse	52.123.128.14
	NEW ORDER (PO. 2100002 (BT-INC).xls	Get hash	malicious	Unknown	Browse	52.123.128.14
s-part-0044.t-0009.fb-t-msedge.net	Purchase Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.253.72
	f1215469392.dll	Get hash	malicious	Unknown	Browse	13.107.253.72
	POETDB24-25771.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.253.72
	Purchase Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.253.72
	https://go.irt.calyx.ai/Live	Get hash	malicious	Unknown	Browse	13.107.253.72
	Purchase Order.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.253.72
	Confirmation number 0001592289.xls	Get hash	malicious	Unknown	Browse	13.107.253.72
	ADFoyxP.exe	Get hash	malicious	KeyLogger, StormKitty, VenomRAT	Browse	13.107.253.72
	phish_alert_sp2_2.0.0.0-1.eml	Get hash	malicious	HTMLPhisher	Browse	13.107.253.72
	https://assets-fra.mkt.dynamics.com/a4eec278-88f9-ef11-b013-6045bd6e9afa/digitalassets/standaloneforms/c345aa34-aff9-ef11-bae1-000d3a8999ae	Get hash	malicious	Unknown	Browse	13.107.253.72

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ENZUINC-US	i686.elf	Get hash	malicious	Unknown	Browse	104.203.176.148
	mpsl.elf	Get hash	malicious	Mirai	Browse	23.88.52.204
	jklmips.elf	Get hash	malicious	Unknown	Browse	107.183.227.248
	nabarm.elf	Get hash	malicious	Unknown	Browse	104.202.132.51
	1isequal9.arm7.elf	Get hash	malicious	Mirai	Browse	107.183.94.187
	cbr.mpsl.elf	Get hash	malicious	Mirai	Browse	104.202.16.149
	nabppc.elf	Get hash	malicious	Unknown	Browse	104.202.38.20
	transferencia HSBC.xla.xlsx	Get hash	malicious	Unknown	Browse	23.88.122.137
	transferencia HSBC.xla.xlsx	Get hash	malicious	Unknown	Browse	23.88.122.137
	transferencia HSBC.xla.xlsx	Get hash	malicious	Unknown	Browse	23.88.122.137
MICROSOFT-CORP-MSN-AS-BLOCKUS	sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	13.105.88.171
	Purchase Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.253.72
	POETDB24-25771.xla.xlsx	Get hash	malicious	Unknown	Browse	40.90.65.44
	POETDB24-25771.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.253.67
	Purchase Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.253.42
	f1215469392.dll	Get hash	malicious	Unknown	Browse	204.79.197.203
	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	13.64.110.51
	POETDB24-25771.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.253.72
	Purchase Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.253.72

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	ALfzrNn09x.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.253.72
	Purchase Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.253.72
	POETDB24-25771.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.253.72
	POETDB24-25771.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.253.72
	Purchase Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.253.72
	EasyWay.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.253.72
	Aura.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.253.72
	EasyWay.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.253.72
	Aura.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.253.72

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.5700810731231707
Encrypted:	false
SSDEEP:	3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
MD5:	573220372DA4ED487441611079B623CD
SHA1:	8F9D967AC6EF34640F1F0845214FBC6994C0CB80
SHA-256:	BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
SHA-512:	F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: ExcelVBA.ru, Last Saved By: ExcelVBA.ru, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Apr 3 17:54:13 2023, Last Saved Time/Date: Tue Jul 16 23:41:24 2024, Security: 0
Entropy (8bit):	3.5600350377931385
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	PastePictures 1.xla
File size:	3'037'696 bytes
MD5:	c5c860ab09e407ff33e9e171f92feedd
SHA1:	7bb228762dccf79efd386efae2d1c37e7501f735
SHA256:	7094f139fc7a3b89cb19b4fdf34e59dd74291e5c828739c5c8eb190dfc4a6e9b
SHA512:	bb351d796e6b440dbcaa2111b77b6d008273a61b19b204c9966d0f15f176480a4f27b155982b9b457b0551e66a7988e93b59b7ce8c3fdfdf2ec162c4878fe886
SSDEEP:	12288:4rESVFJJqhJ7E1C9eyXQCJ9DeaQNkdNQQRtW+R9ikagBVbwlMbb9gQnqs7e76019:wDV1axQVsBVMaCWQI/q
TLSH:	2DE5EBA055AB8680F61F95606DA8BB610272F1A3B9CB1F33133F6506DF9CD212EC6D4D
File Content Preview:	........................>.................../...................................b.......d.......f.......h.......j.......l.......n.......p.......r.......t.......v.......x.......z.......\|.......~...............b.......d.......f.......h.......j.......l......

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Code Page:	1251
Author:	ExcelVBA.ru
Last Saved By:	ExcelVBA.ru
Create Time:	2023-04-03 16:54:13
Last Saved Time:	2024-07-16 22:41:24
Creating Application:	Microsoft Excel
Security:	0

Document Code Page:	1251
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	917504

General
Stream Path:	_VBA_PROJECT_CUR/VBA/FP
VBA File Name:	FP.frm
Stream Size:	1171
Data ASCII:	. . . . . . . . V . . . . . . L . . . ] . . . . . . . . . . . . . . F J . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . ( . . . . . S < . . . . S < . . . . S < . . . . S < . . . . . . . . . . . 0 . { . D . 7 . A . 3 . E . 9 . B . D . - .
Data Raw:	01 16 03 00 00 f0 00 00 00 56 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 5d 03 00 00 b1 03 00 00 00 00 00 00 01 00 00 00 46 bd 4a 17 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Module1
VBA File Name:	Module1.bas
Stream Size:	4249
Data ASCII:	. . . . . . . . B . . . . . . . . . K . . . / . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . < 8 . . . . . . < J . . . . . . < . . . . . . . < . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 42 04 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 4b 04 00 00 2f 0c 00 00 00 00 00 00 01 00 00 00 46 bd a6 9b 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/sh
VBA File Name:	sh.cls
Stream Size:	987
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . F ( w . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
Data Raw:	01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 46 bd 28 77 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/thisWB
VBA File Name:	thisWB.cls
Stream Size:	4749
Data ASCII:	. . . . . . . . . . . . . . ( . . . . . . w . . . . . . . . . . . F . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . ( . . . . P . . . . . S L . . . . S . . . . . S . . . . . < 8 . . . . . . < J . . . . . . < 0 . . . . . . < 8 . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 f2 04 00 00 d4 00 00 00 28 02 00 00 ff ff ff ff fb 04 00 00 77 0d 00 00 00 00 00 00 01 00 00 00 46 bd c6 c3 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	102
Entropy:	4.176928665602674
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 1a 00 00 00 cb e8 f1 f2 20 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	216
Entropy:	2.626699751943469
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . s h e e t . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 a8 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 8a 00 00 00 02 00 00 00 e3 04 00 00

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	216
Entropy:	3.77063656648511
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . \\ . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E x c e l V B A . r u . . . . . . . . . E x c e l V B A . r u . . . . . . . . . M i c r o s o f t E x c e l . @ . . . L f . @ . . . . _ I . . . . . . . . .
Data Raw:	fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a8 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 5c 00 00 00 12 00 00 00 70 00 00 00 0c 00 00 00 88 00 00 00 0d 00 00 00 94 00 00 00 13 00 00 00 a0 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 0c 00 00 00

General
Stream Path:	Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	2989725
Entropy:	3.4726861081736584
Base64 Encoded:	True
Data ASCII:	. . . . . . . . g 2 . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . E x c e l V B A . r u B . . . . a . . . . . . . . = . . . . . . . . . . . . . . t h i s W B . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . i . J 8 " < . . . . . . . X . @ . . . . . . . . . . " . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 67 32 cd 07 c9 80 01 00 06 06 00 00 87 00 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 0b 00 00 45 78 63 65 6c 56 42 41 2e 72 75 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

General
Stream Path:	_VBA_PROJECT_CUR/FP/\x1CompObj
CLSID:
File Type:	data
Stream Size:	97
Entropy:	3.6106491830605214
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/FP/\x3VBFrame
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	282
Entropy:	4.560235679208743
Base64 Encoded:	True
Data ASCII:	V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } F P . . C l i e n t H e i g h t = 6 4 5 . . C l i e n t L e f t = 4 5 . . C l i e n t T o p = 3 7 5 . . C l i e n t W i d t h = 4 2 4 5 . . S h o w M o d a l = 0 ' F a l s e . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w n e r . . T y
Data Raw:	56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 46 50 20 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20 20 20 36 34 35 0d 0a 20 20 20 43 6c 69 65 6e 74 4c 65 66 74 20 20 20 20 20 20 3d 20 20 20 34 35 0d 0a 20 20 20 43 6c 69 65 6e 74

General
Stream Path:	_VBA_PROJECT_CUR/FP/f
CLSID:
File Type:	data
Stream Size:	191
Entropy:	3.6055730692137606
Base64 Encoded:	False
Data ASCII:	. . ( . H . . . . . . . . @ . . . . . . . . . } . . @ . . . r . . . . . . . . . . . . R . . . . K Q . . . . D B . . . T a h o m a . . . . . . X . . . . . o . . ( . . . . . . . . . . . 2 . . . 0 . . . . . . . P r B a r . . . . . . { . . . . . $ . . . . . . . . . . . 2 . . . 0 . . . . . . . T e x t . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 04 28 00 48 0c 10 0c 03 00 00 00 04 40 00 00 ff ff 00 00 05 00 00 00 00 7d 00 00 40 1d 00 00 72 04 00 00 00 00 00 00 00 00 00 00 03 52 e3 0b 91 8f ce 11 9d e3 00 aa 00 4b b8 51 01 cc 00 00 90 01 44 42 01 00 06 54 61 68 6f 6d 61 00 00 02 00 00 00 58 00 00 00 00 82 01 6f 00 00 28 00 f5 01 00 00 05 00 00 80 01 00 00 00 32 00 00 00 30 00 00 00 00 00 11 00 50 72 42 61 72 00 00 00 d4

General
Stream Path:	_VBA_PROJECT_CUR/FP/o
CLSID:
File Type:	Intel ia64 COFF object file, not stripped, 16 sections, symbol offset=0xff00, 7056 symbols, optional header size 344, created Thu Jan 1 00:00:34 1970
Stream Size:	96
Entropy:	3.0687296366895245
Base64 Encoded:	False
Data ASCII:	. . . . " . . . . . . . . . X . . . . . . . u . . . . . . . . . . . . T a h o m a . . . . . . $ . . . . . . & . . . . . . . . . . 5 . . . . . . . . . . . . . T a h o m a . .
Data Raw:	00 02 10 00 22 00 00 00 00 ff 00 00 90 1b 00 00 58 01 00 00 00 02 18 00 75 00 00 00 06 00 00 80 a5 00 00 00 cc 02 03 00 54 61 68 6f 6d 61 00 00 00 02 10 00 24 00 00 00 13 00 80 00 26 1b 00 00 a7 01 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00 00 02 00 00 54 61 68 6f 6d 61 00 00

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	515
Entropy:	5.297845384204525
Base64 Encoded:	True
Data ASCII:	I D = " { 7 F 5 9 F F 6 B - 0 E C F - 4 9 5 0 - 9 2 9 7 - 7 4 C 7 8 2 4 A 2 F D 7 } " . . D o c u m e n t = t h i s W B / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = s h / & H 0 0 0 0 0 0 0 0 . . B a s e C l a s s = F P . . M o d u l e = M o d u l e 1 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 7 2 7 0 8 F 8 C 7 4 9 0 7 4 9 0 7 4 9 0 7 4 9 0 " . . D P B = " 5 3 5 1 A E A F 8 E B 0 8 E B 0 8 E " . .
Data Raw:	49 44 3d 22 7b 37 46 35 39 46 46 36 42 2d 30 45 43 46 2d 34 39 35 30 2d 39 32 39 37 2d 37 34 43 37 38 32 34 41 32 46 44 37 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 74 68 69 73 57 42 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 73 68 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 42 61 73 65 43 6c 61 73 73 3d 46 50 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 31 0d 0a 4e

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
CLSID:
File Type:	data
Stream Size:	65
Entropy:	3.0134434188439445
Base64 Encoded:	False
Data ASCII:	t h i s W B . t . h . i . s . W . B . . . s h . s . h . . . F P . F . P . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . . .
Data Raw:	74 68 69 73 57 42 00 74 00 68 00 69 00 73 00 57 00 42 00 00 00 73 68 00 73 00 68 00 00 00 46 50 00 46 00 50 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	3977
Entropy:	4.507299088638643
Base64 Encoded:	False
Data ASCII:	a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
Data Raw:	cc 61 9a 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 06 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
CLSID:
File Type:	Apollo m68k COFF executable not stripped - version 18435
Stream Size:	923
Entropy:	6.512383334584636
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . k . h . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ s y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2 E
Data Raw:	01 97 b3 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 6b d5 a7 68 07 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PastePictures 1.xla

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd

C:\Users\user\AppData\Local\Temp\file_MainPicture_PastePictures

C:\Users\user\AppData\Local\Temp\~DF0DF9AD89F0F136F4.TMP

C:\Users\user\AppData\Local\Temp\~DF28420C52C7677F1E.TMP

C:\Users\user\AppData\Local\Temp\~DF2DE4CC933B29FD07.TMP

C:\Users\user\AppData\Local\Temp\~DF425E8D0C6F1A8877.TMP

C:\Users\user\AppData\Local\Temp\~DF749E4C5DC9B304F7.TMP

C:\Users\user\AppData\Local\Temp\~DF9F6686FCC515ADC0.TMP

C:\Users\user\AppData\Local\Temp\~DFA71C4ACEC0FA252D.TMP

C:\Users\user\AppData\Local\Temp\~DFB08B1793A21D3229.TMP

C:\Users\user\AppData\Local\Temp\~DFB0A49ABA6634081E.TMP

C:\Users\user\AppData\Local\Temp\~DFCE241BF37DA199FD.TMP

C:\Users\user\AppData\Local\Temp\~DFD05F1E00C413D92F.TMP

C:\Users\user\AppData\Local\Temp\~DFE7B495A8A14BE0CC.TMP

C:\Users\user\AppData\Local\Temp\~DFF0C0FFD1FF540DED.TMP

C:\Users\user\AppData\Local\Temp\~DFF86E7BD069EA6766.TMP

C:\Users\user\AppData\Local\Temp\~DFFD8CEAD239C1971C.TMP

C:\Users\user\Desktop\2C230000

C:\Users\user\Desktop\F109BCEF.tmp (copy)

C:\Users\user\Desktop\PastePictures 1.xla

Static File Info

General

File Icon

Static OLE Info

General

OLE File "PastePictures 1.xla"

Indicators

Windows Analysis Report
PastePictures 1.xla

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 10, 2025 11:23:38.082194090 CET	64309	53	192.168.2.5	1.1.1.1
Mar 10, 2025 11:23:38.144331932 CET	53	64309	1.1.1.1	192.168.2.5
Mar 10, 2025 11:24:32.622050047 CET	64225	53	192.168.2.5	1.1.1.1
Mar 10, 2025 11:24:32.633280993 CET	53	64225	1.1.1.1	192.168.2.5

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 10, 2025 11:23:30.384732962 CET	1.1.1.1	192.168.2.5	0x8373	No error (0)	ecs-office.s-0005.dual-s-msedge.net	s-0005.dual-s-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 10, 2025 11:23:30.384732962 CET	1.1.1.1	192.168.2.5	0x8373	No error (0)	s-0005.dual-s-msedge.net		52.123.129.14	A (IP address)	IN (0x0001)	false
Mar 10, 2025 11:23:30.384732962 CET	1.1.1.1	192.168.2.5	0x8373	No error (0)	s-0005.dual-s-msedge.net		52.123.128.14	A (IP address)	IN (0x0001)	false
Mar 10, 2025 11:23:38.144331932 CET	1.1.1.1	192.168.2.5	0x91e4	No error (0)	xn--80adkunbi5c.xn--p1ai		23.88.6.149	A (IP address)	IN (0x0001)	false
Mar 10, 2025 11:24:32.633280993 CET	1.1.1.1	192.168.2.5	0xe3f8	No error (0)	otelrules.svc.static.microsoft	otelrules-bzhndjfje8dvh5fd.z01.azurefd.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 10, 2025 11:24:32.633280993 CET	1.1.1.1	192.168.2.5	0xe3f8	No error (0)	otelrules-bzhndjfje8dvh5fd.z01.azurefd.net	star-azurefd-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 10, 2025 11:24:32.633280993 CET	1.1.1.1	192.168.2.5	0xe3f8	No error (0)	star-azurefd-prod.trafficmanager.net	shed.dual-low.s-part-0032.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 10, 2025 11:24:32.633280993 CET	1.1.1.1	192.168.2.5	0xe3f8	No error (0)	shed.dual-low.s-part-0032.t-0009.t-msedge.net	azurefd-t-fb-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 10, 2025 11:24:32.633280993 CET	1.1.1.1	192.168.2.5	0xe3f8	No error (0)	azurefd-t-fb-prod.trafficmanager.net	dual.s-part-0044.t-0009.fb-t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 10, 2025 11:24:32.633280993 CET	1.1.1.1	192.168.2.5	0xe3f8	No error (0)	dual.s-part-0044.t-0009.fb-t-msedge.net	s-part-0044.t-0009.fb-t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 10, 2025 11:24:32.633280993 CET	1.1.1.1	192.168.2.5	0xe3f8	No error (0)	s-part-0044.t-0009.fb-t-msedge.net		13.107.253.72	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
Mar 10, 2025 11:23:38.150753021 CET	164	OUT	GET /ip.php HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: xn--80adkunbi5c.xn--p1ai
Mar 10, 2025 11:23:38.824856043 CET	214	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 10 Mar 2025 10:23:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 12 Connection: keep-alive Keep-Alive: timeout=20 Vary: Accept-Encoding Data Raw: 35 31 2e 31 37 38 2e 31 38 2e 36 36 Data Ascii: 51.178.18.66

Timestamp	Bytes transferred	Direction	Data
2025-03-10 10:24:34 UTC	226	OUT	GET /rules/excel.exe-Production-v19.bundle HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.svc.static.microsoft
2025-03-10 10:24:35 UTC	500	IN	HTTP/1.1 200 OK Date: Mon, 10 Mar 2025 10:24:35 GMT Content-Type: text/plain Content-Length: 1114783 Connection: close Vary: Accept-Encoding Cache-Control: public Last-Modified: Sun, 09 Mar 2025 06:27:07 GMT ETag: "0x8DD5ED36A70D4F4" x-ms-request-id: b2cddfeb-801e-0035-3bf9-90752a000000 x-ms-version: 2018-03-28 x-azure-ref: 20250310T102435Z-r15847dcb49phpnqhC1CH11mvc00000002w0000000000ax2 x-fd-int-roxy-purgeid: 0 X-Cache-Info: L2_T2 X-Cache: TCP_REMOTE_HIT Accept-Ranges: bytes
2025-03-10 10:24:35 UTC	15884	IN	Data Raw: 31 30 30 30 34 32 76 32 2b 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 30 30 30 34 32 22 20 56 3d 22 32 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 55 58 2e 44 65 73 6b 74 6f 70 2e 4f 66 66 69 63 65 54 68 65 6d 65 2e 41 70 70 2e 49 6e 69 74 22 20 41 54 54 3d 22 63 34 33 38 38 63 39 37 37 32 39 37 34 31 33 62 62 30 35 34 62 61 64 31 61 63 66 30 61 64 65 31 2d 63 63 35 38 65 35 33 65 2d 66 35 61 34 2d 34 66 33 37 2d 62 30 64 32 2d 39 61 38 30 37 39 65 33 34 34 32 30 2d 36 38 37 39 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 63 6d 39 79 35 Data Ascii: 100042v2+<?xml version="1.0" encoding="utf-8"?><R Id="100042" V="2" DC="SM" EN="Office.UX.Desktop.OfficeTheme.App.Init" ATT="c4388c977297413bb054bad1acf0ade1-cc58e53e-f5a4-4f37-b0d2-9a8079e34420-6879" DCa="PSU" xmlns=""> <S> <UTS T="1" Id="cm9y5
2025-03-10 10:24:35 UTC	16384	IN	Data Raw: 53 20 54 3d 22 31 22 20 2f 3e 0d 0a 20 20 3c 2f 54 3e 0d 0a 3c 2f 52 3e 0d 0a 3c 24 21 23 3e 31 30 30 31 31 37 76 30 2b 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 30 30 31 31 37 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 38 79 6c 6c 66 22 20 2f 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 57 22 20 49 3d 22 30 22 20 4f 3d 22 66 61 6c 73 65 22 3e 0d 0a 20 20 20 20 3c 56 20 56 3d 22 43 6c 69 63 6b 22 20 54 3d 22 57 22 20 2f 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 Data Ascii: S T="1" /> </T></R><$!#>100117v0+<?xml version="1.0" encoding="utf-8"?><R Id="100117" V="0" DC="SM" T="Subrule" DCa="PSU" xmlns=""> <S> <UTS T="1" Id="8yllf" /> </S> <C T="W" I="0" O="false"> <V V="Click" T="W" /> </C> <C
2025-03-10 10:24:35 UTC	16384	IN	Data Raw: 20 20 20 3c 2f 41 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 54 3e 0d 0a 20 20 20 20 3c 53 20 54 3d 22 32 22 20 2f 3e 0d 0a 20 20 20 20 3c 53 20 54 3d 22 33 22 20 2f 3e 0d 0a 20 20 3c 2f 54 3e 0d 0a 3c 2f 52 3e 0d 0a 3c 24 21 23 3e 31 30 37 38 31 76 31 2b 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 30 37 38 31 22 20 56 3d 22 31 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 62 67 6f 34 74 22 20 2f 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 32 22 20 49 64 3d 22 62 68 6c 76 79 22 20 2f 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 Data Ascii: </A> </C> <T> <S T="2" /> <S T="3" /> </T></R><$!#>10781v1+<?xml version="1.0" encoding="utf-8"?><R Id="10781" V="1" DC="SM" T="Subrule" xmlns=""> <S> <UTS T="1" Id="bgo4t" /> <UTS T="2" Id="bhlvy" /> </S> <C
2025-03-10 10:24:35 UTC	16384	IN	Data Raw: 22 41 4e 44 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 4f 20 54 3d 22 47 54 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 31 22 20 46 3d 22 30 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 31 30 30 30 22 20 54 3d 22 55 33 32 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 4f 20 54 3d 22 4c 45 22 3e 0d 0a 20 20 20 20 20 20 Data Ascii: "AND"> <L> <O T="GT"> <L> <S T="1" F="0" /> </L> <R> <V V="1000" T="U32" /> </R> </O> </L> <R> <O T="LE">
2025-03-10 10:24:35 UTC	16384	IN	Data Raw: 54 3d 22 55 33 32 22 20 49 3d 22 32 32 22 20 4f 3d 22 66 61 6c 73 65 22 20 4e 3d 22 46 6c 79 6f 75 74 56 69 64 65 6f 43 61 6c 6c 56 69 64 65 6f 22 3e 0d 0a 20 20 20 20 3c 43 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 32 36 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 43 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 32 33 22 20 4f 3d 22 66 61 6c 73 65 22 20 4e 3d 22 46 6c 79 6f 75 74 53 61 53 22 3e 0d 0a 20 20 20 20 3c 43 3e 0d 0a 20 20 20 20 20 20 3c 53 20 54 3d 22 32 37 22 20 2f 3e 0d 0a 20 20 20 20 3c 2f 43 3e 0d 0a 20 20 3c 2f 43 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 32 34 22 20 4f 3d 22 66 61 6c 73 65 22 20 4e 3d 22 46 6c 79 6f 75 74 4f 76 65 72 66 6c 6f 77 22 3e 0d 0a 20 20 20 20 3c 43 3e 0d 0a 20 20 20 Data Ascii: T="U32" I="22" O="false" N="FlyoutVideoCallVideo"> <C> <S T="26" /> </C> </C> <C T="U32" I="23" O="false" N="FlyoutSaS"> <C> <S T="27" /> </C> </C> <C T="U32" I="24" O="false" N="FlyoutOverflow"> <C>
2025-03-10 10:24:35 UTC	16384	IN	Data Raw: 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 30 39 30 37 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 4f 75 74 6c 6f 6f 6b 2e 44 65 73 6b 74 6f 70 2e 4e 44 42 2e 55 6e 6b 6e 6f 77 6e 2e 43 6f 72 72 75 70 74 69 6f 6e 22 20 41 54 54 3d 22 64 38 30 37 36 30 39 32 37 36 37 34 34 32 34 35 62 61 66 38 31 62 66 37 62 63 38 30 33 33 66 36 2d 32 32 36 38 65 33 37 34 2d 37 37 36 36 2d 34 39 37 36 2d 62 65 34 34 2d 62 36 61 64 35 62 64 64 63 35 62 36 2d 37 38 31 33 22 20 53 3d 22 31 30 30 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 45 74 77 20 54 3d 22 31 22 20 45 3d 22 33 39 35 22 20 47 3d 22 7b 32 61 64 66 38 65 32 Data Ascii: 1.0" encoding="utf-8"?><R Id="10907" V="0" DC="SM" EN="Office.Outlook.Desktop.NDB.Unknown.Corruption" ATT="d807609276744245baf81bf7bc8033f6-2268e374-7766-4976-be44-b6ad5bddc5b6-7813" S="100" DCa="PSU" xmlns=""> <S> <Etw T="1" E="395" G="{2adf8e2
2025-03-10 10:24:35 UTC	16384	IN	Data Raw: 3d 22 32 22 20 45 3d 22 54 65 6c 65 6d 65 74 72 79 53 68 75 74 64 6f 77 6e 22 20 2f 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 33 22 20 49 64 3d 22 62 70 66 79 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 46 20 54 3d 22 34 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 47 54 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 33 22 20 46 3d 22 50 68 6f 74 6f 53 69 7a 65 49 6e 42 79 74 65 73 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 30 22 20 54 3d 22 55 36 34 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 3c 2f 46 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 Data Ascii: ="2" E="TelemetryShutdown" /> <UTS T="3" Id="bpfy1" /> <F T="4"> <O T="GT"> <L> <S T="3" F="PhotoSizeInBytes" /> </L> <R> <V V="0" T="U64" /> </R> </O> </F> </S>
2025-03-10 10:24:35 UTC	16384	IN	Data Raw: 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 34 22 20 46 3d 22 65 76 65 6e 74 49 64 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 31 33 35 22 20 54 3d 22 49 33 32 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 3c 2f 46 3e 0d 0a 20 20 20 20 3c 46 20 54 3d 22 37 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 35 22 20 46 3d 22 74 63 69 64 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 Data Ascii: <L> <S T="4" F="eventId" /> </L> <R> <V V="135" T="I32" /> </R> </O> </F> <F T="7"> <O T="EQ"> <L> <S T="5" F="tcid" /> </L> <R>
2025-03-10 10:24:35 UTC	16384	IN	Data Raw: 20 20 20 3c 2f 46 3e 0d 0a 20 20 20 20 3c 46 20 54 3d 22 31 30 22 3e 0d 0a 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 33 22 20 46 3d 22 46 69 6c 65 50 72 6f 74 65 63 74 69 6f 6e 53 74 61 74 65 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 35 22 20 54 3d 22 55 33 32 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 3c 2f 46 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 43 20 54 3d 22 55 33 32 22 20 49 3d 22 30 22 20 4f 3d 22 66 61 6c 73 65 22 20 4e 3d 22 43 6f 75 6e 74 4f 66 54 68 72 6f 77 6e 45 78 63 65 70 Data Ascii: </F> <F T="10"> <O T="EQ"> <L> <S T="3" F="FileProtectionState" /> </L> <R> <V V="5" T="U32" /> </R> </O> </F> </S> <C T="U32" I="0" O="false" N="CountOfThrownExcep
2025-03-10 10:24:35 UTC	16384	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 53 20 54 3d 22 35 22 20 46 3d 22 72 65 73 75 6c 74 73 5f 49 73 4e 75 6c 6c 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 56 20 56 3d 22 66 61 6c 73 65 22 20 54 3d 22 42 22 20 2f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 4f 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 4c 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 52 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 4f 20 54 3d 22 45 51 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 4c Data Ascii: <S T="5" F="results_IsNull" /> </L> <R> <V V="false" T="B" /> </R> </O> </L> <R> <O T="EQ"> <L

Timestamp	Bytes transferred	Direction	Data
2025-03-10 10:24:41 UTC	214	OUT	GET /rules/rule120607v1s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.svc.static.microsoft
2025-03-10 10:24:42 UTC	491	IN	HTTP/1.1 200 OK Date: Mon, 10 Mar 2025 10:24:42 GMT Content-Type: text/xml Content-Length: 204 Connection: close Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:35 GMT ETag: "0x8DC582BB6C8527A" x-ms-request-id: 334649ef-301e-0052-7b94-9165d6000000 x-ms-version: 2018-03-28 x-azure-ref: 20250310T102442Z-15874666d586sqlrhC1CH1ndqc000000034g000000001pg7 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2025-03-10 10:24:42 UTC	204	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 30 37 22 20 56 3d 22 31 22 20 44 43 3d 22 53 4d 22 20 54 3d 22 53 75 62 72 75 6c 65 22 20 45 52 3d 22 31 32 30 36 30 33 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 62 62 70 7a 73 22 20 41 3d 22 39 34 30 74 63 20 39 78 35 6a 73 22 20 2f 3e 0d 0a 20 20 3c 2f 53 3e 0d 0a 20 20 3c 54 3e 0d 0a 20 20 20 20 3c 53 20 54 3d 22 31 22 20 2f 3e 0d 0a 20 20 3c 2f 54 3e 0d 0a 3c 2f 52 3e Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120607" V="1" DC="SM" T="Subrule" ER="120603" xmlns=""> <S> <UTS T="1" Id="bbpzs" A="940tc 9x5js" /> </S> <T> <S T="1" /> </T></R>

Timestamp	Bytes transferred	Direction	Data
2025-03-10 10:24:42 UTC	214	OUT	GET /rules/rule120603v8s19.xml HTTP/1.1 Connection: Keep-Alive Accept-Encoding: gzip User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro) Host: otelrules.svc.static.microsoft
2025-03-10 10:24:42 UTC	515	IN	HTTP/1.1 200 OK Date: Mon, 10 Mar 2025 10:24:42 GMT Content-Type: text/xml Content-Length: 2128 Connection: close Vary: Accept-Encoding Cache-Control: public, max-age=604800, immutable Last-Modified: Tue, 09 Apr 2024 00:26:04 GMT ETag: "0x8DC582BA41F3C62" x-ms-request-id: 1705ab94-901e-0015-7f94-91b284000000 x-ms-version: 2018-03-28 x-azure-ref: 20250310T102442Z-r15847dcb49g5wtghC1CH16nhw00000003r00000000007ct x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2025-03-10 10:24:42 UTC	2128	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 36 30 33 22 20 56 3d 22 38 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 53 79 73 74 65 6d 2e 53 79 73 74 65 6d 48 65 61 6c 74 68 4d 65 74 61 64 61 74 61 41 70 70 6c 69 63 61 74 69 6f 6e 41 64 64 69 74 69 6f 6e 61 6c 22 20 41 54 54 3d 22 63 64 38 33 36 36 32 36 36 31 31 63 34 63 61 61 61 38 66 63 35 62 32 65 37 32 38 65 65 38 31 64 2d 33 62 36 64 36 63 34 35 2d 36 33 37 37 2d 34 62 66 35 2d 39 37 39 32 2d 64 62 66 38 65 31 38 38 31 30 38 38 2d 37 35 32 31 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 45 3d 22 66 61 6c 73 65 22 20 44 4c 3d Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120603" V="8" DC="SM" EN="Office.System.SystemHealthMetadataApplicationAdditional" ATT="cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521" SP="CriticalBusinessImpact" E="false" DL=

Target ID:	0
Start time:	06:23:23
Start date:	10/03/2025
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Imagebase:	0xf40000
File size:	53'161'064 bytes
MD5 hash:	4A871771235598812032C822E6F68F19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre