Source: .xls | Virustotal: Detection: 24% |
Source: .xls | ReversingLabs: Detection: 15% |
Source: unknown | HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:49734 version: TLS 1.2 |
Source: unknown | HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.4:49736 version: TLS 1.2 |
Source: global traffic | DNS query: name: otelrules.svc.static.microsoft |
Source: global traffic | TCP traffic: 192.168.2.4:49734 <-> 13.107.246.60:443 |
Source: global traffic | TCP traffic: 192.168.2.4:49735 <-> 13.107.246.60:443 |
Source: global traffic | TCP traffic: 192.168.2.4:49736 <-> 13.107.246.60:443 |
Source: Joe Sandbox View | IP Address: 13.107.246.60 |
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1 |
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734, :49735, :49736 -> 13.107.246.60:443 |
Note: a JA3 rule matches the client's TLS ClientHello, not the payload. All three flagged flows carry Excel's own requests to otelrules.svc.static.microsoft with the Office User-Agent (HTTP entries below), so this alert reflects the Office TLS client fingerprint and is not, on its own, evidence of macro-driven command and control.
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic | HTTP traffic detected:
GET /rules/excel.exe-Production-v19.bundle HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.svc.static.microsoft
Source: global traffic | HTTP traffic detected:
GET /rules/rule120600v5s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)
Host: otelrules.svc.static.microsoft
Source: global traffic | DNS traffic detected: DNS query: otelrules.svc.static.microsoft |
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734 |
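The Suricata JA3 hit and the HTTP requests above are the same three flows seen at different layers. The following Python is an added example, not part of the report and not Suricata's own tooling, of joining JA3 alerts to same-flow HTTP metadata before deciding what an alert means. The records are constructed in the shape of Suricata eve.json entries from the addresses, ports, SID, JA3 hash, hostname and User-Agent the report shows; which URL went over which port is not stated in the report and is assigned arbitrarily here, and the third flow is deliberately given no HTTP record to show the no-context case. The trusted-suffix list is an analyst-maintained assumption, and plaintext HTTP records for a 443 flow presuppose a capture point that saw decrypted traffic, as the sandbox did.

```python
"""Join Suricata JA3 alerts to same-flow HTTP metadata before triage.

Added example, not from the sandbox report or from Suricata. Records below are
constructed in eve.json shape from values the report shows; the port-to-URL
assignment and the trusted-suffix list are this example's assumptions.
"""

JA3_SID = 2028371
JA3_SIG = "ET JA3 Hash - Possible Malware - Fake Firefox Font Update"
OFFICE_UA = ("Microsoft Office/16.0 "
             "(Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)")

# Analyst-maintained (assumption): hosts under these suffixes are first-party
# endpoints of the product whose TLS client produced the fingerprint.
TRUSTED_SUFFIXES = (".svc.static.microsoft",)


def _alert(src_port):
    """Constructed eve 'alert' record for one of the three flagged flows."""
    return {"event_type": "alert", "src_ip": "192.168.2.4", "src_port": src_port,
            "dest_ip": "13.107.246.60", "dest_port": 443,
            "alert": {"signature_id": JA3_SID, "signature": JA3_SIG},
            "tls": {"ja3": {"hash": "a0e9f5d64349fb13191bc781f81f42e1"}}}


def _http(src_port, url):
    """Constructed eve 'http' record; plaintext is visible only because the
    capture point (the sandbox) intercepts TLS. URL-to-port pairing is arbitrary."""
    return {"event_type": "http", "src_ip": "192.168.2.4", "src_port": src_port,
            "dest_ip": "13.107.246.60", "dest_port": 443,
            "http": {"hostname": "otelrules.svc.static.microsoft", "url": url,
                     "http_user_agent": OFFICE_UA}}


EVENTS = [
    _alert(49734), _alert(49735), _alert(49736),
    _http(49734, "/rules/excel.exe-Production-v19.bundle"),
    _http(49735, "/rules/rule120600v5s19.xml"),
    # 49736 intentionally has no http record: the no-context case.
]


def flow_key(ev):
    """Address/port 4-tuple; enough to join records from one TCP flow."""
    return (ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"])


def index_http(events):
    """Map each flow to its HTTP metadata (last record for a flow wins)."""
    return {flow_key(ev): ev["http"] for ev in events if ev["event_type"] == "http"}


def classify(alert_ev, http):
    """Decide what a JA3 alert means given same-flow HTTP context.

    A JA3 rule fingerprints the TLS ClientHello, i.e. the client software,
    not the payload. If the same flow carries the product's own User-Agent to
    a first-party host, the alert describes that client and nothing more.
    """
    if http is None:
        return "no_context"
    sig = alert_ev["alert"]["signature"]
    host = http.get("hostname", "")
    ua = http.get("http_user_agent", "")
    if ("JA3 Hash" in sig and host.endswith(TRUSTED_SUFFIXES)
            and ua.startswith("Microsoft Office/")):
        return "benign_client_fingerprint"
    return "investigate"


def triage(events):
    """Return one verdict per alert, enriched with the flow's HTTP host."""
    http_by_flow = index_http(events)
    results = []
    for ev in events:
        if ev["event_type"] != "alert":
            continue
        http = http_by_flow.get(flow_key(ev))
        results.append({"src_port": ev["src_port"],
                        "sid": ev["alert"]["signature_id"],
                        "host": http["hostname"] if http else None,
                        "verdict": classify(ev, http)})
    return results


if __name__ == "__main__":
    for r in triage(EVENTS):
        print(f"sid {r['sid']} port {r['src_port']:5d} "
              f"host {str(r['host']):35s} -> {r['verdict']}")
```

The flow with no HTTP record comes back as no_context rather than benign: a JA3 match with no application-layer context is exactly the case that still needs a look, and the join must not silently clear it.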
Source: .xls | OLE, VBA macro line: Open Environ(O000O110001OOOO11()) & O111OO111OO101101() For Output As fileNumber |
Source: .xls | OLE, VBA macro line: Application.Quit |
Source: .xls | OLE, VBA macro line: O11111O1O1110OO1O = Environ(O1O1OO101O11O010O()) |
Source: .xls | OLE indicator, VBA macros: true |
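The three macro lines above resolve a path from an environment variable through identifiers made only of the glyphs O, 0 and 1, open that path for writing, and quit Excel. The following Python is an added triage example, not part of the report or of any extraction tool: it runs a handful of regex heuristics over extracted VBA source and flags the look-alike identifiers. The input is constructed: it wraps the report's three quoted lines in a made-up Auto_Open Sub with made-up filler lines, and the rule weights and score threshold are this example's own choices.

```python
"""Heuristic triage of extracted VBA macro source.

Added example, not part of the sandbox report. It assumes the macro text has
already been dumped to a string by an OLE/VBA extraction tool; the sample
below is constructed around the three lines the report quotes.
"""
import re
from collections import Counter

# Constructed sample: the report's three lines inside a made-up Auto_Open Sub
# with made-up filler (Dim/FreeFile/Print/Close) so it reads as real VBA.
SAMPLE_MACRO = """\
Sub Auto_Open()
    Dim fileNumber As Integer
    fileNumber = FreeFile
    O11111O1O1110OO1O = Environ(O1O1OO101O11O010O())
    Open Environ(O000O110001OOOO11()) & O111OO111OO101101() For Output As fileNumber
    Print #fileNumber, Range("A1").Value
    Close fileNumber
    Application.Quit
End Sub
"""

# Identifiers built only from O/0/1 (and l/I) are visually homogeneous and
# carry no meaning: a common obfuscation tell in macro droppers.
OBFUSCATED_IDENT = re.compile(r"\b[OoIl01]{8,}\b")

# (name, pattern, weight). Weights are this example's own, not a standard.
RULES = [
    ("env_lookup",     re.compile(r"\bEnviron\s*\(", re.I), 2),
    ("file_write",     re.compile(r"\bOpen\b.*\bFor\s+(Output|Binary|Append)\b", re.I), 3),
    ("self_terminate", re.compile(r"\bApplication\.Quit\b", re.I), 2),
    ("auto_exec",      re.compile(r"\bSub\s+(Auto_Open|Workbook_Open|Document_Open)\b", re.I), 2),
    ("shell_exec",     re.compile(r"\b(Shell|WScript\.Shell|CreateObject)\b", re.I), 3),
]


def scan_macro(source: str) -> dict:
    """Return rule hits (1-based line numbers), obfuscated identifiers, score."""
    lines = source.splitlines()
    hits = {}
    for name, rx, _ in RULES:
        matched = [i for i, line in enumerate(lines, 1) if rx.search(line)]
        if matched:
            hits[name] = matched
    idents = Counter(OBFUSCATED_IDENT.findall(source))
    score = sum(w for name, _, w in RULES if name in hits)
    # Several distinct meaningless identifiers add once: obfuscation is a
    # signal about the author's intent, not a capability of its own.
    if len(idents) >= 3:
        score += 3
    return {"hits": hits, "obfuscated_identifiers": dict(idents), "score": score}


def verdict(result: dict) -> str:
    """Coarse label; the threshold is this example's choice."""
    return "suspicious" if result["score"] >= 6 else "review"


if __name__ == "__main__":
    r = scan_macro(SAMPLE_MACRO)
    for name, where in r["hits"].items():
        print(f"{name:15s} lines {where}")
    print("obfuscated identifiers:", sorted(r["obfuscated_identifiers"]))
    print("score", r["score"], "->", verdict(r))
```

On the constructed sample the environment lookup, file write, auto-exec entry point and self-termination all fire, and four distinct O/0/1 identifiers are found; the absence of any Shell or CreateObject hit matches the report, which shows Excel itself as the only process doing anything besides the printer-driver host.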
Source: classification engine | Classification label: mal56.expl.evad.winXLS@3/1@1/1 |
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml |
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{6E5C2C0C-90D2-4C3E-B6C5-1C9082E603DF} - OProcSessId.dat |
Source: .xls | OLE indicator, Workbook stream: true |
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini |
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding |
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288 |
Source: Window Recorder | Window detected: More than 3 window changes detected |
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common |
Source: .xls | Static file information: File size 3369984 > 1048576 |
Source: .xls | Stream path '_VBA_PROJECT_CUR/VBA/Sheet1' : High number of string operations |
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (12 occurrences) |
Source: C:\Windows\splwow64.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (13 occurrences) |
Source: C:\Windows\splwow64.exe | Window / User API: threadDelayed 855 |
Source: C:\Windows\splwow64.exe | Last function: Thread delayed |
Source: C:\Windows\splwow64.exe | Thread delayed: delay time: 120000 (2 occurrences) |
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information queried: ProcessInformation |
Note: splwow64.exe is the 32-bit-to-64-bit printer-driver host that 32-bit Office starts on its own (see the EXCEL.EXE -> splwow64.exe 12288 process creation above), and the 120000 ms delay is that host's idle timeout. These delay-based evasion hits therefore belong to Office's normal behaviour, not to the macro; the macro-attributable activity in this report is confined to the VBA lines themselves.