
Windows Analysis Report
#U5f38#U5a5c#U6cec#U5ed7#U60d7#U603d#U60ea#U661e.xls

Overview

General Information

Sample name: #U5f38#U5a5c#U6cec#U5ed7#U60d7#U603d#U60ea#U661e.xls
renamed because original name is a hash value
Original sample name: .xls
Analysis ID: 1634933
MD5: 016df9e04a1cb43d5d109dccc5144f4b
SHA1: da30cd4cfa97a12ff679ad2fc05a9c6152645ece
SHA256: e123fa2abf1a2f12af9f1828b317d486d1df63aff801d591c5e939eb06eb4cfc
Tags: xls, user-zhuzhu0009

Detection

Score: 56
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with many string operations indicating source code obfuscation
Detected non-DNS traffic on DNS port
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Suricata IDS alerts with low severity for network traffic

Classification

  • System is w10x64
  • EXCEL.EXE (PID: 8088 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)
    • splwow64.exe (PID: 2968 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton | Data: DestinationIp: 52.123.128.14, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 8088, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49726
Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 49726, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 8088, Protocol: tcp, SourceIp: 52.123.128.14, SourceIsIpv6: false, SourcePort: 443

Timestamp                       | SID     | Severity | Classtype       | Source IP   | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T07:16:52.713763+0100 | 2028371 | 3        | Unknown Traffic | 192.168.2.4 | 49726       | 52.123.128.14  | 443              | TCP
2025-03-11T07:17:55.182700+0100 | 2028371 | 3        | Unknown Traffic | 192.168.2.4 | 52816       | 13.107.253.72  | 443              | TCP
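The two Sigma matches above are one EXCEL.EXE socket (192.168.2.4:49726 to 52.123.128.14:443) recorded once from each end, and the Suricata SID 2028371 hit is a JA3 fingerprint commonly seen from the Windows SChannel TLS client, so the low-severity alert is weak evidence on its own; what carries weight is that Excel initiated an outbound TLS connection at all. The example below is added here and is neither part of the Joe Sandbox report nor the published Sigma rule text. It applies an approximation of the "Suspicious Office Outbound Connections" logic to constructed Sysmon Event ID 3 records modelled on the data above and collapses direction-swapped records so that one connection yields one alert. The two control events, the OFFICE_IMAGES list and the private-address test are assumptions of the example.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Office binaries whose outbound connections deserve a look (lower-cased basenames).
OFFICE_IMAGES = {
    "excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe",
    "msaccess.exe", "mspub.exe", "visio.exe", "onenote.exe",
}

# Constructed Sysmon Event ID 3 records: the first two mirror the report's Sigma
# matches, the other two are controls (a LAN connection and a non-Office process).
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 3, "Image": r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
     "ProcessId": 8088, "Protocol": "tcp", "Initiated": True,
     "SourceIp": "192.168.2.4", "SourcePort": 49726,
     "DestinationIp": "52.123.128.14", "DestinationPort": 443},
    # The same socket logged again with the endpoints swapped.
    {"EventID": 3, "Image": r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
     "ProcessId": 8088, "Protocol": "tcp", "Initiated": True,
     "SourceIp": "52.123.128.14", "SourcePort": 443,
     "DestinationIp": "192.168.2.4", "DestinationPort": 49726},
    # Control (constructed): Excel talking to a file server on the LAN.
    {"EventID": 3, "Image": r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
     "ProcessId": 8088, "Protocol": "tcp", "Initiated": True,
     "SourceIp": "192.168.2.4", "SourcePort": 49800,
     "DestinationIp": "192.168.2.20", "DestinationPort": 445},
    # Control (constructed): a browser, not an Office process.
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ProcessId": 4242, "Protocol": "tcp", "Initiated": True,
     "SourceIp": "192.168.2.4", "SourcePort": 49900,
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},
]


def _basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local


def office_outbound(event: Dict) -> bool:
    """Approximation (not the published rule) of 'Suspicious Office Outbound
    Connections': an Office process initiating a connection from a local
    address to a non-private destination."""
    if event.get("EventID") != 3 or not event.get("Initiated"):
        return False
    if _basename(event.get("Image", "")) not in OFFICE_IMAGES:
        return False
    # Require the local side to be the source: the swapped record above is the
    # same socket seen from the far end and would otherwise double-count.
    return _is_local(event["SourceIp"]) and not _is_local(event["DestinationIp"])


def connection_key(event: Dict) -> Tuple:
    """Direction-independent 5-tuple so both records of one socket collapse."""
    ends = frozenset({(event["SourceIp"], event["SourcePort"]),
                      (event["DestinationIp"], event["DestinationPort"])})
    return (event.get("Protocol", "").lower(), ends)


def alerts(events: Iterable[Dict]) -> List[Dict]:
    """One alert per distinct matching connection."""
    seen = set()
    out = []
    for ev in events:
        if not office_outbound(ev):
            continue
        key = connection_key(ev)
        if key in seen:
            continue
        seen.add(key)
        out.append({
            "image": _basename(ev["Image"]),
            "pid": ev.get("ProcessId"),
            "remote": f'{ev["DestinationIp"]}:{ev["DestinationPort"]}',
            "protocol": ev.get("Protocol"),
        })
    return out


def distinct_connections(events: Iterable[Dict]) -> int:
    """Count sockets regardless of direction; the report's two Sigma hits are one."""
    return len({connection_key(ev) for ev in events if ev.get("EventID") == 3})


if __name__ == "__main__":
    for alert in alerts(SAMPLE_EVENTS):
        print(alert)
```

On a real host the records come from Sysmon Event ID 3 or equivalent EDR telemetry. A production rule also needs an allow-list for Office's own service endpoints (the only name resolved in this run is otelrules.svc.static.microsoft, an Office telemetry host); it is left out here so the matching logic stays visible.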


AV Detection

Source: #U5f38#U5a5c#U6cec#U5ed7#U60d7#U603d#U60ea#U661e.xls | Virustotal: Detection: 24%
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 13.107.253.72:443 -> 192.168.2.4:52816 version: TLS 1.2
Source: global traffic | DNS query: name: 18.31.95.13.in-addr.arpa
Source: global traffic | DNS query: name: 56.163.245.4.in-addr.arpa
Source: global traffic | DNS query: name: otelrules.svc.static.microsoft
Source: global traffic | TCP traffic: 192.168.2.4:49726 <-> 52.123.128.14:443 (many packets, both directions)
Source: global traffic | TCP traffic: 192.168.2.4:52816 <-> 13.107.253.72:443 (many packets, both directions)
Source: global traffic | TCP traffic: 192.168.2.4:52809 <-> 162.159.36.2:53 (TCP on port 53, both directions)
Source: Joe Sandbox View | IP Address: 13.107.253.72
Source: Joe Sandbox View | IP Address: 52.123.128.14
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:52816 -> 13.107.253.72:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49726 -> 52.123.128.14:443
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2 (4 entries)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 entries)
Source: global traffic | DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: global traffic | DNS traffic detected: DNS query: 56.163.245.4.in-addr.arpa
Source: global traffic | DNS traffic detected: DNS query: otelrules.svc.static.microsoft
Source: unknown | Network traffic detected: HTTP traffic on port 52816 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 52816
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown | HTTPS traffic detected: 13.107.253.72:443 -> 192.168.2.4:52816 version: TLS 1.2

System Summary

Source: #U5f38#U5a5c#U6cec#U5ed7#U60d7#U603d#U60ea#U661e.xls | OLE, VBA macro line: Open Environ(O000O110001OOOO11()) & O111OO111OO101101() For Output As fileNumber
Source: #U5f38#U5a5c#U6cec#U5ed7#U60d7#U603d#U60ea#U661e.xls | OLE, VBA macro line: Application.Quit
Source: #U5f38#U5a5c#U6cec#U5ed7#U60d7#U603d#U60ea#U661e.xls | OLE, VBA macro line: O11111O1O1110OO1O = Environ(O1O1OO101O11O010O())
Source: #U5f38#U5a5c#U6cec#U5ed7#U60d7#U603d#U60ea#U661e.xls.1.dr | OLE, VBA macro line: Open Environ(O000O110001OOOO11()) & O111OO111OO101101() For Output As fileNumber
Source: #U5f38#U5a5c#U6cec#U5ed7#U60d7#U603d#U60ea#U661e.xls.1.dr | OLE, VBA macro line: Application.Quit
Source: #U5f38#U5a5c#U6cec#U5ed7#U60d7#U603d#U60ea#U661e.xls.1.dr | OLE, VBA macro line: O11111O1O1110OO1O = Environ(O1O1OO101O11O010O())
Source: #U5f38#U5a5c#U6cec#U5ed7#U60d7#U603d#U60ea#U661e.xls | OLE indicator, VBA macros: true
Source: #U5f38#U5a5c#U6cec#U5ed7#U60d7#U603d#U60ea#U661e.xls.1.dr | OLE indicator, VBA macros: true
Source: ~DFAC55E4C13A2B51BE.TMP.1.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: classification engine | Classification label: mal56.expl.evad.winXLS@3/6@3/2
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{1347640A-3425-49A1-A9E4-189C29046A65} - OProcSessId.dat
Source: #U5f38#U5a5c#U6cec#U5ed7#U60d7#U603d#U60ea#U661e.xls | OLE indicator, Workbook stream: true
Source: #U5f38#U5a5c#U6cec#U5ed7#U60d7#U603d#U60ea#U661e.xls.1.dr | OLE indicator, Workbook stream: true
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: #U5f38#U5a5c#U6cec#U5ed7#U60d7#U603d#U60ea#U661e.xls | Virustotal: Detection: 24%
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{AC9F2F90-E877-11CE-9F68-00AA00574A4F}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: #U5f38#U5a5c#U6cec#U5ed7#U60d7#U603d#U60ea#U661e.xls | Static file information: File size 3369984 > 1048576
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: ~DFAC55E4C13A2B51BE.TMP.1.dr | Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Source: #U5f38#U5a5c#U6cec#U5ed7#U60d7#U603d#U60ea#U661e.xlsStream path '_VBA_PROJECT_CUR/VBA/Sheet1' : High number of string operations
Source: #U5f38#U5a5c#U6cec#U5ed7#U60d7#U603d#U60ea#U661e.xls.1.drStream path '_VBA_PROJECT_CUR/VBA/Sheet1' : High number of string operations
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\splwow64.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe | Window / User API: threadDelayed 944
Source: C:\Windows\splwow64.exe | Last function: Thread delayed
Source: C:\Windows\splwow64.exe | Thread delayed: delay time: 120000
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information queried: ProcessInformation
MITRE ATT&CK matrix (techniques listed per tactic; a number in parentheses is the count shown against that technique in the report):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Scripting (21); Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Exploitation for Client Execution (3); Scheduled Task/Job; At; Cron; Launchd
Persistence: Scripting (21); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (1); Process Injection (1); Obfuscated Files or Information (1); Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Process Discovery (1); Virtualization/Sandbox Evasion (1); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel (2); Non-Application Layer Protocol (1); Application Layer Protocol (2); Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

Source | Detection | Scanner
#U5f38#U5a5c#U6cec#U5ed7#U60d7#U603d#U60ea#U661e.xls | 25% | Virustotal
No Antivirus matches
Name | IP | Active | Malicious | Reputation
s-part-0044.t-0009.fb-t-msedge.net | 13.107.253.72 | true | false | high
s-0005.dual-s-msedge.net | 52.123.128.14 | true | false | high
56.163.245.4.in-addr.arpa | unknown | unknown | false | high
18.31.95.13.in-addr.arpa | unknown | unknown | false | high
otelrules.svc.static.microsoft | unknown | unknown | false | high

Reputation legend:
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
13.107.253.72 | s-part-0044.t-0009.fb-t-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.123.128.14 | s-0005.dual-s-msedge.net | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1634933
Start date and time: 2025-03-11 07:15:33 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: #U5f38#U5a5c#U6cec#U5ed7#U60d7#U603d#U60ea#U661e.xls (renamed because the original name is a hash value)
Original Sample Name: .xls
Detection: MAL
Classification: mal56.expl.evad.winXLS@3/6@3/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .xls
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, sppsvc.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.199.214.10, 52.109.76.240, 52.109.89.19, 20.42.65.85, 20.42.73.26, 20.12.23.50, 131.253.33.254, 20.190.159.4, 13.95.31.18, 4.245.163.56
• Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, slscr.update.microsoft.com, weu-azsc-000.roaming.officeapps.live.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, eur.roaming1.live.com.akadns.net, roaming.officeapps.live.com, osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com, dual-s-0005-office.config.skype.com, login.live.com, onedscolprdeus09.eastus.cloudapp.azure.com, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, onedscolprdeus05.eastus.cloudapp.azure.com, prod.roaming1.live.com.akadns.net, fe3cr.delivery.mp.microsoft.com, neu-azsc-config.officeapps.live.com, config.officeapps.live.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
02:17:46 | API Interceptor | 969x Sleep call for process: splwow64.exe modified
Match: 13.107.253.72
Associated Sample Name / URL | Detection | Threat Name
Nouvelle_commande9353834.xls | malicious | Unknown
R.D. Bitzer Co. Inc.xlsm | malicious | Unknown
221036299-043825-sanlccjavap0004-6531.xls | malicious | Unknown
https://assets-fra.mkt.dynamics.com/b3baa109-6efd-ef11-b016-002248d9b9fa/digitalassets/standaloneforms/fe7058e5-a1fd-ef11-bae3-000d3a959714#_msdynmkt_donottrack=0,_msdynmkt_linkid=37db13e4-8bf7-4e91-a0fa-9dd02c9e6ee4 | malicious | HTMLPhisher
https://0utl00k_secure_pdfsharing.wesendit.com/dl/9WeFG1R9WGJTbgaCO/a3Jpc3RhbC5wbGFpc3RlZEBzb2RleG8uY29t__;!!P5FZM7ryyeY!UznDjsW7gO6EJncqNmJhgeM1Zawk4R__aUyCoG6Jb-mYlr-79K2gn3tFm6bOpnkuKuN_n69fA8HZASZsr-9bQyk$ | malicious | Unknown
PastePictures 1.xla | malicious | Unknown
Purchase Inquiry.xla.xlsx | malicious | Unknown
POETDB24-25771.xla.xlsx | malicious | Unknown
Purchase Inquiry.xla.xlsx | malicious | Unknown

Match: 52.123.128.14
Associated Sample Name / URL | Detection | Threat Name
Nouvelle_commande9353834.xls | malicious | Unknown
Order_Mar25.xls | malicious | Unknown
Nouvelle_commande9353834.xls | malicious | Unknown
LinkedIn Message.eml | malicious | Unknown
EXTERNAL Olgoonik Development IT User Invitation.msg | malicious | Unknown
phish_alert_iocp_v1.4.48 - 2025-03-10T103931.828.eml | malicious | Unknown
phish_alert_sp2_2.0.0.0 (1).eml | malicious | Unknown
R.D. Bitzer Co., Inc.xlsm | malicious | Unknown
Fw Invitation for Eligibilitytrackingcalculators to Participate in Asset Growth.msg | malicious | Unknown
Match: s-0005.dual-s-msedge.net
Associated Sample Name / URL | Detection | Threat Name | Context
.xls | malicious | Unknown | 52.123.128.14
f468369488.exe | malicious | Unknown | 52.123.128.14
1741618096-102373-7694-5517-2.eml | malicious | Unknown | 52.123.128.14
COTA#U00c7#U00c3O.xls | malicious | Unknown | 52.123.129.14
FW Sensitive - ADMINISTRATIVE LICENSE REVOCATION (ALR) HEARING REQUEST.msg | malicious | Unknown | 52.123.128.14
Order_Mar25.xls | malicious | Unknown | 52.123.129.14
COTA#U00c7#U00c3O.xls | malicious | Unknown | 52.123.129.14
FW Sensitive - ADMINISTRATIVE LICENSE REVOCATION (ALR) HEARING REQUEST.msg | malicious | Unknown | 52.123.128.14
Nouvelle_commande9353834.xls | malicious | Unknown | 52.123.129.14
Order_Mar25.xls | malicious | Unknown | 52.123.128.14

Match: s-part-0044.t-0009.fb-t-msedge.net
Associated Sample Name / URL | Detection | Threat Name | Context
840.xls | malicious | Unknown | 13.107.253.72
ATT09858.htm | malicious | HTMLPhisher | 13.107.253.72
R.D. Bitzer Co. Inc.xlsm | malicious | Unknown | 13.107.253.72
221036299-043825-sanlccjavap0004-6531.xls | malicious | Unknown | 13.107.253.72
https://assets-fra.mkt.dynamics.com/b3baa109-6efd-ef11-b016-002248d9b9fa/digitalassets/standaloneforms/fe7058e5-a1fd-ef11-bae3-000d3a959714#_msdynmkt_donottrack=0,_msdynmkt_linkid=37db13e4-8bf7-4e91-a0fa-9dd02c9e6ee4 | malicious | HTMLPhisher | 13.107.253.72
https://0utl00k_secure_pdfsharing.wesendit.com/dl/9WeFG1R9WGJTbgaCO/a3Jpc3RhbC5wbGFpc3RlZEBzb2RleG8uY29t__;!!P5FZM7ryyeY!UznDjsW7gO6EJncqNmJhgeM1Zawk4R__aUyCoG6Jb-mYlr-79K2gn3tFm6bOpnkuKuN_n69fA8HZASZsr-9bQyk$ | malicious | Unknown | 13.107.253.72
https://0utl00k_secure_pdfsharing.wesendit.com/dl/9WeFG1R9WGJTbgaCO/a3Jpc3RhbC5wbGFpc3RlZEBzb2RleG8uY29t__;!!P5FZM7ryyeY!UznDjsW7gO6EJncqNmJhgeM1Zawk4R__aUyCoG6Jb-mYlr-79K2gn3tFm6bOpnkuKuN_n69fA8HZASZsr-9bQyk$ | malicious | Unknown | 13.107.253.72
PastePictures 1.xla | malicious | Unknown | 13.107.253.72
Purchase Inquiry.xla.xlsx | malicious | Unknown | 13.107.253.72
f1215469392.dll | malicious | Unknown | 13.107.253.72
Match: MICROSOFT-CORP-MSN-AS-BLOCKUS
Associated Sample Name / URL | Detection | Threat Name | Context
.xls | malicious | Unknown | 13.107.246.60
cbr.ppc.elf | malicious | Mirai | 20.165.7.72
cbr.arm7.elf | malicious | Mirai | 20.77.131.126
cbr.x86.elf | malicious | Mirai | 104.42.23.140
4lHZn6Ri2B.exe | malicious | FormBook | 204.79.197.203
5Jo27lN4ib.exe | malicious | FormBook | 20.2.217.253
f468369488.exe | malicious | Unknown | 40.126.35.144
0xHPSESJcg.exe | malicious | FormBook | 204.79.197.203
EEcYuuRdFy.exe | malicious | FormBook | 204.79.197.203
3P5I851G78.exe | malicious | FormBook | 204.79.197.203
Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | Detection | Threat Name | Context
.xls | malicious | Unknown | 13.107.253.72
https://ai.omeclk.com/portal/wts/ug%5Ecmsb8As6bbOewDczQAzqeq-sjswa | malicious | CAPTCHA Scam ClickFix | 13.107.253.72
9Fat24-jfN6-5Skq7-T70.msi | malicious | Unknown | 13.107.253.72
Loader.exe | malicious | LummaC Stealer | 13.107.253.72
Nexora.exe | malicious | Unknown | 13.107.253.72
Malware.zip | malicious | LummaC Stealer | 13.107.253.72
Launcher.exe | malicious | Unknown | 13.107.253.72
CryptocommSetup.msi | malicious | BumbleBee | 13.107.253.72
COTA#U00c7#U00c3O.xls | malicious | Unknown | 13.107.253.72
Order_Mar25.xls | malicious | Unknown | 13.107.253.72

No context