Edit tour

Windows Analysis Report
SWIFT COPY.xls

Overview

General Information

Sample name:	SWIFT COPY.xls
Analysis ID:	1636401
MD5:	b731eb838e4e8d534ea62b2ebf15dcda
SHA1:	2c2d81fef7800be7c3ddbbac94cd8fb7faf09bd7
SHA256:	08cfe7d6a9b65191e9e1b21080083572b724a1dd985b11377586c6d0562d6e73
Tags:	xlsuser-abuse_ch
Infos:

Detection

Score:	68
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

Excel sheet contains many unusual embedded objects

Detected non-DNS traffic on DNS port

Document contains embedded VBA macros

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Excel Network Connections

Sigma detected: Suspicious Office Outbound Connections

Suricata IDS alerts with low severity for network traffic

Classification

Process Tree

System is w10x64

EXCEL.EXE (PID: 6256 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)

splwow64.exe (PID: 524 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)

EXCEL.EXE (PID: 2444 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\SWIFT COPY.xls" MD5: 4A871771235598812032C822E6F68F19)

cleanup

Sigma Signatures

System Summary

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 52.123.129.14, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 6256, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49685

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.7, DestinationIsIpv6: false, DestinationPort: 49685, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 6256, Protocol: tcp, SourceIp: 52.123.129.14, SourceIsIpv6: false, SourcePort: 443

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T18:43:52.212939+0100	2028371	3	Unknown Traffic	192.168.2.7	49685	52.123.129.14	443	TCP
2025-03-12T18:44:58.682940+0100	2028371	3	Unknown Traffic	192.168.2.7	57529	13.107.246.67	443	TCP
2025-03-12T18:45:19.351981+0100	2028371	3	Unknown Traffic	192.168.2.7	57536	52.123.128.14	443	TCP
2025-03-12T18:45:23.417101+0100	2028371	3	Unknown Traffic	192.168.2.7	57538	13.107.246.67	443	TCP
2025-03-12T18:45:23.517860+0100	2028371	3	Unknown Traffic	192.168.2.7	57539	13.107.246.67	443	TCP
2025-03-12T18:45:23.538266+0100	2028371	3	Unknown Traffic	192.168.2.7	57540	13.107.246.67	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SWIFT COPY.xls

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\~DF5BBCEEB498D033BD.TMP

Avira: detection malicious, Label: W97M/AVI.Agent.njxdf

Multi AV Scanner detection for submitted file

Source: SWIFT COPY.xls	Virustotal: Detection: 26%			Perma Link
Source: SWIFT COPY.xls	ReversingLabs: Detection: 34%

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: global traffic

DNS query: name: st3.pro

Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 52.123.129.14:443
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 52.123.129.14:443
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 52.123.129.14:443
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 52.123.129.14:443
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 52.123.129.14:443
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 52.123.129.14:443
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 52.123.129.14:443
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 52.123.129.14:443
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 52.123.129.14:443
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 52.123.129.14:443
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 52.123.129.14:443
Source: global traffic	TCP traffic: 192.168.2.7:49708 -> 5.161.200.29:443
Source: global traffic	TCP traffic: 192.168.2.7:49708 -> 5.161.200.29:443
Source: global traffic	TCP traffic: 192.168.2.7:49708 -> 5.161.200.29:443
Source: global traffic	TCP traffic: 192.168.2.7:49708 -> 5.161.200.29:443
Source: global traffic	TCP traffic: 192.168.2.7:49708 -> 5.161.200.29:443
Source: global traffic	TCP traffic: 192.168.2.7:49710 -> 5.161.200.29:443
Source: global traffic	TCP traffic: 192.168.2.7:49710 -> 5.161.200.29:443
Source: global traffic	TCP traffic: 192.168.2.7:49710 -> 5.161.200.29:443
Source: global traffic	TCP traffic: 192.168.2.7:49710 -> 5.161.200.29:443
Source: global traffic	TCP traffic: 192.168.2.7:49710 -> 5.161.200.29:443
Source: global traffic	TCP traffic: 192.168.2.7:49712 -> 5.161.200.29:443
Source: global traffic	TCP traffic: 192.168.2.7:49712 -> 5.161.200.29:443
Source: global traffic	TCP traffic: 192.168.2.7:49712 -> 5.161.200.29:443
Source: global traffic	TCP traffic: 192.168.2.7:49712 -> 5.161.200.29:443
Source: global traffic	TCP traffic: 192.168.2.7:57529 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57529 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57529 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57529 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57529 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57531 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57531 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57531 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57531 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57531 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57533 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57533 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57534 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57534 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57535 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57535 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57533 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57534 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57535 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57536 -> 52.123.128.14:443
Source: global traffic	TCP traffic: 192.168.2.7:57536 -> 52.123.128.14:443
Source: global traffic	TCP traffic: 192.168.2.7:57536 -> 52.123.128.14:443
Source: global traffic	TCP traffic: 192.168.2.7:57533 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57533 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57538 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57538 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57538 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57534 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57534 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57539 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57539 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57539 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57535 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57535 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57540 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57540 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57540 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57536 -> 52.123.128.14:443
Source: global traffic	TCP traffic: 192.168.2.7:57536 -> 52.123.128.14:443
Source: global traffic	TCP traffic: 192.168.2.7:57542 -> 52.123.128.14:443
Source: global traffic	TCP traffic: 192.168.2.7:57542 -> 52.123.128.14:443
Source: global traffic	TCP traffic: 192.168.2.7:57542 -> 52.123.128.14:443
Source: global traffic	TCP traffic: 192.168.2.7:57538 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57538 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57539 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57539 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57540 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57540 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57542 -> 52.123.128.14:443
Source: global traffic	TCP traffic: 192.168.2.7:57542 -> 52.123.128.14:443

Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 52.123.129.14:443
Source: global traffic	TCP traffic: 52.123.129.14:443 -> 192.168.2.7:49685
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 52.123.129.14:443
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 52.123.129.14:443
Source: global traffic	TCP traffic: 52.123.129.14:443 -> 192.168.2.7:49685
Source: global traffic	TCP traffic: 52.123.129.14:443 -> 192.168.2.7:49685
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 52.123.129.14:443
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 52.123.129.14:443
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 52.123.129.14:443
Source: global traffic	TCP traffic: 52.123.129.14:443 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 52.123.129.14:443
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 52.123.129.14:443
Source: global traffic	TCP traffic: 52.123.129.14:443 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49685 -> 52.123.129.14:443
Source: global traffic	TCP traffic: 52.123.129.14:443 -> 192.168.2.7:49685
Source: global traffic	TCP traffic: 52.123.129.14:443 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 52.123.129.14:443
Source: global traffic	TCP traffic: 192.168.2.7:49689 -> 52.123.129.14:443
Source: global traffic	TCP traffic: 52.123.129.14:443 -> 192.168.2.7:49689
Source: global traffic	TCP traffic: 192.168.2.7:49708 -> 5.161.200.29:443
Source: global traffic	TCP traffic: 5.161.200.29:443 -> 192.168.2.7:49708
Source: global traffic	TCP traffic: 192.168.2.7:49708 -> 5.161.200.29:443
Source: global traffic	TCP traffic: 192.168.2.7:49708 -> 5.161.200.29:443
Source: global traffic	TCP traffic: 5.161.200.29:443 -> 192.168.2.7:49708
Source: global traffic	TCP traffic: 5.161.200.29:443 -> 192.168.2.7:49708
Source: global traffic	TCP traffic: 192.168.2.7:49708 -> 5.161.200.29:443
Source: global traffic	TCP traffic: 192.168.2.7:49708 -> 5.161.200.29:443
Source: global traffic	TCP traffic: 5.161.200.29:443 -> 192.168.2.7:49708
Source: global traffic	TCP traffic: 192.168.2.7:49710 -> 5.161.200.29:443
Source: global traffic	TCP traffic: 5.161.200.29:443 -> 192.168.2.7:49710
Source: global traffic	TCP traffic: 192.168.2.7:49710 -> 5.161.200.29:443
Source: global traffic	TCP traffic: 192.168.2.7:49710 -> 5.161.200.29:443
Source: global traffic	TCP traffic: 5.161.200.29:443 -> 192.168.2.7:49710
Source: global traffic	TCP traffic: 5.161.200.29:443 -> 192.168.2.7:49710
Source: global traffic	TCP traffic: 192.168.2.7:49710 -> 5.161.200.29:443
Source: global traffic	TCP traffic: 192.168.2.7:49710 -> 5.161.200.29:443
Source: global traffic	TCP traffic: 5.161.200.29:443 -> 192.168.2.7:49710
Source: global traffic	TCP traffic: 192.168.2.7:49712 -> 5.161.200.29:443
Source: global traffic	TCP traffic: 5.161.200.29:443 -> 192.168.2.7:49712
Source: global traffic	TCP traffic: 192.168.2.7:49712 -> 5.161.200.29:443
Source: global traffic	TCP traffic: 192.168.2.7:49712 -> 5.161.200.29:443
Source: global traffic	TCP traffic: 5.161.200.29:443 -> 192.168.2.7:49712
Source: global traffic	TCP traffic: 192.168.2.7:49712 -> 5.161.200.29:443
Source: global traffic	TCP traffic: 192.168.2.7:57528 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 1.1.1.1:53 -> 192.168.2.7:57528
Source: global traffic	TCP traffic: 192.168.2.7:57528 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 1.1.1.1:53 -> 192.168.2.7:57528
Source: global traffic	TCP traffic: 192.168.2.7:57528 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 1.1.1.1:53 -> 192.168.2.7:57528
Source: global traffic	TCP traffic: 192.168.2.7:57528 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.7:57529 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57529
Source: global traffic	TCP traffic: 192.168.2.7:57529 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57529 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57529
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57529
Source: global traffic	TCP traffic: 192.168.2.7:57529 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57529 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57529
Source: global traffic	TCP traffic: 192.168.2.7:57531 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57531
Source: global traffic	TCP traffic: 192.168.2.7:57531 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57531 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57531
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57531
Source: global traffic	TCP traffic: 192.168.2.7:57531 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57531 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57531
Source: global traffic	TCP traffic: 192.168.2.7:57533 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57533
Source: global traffic	TCP traffic: 192.168.2.7:57533 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57534 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57534
Source: global traffic	TCP traffic: 192.168.2.7:57534 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57535 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57535
Source: global traffic	TCP traffic: 192.168.2.7:57535 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57533 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57533
Source: global traffic	TCP traffic: 192.168.2.7:57534 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57534
Source: global traffic	TCP traffic: 192.168.2.7:57535 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57535
Source: global traffic	TCP traffic: 192.168.2.7:57536 -> 52.123.128.14:443
Source: global traffic	TCP traffic: 52.123.128.14:443 -> 192.168.2.7:57536
Source: global traffic	TCP traffic: 192.168.2.7:57536 -> 52.123.128.14:443
Source: global traffic	TCP traffic: 192.168.2.7:57536 -> 52.123.128.14:443
Source: global traffic	TCP traffic: 52.123.128.14:443 -> 192.168.2.7:57536
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57533
Source: global traffic	TCP traffic: 192.168.2.7:57533 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57533 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57533
Source: global traffic	TCP traffic: 192.168.2.7:57538 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57538
Source: global traffic	TCP traffic: 192.168.2.7:57538 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57538 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57538
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57534
Source: global traffic	TCP traffic: 192.168.2.7:57534 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57534 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57534
Source: global traffic	TCP traffic: 192.168.2.7:57539 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57539
Source: global traffic	TCP traffic: 192.168.2.7:57539 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57539 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57539
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57535
Source: global traffic	TCP traffic: 192.168.2.7:57535 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57535 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57535
Source: global traffic	TCP traffic: 192.168.2.7:57540 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57540
Source: global traffic	TCP traffic: 192.168.2.7:57540 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57540 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57540
Source: global traffic	TCP traffic: 52.123.128.14:443 -> 192.168.2.7:57536
Source: global traffic	TCP traffic: 192.168.2.7:57536 -> 52.123.128.14:443
Source: global traffic	TCP traffic: 192.168.2.7:57536 -> 52.123.128.14:443
Source: global traffic	TCP traffic: 52.123.128.14:443 -> 192.168.2.7:57536
Source: global traffic	TCP traffic: 192.168.2.7:57542 -> 52.123.128.14:443
Source: global traffic	TCP traffic: 52.123.128.14:443 -> 192.168.2.7:57542
Source: global traffic	TCP traffic: 192.168.2.7:57542 -> 52.123.128.14:443
Source: global traffic	TCP traffic: 192.168.2.7:57542 -> 52.123.128.14:443
Source: global traffic	TCP traffic: 52.123.128.14:443 -> 192.168.2.7:57542
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57538
Source: global traffic	TCP traffic: 192.168.2.7:57538 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57538 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57538
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57539
Source: global traffic	TCP traffic: 192.168.2.7:57539 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57539 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57539
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57540
Source: global traffic	TCP traffic: 192.168.2.7:57540 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 192.168.2.7:57540 -> 13.107.246.67:443
Source: global traffic	TCP traffic: 13.107.246.67:443 -> 192.168.2.7:57540
Source: global traffic	TCP traffic: 52.123.128.14:443 -> 192.168.2.7:57542
Source: global traffic	TCP traffic: 192.168.2.7:57542 -> 52.123.128.14:443
Source: global traffic	TCP traffic: 192.168.2.7:57542 -> 52.123.128.14:443
Source: global traffic	TCP traffic: 52.123.128.14:443 -> 192.168.2.7:57542

Source: excel.exe

Memory has grown: Private usage: 2MB later: 96MB

Source: global traffic

TCP traffic: 192.168.2.7:57528 -> 1.1.1.1:53

Source: Joe Sandbox View	IP Address: 13.107.246.67 13.107.246.67
Source: Joe Sandbox View	IP Address: 52.123.129.14 52.123.129.14
Source: Joe Sandbox View	IP Address: 5.161.200.29 5.161.200.29
Source: Joe Sandbox View	IP Address: 52.123.128.14 52.123.128.14

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:57540 -> 13.107.246.67:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49685 -> 52.123.129.14:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:57539 -> 13.107.246.67:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:57538 -> 13.107.246.67:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:57529 -> 13.107.246.67:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:57536 -> 52.123.128.14:443

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: st3.pro

Source: SWIFT COPY.xls, ~DF5BBCEEB498D033BD.TMP.14.dr

String found in binary or memory: https://st3.pro/K04HU0R?&enigma=dirty&metallurgist=small&motorcycle

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57531 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57529
Source: unknown	Network traffic detected: HTTP traffic on port 57533 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57536 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57531
Source: unknown	Network traffic detected: HTTP traffic on port 57534 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57538 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57538
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57539
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57533
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57534
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57535
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57536
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57540
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57542
Source: unknown	Network traffic detected: HTTP traffic on port 57535 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57539 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 57529 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57542 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57540 -> 443

System Summary

Excel sheet contains many unusual embedded objects

Source: SWIFT COPY.xls	OLE: Microsoft Excel 2007+
Source: ~DF5BBCEEB498D033BD.TMP.14.dr	OLE: Microsoft Excel 2007+

Source: SWIFT COPY.xls	OLE indicator, VBA macros: true
Source: ~DF5BBCEEB498D033BD.TMP.14.dr	OLE indicator, VBA macros: true

Source: classification engine

Classification label: mal68.winXLS@4/4@1/4

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user~1\AppData\Local\Temp\{02C1041A-81C0-4888-8015-9C5B794D632E} - OProcSessId.dat

Jump to behavior

Source: SWIFT COPY.xls	OLE indicator, Workbook stream: true
Source: ~DF5BBCEEB498D033BD.TMP.14.dr	OLE indicator, Workbook stream: true

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: SWIFT COPY.xls	Virustotal: Detection: 26%
Source: SWIFT COPY.xls	ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\SWIFT COPY.xls"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: SWIFT COPY.xls

Static file information: File size 1261568 > 1048576

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: SWIFT COPY.xls

Initial sample: OLE indicators encrypted = True

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: SWIFT COPY.xls	Stream path 'Workbook' entropy: 7.96388874982 (max. 8.0)
Source: ~DF5BBCEEB498D033BD.TMP.14.dr	Stream path 'Workbook' entropy: 7.96388874982 (max. 8.0)

Source: C:\Windows\splwow64.exe

Window / User API: threadDelayed 684

Jump to behavior

Source: C:\Windows\splwow64.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed

Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	3 Exploitation for Client Execution	1 Scripting	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Extra Window Memory Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Extra Window Memory Injection	LSA Secrets	1 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SWIFT COPY.xls	26%	Virustotal		Browse
SWIFT COPY.xls	34%	ReversingLabs	Document-Excel.Exploit.CVE-2017-0199
SWIFT COPY.xls	100%	Avira	W97M/AVI.Agent.njxdf

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\~DF5BBCEEB498D033BD.TMP	100%	Avira	W97M/AVI.Agent.njxdf

Source	Detection	Scanner	Label	Link
https://st3.pro/K04HU0R?&enigma=dirty&metallurgist=small&motorcycle	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
st3.pro	5.161.200.29	true	false	high
s-0005.dual-s-msedge.net	52.123.129.14	true	false	high
s-part-0039.t-0009.t-msedge.net	13.107.246.67	true	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://st3.pro/K04HU0R?&enigma=dirty&metallurgist=small&motorcycle	SWIFT COPY.xls, ~DF5BBCEEB498D033BD.TMP.14.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.107.246.67	s-part-0039.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.123.129.14	s-0005.dual-s-msedge.net	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
5.161.200.29	st3.pro	Germany	24940	HETZNER-ASDE	false
52.123.128.14	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1636401
Start date and time:	2025-03-12 18:42:27 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Without Instrumentation
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SWIFT COPY.xls
Detection:	MAL
Classification:	mal68.winXLS@4/4@1/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.89.18, 52.109.76.243, 20.42.73.25, 52.109.28.46, 104.208.16.95
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, onedscolprdcus20.centralus.cloudapp.azure.com, weu-azsc-config.officeapps.live.com, eur.roaming1.live.com.akadns.net, neu-azsc-000.roaming.officeapps.live.com, roaming.officeapps.live.com, dual-s-0005-office.config.skype.com, login.live.com, onedscolprdeus06.eastus.cloudapp.azure.com, officeclient.microsoft.com, c.pki.goog, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, fe3cr.delivery.mp.microsoft.com, config.officeapps.live.com, osiprod-neu-buff-azsc-000.northeurope.cloudapp.azure.com, azureedge-t-prod.trafficmanager.net, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, uks-azsc-config.officeapps.live.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:44:34	API Interceptor	706x Sleep call for process: splwow64.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
13.107.246.67	Purchase Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse
	https://site-xtxg5.powerappsportals.com/	Get hash	malicious	HTMLPhisher	Browse
	expense-report.xlsx	Get hash	malicious	KnowBe4	Browse
	Purchase Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse
	https://surveymars.com/q/78graAmKo	Get hash	malicious	Unknown	Browse
	COTA#U00c7#U00c3O.xls	Get hash	malicious	Unknown	Browse
	Order_Mar25.xls	Get hash	malicious	Unknown	Browse
	840.xls	Get hash	malicious	Unknown	Browse
	Royal Mail Inland Claim Form V1.3.xlsm	Get hash	malicious	Unknown	Browse
52.123.129.14	Purchase Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse
	NB NT19901102W.xls	Get hash	malicious	Unknown	Browse
	Fw_ VN MSG 4_42_16 AM DURATION_0f0b5f5e889448e7c935c0db95b1d2a6.msg	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse
	Brian Logie shared _Newfield Construction, Inc Shared a secured Documents_ with you.eml	Get hash	malicious	Unknown	Browse
	Non-Disclosure Agreement Contract.docx	Get hash	malicious	Unknown	Browse
	Acct# 427094 _ Plateautel Payment_ XEPOOFUCKD.eml	Get hash	malicious	Invisible JS, Tycoon2FA	Browse
	.xls	Get hash	malicious	Unknown	Browse
	Nouvelle_commande9353834.xls	Get hash	malicious	Unknown	Browse
	840.xls	Get hash	malicious	Unknown	Browse
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse
5.161.200.29	Purchase Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse
	ORDEM DE COMPRA.xla.xlsx	Get hash	malicious	Unknown	Browse
	NB NT19901102W.xls	Get hash	malicious	Unknown	Browse
	Purchase Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse
	ORDEM DE COMPRA.xla.xlsx	Get hash	malicious	Unknown	Browse
	NB NT19901102W.xls	Get hash	malicious	Unknown	Browse
	Purchase Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse
	Purchase Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse
52.123.128.14	ORDEM DE COMPRA.xla.xlsx	Get hash	malicious	Unknown	Browse
	NB NT19901102W.xls	Get hash	malicious	Unknown	Browse
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse
	20250304_150220_TA6NsGnFKBQP6WuMJfIAtA3XK3ok9HgQ.eml	Get hash	malicious	Unknown	Browse
	Non-Disclosure Agreement Contract.docx	Get hash	malicious	Unknown	Browse
	Message.eml	Get hash	malicious	Unknown	Browse
	Message_3478625.eml	Get hash	malicious	Unknown	Browse
	#U5f38#U5a5c#U6cec#U5ed7#U60d7#U603d#U60ea#U661e.xls	Get hash	malicious	Unknown	Browse
	Nouvelle_commande9353834.xls	Get hash	malicious	Unknown	Browse
	Order_Mar25.xls	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0039.t-0009.t-msedge.net	Purchase Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.67
	https://site-xtxg5.powerappsportals.com/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.67
	expense-report.xlsx	Get hash	malicious	KnowBe4	Browse	13.107.246.67
	Purchase Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.67
	https://surveymars.com/q/78graAmKo	Get hash	malicious	Unknown	Browse	13.107.246.67
	f468369488.exe	Get hash	malicious	Unknown	Browse	13.107.246.67
	COTA#U00c7#U00c3O.xls	Get hash	malicious	Unknown	Browse	13.107.246.67
	Order_Mar25.xls	Get hash	malicious	Unknown	Browse	13.107.246.67
	Royal Mail Inland Claim Form V1.3.xlsm	Get hash	malicious	Unknown	Browse	13.107.246.67
s-0005.dual-s-msedge.net	Purchase Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse	52.123.129.14
	ORDEM DE COMPRA.xla.xlsx	Get hash	malicious	Unknown	Browse	52.123.128.14
	NB NT19901102W.xls	Get hash	malicious	Unknown	Browse	52.123.129.14

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SWIFT COPY.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

Windows Analysis Report
SWIFT COPY.xls