Analysis Report catalog-1521295750.xlsm

Overview

General Information

Sample Name:	catalog-1521295750.xlsm
Analysis ID:	403410
MD5:	72b06d3f0889125b6696fe55db6ff6ab
SHA1:	a285f7bc7a6f79885d81de91420e85f223c6f18f
SHA256:	bbdaa820461e1e4fbde6b4b79ea407d4c644fb8e227432b879e2eb01bd391f4a
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Yara detected MalDoc1

Excel documents contains an embedded macro which executes code when the document is opened

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: catalog-1521295750.xlsm	Metadefender: Detection: 18%			Perma Link
Source: catalog-1521295750.xlsm	ReversingLabs: Detection: 55%

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 192.185.20.98:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.5.2:443 -> 192.168.2.22:49167 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: legalopspr.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 192.185.20.98:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 192.185.20.98:443

Networking:

Yara detected MalDoc1

Source: Yara match

File source: sharedStrings.xml, type: SAMPLE

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 192.185.5.2 192.185.5.2

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7318CC95.png

Jump to behavior

Source: rundll32.exe, 00000003.00000002.2112690998.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2106456243.0000000001C30000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: legalopspr.com

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: jordji.nbvt11.0.dr	String found in binary or memory: http://fwdssp.com/?dn=referer_detect&pid=5POL4F2O4
Source: rundll32.exe, 00000003.00000002.2112690998.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2106456243.0000000001C30000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2112690998.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2106456243.0000000001C30000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2112977223.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2107650969.0000000001E17000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2112977223.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2107650969.0000000001E17000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2112977223.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2107650969.0000000001E17000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2112977223.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2107650969.0000000001E17000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2112690998.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2106456243.0000000001C30000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2112977223.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2107650969.0000000001E17000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2112690998.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2106456243.0000000001C30000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.2106456243.0000000001C30000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443

Source: unknown	HTTPS traffic detected: 192.185.20.98:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.5.2:443 -> 192.168.2.22:49167 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Cont
Source: Screenshot number: 4	Screenshot OCR: Enable Content from the yellow bar above RunDLL \|~\| OTherewas a problem starting ..\jordji.nbvt1
Source: Document image extraction number: 8	Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Conten
Source: Document image extraction number: 8	Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Screenshot number: 8	Screenshot OCR: Enable Editing , please click Enable Content from the yellow bar above WHY I CANNOTOPEN THIS DOCUM
Source: Screenshot number: 8	Screenshot OCR: Enable Content from the yellow bar above WHY I CANNOTOPEN THIS DOCUMENT? 1 W You are usingiOS orA

Found Excel 4.0 Macro with suspicious formulas

Source: catalog-1521295750.xlsm	Initial sample: EXEC
Source: catalog-1521295750.xlsm	Initial sample: CALL

Found abnormal large hidden Excel 4.0 Macro sheet

Source: catalog-1521295750.xlsm

Initial sample: Sheet size: 22177

Excel documents contains an embedded macro which executes code when the document is opened

Source: workbook.xml

Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><fileVersion appName="xl" lastEdited="5" lowestEdited="6" rupBuild="9303"/><workbookPr filterPrivacy="1"/><bookViews><workbookView xWindow="8595" yWindow="0" windowWidth="4020" windowHeight="3120"/></bookViews><sheets><sheet name="Sheet1" sheetId="9" r:id="rId1"/><sheet name="Sheet2" sheetId="4" r:id="rId2"/><sheet name="Sheet3" sheetId="7" r:id="rId3"/><sheet name="Sheet4" sheetId="8" r:id="rId4"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">Sheet2!$AO$115</definedName></definedNames><calcPr calcId="145621"/><extLst><ext uri="{140A7094-0E35-4892-8432-C4D2E57EDEB5}" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><x15:workbookPr chartTrackingRefBase="1"/></ext></extLst></workbook>

Source: rundll32.exe, 00000003.00000002.2112690998.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2106456243.0000000001C30000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal76.troj.expl.evad.winXLSM@5/18@2/2

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$catalog-1521295750.xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD0C6.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe rundll32 ..\jordji.nbvt1,DllRegisterServer

Source: catalog-1521295750.xlsm	Metadefender: Detection: 18%
Source: catalog-1521295750.xlsm	ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\jordji.nbvt1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\jordji.nbvt11,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\jordji.nbvt1,DllRegisterServer	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\jordji.nbvt11,DllRegisterServer	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: catalog-1521295750.xlsm	Initial sample: OLE zip file path = xl/media/image4.png
Source: catalog-1521295750.xlsm	Initial sample: OLE zip file path = xl/media/image2.png
Source: catalog-1521295750.xlsm	Initial sample: OLE zip file path = xl/media/image1.png
Source: catalog-1521295750.xlsm	Initial sample: OLE zip file path = xl/media/image3.png
Source: catalog-1521295750.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: catalog-1521295750.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.185.5.2	dentistelmhurstny.com	United States		46606	UNIFIEDLAYER-AS-1US	false
192.185.20.98	legalopspr.com	United States		46606	UNIFIEDLAYER-AS-1US	false

Contacted Domains

Name	IP	Active
dentistelmhurstny.com	192.185.5.2	true
legalopspr.com	192.185.20.98	true

ID:	403410
Product:	CloudBasic
Start time:	05:24:43
Start date:	04.05.2021
Sample:	catalog-1521295750.xlsm
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	72b06d3f0889125b6696fe55db6ff6ab
SHA1:	a285f7bc7a6f79885d81de91420e85f223c6f18f
SHA256:	bbdaa820461e1e4fbde6b4b79ea407d4c644fb8e227432b879e2eb01bd391f4a
Filetype:	Excel Microsoft Office Open XML Format document (40004/1) 83.33%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 58596 bytes, 1 file	61A03D15CF62612F50B74867090DBE79	15228F34067B4B107E917BEBAF17CC7C3C1280A8	F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	D4AE187B4574036C2D76B6DF8A8C1A30	B06F409FA14BAB33CBAF4A37811B8740B624D9E5	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	4DC88562C8FA22708025B823DD9316C1	B31579C98FB6D1D7F9068F7FBF744E7469B77411	23F54031E70D373DE022F41A3289C7451BAE2EFC004BEA219CE171FF35B9FA3D
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	0764C5EF401872077930E7DCE879FBE7	C880E3573AA3684268266C4ED06E0D9F9F9F4CCB	83AB551DDBE3264B1E57CF787FA24AEBFB2E490C69DD0583EBCD33DB0BDA9FEA
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\suspendedpage[1].htm	HTML document, ASCII text	0357AA49EA850B11B99D09A2479C321B	41472BA5C40F61FA1C77C42CF06248F13B8785F0	0FF0B7FCB090C65D0BDCB2AF4BBD2C30F33356B3CE9B117186FA20391EF840A3
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3E3BA770.png	PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced	02DB1068B56D3FD907241C2F3240F849	58EC338C879DDBDF02265CBEFA9A2FB08C569D20	D58FF94F5BB5D49236C138DC109CE83E82879D0D44BE387B0EA3773D908DD25F
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7318CC95.png	PNG image data, 205 x 58, 8-bit/color RGB, non-interlaced	D8574C9CC4123EF67C8B600850BE52EE	5547AC473B3523BA2410E04B75E37B1944EE0CCC	ADD8156BAA01E6A9DE10132E57A2E4659B1A8027A8850B8937E57D56A4FC204B
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\896006B.png	PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced	A516B6CB784827C6BDE58BC9D341C1BD	9D602E7248E06FF639E6437A0A16EA7A4F9E6C73	EF8F7EDB6BA0B5ACEC64543A0AF1B133539FFD439F8324634C3F970112997074
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B452C192.png	PNG image data, 485 x 185, 8-bit/color RGB, non-interlaced	2C5A59B7F30E5E41412EC22FDEA1DBB5	9A64FB6A68683EEC580A881725DBD146E80D06B1	E872E66F60AE5651AE96A2C2A88D07B0D1C96CDDD45F787AB04237891AD4E8FB
C:\Users\user\AppData\Local\Temp\CabE199.tmp	Microsoft Cabinet archive data, 58596 bytes, 1 file	61A03D15CF62612F50B74867090DBE79	15228F34067B4B107E917BEBAF17CC7C3C1280A8	F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
C:\Users\user\AppData\Local\Temp\D9DE0000	data	9B6E20B8271492670279CD58B6A87A24	A7665991CA6A525C60D6CF92FB8EE4CA02719184	028205946D95CF50044135A5D050C1D27A44B2307D29C7EF46EB17C3EF382074
C:\Users\user\AppData\Local\Temp\TarE19A.tmp	data	4E0487E929ADBBA279FD752E7FB9A5C4	2497E03F42D2CBB4F4989E87E541B5BB27643536	AE781E4F9625949F7B8A9445B8901958ADECE7E3B95AF344E2FCB24FE989EEB7
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue May 4 11:25:41 2021, atime=Tue May 4 11:25:41 2021, length=8192, window=hide	DBDB24C50302D531DFC2980A0AB91EA2	6583E3ADB217EBF7F4971934043DAD8ED459745A	AF05D0B16E6659FEC4162E3FB817FCB7A45C97CAEE773B46B326CE543835F43D
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\catalog-1521295750.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Tue May 4 11:25:41 2021, atime=Tue May 4 11:25:41 2021, length=109034, window=hide	7DBDDEA523C7AD054733BEC8F7B74773	BD87ECB8EBA820D74D0C65AE096B89EC81DDDF94	F723EF1157F4DA2469EDCE7A7A451E9B77E842BE92158D14589B40BFC79423D1
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	6F6039C232965B96E00FC7ED4793D4FF	5CFEAF6F088D7E57E6CC507E55BD4B766C4C3070	B3C4F4FAE5FD7D1EAD2432ED968E5EEA026098F4D2D2D79EF9CE85DBA02ABAE0
C:\Users\user\Desktop\9ADE0000	data	9B6E20B8271492670279CD58B6A87A24	A7665991CA6A525C60D6CF92FB8EE4CA02719184	028205946D95CF50044135A5D050C1D27A44B2307D29C7EF46EB17C3EF382074
C:\Users\user\Desktop\~$catalog-1521295750.xlsm	data	96114D75E30EBD26B572C1FC83D1D02E	A44EEBDA5EB09862AC46346227F06F8CFAF19407	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
C:\Users\user\jordji.nbvt11	HTML document, ASCII text	0357AA49EA850B11B99D09A2479C321B	41472BA5C40F61FA1C77C42CF06248F13B8785F0	0FF0B7FCB090C65D0BDCB2AF4BBD2C30F33356B3CE9B117186FA20391EF840A3

Analysis Report catalog-1521295750.xlsm

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains