Windows Analysis Report oBfsC4t10n2.xls

Overview

General Information

Sample Name: oBfsC4t10n2.xls
Analysis ID: 461927
MD5: 0c09fbdf98f0a6144a42fde00fe21504
SHA1: bb4a594ecf90ed6b9e408c404b08620500fb4c02
SHA256: 1f156f86d45e28dac74015051546305497adb86b4e46bb7d9a84ccf5e25a12f4
Detection

Hidden Macro 4.0
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected hidden Macro 4.0 in Excel
Document contains embedded VBA macros
Yara signature match

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 5432 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
oBfsC4t10n2.xls | SUSP_Excel4Macro_AutoOpen | Detects Excel4 macro use with auto open / close | John Lambert @JohnLaTwC
  • 0x0: $header_docf: D0 CF 11 E0
  • 0xcbcaa: $s1: Excel
  • 0xccd0a: $s1: Excel
  • 0x321f: $Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
oBfsC4t10n2.xls | JoeSecurity_HiddenMacro | Yara detected hidden Macro 4.0 in Excel | Joe Security
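Decoded, the $Auto_Open string is one BIFF Lbl (defined name) record: record type 0x0018, length 0x0017, option flags 0x0020 (fBuiltin set, fHidden clear), a one-character name (cch = 1) whose single byte 0x01 is the built-in name index for Auto_Open, a 7-byte formula (cce = 7), workbook scope (itab = 0), and a formula that begins with 0x3A, the ptgRef3d token, a sheet-qualified cell reference that is exactly 7 bytes long. In other words the workbook defines Auto_Open as pointing at one cell, which is where Excel starts executing an Excel 4.0 (XLM) macro when the file is opened; no VBA is involved. Because the YARA string fixes the flags, scope and formula length, a name with the hidden flag set (0x0021), a sheet-local scope, or a longer formula would not match it. The scanner below is an added example written for this page, not part of the report or of either YARA rule: it parses the Lbl fields instead of matching the fixed bytes, and also walks BoundSheet8 records to flag a hidden or very-hidden Excel 4.0 macro sheet, which is the structure the "Hidden Macro 4.0" verdict refers to (the logic of JoeSecurity_HiddenMacro is not published on this page, so that check is my own reading of the BIFF layout). The sample bytes are constructed inside the script; the sheet names, stream offsets and formula bytes are invented.

```python
"""Scan raw .xls bytes for the two BIFF structures behind the report's
detections: a built-in Auto_Open / Auto_Close name (the Lbl record that
SUSP_Excel4Macro_AutoOpen matches) and a hidden Excel 4.0 macro sheet
(a BoundSheet8 record with sheet type 1 and a non-visible state).
Added example for this page; not code from the report or the YARA rules."""
import re
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file header
REC_NAME = 0x0018        # BIFF Lbl record: a defined name
REC_BOUNDSHEET = 0x0085  # BIFF BoundSheet8 record: one per sheet
BUILTIN_NAMES = {0x01: "Auto_Open", 0x02: "Auto_Close"}
SHEET_TYPES = {0x00: "worksheet", 0x01: "XLM macro sheet", 0x02: "chart", 0x06: "VBA module"}
SHEET_STATES = {0: "visible", 1: "hidden", 2: "very hidden"}

# The 21-byte $Auto_Open string from the report's YARA match, kept for reference.
YARA_AUTO_OPEN = bytes.fromhex("18001700200000010700000000000000000000013A")

# Lbl layout: type(2) len(2) grbit(2) chKey(1) cch(1) cce(2) reserved(2) itab(2)
# cchCustMenu(1) cchDescription(1) cchHelptopic(1) cchStatustext(1) fHighByte(1)
# name(cch) rgce(cce). Unlike the YARA string, grbit, cce and itab are left free
# so hidden (0x0021) or sheet-scoped names are caught as well.
LBL_PATTERN = re.compile(
    rb"\x18\x00(?P<len>..)(?P<grbit>..).\x01(?P<cce>..)..(?P<itab>..)"
    rb"\x00\x00\x00\x00\x00(?P<name>[\x01\x02])(?P<ptg>.)",
    re.DOTALL,
)
# BoundSheet8 layout: type(2) len(2) lbPlyPos(4) hsState(1) dt(1) cch(1) fHighByte(1) name
BOUNDSHEET_PATTERN = re.compile(
    rb"\x85\x00(?P<len>..)(?P<pos>....)(?P<state>.)(?P<dt>[\x00\x01\x02\x06])"
    rb"(?P<cch>.)(?P<wide>[\x00\x01])",
    re.DOTALL,
)


def scan(data):
    """Return a dict describing auto-exec names and sheets found in raw bytes."""
    report = {"cfb_header": data.startswith(CFB_MAGIC[:4]), "auto_names": [], "sheets": []}
    for m in LBL_PATTERN.finditer(data):
        rec_len, grbit, cce, itab = (struct.unpack("<H", m[g])[0] for g in ("len", "grbit", "cce", "itab"))
        if rec_len < 16 + cce:  # 14 fixed bytes + 2-byte name + formula; reject random hits
            continue
        report["auto_names"].append({
            "offset": m.start(),
            "name": BUILTIN_NAMES[m["name"][0]],
            "builtin_flag": bool(grbit & 0x0020),   # fBuiltin: the built-in name, not a user name
            "hidden_flag": bool(grbit & 0x0001),    # fHidden: not listed in the Name Manager
            "scope": "workbook" if itab == 0 else "sheet %d" % itab,
            "formula_is_ref3d": m["ptg"] == b"\x3a",  # ptgRef3d: sheet-qualified cell reference
        })
    for m in BOUNDSHEET_PATTERN.finditer(data):
        rec_len = struct.unpack("<H", m["len"])[0]
        cch, width = m["cch"][0], 2 if m["wide"][0] else 1
        if rec_len != 8 + cch * width:  # record length must agree with the name length
            continue
        raw = data[m.end():m.end() + cch * width]
        report["sheets"].append({
            "offset": m.start(),
            "name": raw.decode("utf-16-le" if width == 2 else "latin-1", errors="replace"),
            "type": SHEET_TYPES[m["dt"][0]],
            "state": SHEET_STATES.get(m["state"][0] & 0x03, "unknown"),
        })
    report["hidden_macro_sheet"] = any(
        s["type"] == "XLM macro sheet" and s["state"] != "visible" for s in report["sheets"])
    report["suspicious"] = report["cfb_header"] and bool(report["auto_names"])
    return report


def lbl_record(builtin_index, grbit=0x0020, itab=0, formula=b"\x3a\x00\x00\x01\x00\x00\x00"):
    """Build a Lbl record defining a built-in name (constructed test data)."""
    body = struct.pack("<HBBHHHBBBB", grbit, 0, 1, len(formula), 0, itab, 0, 0, 0, 0)
    body += b"\x00" + bytes([builtin_index]) + formula
    return struct.pack("<HH", REC_NAME, len(body)) + body


def boundsheet_record(name, state, dt, pos=0x1000):
    """Build a BoundSheet8 record with an 8-bit sheet name (constructed test data)."""
    raw = name.encode("latin-1")
    body = struct.pack("<IBBBB", pos, state, dt, len(raw), 0) + raw
    return struct.pack("<HH", REC_BOUNDSHEET, len(body)) + body


# Constructed stand-in for a file: a CFB header sector followed by a few Workbook
# records. A real .xls wraps the Workbook stream in 512-byte CFB sectors.
SAMPLE = (
    CFB_MAGIC + b"\x00" * 504
    + boundsheet_record("Sheet1", 0, 0x00)
    + boundsheet_record("Macro1", 2, 0x01)   # very hidden Excel 4.0 macro sheet
    + lbl_record(0x01, itab=2)               # Auto_Open scoped to sheet 2 (Macro1)
)

if __name__ == "__main__":
    import json
    print(json.dumps(scan(SAMPLE), indent=2))
```

Like the YARA rule, this scans raw file bytes, which is adequate for triage but can miss a record that straddles a sector boundary in a fragmented Workbook stream; for anything beyond triage, extract the stream first (olefile: `OleFileIO(path).openstream("Workbook").read()`) or let oletools' olevba decode the XLM formulas. Dumping the reported match offset (0x321f here) in a hex viewer lets you confirm the record fields by eye before trusting either signature.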

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview


    AV Detection:

Antivirus / Scanner detection for submitted sample
Source: oBfsC4t10n2.xls | Avira: detected
Multi AV Scanner detection for submitted file
Source: oBfsC4t10n2.xls | Virustotal: Detection: 63%
Source: oBfsC4t10n2.xls | Metadefender: Detection: 44%
Source: oBfsC4t10n2.xls | ReversingLabs: Detection: 68%

Further signature results:

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: oBfsC4t10n2.xls | String found in binary or memory: http://0b.htb/s.dll (the only string in this report found in the sample itself rather than in the dropped Office cache file below)
Source: 5A9E0E51-5E4D-4CBE-BF29-7CE08F095393.0.dr | String found in binary or memory (one URL per line):
  http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
  http://weather.service.msn.com/data.aspx
  https://addinsinstallation.store.office.com/app/acquisitionlogging
  https://addinsinstallation.store.office.com/app/download
  https://addinsinstallation.store.office.com/appinstall/preinstalled
  https://addinsinstallation.store.office.com/appinstall/unauthenticated
  https://addinslicensing.store.office.com/commerce/query
  https://analysis.windows.net/powerbi/api
  https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  https://api.aadrm.com/
  https://api.addins.omex.office.net/appinfo/query
  https://api.addins.omex.office.net/appstate/query
  https://api.addins.store.office.com/app/query
  https://api.cortana.ai
  https://api.diagnostics.office.com
  https://api.diagnosticssdf.office.com
  https://api.microsoftstream.com/api/
  https://api.office.net
  https://api.onedrive.com
  https://api.powerbi.com/beta/myorg/imports
  https://api.powerbi.com/v1.0/myorg/datasets
  https://api.powerbi.com/v1.0/myorg/groups
  https://apis.live.net/v5.0/
  https://arc.msn.com/v4/api/selection
  https://asgsmsproxyapi.azurewebsites.net/
  https://augloop.office.com
  https://augloop.office.com/v2
  https://autodiscover-s.outlook.com/
  https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
  https://cdn.entity.
  https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
  https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
  https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
  https://client-office365-tas.msedge.net/ab
  https://clients.config.office.net/
  https://clients.config.office.net/user/v1.0/android/policies
  https://clients.config.office.net/user/v1.0/ios
  https://clients.config.office.net/user/v1.0/mac
  https://clients.config.office.net/user/v1.0/tenantassociationkey
  https://cloudfiles.onenote.com/upload.aspx
  https://config.edge.skype.com
  https://config.edge.skype.com/config/v1/Office
  https://config.edge.skype.com/config/v2/Office
  https://cortana.ai
  https://cortana.ai/api
  https://cr.office.com
  https://dataservice.o365filtering.com
  https://dataservice.o365filtering.com/
  https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
  https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
  https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
  https://dev.cortana.ai
  https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
  https://dev0-api.acompli.net/autodetect
  https://devnull.onenote.com
  https://directory.services.
  https://ecs.office.com/config/v2/Office
  https://enrichment.osi.office.net/
  https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
  https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
  https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
  https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
  https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
  https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
  https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
  https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
  https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
  https://entitlement.diagnostics.office.com
  https://entitlement.diagnosticssdf.office.com
  https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
  https://globaldisco.crm.dynamics.com
  https://graph.ppe.windows.net
  https://graph.ppe.windows.net/
  https://graph.windows.net
  https://graph.windows.net/
  https://hubblecontent.osi.office.net/contentsvc/api/telemetry
  https://hubblecontent.osi.office.net/contentsvc/browse?
  https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
  https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
  https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
  https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
  https://hubblecontent.osi.office.net/contentsvc/microsofticon?
  https://incidents.diagnostics.office.com
  https://incidents.diagnosticssdf.office.com
  https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
  https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
  https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
  https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
  https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
  https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
  https://insertmedia.bing.office.net/odc/insertmedia
  https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
  https://lifecycle.office.com
  https://login.microsoftonline.com/
  https://login.windows-ppe.net/common/oauth2/authorize
  https://login.windows.local
  https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
  https://login.windows.net/common/oauth2/authorize
  https://loki.delve.office.com/api/v1/configuration/officewin32/
  https://lookup.onenote.com/lookup/geolocation/v1
  https://management.azure.com
  https://management.azure.com/
  https://messaging.office.com/
  https://metadata.templates.cdn.office.net/client/log
  https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
  https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  https://ncus.contentsync.
  https://ncus.pagecontentsync.
  https://o365auditrealtimeingestion.manage.office.com
  https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
  https://o365diagnosticsppe-web.cloudapp.net
  https://ocos-office365-s2s.msedge.net/ab
  https://ofcrecsvcapi-int.azurewebsites.net/
  https://officeapps.live.com
  https://officeci.azurewebsites.net/api/
  https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
  https://officesetup.getmicrosoftkey.com
  https://ogma.osi.office.net/TradukoApi/api/v1.0/
  https://omex.cdn.office.net/addinclassifier/officeentities
  https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
  https://onedrive.live.com
  https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
  https://onedrive.live.com/embed?
  https://osi.office.net
  https://outlook.office.com/
  https://outlook.office.com/autosuggest/api/v1/init?cvid=
  https://outlook.office365.com/
  https://outlook.office365.com/api/v1.0/me/Activities
  https://outlook.office365.com/autodiscover/autodiscover.json
  https://ovisualuiapp.azurewebsites.net/pbiagave/
  https://pages.store.office.com/appshome.aspx?productgroup=Outlook
  https://pages.store.office.com/review/query
  https://pages.store.office.com/webapplandingpage.aspx
  https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
  https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
  https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
  https://portal.office.com/account/?ref=ClientMeControl
  https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
  https://powerlift-frontdesk.acompli.net
  https://powerlift.acompli.net
  https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
  https://prod-global-autodetect.acompli.net/autodetect
  https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
  https://res.getmicrosoftkey.com/api/redemptionevents
  https://roaming.edog.
  https://rpsticket.partnerservices.getmicrosoftkey.com
  https://settings.outlook.com
  https://shell.suite.office.com:1443
  https://skyapi.live.net/Activity/
  https://sr.outlook.office.net/ws/speech/recognize/assistant/work
  https://staging.cortana.ai
  https://storage.live.com/clientlogs/uploadlocation
  https://store.office.cn/addinstemplate
  https://store.office.com/addinstemplate
  https://store.office.de/addinstemplate
  https://store.officeppe.com/addinstemplate
  https://substrate.office.com/search/api/v2/init
  https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
  https://tasks.office.com
  https://uci.cdn.office.net/mirrored/smartlookup/current/
  https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
  https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
  https://visio.uservoice.com/forums/368202-visio-on-devices
  https://web.microsoftstream.com/video/
  https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
  https://webshell.suite.office.com
  https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
  https://wus2.contentsync.
  https://wus2.pagecontentsync.
  https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
  https://www.odwebp.svc.ms
Source: oBfsC4t10n2.xls | OLE indicator, VBA macros: true
Source: oBfsC4t10n2.xls, type: SAMPLE | Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: classification engine | Classification label: mal60.expl.winXLS@1/1@0/0
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{C2F15E59-7AB6-4325-BA82-930610A7768F} - OProcSessId.dat
Source: oBfsC4t10n2.xls | OLE indicator, Workbook stream: true
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: oBfsC4t10n2.xls | Virustotal: Detection: 63%
Source: oBfsC4t10n2.xls | Metadefender: Detection: 44%
Source: oBfsC4t10n2.xls | ReversingLabs: Detection: 68%
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Automated click: OK (4 occurrences)
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (20 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel
Source: Yara match | File source: oBfsC4t10n2.xls, type: SAMPLE

Mitre Att&ck Matrix

Techniques marked (1) were matched by one signature in this analysis; the other entries are the matrix's unmatched column placeholders.

Initial Access: Valid Accounts | Default Accounts
Execution: Scripting (1) | Scheduled Task/Job
Persistence: Path Interception | Boot or Logon Initialization Scripts
Privilege Escalation: Path Interception | Boot or Logon Initialization Scripts
Defense Evasion: Masquerading (1) | Scripting (1)
Credential Access: OS Credential Dumping | LSASS Memory
Discovery: File and Directory Discovery (1) | System Information Discovery (1)
Lateral Movement: Remote Services | Remote Desktop Protocol
Collection: Data from Local System | Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth
Command and Control: Data Obfuscation | Junk Data
Network Effects: Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization
Impact: Modify System Partition | Device Lockout

Behavior Graph

(graph image and legend not reproduced in this text export)

Screenshots

(screenshot thumbnails not reproduced in this text export)

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

Source | Detection | Scanner | Label
oBfsC4t10n2.xls | 63% | Virustotal |
oBfsC4t10n2.xls | 47% | Metadefender |
oBfsC4t10n2.xls | 69% | ReversingLabs | Document-Excel.Downloader.EncDoc
oBfsC4t10n2.xls | 100% | Avira | XF/Agent.B

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label
    https://roaming.edog. | 0% | Avira URL Cloud | safe
    https://cdn.entity. | 0% | URL Reputation | safe
    https://powerlift.acompli.net | 0% | URL Reputation | safe
    https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
    https://cortana.ai | 0% | URL Reputation | safe
    https://api.aadrm.com/ | 0% | URL Reputation | safe
    https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Virustotal | -
    https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Avira URL Cloud | safe
    https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
    https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
    https://officeci.azurewebsites.net/api/ | 0% | Virustotal | -
    https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe
    https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
    https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
    https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
    https://www.odwebp.svc.ms | 0% | URL Reputation | safe
    https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
    https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
    https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
    https://ncus.contentsync. | 0% | URL Reputation | safe
    https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
    https://wus2.contentsync. | 0% | URL Reputation | safe
    https://asgsmsproxyapi.azurewebsites.net/ | 0% | Avira URL Cloud | safe
    https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe
    https://ncus.pagecontentsync. | 0% | URL Reputation | safe
    https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe
    https://dataservice.o365filtering.com | 0% | URL Reputation | safe
    https://api.cortana.ai | 0% | URL Reputation | safe
    https://ovisualuiapp.azurewebsites.net/pbiagave/ | 0% | Avira URL Cloud | safe
    https://directory.services. | 0% | URL Reputation | safe
    https://staging.cortana.ai | 0% | URL Reputation | safe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    URLs from Memory and Binaries

    All URLs below share the same Source (dropped file 5A9E0E51-5E4D-4CBE-BF29-7CE08F095393.0.dr) and the same Malicious value (false). URLs ending in a dot are truncated strings as found in the file.

    Name | Antivirus Detection | Reputation
    https://api.diagnosticssdf.office.com | - | high
    https://login.microsoftonline.com/ | - | high
    https://shell.suite.office.com:1443 | - | high
    https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | - | high
    https://autodiscover-s.outlook.com/ | - | high
    https://roaming.edog. | Avira URL Cloud: safe | unknown
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | - | high
    https://cdn.entity. | URL Reputation: safe | unknown
    https://api.addins.omex.office.net/appinfo/query | - | high
    https://clients.config.office.net/user/v1.0/tenantassociationkey | - | high
    https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | - | high
    https://powerlift.acompli.net | URL Reputation: safe | unknown
    https://rpsticket.partnerservices.getmicrosoftkey.com | URL Reputation: safe | unknown
    https://lookup.onenote.com/lookup/geolocation/v1 | - | high
    https://cortana.ai | URL Reputation: safe | unknown
    https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | - | high
    https://cloudfiles.onenote.com/upload.aspx | - | high
    https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | - | high
    https://entitlement.diagnosticssdf.office.com | - | high
    https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | - | high
    https://api.aadrm.com/ | URL Reputation: safe | unknown
    https://ofcrecsvcapi-int.azurewebsites.net/ | Virustotal: 0%; Avira URL Cloud: safe | unknown
    https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | - | high
    https://api.microsoftstream.com/api/ | - | high
    https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | - | high
    https://cr.office.com | - | high
    https://portal.office.com/account/?ref=ClientMeControl | - | high
    https://graph.ppe.windows.net | - | high
    https://res.getmicrosoftkey.com/api/redemptionevents | URL Reputation: safe | unknown
    https://powerlift-frontdesk.acompli.net | URL Reputation: safe | unknown
    https://tasks.office.com | - | high
    https://officeci.azurewebsites.net/api/ | Virustotal: 0%; Avira URL Cloud: safe | unknown
    https://sr.outlook.office.net/ws/speech/recognize/assistant/work | - | high
    https://store.office.cn/addinstemplate | URL Reputation: safe | unknown
    https://outlook.office.com/autosuggest/api/v1/init?cvid= | - | high
    https://globaldisco.crm.dynamics.com | - | high
    https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | - | high
    https://store.officeppe.com/addinstemplate | URL Reputation: safe | unknown
    https://dev0-api.acompli.net/autodetect | URL Reputation: safe | unknown
    https://www.odwebp.svc.ms | URL Reputation: safe | unknown
    https://api.powerbi.com/v1.0/myorg/groups | - | high
    https://web.microsoftstream.com/video/ | - | high
    https://graph.windows.net | - | high
    https://dataservice.o365filtering.com/ | URL Reputation: safe | unknown
    https://officesetup.getmicrosoftkey.com | URL Reputation: safe | unknown
    https://analysis.windows.net/powerbi/api | - | high
    https://prod-global-autodetect.acompli.net/autodetect | URL Reputation: safe | unknown
    https://outlook.office365.com/autodiscover/autodiscover.json | - | high
    https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | - | high
    https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | - | high
    https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | - | high
    https://ncus.contentsync. | URL Reputation: safe | unknown
    https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | - | high
    https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | - | high
    http://weather.service.msn.com/data.aspx | - | high
    https://apis.live.net/v5.0/ | URL Reputation: safe | unknown
    https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | - | high
    https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | - | high
    https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | - | high
    https://management.azure.com | - | high
    https://wus2.contentsync. | URL Reputation: safe | unknown
    https://incidents.diagnostics.office.com | - | high
    https://clients.config.office.net/user/v1.0/ios | - | high
    https://insertmedia.bing.office.net/odc/insertmedia | - | high
    https://o365auditrealtimeingestion.manage.office.com | - | high
    https://outlook.office365.com/api/v1.0/me/Activities | - | high
    https://api.office.net | - | high
    https://incidents.diagnosticssdf.office.com | - | high
    https://asgsmsproxyapi.azurewebsites.net/ | Avira URL Cloud: safe | unknown
    https://clients.config.office.net/user/v1.0/android/policies | - | high
    https://entitlement.diagnostics.office.com | - | high
    https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | - | high
    https://substrate.office.com/search/api/v2/init | - | high
    https://outlook.office.com/ | - | high
    https://storage.live.com/clientlogs/uploadlocation | - | high
    https://outlook.office365.com/ | - | high
    https://webshell.suite.office.com | - | high
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive | - | high
    https://management.azure.com/ | - | high
    https://login.windows.net/common/oauth2/authorize | - | high
    https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | URL Reputation: safe | unknown
    https://graph.windows.net/ | - | high
    https://api.powerbi.com/beta/myorg/imports | - | high
    https://devnull.onenote.com | - | high
    https://ncus.pagecontentsync. | URL Reputation: safe | unknown
    https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json | - | high
    https://messaging.office.com/ | - | high
    https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | - | high
    https://augloop.office.com/v2 | - | high
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing | - | high
    https://skyapi.live.net/Activity/ | URL Reputation: safe | unknown
    https://clients.config.office.net/user/v1.0/mac | - | high
    https://dataservice.o365filtering.com | URL Reputation: safe | unknown
    https://api.cortana.ai | URL Reputation: safe | unknown
    https://onedrive.live.com | - | high
    https://ovisualuiapp.azurewebsites.net/pbiagave/ | Avira URL Cloud: safe | unknown
    https://visio.uservoice.com/forums/368202-visio-on-devices | - | high
    https://directory.services. | URL Reputation: safe | unknown
    https://login.windows-ppe.net/common/oauth2/authorize | - | high
    https://staging.cortana.ai | URL Reputation: safe | unknown

                                                                                                                                                  Contacted IPs

                                                                                                                                                  No contacted IP infos

                                                                                                                                                  General Information

                                                                                                                                                  Joe Sandbox Version:33.0.0 White Diamond
                                                                                                                                                  Analysis ID:461927
                                                                                                                                                  Start date:09.08.2021
                                                                                                                                                  Start time:18:53:49
                                                                                                                                                  Joe Sandbox Product:CloudBasic
                                                                                                                                                  Overall analysis duration:0h 4m 20s
                                                                                                                                                  Hypervisor based Inspection enabled:false
                                                                                                                                                  Report type:light
                                                                                                                                                  Sample file name:oBfsC4t10n2.xls
                                                                                                                                                  Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                                  Run name:Potential for more IOCs and behavior
                                                                                                                                                  Number of new started processes analysed:25
                                                                                                                                                  Number of new started drivers analysed:0
                                                                                                                                                  Number of existing processes analysed:0
                                                                                                                                                  Number of existing drivers analysed:0
                                                                                                                                                  Number of injected processes analysed:0
                                                                                                                                                  Technologies:
                                                                                                                                                  • HCA enabled
                                                                                                                                                  • EGA enabled
                                                                                                                                                  • HDC enabled
                                                                                                                                                  • AMSI enabled
                                                                                                                                                  Analysis Mode:default
                                                                                                                                                  Analysis stop reason:Timeout
                                                                                                                                                  Detection:MAL
                                                                                                                                                  Classification:mal60.expl.winXLS@1/1@0/0
                                                                                                                                                  Cookbook Comments:
                                                                                                                                                  • Adjust boot time
                                                                                                                                                  • Enable AMSI
                                                                                                                                                  • Found application associated with file extension: .xls
                                                                                                                                                  • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                  • Attach to Office via COM
                                                                                                                                                  • Scroll down
                                                                                                                                                  • Close Viewer
                                                                                                                                                  Warnings:
                                                                                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                                                                                                  • Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 20.50.102.62, 52.147.198.201, 20.189.173.20, 23.54.113.53, 52.109.88.177, 52.109.88.38, 95.100.54.203, 52.109.8.25, 67.26.73.254, 67.27.158.126, 67.27.233.126, 8.238.29.126, 67.27.159.254, 51.103.5.186, 20.82.210.154, 23.10.249.43, 23.10.249.26, 20.54.110.249, 40.112.88.60
                                                                                                                                                  • Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, nexus.officeapps.live.com, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, dual-a-0001.dc-msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                                                                                                  • Not all processes were analyzed; the report is missing behavior information

                                                                                                                                                  Simulations

                                                                                                                                                  Behavior and APIs

                                                                                                                                                  No simulations

                                                                                                                                                  Joe Sandbox View / Context

                                                                                                                                                  IPs

                                                                                                                                                  No context

                                                                                                                                                  Domains

                                                                                                                                                  No context

                                                                                                                                                  ASN

                                                                                                                                                  No context

                                                                                                                                                  JA3 Fingerprints

                                                                                                                                                  No context

                                                                                                                                                  Dropped Files

                                                                                                                                                  No context

                                                                                                                                                  Created / dropped Files

                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5A9E0E51-5E4D-4CBE-BF29-7CE08F095393
                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                  File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):135913
                                                                                                                                                  Entropy (8bit):5.362418168528083
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:1536:NcQIKNveBTA3gBwlnQ9DQW+z2Y34ZliKWXboOidXqE6LWME9:4yQ9DQW+zaX31
                                                                                                                                                  MD5:15C6A0DB4235A300C26328DD184D98CC
                                                                                                                                                  SHA1:E301DCBF618924DB33A445FA5592B8E4F70946C8
                                                                                                                                                  SHA-256:E6A05C3BCAFA4ADD237BAD363CEE9AF978B079BED3CE11537A6C79EEAA192E12
                                                                                                                                                  SHA-512:815B9FDF932462601DB89C7ECC6B8C856FAD2BBB61FE11FC1EBC40E07ABCFA4F8CE71C8F2CC596691AA71E2A053A2D9DD05D7D08090DBB77146996A83492F3FB
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:low
                                                                                                                                                  Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-08-09T16:54:50">.. Build: 16.0.14404.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

                                                                                                                                                  Static File Info

                                                                                                                                                  General

                                                                                                                                                  File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: 0xdf, Last Saved By: 0xdf, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Mar 23 14:19:10 2020, Last Saved Time/Date: Sat Apr 25 19:43:56 2020, Security: 0
                                                                                                                                                  Entropy (8bit):5.658051669585681
                                                                                                                                                  TrID:
                                                                                                                                                  • Microsoft Excel sheet (30009/1) 47.99%
                                                                                                                                                  • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                                                                                                                                  • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                                                                                                                                  File name:oBfsC4t10n2.xls
                                                                                                                                                  File size:849920
                                                                                                                                                  MD5:0c09fbdf98f0a6144a42fde00fe21504
                                                                                                                                                  SHA1:bb4a594ecf90ed6b9e408c404b08620500fb4c02
                                                                                                                                                  SHA256:1f156f86d45e28dac74015051546305497adb86b4e46bb7d9a84ccf5e25a12f4
                                                                                                                                                  SHA512:e07776cc23b1a9629e760173e7cbf47bfc56f87c1f74f51ad59299dad3e01387ed355bed4cdcfcc269cb55ad7357896b3e1d57a7cdea0c6d84ecec09ca79e8d4
                                                                                                                                                  SSDEEP:12288:53wXyuDwsryfLlYUFZWyehWg6rj4P8pJNjavyP:5Axr2YUWyXvzD
                                                                                                                                                  File Content Preview:........................>.......................z...........................m...n...o...p...q...r...s...t...u...v...w...x...y..................................................................................................................................

                                                                                                                                                  File Icon

                                                                                                                                                  Icon Hash:74ecd4c6c3c6c4d8

                                                                                                                                                  Static OLE Info

                                                                                                                                                  General

                                                                                                                                                  Document Type:OLE
                                                                                                                                                  Number of OLE Files:1

                                                                                                                                                  OLE File "oBfsC4t10n2.xls"

                                                                                                                                                  Indicators

                                                                                                                                                  Has Summary Info:True
                                                                                                                                                  Application Name:Microsoft Excel
                                                                                                                                                  Encrypted Document:False
                                                                                                                                                  Contains Word Document Stream:False
                                                                                                                                                  Contains Workbook/Book Stream:True
                                                                                                                                                  Contains PowerPoint Document Stream:False
                                                                                                                                                  Contains Visio Document Stream:False
                                                                                                                                                  Contains ObjectPool Stream:
                                                                                                                                                  Flash Objects Count:
                                                                                                                                                  Contains VBA Macros:True

                                                                                                                                                  Summary

                                                                                                                                                  Code Page:1252
                                                                                                                                                  Author:0xdf
                                                                                                                                                  Last Saved By:0xdf
                                                                                                                                                  Create Time:2020-03-23 14:19:10
                                                                                                                                                  Last Saved Time:2020-04-25 18:43:56
                                                                                                                                                  Creating Application:Microsoft Excel
                                                                                                                                                  Security:0

                                                                                                                                                  Document Summary

                                                                                                                                                  Document Code Page:1252
                                                                                                                                                  Thumbnail Scaling Desired:False
                                                                                                                                                  Company:
                                                                                                                                                  Contains Dirty Links:False
                                                                                                                                                  Shared Document:False
                                                                                                                                                  Changed Hyperlinks:False
                                                                                                                                                  Application Version:1048576

                                                                                                                                                  Streams

                                                                                                                                                  Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                                                                                                                                  General
                                                                                                                                                  Stream Path:\x5DocumentSummaryInformation
                                                                                                                                                  File Type:data
                                                                                                                                                  Stream Size:4096
                                                                                                                                                  Entropy:0.333599520797
                                                                                                                                                  Base64 Encoded:False
                                                                                                                                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i n v o i c e . . . . . c 1 z B 0 v a s N o . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . .
                                                                                                                                                  Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 af 00 00 00
                                                                                                                                                  Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                                                                                                                                                  General
                                                                                                                                                  Stream Path:\x5SummaryInformation
                                                                                                                                                  File Type:data
                                                                                                                                                  Stream Size:4096
                                                                                                                                                  Entropy:0.266633510482
                                                                                                                                                  Base64 Encoded:False
                                                                                                                                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 x d f . . . . . . . . . . . . 0 x d f . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . C . . . . . . @ . . . . > . y 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                  Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 58 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 08 00 00 00
                                                                                                                                                  Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 833805
                                                                                                                                                  General
                                                                                                                                                  Stream Path:Workbook
                                                                                                                                                  File Type:Applesoft BASIC program data, first line number 16
                                                                                                                                                  Stream Size:833805
                                                                                                                                                  Entropy:5.70721264282
                                                                                                                                                  Base64 Encoded:True
                                                                                                                                                  Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . 0 x d f B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . E . . 8 . . . . . . . X . @ . .
                                                                                                                                                  Data Raw:09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 04 00 00 30 78 64 66 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Network Behavior

Network Port Distribution

UDP Packets

All UDP traffic recorded during the analysis is DNS between the sandbox host (192.168.2.5) and the resolver 8.8.8.8 (port 53); each query row is followed by its reply row.

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Aug 9, 2021 18:54:32.193594933 CEST  61805        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:54:32.215585947 CEST  53           61805      8.8.8.8      192.168.2.5
Aug 9, 2021 18:54:32.232417107 CEST  54795        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:54:32.273241997 CEST  53           54795      8.8.8.8      192.168.2.5
Aug 9, 2021 18:54:32.868778944 CEST  49557        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:54:32.891609907 CEST  53           49557      8.8.8.8      192.168.2.5
Aug 9, 2021 18:54:35.885212898 CEST  61733        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:54:35.906714916 CEST  53           61733      8.8.8.8      192.168.2.5
Aug 9, 2021 18:54:37.043085098 CEST  65447        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:54:37.066266060 CEST  53           65447      8.8.8.8      192.168.2.5
Aug 9, 2021 18:54:37.539341927 CEST  52441        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:54:37.606853962 CEST  53           52441      8.8.8.8      192.168.2.5
Aug 9, 2021 18:54:38.135129929 CEST  62176        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:54:38.157135963 CEST  53           62176      8.8.8.8      192.168.2.5
Aug 9, 2021 18:54:39.380624056 CEST  59596        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:54:39.401242018 CEST  53           59596      8.8.8.8      192.168.2.5
Aug 9, 2021 18:54:40.573932886 CEST  65296        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:54:40.595009089 CEST  53           65296      8.8.8.8      192.168.2.5
Aug 9, 2021 18:54:42.147542953 CEST  63183        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:54:42.168618917 CEST  53           63183      8.8.8.8      192.168.2.5
Aug 9, 2021 18:54:48.876118898 CEST  60151        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:54:48.897981882 CEST  53           60151      8.8.8.8      192.168.2.5
Aug 9, 2021 18:54:50.163948059 CEST  56969        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:54:50.240061998 CEST  53           56969      8.8.8.8      192.168.2.5
Aug 9, 2021 18:54:50.271064997 CEST  55161        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:54:50.292249918 CEST  53           55161      8.8.8.8      192.168.2.5
Aug 9, 2021 18:54:50.558156967 CEST  54757        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:54:50.671000957 CEST  53           54757      8.8.8.8      192.168.2.5
Aug 9, 2021 18:54:51.549012899 CEST  54757        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:54:51.569592953 CEST  53           54757      8.8.8.8      192.168.2.5
Aug 9, 2021 18:54:52.567133904 CEST  54757        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:54:52.588447094 CEST  53           54757      8.8.8.8      192.168.2.5
Aug 9, 2021 18:54:53.581690073 CEST  49992        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:54:53.602202892 CEST  53           49992      8.8.8.8      192.168.2.5
Aug 9, 2021 18:54:54.576914072 CEST  54757        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:54:54.598123074 CEST  53           54757      8.8.8.8      192.168.2.5
Aug 9, 2021 18:54:54.795897007 CEST  60075        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:54:54.816848040 CEST  53           60075      8.8.8.8      192.168.2.5
Aug 9, 2021 18:54:57.654803991 CEST  55016        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:54:57.717314959 CEST  53           55016      8.8.8.8      192.168.2.5
Aug 9, 2021 18:54:58.913532972 CEST  54757        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:54:58.958308935 CEST  53           54757      8.8.8.8      192.168.2.5
Aug 9, 2021 18:55:06.131884098 CEST  64345        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:55:06.152968884 CEST  53           64345      8.8.8.8      192.168.2.5
Aug 9, 2021 18:55:28.440583944 CEST  57128        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:55:28.489326954 CEST  53           57128      8.8.8.8      192.168.2.5
Aug 9, 2021 18:55:28.719193935 CEST  54791        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:55:28.761019945 CEST  53           54791      8.8.8.8      192.168.2.5
Aug 9, 2021 18:55:30.856345892 CEST  50463        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:55:30.878485918 CEST  53           50463      8.8.8.8      192.168.2.5
Aug 9, 2021 18:55:34.551250935 CEST  50394        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:55:34.578723907 CEST  53           50394      8.8.8.8      192.168.2.5
Aug 9, 2021 18:55:50.751600027 CEST  58530        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:55:50.772566080 CEST  53           58530      8.8.8.8      192.168.2.5
Aug 9, 2021 18:55:51.530077934 CEST  53813        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:55:51.536731958 CEST  63732        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:55:51.559067011 CEST  53           63732      8.8.8.8      192.168.2.5
Aug 9, 2021 18:55:51.564588070 CEST  53           53813      8.8.8.8      192.168.2.5
Aug 9, 2021 18:55:52.047950029 CEST  57344        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:55:52.071902990 CEST  53           57344      8.8.8.8      192.168.2.5
Aug 9, 2021 18:55:52.618679047 CEST  54450        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:55:52.642611980 CEST  53           54450      8.8.8.8      192.168.2.5
Aug 9, 2021 18:55:53.144443989 CEST  59261        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:55:53.164999008 CEST  53           59261      8.8.8.8      192.168.2.5
Aug 9, 2021 18:55:53.638730049 CEST  57151        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:55:53.737600088 CEST  53           57151      8.8.8.8      192.168.2.5
Aug 9, 2021 18:55:54.477782965 CEST  59413        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:55:54.499402046 CEST  53           59413      8.8.8.8      192.168.2.5
Aug 9, 2021 18:55:55.317459106 CEST  60516        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:55:55.339262009 CEST  53           60516      8.8.8.8      192.168.2.5
Aug 9, 2021 18:55:56.037570000 CEST  51649        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:55:56.062115908 CEST  53           51649      8.8.8.8      192.168.2.5
Aug 9, 2021 18:55:56.520291090 CEST  65086        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:55:56.541946888 CEST  53           65086      8.8.8.8      192.168.2.5
Aug 9, 2021 18:56:11.318769932 CEST  56432        53         192.168.2.5  8.8.8.8
Aug 9, 2021 18:56:11.340473890 CEST  53           56432      8.8.8.8      192.168.2.5

Code Manipulations

Statistics

System Behavior

General

Start time: 18:54:47
Start date: 09/08/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0xa20000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly
