Play interactive tour

Edit tour

Windows Analysis Report 00620 - 2011 Dept Expense Detail.xls

Overview

General Information

Sample Name:	00620 - 2011 Dept Expense Detail.xls
Analysis ID:	467210
MD5:	57bcdf4ddd4c73eb7b1579edf9e10d62
SHA1:	fb7ee5e7a2ef599bcbf982ff6823387792a90335
SHA256:	5c0e2dc5c3e763417c7fb8f02f8d12a64e9aad4f7fa4cf0e7a09e31bfe20e4fd
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	20
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Yara detected hidden Macro 4.0 in Excel

Document contains embedded VBA macros

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2672 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
00620 - 2011 Dept Expense Detail.xls	JoeSecurity_HiddenMacro	Yara detected hidden Macro 4.0 in Excel	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: 00620 - 2011 Dept Expense Detail.xls

String found in binary or memory: https://peoplesoft.dealercentral.net/psp/SCMPRD_newwin/EMPLOYEE/ERP/c/REPORT_BOOKS.IC_RUN_DRILLDOWN.

Source: 00620 - 2011 Dept Expense Detail.xls

OLE indicator, VBA macros: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC65A.tmp

Jump to behavior

Source: 00620 - 2011 Dept Expense Detail.xls

OLE indicator, Workbook stream: true

Source: classification engine

Classification label: sus20.expl.winXLS@1/1@0/0

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel

Show sources

Source: Yara match

File source: 00620 - 2011 Dept Expense Detail.xls, type: SAMPLE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting1	Path Interception	Path Interception	Scripting1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	System Information Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
00620 - 2011 Dept Expense Detail.xls	2%	Virustotal		Browse
00620 - 2011 Dept Expense Detail.xls	2%	ReversingLabs	Document.Trojan.CutwailOLE

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://peoplesoft.dealercentral.net/psp/SCMPRD_newwin/EMPLOYEE/ERP/c/REPORT_BOOKS.IC_RUN_DRILLDOWN.	00620 - 2011 Dept Expense Detail.xls	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	467210
Start date:	18.08.2021
Start time:	00:39:02
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	00620 - 2011 Dept Expense Detail.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus20.expl.winXLS@1/1@0/0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	162688
Entropy (8bit):	4.254475228883147
Encrypted:	false
SSDEEP:	1536:C6vL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcm48s:CWJNSc83tKBAvQVCgOtmXmLpLm4l
MD5:	CCD3611D3446F144D1CA56FBC509280F
SHA1:	633BE892B522D00D8F03C98634B311B63C2396C3
SHA-256:	D353C4B1F4F3800EE210702E80E0BAF6D73069BBD18675122993661A5B46A54B
SHA-512:	4D0DE72EF3E04F5B7205866B7C051BD7B8A3F8CA31E5089C71FA56D959B918D834BB7D11BFD2467962ED7F5248B768BE60E3A41205222F624DB6449F6FE2FA06
Malicious:	false
Reputation:	low
Preview:	MSFT................Q................................#......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........\|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0......*..\+...+..$,...,...,..P-...-......\|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8..............................$................................................................................x..xG..............T........................................... ...........................................................&!..............................................................................................

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.2, Code page: 1252, Author: AutoNation USA, Last Saved By: DupreeP, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Feb 4 16:48:36 1999, Last Saved Time/Date: Tue Sep 20 15:04:38 2011, Security: 0
Entropy (8bit):	4.043229382190713
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	00620 - 2011 Dept Expense Detail.xls
File size:	53760
MD5:	57bcdf4ddd4c73eb7b1579edf9e10d62
SHA1:	fb7ee5e7a2ef599bcbf982ff6823387792a90335
SHA256:	5c0e2dc5c3e763417c7fb8f02f8d12a64e9aad4f7fa4cf0e7a09e31bfe20e4fd
SHA512:	f0f613246b8fd11cca39102e1aaeea11b3c2228cbee6778245bb34bc96c59bd4ac069e80020ba0bdfb0d90a4b8ccccc6387922b1ec72915fd15c8666bc90643b
SSDEEP:	768:g9RUbndMNmu2jm1xW5aUgAVZx5mXMr2q3rLrLn+zghx0QQDI:iKndMwfjSW5SAVZdygP8
File Content Preview:	........................>...................................M..................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "00620 - 2011 Dept Expense Detail.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1252
Author:	AutoNation USA
Last Saved By:	DupreeP
Create Time:	1999-02-04 16:48:36
Last Saved Time:	2011-09-20 14:04:38
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	730895

Streams with VBA

VBA File Name: Module1.bas, Stream Size: 3440

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Module1
VBA File Name:	Module1.bas
Stream Size:	3440
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 06 f0 00 00 00 84 03 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff b2 03 00 00 26 0a 00 00 01 00 00 00 01 00 00 00 e9 9b 00 00 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 04 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Time:
DateTime
(last
data/layout
insert
"B").Value
report
Hideflag
entire
column)
EndColumn
Range("BeginColumn")
found
'places
searching
cursor
BeginRow
'this
Cnum).Select
Worksheets("Actuals").Activate
EndRow
column
ActiveSheet.Cells(Rnum,
Range("End")
Integer,
HideRows.VB_ProcData.VB_Invoke_Func
Integer
Attribute
hasn't
value
.Column
zeroes.
VB_Name
HideRows()
Range("EndColumn")
other
ActiveCell.Value
Range("BeginRow")
Selection.EntireRow.Hidden
BeginColumn
first

VBA Code

Attribute VB_Name = "Module1"

 Sub HideRows()
Attribute HideRows.VB_ProcData.VB_Invoke_Func = " \n14"
 
    Dim Rnum As Integer, Cnum As Integer, EndRow As Integer
    Dim BeginRow As Integer, BeginColumn As Integer, EndColumn As Integer
    Dim Hideflag
    Dim DateTime
    Worksheets("Actuals").Activate
    With Range("BeginRow")  'Get first row of data/layout
        BeginRow = .Row
    End With
    With Range("End")  'Get last row of data/layout
        EndRow = .Row
    End With
    With Range("BeginColumn")  'Get first column of data/layout
        BeginColumn = .Column
    End With
    With Range("EndColumn")  'Get last column of data/layout
        EndColumn = .Column
    End With
    'this code goes column by row searching for zeroes.  If it gets to
    'the end of a row (last column) and hasn't found a value other than 0,
    'it will hide the entire row and then go to the next row
    For Rnum = BeginRow To EndRow
        Hideflag = "y"
        For Cnum = BeginColumn To EndColumn
          ActiveSheet.Cells(Rnum, Cnum).Select
                If ActiveCell.Value <> 0 Then
                    Hideflag = "n"
                    Cnum = EndColumn
                End If
            If Cnum = EndColumn And Hideflag = "y" Then
                Selection.EntireRow.Hidden = True
            End If
            Next Cnum
        Next Rnum
        
    'this code will insert the run date and time in cell "B2"
    DateTime = Now
    Cells(2, "B").Value = "Run Date and Time: " & DateTime
    
    Range("B1").Select  'places cursor in cell b1 of the report
    
End Sub

VBA File Name: ThisWorkbook.cls, Stream Size: 985

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	985
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 e9 9b 89 96 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
"ThisWorkbook"
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 109

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	109
Entropy:	4.12087539431
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 376

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	376
Entropy:	3.8484246152
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . H . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . ' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A c t u a l s . . . . . M a c r o 1 . . . . . B e g i n C o l u m n . . . . . E n d C o l u m n . . . . . A c t u a l s ! P r i n t _ A r e a . . . . .
Data Raw:	fe ff 00 00 05 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 48 01 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 e5 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 216

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	216
Entropy:	3.75113746536
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . ` . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A u t o N a t i o n U S A . . . . . . . . . . D u p r e e P . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . . 5 ^ P . . @ . . . . _ . ; . w . . . . . . . . . .
Data Raw:	fe ff 00 00 05 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a8 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 60 00 00 00 12 00 00 00 70 00 00 00 0c 00 00 00 88 00 00 00 0d 00 00 00 94 00 00 00 13 00 00 00 a0 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 10 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 37717

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	37717
Entropy:	3.85189249275
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . D u p r e e P B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . . F . 8 . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 88 20 cd 07 c9 c0 00 00 06 03 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 07 00 00 44 75 70 72 65 65 50 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 405

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	405
Entropy:	5.34110993151
Base64 Encoded:	True
Data ASCII:	I D = " { 6 0 B 0 5 3 F 8 - 9 E 9 D - 1 1 D 2 - 8 F B 6 - 0 0 C 0 4 F 7 7 2 2 2 6 } " . . M o d u l e = M o d u l e 1 . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . N a m e = " F T C O R P . X N V " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 0 7 0 5 B D 4 6 4 F C 6 4 C C A 4 C C A 4 C C A 4 C C A " . . D P B = " 0 0 0 2 B A B D B B B D B B B D " . . G C = " F 9 F B 4 3 B 4 4 4 B 4 4 4 4 B " . . . . [ H o s t
Data Raw:	49 44 3d 22 7b 36 30 42 30 35 33 46 38 2d 39 45 39 44 2d 31 31 44 32 2d 38 46 42 36 2d 30 30 43 30 34 46 37 37 32 32 32 36 7d 22 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 31 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 46 54 43 4f 52 50 2e 58 4e 56 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 65

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
File Type:	data
Stream Size:	65
Entropy:	3.15495300444
Base64 Encoded:	False
Data ASCII:	M o d u l e 1 . M . o . d . u . l . e . 1 . . . T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . . .
Data Raw:	4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2821

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	2821
Entropy:	4.25301737665
Base64 Encoded:	False
Data ASCII:	. a y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . U . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
Data Raw:	cc 61 79 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 1169

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_0
File Type:	data
Stream Size:	1169
Entropy:	3.99317680234
Base64 Encoded:	False
Data ASCII:	. K * y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . f H { 4 . . . K . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . Q . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . . . . . . .
Data Raw:	93 4b 2a 79 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 00 01 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 02 00 00 7e 6d 00 00 7f 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 82

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_1
File Type:	data
Stream Size:	82
Entropy:	2.2010509371
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 4 q . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 09 00 00 00 00 00 03 00 ff ff ff ff 02 00 00 08 04 00 00 00 20 0a 31 34 71 00 00 7f 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 136

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_2
File Type:	data
Stream Size:	136
Entropy:	1.6161992012
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . ~ \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . k . . . . . . .
Data Raw:	72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 02 00 00 7e 7c 00 00 7f 00 00 00 00 0e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 03 00 08 00 00 00 00 00 02 00 01 00 01 00 00 00 00 00 30 00 00 00 0c 00 00 00 fc c6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 04 00 00 12 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 107

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_3
File Type:	data
Stream Size:	107
Entropy:	1.90767783468
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . . . . ` . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . . . n . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff 00 00 00 00 08 00 00 00 04 00 24 00 81 00 00 00 00 00 02 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff 61 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6e 00 00 7f 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 641

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
File Type:	data
Stream Size:	641
Entropy:	6.36296368332
Base64 Encoded:	True
Data ASCII:	. } . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . F T C O R P . X . N V . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . . . 6 . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # U : \\ W I N D . O W S \\ s y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . . . . . . M S F o r m s > . . . . . . S . F . F . r . m . s . 3 . . . . . . E
Data Raw:	01 7d b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 46 54 43 4f 52 50 2e 58 88 4e 56 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 2e fa 87 36 04 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: EXCEL.EXE PID: 2672 Parent PID: 584

General

Start time:	00:39:35
Start date:	18/08/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13fe80000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Module1

Declaration

Line	Content
1	Attribute VB_Name = "Module1"

Non-Executed Functions

Subroutine HideRows, APIs: 7, Strings: 12, Number of lines: 36, Relevance: 28.536

APIs	Meta Information
Activate
Select
Value
ActiveCell
EntireRow
Now
Select

Strings	Decrypted Strings
"Actuals"
"n"
"y"
"y"
"n"
"y"
"n"
"n"
"y"
"B"
"Run Date and Time: "
"B1"

Line	Instruction	Meta Information
3	Sub HideRows()
4	Attribute HideRows.VB_ProcData.VB_Invoke_Func = " \n14" ' BAD !
6	Dim Rnum as Integer, Cnum as Integer, EndRow as Integer
7	Dim BeginRow as Integer, BeginColumn as Integer, EndColumn as Integer
8	Dim Hideflag
9	Dim DateTime
10	Worksheets("Actuals").Activate	Activate
11	With Range("BeginRow")
12	BeginRow = . Row
13	End With
14	With Range("End")
15	EndRow = . Row
16	End With
17	With Range("BeginColumn")
18	BeginColumn = . Column
19	End With
20	With Range("EndColumn")
21	EndColumn = . Column
22	End With
26	For Rnum = BeginRow To EndRow
27	Hideflag = "y"
28	For Cnum = BeginColumn To EndColumn
29	ActiveSheet.Cells(Rnum, Cnum).Select	Select
30	If ActiveCell.Value <> 0 Then	Value ActiveCell
31	Hideflag = "n"
32	Cnum = EndColumn
33	Endif
34	If Cnum = EndColumn And Hideflag = "y" Then
35	Selection.EntireRow.Hidden = True	EntireRow
36	Endif
37	Next Cnum
38	Next Rnum
41	DateTime = Now	Now
42	Cells(2, "B").Value = "Run Date and Time: " & DateTime
44	Range("B1").Select	Select
46	End Sub

Module: ThisWorkbook

Declaration

Line	Content
1	Attribute VB_Name = "ThisWorkbook"
2	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 00620 - 2011 Dept Expense Detail.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Initial Sample

Sigma Overview

Jbx Signature Overview

Compliance:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "00620 - 2011 Dept Expense Detail.xls"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Module1.bas, Stream Size: 3440

General

VBA Code Keywords

VBA Code

VBA File Name: ThisWorkbook.cls, Stream Size: 985

General

VBA Code Keywords

VBA Code

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 109

General

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 376

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 216

General

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 37717

General

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 405

General

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 65

General

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2821