Loading ...

Play interactive tourEdit tour

Windows Analysis Report 00620 - 2011 Dept Expense Detail.xls

Overview

General Information

Sample Name:00620 - 2011 Dept Expense Detail.xls
Analysis ID:467210
MD5:57bcdf4ddd4c73eb7b1579edf9e10d62
SHA1:fb7ee5e7a2ef599bcbf982ff6823387792a90335
SHA256:5c0e2dc5c3e763417c7fb8f02f8d12a64e9aad4f7fa4cf0e7a09e31bfe20e4fd
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:20
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Yara detected hidden Macro 4.0 in Excel
Document contains embedded VBA macros

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2652 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
00620 - 2011 Dept Expense Detail.xlsJoeSecurity_HiddenMacroYara detected hidden Macro 4.0 in ExcelJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: 00620 - 2011 Dept Expense Detail.xlsString found in binary or memory: https://peoplesoft.dealercentral.net/psp/SCMPRD_newwin/EMPLOYEE/ERP/c/REPORT_BOOKS.IC_RUN_DRILLDOWN.
    Source: 00620 - 2011 Dept Expense Detail.xlsOLE indicator, VBA macros: true
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRC83E.tmpJump to behavior
    Source: 00620 - 2011 Dept Expense Detail.xlsOLE indicator, Workbook stream: true
    Source: classification engineClassification label: sus20.expl.winXLS@1/1@0/0
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX

    HIPS / PFW / Operating System Protection Evasion:

    barindex
    Yara detected hidden Macro 4.0 in ExcelShow sources
    Source: Yara matchFile source: 00620 - 2011 Dept Expense Detail.xls, type: SAMPLE

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsScripting1Path InterceptionPath InterceptionScripting1OS Credential DumpingFile and Directory Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemorySystem Information Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    00620 - 2011 Dept Expense Detail.xls2%VirustotalBrowse
    00620 - 2011 Dept Expense Detail.xls2%ReversingLabsDocument.Trojan.CutwailOLE

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    https://peoplesoft.dealercentral.net/psp/SCMPRD_newwin/EMPLOYEE/ERP/c/REPORT_BOOKS.IC_RUN_DRILLDOWN.00620 - 2011 Dept Expense Detail.xlsfalse
      high

      Contacted IPs

      No contacted IP infos

      General Information

      Joe Sandbox Version:33.0.0 White Diamond
      Analysis ID:467210
      Start date:18.08.2021
      Start time:00:48:00
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 3m 51s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:00620 - 2011 Dept Expense Detail.xls
      Cookbook file name:defaultwindowsofficecookbook.jbs
      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
      Run name:Without Instrumentation
      Number of analysed new started processes analysed:2
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:SUS
      Classification:sus20.expl.winXLS@1/1@0/0
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .xls
      • Found Word or Excel or PowerPoint or XPS Viewer
      • Attach to Office via COM
      • Scroll down
      • Close Viewer
      Warnings:
      Show All
      • Exclude process from analysis (whitelisted): dllhost.exe
      • Report size getting too big, too many NtSetInformationFile calls found.

      Simulations

      Behavior and APIs

      No simulations

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:data
      Category:dropped
      Size (bytes):162688
      Entropy (8bit):4.254329420014995
      Encrypted:false
      SSDEEP:1536:C6QL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcm48s:C5JNSc83tKBAvQVCgOtmXmLpLm4l
      MD5:BA3A5A8B120D0E05EC631751C07686D5
      SHA1:97CC5690EFF6CA2B171FB5FC9C2DE275FF3E1C4F
      SHA-256:6C8F46438F09ED16AF36DF695946F806C5DD8406EBFA9D1930AC7BA6C941F7C8
      SHA-512:85929616D6BB719D5DB8AFDDAF1A12CF61A4E38F6B8C8B2FC78FF05336CDA8A2151514D90AEF46BC9CB182D802D78BD801C77CB9721D1A878A3C2DD5004F8259
      Malicious:false
      Reputation:low
      Preview: MSFT................Q................................#......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0*...*...*..\+...+..$,...,...,..P-...-......|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8..............................$................................................................................x..xG..............T........................................... ...........................................................&!..............................................................................................

      Static File Info

      General

      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.2, Code page: 1252, Author: AutoNation USA, Last Saved By: DupreeP, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Feb 4 16:48:36 1999, Last Saved Time/Date: Tue Sep 20 15:04:38 2011, Security: 0
      Entropy (8bit):4.043229382190713
      TrID:
      • Microsoft Excel sheet (30009/1) 47.99%
      • Microsoft Excel sheet (alternate) (24509/1) 39.20%
      • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
      File name:00620 - 2011 Dept Expense Detail.xls
      File size:53760
      MD5:57bcdf4ddd4c73eb7b1579edf9e10d62
      SHA1:fb7ee5e7a2ef599bcbf982ff6823387792a90335
      SHA256:5c0e2dc5c3e763417c7fb8f02f8d12a64e9aad4f7fa4cf0e7a09e31bfe20e4fd
      SHA512:f0f613246b8fd11cca39102e1aaeea11b3c2228cbee6778245bb34bc96c59bd4ac069e80020ba0bdfb0d90a4b8ccccc6387922b1ec72915fd15c8666bc90643b
      SSDEEP:768:g9RUbndMNmu2jm1xW5aUgAVZx5mXMr2q3rLrLn+zghx0QQDI:iKndMwfjSW5SAVZdygP8
      File Content Preview:........................>...................................M..................................................................................................................................................................................................

      File Icon

      Icon Hash:e4eea286a4b4bcb4

      Static OLE Info

      General

      Document Type:OLE
      Number of OLE Files:1

      OLE File "00620 - 2011 Dept Expense Detail.xls"

      Indicators

      Has Summary Info:True
      Application Name:Microsoft Excel
      Encrypted Document:False
      Contains Word Document Stream:False
      Contains Workbook/Book Stream:True
      Contains PowerPoint Document Stream:False
      Contains Visio Document Stream:False
      Contains ObjectPool Stream:
      Flash Objects Count:
      Contains VBA Macros:True

      Summary

      Code Page:1252
      Author:AutoNation USA
      Last Saved By:DupreeP
      Create Time:1999-02-04 16:48:36
      Last Saved Time:2011-09-20 14:04:38
      Creating Application:Microsoft Excel
      Security:0

      Document Summary

      Document Code Page:1252
      Thumbnail Scaling Desired:False
      Contains Dirty Links:False
      Shared Document:False
      Changed Hyperlinks:False
      Application Version:730895

      Streams with VBA

      VBA File Name: Module1.bas, Stream Size: 3440
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/Module1
      VBA File Name:Module1.bas
      Stream Size:3440
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      Data Raw:01 16 01 00 06 f0 00 00 00 84 03 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff b2 03 00 00 26 0a 00 00 01 00 00 00 01 00 00 00 e9 9b 00 00 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 04 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      VBA Code Keywords

      Keyword
      Time:
      DateTime
      (last
      data/layout
      insert
      "B").Value
      report
      Hideflag
      entire
      column)
      EndColumn
      Range("BeginColumn")
      found
      'places
      searching
      cursor
      BeginRow
      'this
      Cnum).Select
      Worksheets("Actuals").Activate
      EndRow
      column
      ActiveSheet.Cells(Rnum,
      Range("End")
      Integer,
      HideRows.VB_ProcData.VB_Invoke_Func
      Integer
      Attribute
      hasn't
      value
      .Column
      zeroes.
      VB_Name
      HideRows()
      Range("EndColumn")
      other
      ActiveCell.Value
      Range("BeginRow")
      Selection.EntireRow.Hidden
      BeginColumn
      first
      VBA Code
      VBA File Name: ThisWorkbook.cls, Stream Size: 985
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
      VBA File Name:ThisWorkbook.cls
      Stream Size:985
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 e9 9b 89 96 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      VBA Code Keywords

      Keyword
      False
      VB_Exposed
      Attribute
      VB_Name
      VB_Creatable
      "ThisWorkbook"
      VB_PredeclaredId
      VB_GlobalNameSpace
      VB_Base
      VB_Customizable
      VB_TemplateDerived
      VBA Code

      Streams

      Stream Path: \x1CompObj, File Type: data, Stream Size: 109
      General
      Stream Path:\x1CompObj
      File Type:data
      Stream Size:109
      Entropy:4.12087539431
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
      Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
      Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 376
      General
      Stream Path:\x5DocumentSummaryInformation
      File Type:data
      Stream Size:376
      Entropy:3.8484246152
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . H . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . ' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A c t u a l s . . . . . M a c r o 1 . . . . . B e g i n C o l u m n . . . . . E n d C o l u m n . . . . . A c t u a l s ! P r i n t _ A r e a . . . . .
      Data Raw:fe ff 00 00 05 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 48 01 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 e5 00 00 00 02 00 00 00 e4 04 00 00
      Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 216
      General
      Stream Path:\x5SummaryInformation
      File Type:data
      Stream Size:216
      Entropy:3.75113746536
      Base64 Encoded:False
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . ` . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A u t o N a t i o n U S A . . . . . . . . . . D u p r e e P . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . . 5 ^ P . . @ . . . . _ . ; . w . . . . . . . . . .
      Data Raw:fe ff 00 00 05 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a8 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 60 00 00 00 12 00 00 00 70 00 00 00 0c 00 00 00 88 00 00 00 0d 00 00 00 94 00 00 00 13 00 00 00 a0 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 10 00 00 00
      Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 37717
      General
      Stream Path:Workbook
      File Type:Applesoft BASIC program data, first line number 16
      Stream Size:37717
      Entropy:3.85189249275
      Base64 Encoded:True
      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . D u p r e e P B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . . F . 8 . . . . . .
      Data Raw:09 08 10 00 00 06 05 00 88 20 cd 07 c9 c0 00 00 06 03 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 07 00 00 44 75 70 72 65 65 50 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
      Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 405
      General
      Stream Path:_VBA_PROJECT_CUR/PROJECT
      File Type:ASCII text, with CRLF line terminators
      Stream Size:405
      Entropy:5.34110993151
      Base64 Encoded:True
      Data ASCII:I D = " { 6 0 B 0 5 3 F 8 - 9 E 9 D - 1 1 D 2 - 8 F B 6 - 0 0 C 0 4 F 7 7 2 2 2 6 } " . . M o d u l e = M o d u l e 1 . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . N a m e = " F T C O R P . X N V " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 0 7 0 5 B D 4 6 4 F C 6 4 C C A 4 C C A 4 C C A 4 C C A " . . D P B = " 0 0 0 2 B A B D B B B D B B B D " . . G C = " F 9 F B 4 3 B 4 4 4 B 4 4 4 4 B " . . . . [ H o s t
      Data Raw:49 44 3d 22 7b 36 30 42 30 35 33 46 38 2d 39 45 39 44 2d 31 31 44 32 2d 38 46 42 36 2d 30 30 43 30 34 46 37 37 32 32 32 36 7d 22 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 31 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 46 54 43 4f 52 50 2e 58 4e 56 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d
      Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 65
      General
      Stream Path:_VBA_PROJECT_CUR/PROJECTwm
      File Type:data
      Stream Size:65
      Entropy:3.15495300444
      Base64 Encoded:False
      Data ASCII:M o d u l e 1 . M . o . d . u . l . e . 1 . . . T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . . .
      Data Raw:4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 00 00
      Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2821
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
      File Type:data
      Stream Size:2821
      Entropy:4.25301737665
      Base64 Encoded:False
      Data ASCII:. a y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . U . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
      Data Raw:cc 61 79 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00
      Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 1169
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_0
      File Type:data
      Stream Size:1169
      Entropy:3.99317680234
      Base64 Encoded:False
      Data ASCII:. K * y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . f H { 4 . . . K . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . Q . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . . . . . . .
      Data Raw:93 4b 2a 79 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 00 01 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 02 00 00 7e 6d 00 00 7f 00 00 00 00
      Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 82
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_1
      File Type:data
      Stream Size:82
      Entropy:2.2010509371
      Base64 Encoded:False
      Data ASCII:r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 4 q . . . . . . .
      Data Raw:72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 09 00 00 00 00 00 03 00 ff ff ff ff 02 00 00 08 04 00 00 00 20 0a 31 34 71 00 00 7f 00 00 00 00
      Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 136
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_2
      File Type:data
      Stream Size:136
      Entropy:1.6161992012
      Base64 Encoded:False
      Data ASCII:r U . . . . . . . . . . . . . . . . . . . ~ | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . k . . . . . . .
      Data Raw:72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 02 00 00 7e 7c 00 00 7f 00 00 00 00 0e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 03 00 08 00 00 00 00 00 02 00 01 00 01 00 00 00 00 00 30 00 00 00 0c 00 00 00 fc c6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 04 00 00 12 00 00
      Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 107
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_3
      File Type:data
      Stream Size:107
      Entropy:1.90767783468
      Base64 Encoded:False
      Data ASCII:r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . . . . ` . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . . . n . . . . . . .
      Data Raw:72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff 00 00 00 00 08 00 00 00 04 00 24 00 81 00 00 00 00 00 02 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff 61 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6e 00 00 7f 00 00 00 00
      Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 641
      General
      Stream Path:_VBA_PROJECT_CUR/VBA/dir
      File Type:data
      Stream Size:641
      Entropy:6.36296368332
      Base64 Encoded:True
      Data ASCII:. } . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . F T C O R P . X . N V . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . . . 6 . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # U : \\ W I N D . O W S \\ s y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . . . . . . M S F o r m s > . . . . . . S . F . F . r . m . s . 3 . . . . . . E
      Data Raw:01 7d b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 46 54 43 4f 52 50 2e 58 88 4e 56 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 2e fa 87 36 04 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

      Network Behavior

      No network behavior found

      Code Manipulations

      Statistics

      System Behavior

      General

      Start time:00:48:36
      Start date:18/08/2021
      Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      Wow64 process (32bit):false
      Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
      Imagebase:0x13f030000
      File size:27641504 bytes
      MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Disassembly

      Reset < >