Play interactive tour

Edit tour

Windows Analysis Report Faturados_Externo_26_09.xls

Overview

General Information

Sample Name:	Faturados_Externo_26_09.xls
Analysis ID:	491709
MD5:	bb5c37e33e7e1fb9bb7b13960aad6b27
SHA1:	03066751e384c6b9c7df910cd01844f86cbaa43b
SHA256:	002b87472b1991ce420fbaccf76e14620aaf567ee11e2081a559dcefab05fef5
Tags:	geoPRTxls
Infos:
Most interesting Screenshot:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Document contains an embedded VBA macro which executes code when the document is opened / closed

Classification

Process Tree

System is w10x64

EXCEL.EXE (PID: 6344 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: excel.exe

Memory has grown: Private usage: 7MB later: 62MB

Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://api.office.net
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://augloop.office.com
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-gcc.office.com;https://augloop.gov.online.office365.us;ht
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://cdn.entity.
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://cortana.ai
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://cr.office.com
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://directory.services.
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://graph.windows.net
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://login.windows.local
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://management.azure.com
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://management.azure.com/
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://osi.office.net
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://outlook.office.com
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://outlook.office365.com
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://powerlift-user.acompli.net
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://roaming.edog.
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://tasks.office.com
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: VBA code instrumentation

OLE, VBA macro: Module M\xf3dulo1, Function Auto_Open

Name: Auto_Open

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user~1\AppData\Local\Temp\{4EFB0356-8F93-44D4-A74F-2393094F2033} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: classification engine

Classification label: clean0.winXLS@1/4@0/0

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Automated click: OK
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Automated click: OK
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Faturados_Externo_26_09.xls

Static file information: File size 6468096 > 1048576

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting1	Path Interception	Extra Window Memory Injection1	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Scripting1	LSASS Memory	System Information Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Extra Window Memory Injection1	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Faturados_Externo_26_09.xls	0%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://roaming.edog.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-user.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://ovisualuiapp.azurewebsites.net/pbiagave/	0%	URL Reputation	safe
https://augloop.office.com;https://augloop-gcc.office.com;https://augloop.gov.online.office365.us;ht	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://login.microsoftonline.com/	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://shell.suite.office.com:1443	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://autodiscover-s.outlook.com/	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://roaming.edog.	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://cdn.entity.	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://powerlift.acompli.net	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://cortana.ai	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://api.aadrm.com/	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://api.microsoftstream.com/api/	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://cr.office.com	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://portal.office.com/account/?ref=ClientMeControl	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://graph.ppe.windows.net	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false	URL Reputation: safe	unknown
https://powerlift-user.acompli.net	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://officeci.azurewebsites.net/api/	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://store.office.cn/addinstemplate	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://globaldisco.crm.dynamics.com	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://store.officeppe.com/addinstemplate	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false	URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://web.microsoftstream.com/video/	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://graph.windows.net	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://dataservice.o365filtering.com/	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://ncus.contentsync.	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
http://weather.service.msn.com/data.aspx	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://apis.live.net/v5.0/	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://management.azure.com	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://outlook.office365.com	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://wus2.contentsync.	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://api.office.net	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://incidents.diagnosticssdf.office.com	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://entitlement.diagnostics.office.com	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://substrate.office.com/search/api/v2/init	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://outlook.office.com/	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://outlook.office365.com/	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://webshell.suite.office.com	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://substrate.office.com/search/api/v1/SearchHistory	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://management.azure.com/	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://login.windows.net/common/oauth2/authorize	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net/	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://devnull.onenote.com	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://ncus.pagecontentsync.	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false	URL Reputation: safe	unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://messaging.office.com/	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://augloop.office.com/v2	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://skyapi.live.net/Activity/	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/mac	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://dataservice.o365filtering.com	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false	URL Reputation: safe	unknown
https://api.cortana.ai	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high
https://ovisualuiapp.azurewebsites.net/pbiagave/	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false	URL Reputation: safe	unknown
https://augloop.office.com;https://augloop-gcc.office.com;https://augloop.gov.online.office365.us;ht	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false	Avira URL Cloud: safe	low
https://visio.uservoice.com/forums/368202-visio-on-devices	1E49091D-2F41-4D12-AA8A-5E0F0E8C3392.0.dr	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	491709
Start date:	27.09.2021
Start time:	20:33:44
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Faturados_Externo_26_09.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.winXLS@1/4@0/0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe Excluded IPs from analysis (whitelisted): 2.20.86.117, 95.100.54.203, 20.49.150.241, 51.104.136.2, 40.91.76.224, 20.82.210.154, 40.112.88.60, 20.54.110.249, 52.109.88.177, 52.109.88.39, 52.109.76.34, 52.109.76.35, 52.109.8.23, 52.109.76.33, 93.184.221.240, 23.10.249.43, 23.10.249.26, 20.82.209.183 Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, validation-v2.sls.microsoft.com, arc.msn.com, wu.azureedge.net, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, validation-v2.sls.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, wu.ec.azureedge.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, settings-win.data.microsoft.com, ctldl.windowsupdate.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, config.officeapps.live.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net, europe.configsvc1.live.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtReadVirtualMemory calls found. Report size getting too big, too many NtSetInformationFile calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/491709/sample/Faturados_Externo_26_09.xls

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1E49091D-2F41-4D12-AA8A-5E0F0E8C3392 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	138701
Entropy (8bit):	5.360733266434256
Encrypted:	false
SSDEEP:	1536:+cQIKNZeBdA3gBwfnQ9DQW+z2Y34Zli7nXboOidX8E6LWME9:lWQ9DQW+z6Xh1
MD5:	EA5D73D20641058609F3ADE1067F1245
SHA1:	CC453919CCBBA61E77B8F621232E0299B0768010
SHA-256:	8A84ADAF927D4B7F7138C503757E957D5814C4E8B35093DA1FC5399D894DA1B1
SHA-512:	2E34A49C7482E2D125C3CCF65650B597D6DD894727667B78E37976E5E7FB194CC27518B10C9B352BD56B4422EE77CF1694A75B44654BD61C85E4CFCBE1EEB3A7
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-09-27T18:35:23">.. Build: 16.0.14522.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\77110AAA.emf Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	2804
Entropy (8bit):	2.6224368355147445
Encrypted:	false
SSDEEP:	24:YAtE+Y0xEjrlbDK3XHqYdV7C2tEDEcq4nJssdCqzvYDy22PEnOds6gAMToFM166q:dmDKnZJdtJcqCJssdCqzvy7imTo
MD5:	14FC01BED46EB78EB1F149A96B852DBF
SHA1:	156279B5667F0ECFC5ECC1E73E6F5F6B0AB2FCBD
SHA-256:	BC79B5AF0298E761109C737731B9832513C86254DC84CABFD6C2C93C813E3A42
SHA-512:	97E0CE4DA26D7239A43F8590E4BBF86FD4C90DE60D8D4F8F9AD9176E4F0F21A5147D4A3B01CC06D9080F4682975C7179D67C9DE6EA1B8CB779918AAFBE4F8D9E
Malicious:	false
Reputation:	low
Preview:	....l...............(................... EMF........2...................V.......5..........................F...`...R...GDIC.........5<.....:...............).............................).................iii.......-.........!...).............!.......(.....................-.........!...(.............!.............................-.........!...'.............!.......'.....................-.........!...&.............!.............................-.........!...%...........-.........!...#.......................)......................................................@..Arial.fR......_.....................-.............)...2.................Atualizar base Input............................................'...................................)...............)...............................)...!.......'...............iii.....%...........L...d...............(...............)...!..............?...........?................................L...d.......(.......(.......(...........!..............?........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7DA74C0D.emf Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	2708
Entropy (8bit):	2.5786874272687887
Encrypted:	false
SSDEEP:	24:YWtEK0iSjIEbAFl1dLMHoaYxD6xZ0Hv539Dv28fEhzds6gh/DA:LLEcFlDoIam53Be8wIE
MD5:	C44F1D185564C8F67F6AA4B5816D39C5
SHA1:	0C2824967371BED57208D775A41F27FA5F67076E
SHA-256:	0D97E2158715C2464899F235E76F91BAFBBF4ABEC8E4EA8B5854EC4D7AFE0E21
SHA-512:	1C7D6A91B45468FE64484D06AA5653D3CBB401B9E4C8F7D9B2083912526FF01BB96E7FFBABD0F62EA135EE603364684AEC1548A691850332A6FADBC1E5C67CB9
Malicious:	false
Reputation:	low
Preview:	....l...........................~....... EMF........2...................V.......5..........................F...@...2...GDIC.........`......................................................................iii.......-.........!.................!.............................-.........!.................!.............................-.........!.................!.............................-.........!.................!.............................-.........!...............-.........!..................................................................................@..Arial.f......._.....;...............-.................2...(.............FINALIZAR.......................'.......................................................................................!.......'...............iii.....%...........L...d...................................!..............?...........?................................L...d...................................!..............?...........?............................

C:\Users\user\AppData\Local\Temp\Excel8.0\MSForms.exd Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	248808
Entropy (8bit):	4.291083963049068
Encrypted:	false
SSDEEP:	3072:XzuSNQT8WZFVKKHSRDqBcA+FLM0Ar6t3s6bh:XzlNQAMFVTHSIcA+FLM0Awjbh
MD5:	55DF7CB1D2449438B44C234E2F035524
SHA1:	A5435D19D53BC5406A14D4D5473054CA24C07402
SHA-256:	4F02C73E5BE9C15EEE7E5A58DA8A662372F6EF276AC4E7E3D9C16ABB1F7078CE
SHA-512:	B9135D660C6399811DC02F4C77CDB143FB43E7C7ED1F573BEC6EB2562632E4B01626D5298F5E281D06BE8B88564DFE94233A32CC23F3E81AAA89137A9AC0DF3D
Malicious:	false
Reputation:	low
Preview:	MSFT................Q................................%......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........\|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0......*..\+...+..$,...,...,..P-...-......\|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8...8...9..l9...9..4:...:...:..`;...;..(<...<...<..T=...=...>...>...>..H?...?...@..t@...@..<A...A...B..hB.......l...B..........................H...4............................................ ...............................x..lL..............T............ ..P........................... ...................................................

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: multibras eletrodomesticos, Last Saved By: HENRIQUE Tempesta, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Aug 27 14:16:27 2008, Last Saved Time/Date: Mon Sep 27 17:53:48 2021, Security: 1
Entropy (8bit):	7.504037198033761
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	Faturados_Externo_26_09.xls
File size:	6468096
MD5:	bb5c37e33e7e1fb9bb7b13960aad6b27
SHA1:	03066751e384c6b9c7df910cd01844f86cbaa43b
SHA256:	002b87472b1991ce420fbaccf76e14620aaf567ee11e2081a559dcefab05fef5
SHA512:	6c8b98b91e9ed390cd6b77ea3d0a077aefa6caf2465d6386574a0a7aa31a38163351b67c2eeb3962753c12eef510fb86a8880e30d63efaf158694e74286c5c59
SSDEEP:	196608:uQfhzNeEyOb5U4TzBLqKU7zgqTvFV21Xq1kYTqE3ZpMf1m+K+76P5veG2cn:npReEzdUVKUQqTvFV/1kYuEZKfs+p7AH
File Content Preview:	........................>...................c...................................c.......e.......g.......i.......k.......m.......o.......q.......s.......u.......w.......y.......{.......}...............a.......c.......e.......g.......i.......k.......m......

File Icon


Icon Hash:	74ecd4c6c3c6c4d8

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2021 20:34:39.267716885 CEST	57820	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:34:39.285800934 CEST	53	57820	8.8.8.8	192.168.2.7
Sep 27, 2021 20:34:50.538496017 CEST	50848	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:34:50.621289015 CEST	53	50848	8.8.8.8	192.168.2.7
Sep 27, 2021 20:35:01.330779076 CEST	61242	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:35:01.362319946 CEST	53	61242	8.8.8.8	192.168.2.7
Sep 27, 2021 20:35:01.959630013 CEST	58562	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:35:01.986485004 CEST	53	58562	8.8.8.8	192.168.2.7
Sep 27, 2021 20:35:02.222446918 CEST	56590	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:35:02.258907080 CEST	53	56590	8.8.8.8	192.168.2.7
Sep 27, 2021 20:35:02.382972002 CEST	60501	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:35:02.396140099 CEST	53	60501	8.8.8.8	192.168.2.7
Sep 27, 2021 20:35:03.360610008 CEST	53775	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:35:03.374425888 CEST	53	53775	8.8.8.8	192.168.2.7
Sep 27, 2021 20:35:05.268197060 CEST	51837	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:35:05.281961918 CEST	53	51837	8.8.8.8	192.168.2.7
Sep 27, 2021 20:35:10.411232948 CEST	55411	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:35:10.441078901 CEST	53	55411	8.8.8.8	192.168.2.7
Sep 27, 2021 20:35:15.767214060 CEST	63668	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:35:15.800151110 CEST	53	63668	8.8.8.8	192.168.2.7
Sep 27, 2021 20:35:15.969851971 CEST	54640	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:35:15.982896090 CEST	53	54640	8.8.8.8	192.168.2.7
Sep 27, 2021 20:35:16.472429991 CEST	58739	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:35:16.527059078 CEST	53	58739	8.8.8.8	192.168.2.7
Sep 27, 2021 20:35:16.937247038 CEST	60338	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:35:16.950819016 CEST	53	60338	8.8.8.8	192.168.2.7
Sep 27, 2021 20:35:17.211555004 CEST	58717	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:35:17.224188089 CEST	53	58717	8.8.8.8	192.168.2.7
Sep 27, 2021 20:35:17.624660015 CEST	59762	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:35:17.705667973 CEST	53	59762	8.8.8.8	192.168.2.7
Sep 27, 2021 20:35:18.026458025 CEST	54329	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:35:18.039784908 CEST	53	54329	8.8.8.8	192.168.2.7
Sep 27, 2021 20:35:18.468652010 CEST	58052	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:35:18.483472109 CEST	53	58052	8.8.8.8	192.168.2.7
Sep 27, 2021 20:35:19.036345959 CEST	54008	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:35:19.050621986 CEST	53	54008	8.8.8.8	192.168.2.7
Sep 27, 2021 20:35:19.515542030 CEST	59451	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:35:19.581887007 CEST	53	59451	8.8.8.8	192.168.2.7
Sep 27, 2021 20:35:19.869642019 CEST	52914	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:35:19.883462906 CEST	53	52914	8.8.8.8	192.168.2.7
Sep 27, 2021 20:35:23.115374088 CEST	64569	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:35:23.190433979 CEST	53	64569	8.8.8.8	192.168.2.7
Sep 27, 2021 20:35:23.813245058 CEST	52816	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:35:23.844614029 CEST	53	52816	8.8.8.8	192.168.2.7
Sep 27, 2021 20:35:24.813949108 CEST	52816	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:35:24.849855900 CEST	53	52816	8.8.8.8	192.168.2.7
Sep 27, 2021 20:35:25.860825062 CEST	52816	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:35:25.920773029 CEST	53	52816	8.8.8.8	192.168.2.7
Sep 27, 2021 20:35:27.881825924 CEST	52816	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:35:27.921606064 CEST	53	52816	8.8.8.8	192.168.2.7
Sep 27, 2021 20:35:31.908091068 CEST	52816	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:35:31.948730946 CEST	53	52816	8.8.8.8	192.168.2.7
Sep 27, 2021 20:35:32.631789923 CEST	50781	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:35:32.674144983 CEST	53	50781	8.8.8.8	192.168.2.7
Sep 27, 2021 20:35:44.540184975 CEST	54230	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:35:44.548353910 CEST	54911	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:35:44.553406000 CEST	53	54230	8.8.8.8	192.168.2.7
Sep 27, 2021 20:35:44.577534914 CEST	53	54911	8.8.8.8	192.168.2.7
Sep 27, 2021 20:35:48.888216019 CEST	49958	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:35:48.902065992 CEST	53	49958	8.8.8.8	192.168.2.7
Sep 27, 2021 20:36:21.822010040 CEST	50860	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:36:21.853615999 CEST	53	50860	8.8.8.8	192.168.2.7
Sep 27, 2021 20:36:23.466706038 CEST	50452	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:36:23.496978998 CEST	53	50452	8.8.8.8	192.168.2.7

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: EXCEL.EXE PID: 6344 Parent PID: 792

General

Start time:	20:35:21
Start date:	27/09/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase:	0x1350000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: EstaPasta_de_trabalho

Declaration

Line	Content
1	Attribute VB_Name = "EstaPasta_de_trabalho"
2	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: M\xf3dulo1

Declaration

Line	Content
1	Attribute VB_Name = "M\xf3dulo1"

Executed Functions

Subroutine Auto_Open, APIs: 57, Strings: 30, Number of lines: 73, Relevance: 154.073

APIs	Meta Information
WindowState
xlNormal
Width
Height
InputBox
InputBox
EnableCancelKey
xlDisabled
Cells
Protect
Unprotect
Activate
Select
Activate
Find
ActiveCell
xlValues
xlWhole
xlByRows
xlNext
Row
Cells
Activate
Select
AutoFilter
AutoFilter
Select
Select
Copy
Activate
Select
Paste
Select
Select
Select
CutCopyMode
AutoFilter
Activate
Protect
WindowState
xlMaximized
EnableCancelKey
xlInterrupt
MsgBox
Protect
EnableCancelKey
xlInterrupt
Close
WindowState
xlMaximized
MsgBox
Protect
EnableCancelKey
xlInterrupt
Close
WindowState
xlMaximized

Strings	Decrypted Strings
"Qual o c\xf3digo de cliente ?"
"Favor digitar a senha da planilha."
"Apoio"
""""
""""
"Clientes"
"Clientes"
"A:A"
"A1"
"9:9"
"A1"
"Clientes"
"Final"
"IV65536"
"Lista Pendentes"
"Lista Pendentes"
"Lista Pendentes"
"9:9"
"A1"
"IV65536"
"Final"
"A1"
"A1"
"Lista Pendentes"
"A1"
"Lista Pendentes"
"Clientes"
"Final"
"O c\xf3digo do cliente n\xe3o confere."
"A senha do cliente n\xe3o confere."

Line	Instruction	Meta Information
2	Sub Auto_Open()
3	Attribute Auto_Open.VB_Description = "Macro gravada em 27/8/2008 por Mauro R Mello"	executed
4	Attribute Auto_Open.VB_ProcData.VB_Invoke_Func = " \n14" ' BAD !
11	On Error Goto Pula1
13	Application.WindowState = xlNormal	WindowState xlNormal
14	Application.Width = 127.5	Width
15	Application.Height = 30.75	Height
17	Codigo = InputBox("Qual o c\xf3digo de cliente ?")	InputBox
19	SenhaCliente = InputBox("Favor digitar a senha da planilha.")	InputBox
21	Application.EnableCancelKey = xlDisabled	EnableCancelKey xlDisabled
23	SenhaPlanilha = Sheets("Apoio").Cells(1, 1).Value	Cells
25	ActiveWorkbook.Protect Password := SenhaPlanilha, Structure := True, Windows := True	Protect
27	ActiveWorkbook.Unprotect Password := SenhaPlanilha	Unprotect
30	If Codigo = "" Then
30	Goto PulaCodigo
30	Endif
31	If SenhaCliente = "" Then
31	Goto PulaSenha
31	Endif
33	Sheets("Clientes").Visible = True
34	Sheets("Clientes").Activate	Activate
35	Columns("A:A").Select	Select
36	Range("A1").Activate	Activate
43	Set Existe = Selection.Find(What := Codigo, After := ActiveCell, LookIn := xlValues, LookAt := xlWhole, SearchOrder := xlByRows, SearchDirection := xlNext, MatchCase := False)	Find ActiveCell xlValues xlWhole xlByRows xlNext
47	If Not Existe Is Nothing Then
51	LinhaExiste = Existe.Row	Row
52	Senha = Cells(LinhaExiste, 3).Value	Cells
53	Else
54	Goto PulaCodigo
55	Endif
57	If SenhaCliente = Senha Then
59	Sheets("Lista Pendentes").Visible = True
60	Sheets("Lista Pendentes").Activate	Activate
61	Rows("9:9").Select	Select
62	Selection.AutoFilter	AutoFilter
63	Selection.AutoFilter Field := 4, Criteria1 := Codigo	AutoFilter
64	Range("A1", "IV65536").Select	Select
66	Selection.SpecialCells(xlCellTypeVisible).Select	Select
68	Selection.Copy	Copy
69	Sheets("Final").Activate	Activate
70	Range("A1").Select	Select
71	ActiveSheet.Paste	Paste
72	Range("A1").Select	Select
73	Sheets("Lista Pendentes").Select	Select
74	Range("A1").Select	Select
75	Application.CutCopyMode = False	CutCopyMode
76	Selection.AutoFilter	AutoFilter
77	Sheets("Lista Pendentes").Visible = False
78	Sheets("Clientes").Visible = False
79	Sheets("Final").Activate	Activate
81	ActiveWorkbook.Protect Password := SenhaPlanilha, Structure := True, Windows := True	Protect
83	Application.WindowState = xlMaximized	WindowState xlMaximized
85	Else
87	Goto PulaSenha
89	Endif
90	Application.EnableCancelKey = xlInterrupt	EnableCancelKey xlInterrupt
91	Exit Sub
92	PulaCodigo:
94	MsgBox ("O c\xf3digo do cliente n\xe3o confere.")	MsgBox
94	Pula1:
96	ActiveWorkbook.Protect Password := SenhaPlanilha, Structure := True, Windows := True	Protect
97	Application.EnableCancelKey = xlInterrupt	EnableCancelKey xlInterrupt
98	ActiveWorkbook.Close Savechanges := False	Close
99	Application.WindowState = xlMaximized	WindowState xlMaximized
100	Exit Sub
101	PulaSenha:
103	MsgBox ("A senha do cliente n\xe3o confere.")	MsgBox
104	ActiveWorkbook.Protect Password := SenhaPlanilha, Structure := True, Windows := True	Protect
105	Application.EnableCancelKey = xlInterrupt	EnableCancelKey xlInterrupt
106	ActiveWorkbook.Close Savechanges := False	Close
107	Application.WindowState = xlMaximized	WindowState xlMaximized
108	Exit Sub
110	End Sub

Module: Plan1

Declaration

Line	Content
1	Attribute VB_Name = "Plan1"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True
9	Attribute VB_Control = "CommandButton1, 1, 0, MSForms, CommandButton"

Non-Executed Functions

Subroutine CommandButton1_Click, APIs: 4, Strings: 5, Number of lines: 8, Relevance: 13.508

APIs	Meta Information
Cells
Activate
Delete
Protect

Strings	Decrypted Strings
"Apoio"
"Lista Pendentes"
"Clientes"
"Final"
"Final"

Line	Instruction	Meta Information
13	Private Sub CommandButton1_Click()
15	SenhaOutput = Sheets("Apoio").Cells(1, 1).Value	Cells
17	Sheets("Lista Pendentes").Visible = False
18	Sheets("Clientes").Visible = False
19	Sheets("Final").Activate	Activate
20	Sheets("Final").Cells.Delete	Delete
22	ActiveWorkbook.Protect Password := SenhaOutput, Structure := True, Windows := True	Protect
24	End Sub

Module: Plan2

Declaration

Line	Content
1	Attribute VB_Name = "Plan2"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: Plan3

Declaration

Line	Content
1	Attribute VB_Name = "Plan3"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: Plan4

Declaration

Line	Content
1	Attribute VB_Name = "Plan4"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True
9	Attribute VB_Control = "CommandButton1, 1, 0, MSForms, CommandButton"

Non-Executed Functions

Subroutine CommandButton1_Click, APIs: 5, Strings: 5, Number of lines: 14, Relevance: 15.014

APIs	Meta Information
Cells
Protect
InputBox
Unprotect
Activate

Strings	Decrypted Strings
"Apoio"
"Digite a senha para esta opera\xe7\xe3o."
"Lista Pendentes"
"Clientes"
"Lista Pendentes"

Line	Instruction	Meta Information
13	Private Sub CommandButton1_Click()
15	SenhaInput = Sheets("Apoio").Cells(1, 1).Value	Cells
17	ActiveWorkbook.Protect Password := SenhaInput, Structure := True, Windows := True	Protect
19	SenhaDela = InputBox("Digite a senha para esta opera\xe7\xe3o.")	InputBox
21	If SenhaInput <> SenhaDela Then
22	Goto Fim
23	Else
24	ActiveWorkbook.Unprotect Password := SenhaInput	Unprotect
25	Sheets("Lista Pendentes").Visible = True
26	Sheets("Clientes").Visible = True
28	Sheets("Lista Pendentes").Activate	Activate
29	Endif
30	Fim:
32	End Sub

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Faturados_Externo_26_09.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: EXCEL.EXE PID: 6344 Parent PID: 792

General

Chronological Activities

Disassembly

VBA Code

Call Graph

Graph

Module: EstaPasta_de_trabalho

Declaration

Module: M\xf3dulo1

Declaration

Executed Functions

Subroutine Auto_Open, APIs: 57, Strings: 30, Number of lines: 73, Relevance: 154.073

Module: Plan1

Declaration

Non-Executed Functions

Subroutine CommandButton1_Click, APIs: 4, Strings: 5, Number of lines: 8, Relevance: 13.508

Module: Plan2

Declaration

Module: Plan3