Loading ...

Play interactive tourEdit tour

Windows Analysis Report 650912 .xls

Overview

General Information

Sample Name:650912 .xls
Analysis ID:500395
MD5:5b239ac2b45218ad505553d52203c744
SHA1:abefd9905f25fdcea76783cfd877c19206d117ab
SHA256:f3ff9603b23796a30d10ae2cfa0001212752705a3e602371ae74d0f4d8defb71
Tags:brtGoziisfbursnifxls
Infos:

Most interesting Screenshot:

Detection

Ursnif Dropper
Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Detected Italy targeted Ursnif dropper document
Document contains an embedded VBA macro with suspicious strings
Document contains embedded VBA macros

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 1204 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Multi AV Scanner detection for submitted fileShow sources
Source: 650912 .xlsReversingLabs: Detection: 20%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

E-Banking Fraud:

barindex
Detected Italy targeted Ursnif dropper documentShow sources
Source: Initial sampleOLE, VBA macro line: Ursnif specific tokens

System Summary:

barindex
Document contains an embedded VBA macro with suspicious stringsShow sources
Source: 650912 .xlsOLE, VBA macro line: Excel4MacroSheets.Add(Before:=Worksheets((1))).Name = vgiom: ottoB
Source: 650912 .xlsOLE, VBA macro line: ActiveSheet.Visible = 0
Source: 650912 .xlsOLE indicator, VBA macros: true
Source: 650912 .xlsReversingLabs: Detection: 20%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRF41E.tmpJump to behavior
Source: 650912 .xlsOLE indicator, Workbook stream: true
Source: classification engineClassification label: mal60.bank.expl.winXLS@1/0@0/0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: 650912 .xlsInitial sample: OLE summary comments = ''BRT
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsScripting11Path InterceptionPath InterceptionScripting11OS Credential DumpingFile and Directory Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemorySystem Information Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
650912 .xls20%ReversingLabsDocument-Excel.Trojan.Heuristic

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:33.0.0 White Diamond
Analysis ID:500395
Start date:12.10.2021
Start time:00:15:54
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 14s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:650912 .xls
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal60.bank.expl.winXLS@1/0@0/0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .xls
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Active Picture Object
  • Active AutoShape Object
  • Scroll down
  • Close Viewer
Warnings:
Show All
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
  • VT rate limit hit for: /opt/package/joesandbox/database/analysis/500395/sample/650912 .xls

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Create Time/Date: Mon Oct 11 09:03:47 2021, Last Saved Time/Date: Mon Oct 11 09:03:49 2021, Security: 0, Comments: ''BRT
Entropy (8bit):5.314831852450583
TrID:
  • Microsoft Excel sheet (30009/1) 78.94%
  • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:650912 .xls
File size:51712
MD5:5b239ac2b45218ad505553d52203c744
SHA1:abefd9905f25fdcea76783cfd877c19206d117ab
SHA256:f3ff9603b23796a30d10ae2cfa0001212752705a3e602371ae74d0f4d8defb71
SHA512:af1bb5477e46cc4ed1177a0b48a6d187b2a45fa68a28291f10466d85816bae8d6ba1ad1579f1b1f6ef4d276ad73efd98cebf4fe7071349769c6a93dc0cbda5fd
SSDEEP:1536:dsQlYkEIbSkKBEqEXPgsRZmbaoFhZhR0cixIHm0THPFDI0LF/yUKAmsiwc:dhlYkEIuPm3fNRZmbaoFhZhR0cixIHmP
File Content Preview:........................>...................................;..................................................................................................................................................................................................

File Icon

Icon Hash:e4eea286a4b4bcb4

Static OLE Info

General

Document Type:OLE
Number of OLE Files:1

OLE File "650912 .xls"

Indicators

Has Summary Info:True
Application Name:unknown
Encrypted Document:False
Contains Word Document Stream:False
Contains Workbook/Book Stream:True
Contains PowerPoint Document Stream:False
Contains Visio Document Stream:False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:True

Summary

Code Page:1252
Comments:''BRT
Create Time:2021-10-11 08:03:47.102000
Last Saved Time:2021-10-11 08:03:49
Security:0

Document Summary

Document Code Page:1252
Thumbnail Scaling Desired:False
Company:
Contains Dirty Links:False
Shared Document:False
Changed Hyperlinks:False
Application Version:1048576

Streams with VBA

VBA File Name: Foglio1, Stream Size: 992
General
Stream Path:_VBA_PROJECT_CUR/VBA/Foglio1
VBA File Name:Foglio1
Stream Size:992
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 b8 98 9f 83 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
VBA Code
VBA File Name: Questa_cartella_di_lavoro, Stream Size: 6050
General
Stream Path:_VBA_PROJECT_CUR/VBA/Questa_cartella_di_lavoro
VBA File Name:Questa_cartella_di_lavoro
Stream Size:6050
Data ASCII:. . . . . . . . . 2 . . . . . . . . . . . ` . . . n . . . b . . . . . . . . . . . . . l . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . F . . . w . K . f . . . . . : . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . ` . . J . . . . . ~ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . ` . . J . . . . . ~ . . . F . . . w . K . f . . . . . : . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:01 16 03 00 06 00 01 00 00 32 0b 00 00 e4 00 00 00 10 02 00 00 60 0b 00 00 6e 0b 00 00 62 13 00 00 0e 00 00 00 01 00 00 00 b8 98 6c 8d 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 1c 46 db f0 90 77 d1 4b a7 66 e3 9c a9 9f 00 3a 19 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00
VBA Code

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 118
General
Stream Path:\x1CompObj
File Type:data
Stream Size:118
Entropy:4.32915524493
Base64 Encoded:True
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . F * . . . ( F o g l i o d i l a v o r o d i M i c r o s o f t E x c e l 2 0 0 3 . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 2a 00 00 00 28 46 6f 67 6c 69 6f 20 64 69 20 6c 61 76 6f 72 6f 20 64 69 20 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 248
General
Stream Path:\x5DocumentSummaryInformation
File Type:data
Stream Size:248
Entropy:2.78187154374
Base64 Encoded:True
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 0 2 1 1 0 . . . . . . . . . . . . . . . . . F o g l i d i l a v o r o . . . . . . . . .
Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c8 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 a0 00 00 00
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 160
General
Stream Path:\x5SummaryInformation
File Type:data
Stream Size:160
Entropy:3.0437641747
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . p . . . . . . . . . . . 8 . . . . . . . @ . . . . . . . L . . . . . . . X . . . . . . . ` . . . . . . . . . . . . . . . . . . . @ . . . . . . . v . . . @ . . . . . . . v . . . . . . . . . . . . . . . . . . . ' ' B R T . . .
Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 70 00 00 00 05 00 00 00 01 00 00 00 38 00 00 00 0c 00 00 00 40 00 00 00 0d 00 00 00 4c 00 00 00 13 00 00 00 58 00 00 00 06 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 e4 04 00 00 40 00 00 00 e0 03 9d 84 76 be d7 01 40 00 00 00
Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 28527
General
Stream Path:Workbook
File Type:Applesoft BASIC program data, first line number 16
Stream Size:28527
Entropy:6.28607255882
Base64 Encoded:True
Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . Q u e s t a _ c a r t e l l a _ d i _ l a v o r o . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . C
Data Raw:09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 454
General
Stream Path:_VBA_PROJECT_CUR/PROJECT
File Type:ASCII text, with CRLF line terminators
Stream Size:454
Entropy:5.34024688628
Base64 Encoded:True
Data ASCII:I D = " { 4 5 6 C 0 9 9 E - 4 D E E - 4 4 5 9 - 9 9 9 E - 2 4 3 6 C D 6 1 0 0 B 1 } " . . D o c u m e n t = Q u e s t a _ c a r t e l l a _ d i _ l a v o r o / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = F o g l i o 1 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 8 0 8 2 5 2 5 0 5 6 5 0 5 6 5 0 5 6 5 0 5 6 " . . D P B = " 2 6 2 4 F 4 5 0 3 C 5 0 E 3 5 1 E 3 5 1 E 3 " . . G C = "
Data Raw:49 44 3d 22 7b 34 35 36 43 30 39 39 45 2d 34 44 45 45 2d 34 34 35 39 2d 39 39 39 45 2d 32 34 33 36 43 44 36 31 30 30 42 31 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 51 75 65 73 74 61 5f 63 61 72 74 65 6c 6c 61 5f 64 69 5f 6c 61 76 6f 72 6f 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 46 6f 67 6c 69 6f 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 56
Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 104
General
Stream Path:_VBA_PROJECT_CUR/PROJECTwm
File Type:data
Stream Size:104
Entropy:3.33133492199
Base64 Encoded:False
Data ASCII:Q u e s t a _ c a r t e l l a _ d i _ l a v o r o . Q . u . e . s . t . a . _ . c . a . r . t . e . l . l . a . _ . d . i . _ . l . a . v . o . r . o . . . F o g l i o 1 . F . o . g . l . i . o . 1 . . . . .
Data Raw:51 75 65 73 74 61 5f 63 61 72 74 65 6c 6c 61 5f 64 69 5f 6c 61 76 6f 72 6f 00 51 00 75 00 65 00 73 00 74 00 61 00 5f 00 63 00 61 00 72 00 74 00 65 00 6c 00 6c 00 61 00 5f 00 64 00 69 00 5f 00 6c 00 61 00 76 00 6f 00 72 00 6f 00 00 00 46 6f 67 6c 69 6f 31 00 46 00 6f 00 67 00 6c 00 69 00 6f 00 31 00 00 00 00 00
Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2979
General
Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type:data
Stream Size:2979
Entropy:4.43610309509
Base64 Encoded:False
Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
Data Raw:cc 61 b5 00 00 03 00 ff 10 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2019
General
Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_0
File Type:data
Stream Size:2019
Entropy:3.35046169998
Base64 Encoded:False
Data ASCII:. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ Z . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . K G . v . . . J . . , . . | _ X . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:93 4b 2a b5 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 02 00 00 00 00 00 00 7e 02 00 00 00
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 268
General
Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_1
File Type:data
Stream Size:268
Entropy:1.7944240825
Base64 Encoded:False
Data ASCII:r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . d d . . . . . . . . . . . . . . . . i . . . . . . . . . . . . . . . . w . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . z N . . .
Data Raw:72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff 06 00 00 00 00 00
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 2797
General
Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_2
File Type:data
Stream Size:2797
Entropy:1.97411509248
Base64 Encoded:False
Data ASCII:r U . . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 . ` . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:72 55 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 d0 00 00 00 00 00 00 00 00 00 00 00 0e 00 0e 00 00 00 00 00 01 00 01 00 00 00 01 00 d1 03 00 00 00 00 00 00 00 00 00 00 11 08 00 00 00 00 00 00 00 00 00 00 41 08
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 1000
General
Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_3
File Type:data
Stream Size:1000
Entropy:2.49662055587
Base64 Encoded:False
Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . @ . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O . X . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . F . O . @ . . . . . . . . . . . . . . . . ` . . . . . .
Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 40 00 e1 01 00 00 00 00 00 00 00 00 02 00 00 00 03 60 04 01 d9 08 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 563
General
Stream Path:_VBA_PROJECT_CUR/VBA/dir
File Type:data
Stream Size:563
Entropy:6.24783906376
Base64 Encoded:True
Data ASCII:. / . . . . . . . . . . 0 . J . . . . H . . H . . . . . . H . . . d . . . . . . . . V B A P r @ o j e c t . . . . T . @ . . . . . = . . . + . r . . . . . . . . y = . W c . . . . J < . . . . . . 9 s t d o l . e > . . s . t . d . . o . l . e . . . . h . % ^ . . * \\ G . { 0 0 0 2 0 4 3 . 0 - . . . . C . . . . . . . 0 0 4 6 } # 2 . . 0 # 0 # C : \\ W . i n d o w s \\ S . y s t e m 3 2 \\ . . e 2 . t l b # O . L E A u t o m . a t i o n . 0 . . . E O f f i c . E O . . f . . i . c . E . . . . . . . . E 2 D F 8 D
Data Raw:01 2f b2 80 01 00 04 00 00 00 03 00 30 aa 4a 02 90 02 00 48 02 02 48 09 00 c0 12 14 06 48 03 00 01 64 e4 04 04 04 00 0a 00 84 56 42 41 50 72 40 6f 6a 65 63 74 05 00 1a 00 54 00 40 02 0a 06 02 0a 3d 02 0a 07 2b 02 72 01 14 08 06 12 09 02 12 79 3d a0 57 63 02 00 0c 02 4a 3c 02 0a 04 16 00 01 39 73 74 64 6f 6c 04 65 3e 02 19 73 00 74 00 64 00 00 6f 00 6c 00 65 00 0d 14 00 68 00 25 5e

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

General

Start time:00:16:23
Start date:12/10/2021
Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):false
Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:0x13f240000
File size:28253536 bytes
MD5 hash:D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

Disassembly

Reset < >