Edit tour

Windows Analysis Report
RU419 FEB17 BSRec_InvNet.xlsx

Overview

General Information

Sample Name:	RU419 FEB17 BSRec_InvNet.xlsx
Analysis ID:	562532
MD5:	bb2bdf2659b515eee1f56c0382847fd7
SHA1:	72405dd23abe1d3f97b75e3eb50bcecbf51669f8
SHA256:	a36ec67f835cb7968270d43f151df7b0b3cbd501b5eeb4688b8676758deadb0e

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

No high impact signatures.

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 1704 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

cleanup

Malware Configuration

⊘No configs have been found

Yara Overview

⊘No yara matches

Sigma Overview

⊘No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\923BA48A.emf

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR2480.tmp

Jump to behavior

Source: classification engine

Classification label: clean0.winXLSX@1/9@0/0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$RU419 FEB17 BSRec_InvNet.xlsx

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet4.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/embeddings/oleObject4.bin
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/drawing4.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/embeddings/oleObject3.bin
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/drawing3.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/vmlDrawing2.vml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/embeddings/oleObject1.bin
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/embeddings/oleObject2.bin
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/drawing5.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/drawing6.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/media/image10.png
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/_rels/drawing2.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/_rels/vmlDrawing2.vml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/_rels/drawing4.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/_rels/drawing5.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/_rels/drawing6.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet19.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet15.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet9.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet3.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet4.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/drawing2.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/media/image5.emf
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet13.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet19.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet18.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet17.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet16.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet15.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet14.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet11.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet10.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet9.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet5.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/media/image3.emf
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/media/image2.emf
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet6.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/media/image1.png
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet7.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet8.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet12.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink1.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink2.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink7.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink6.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink5.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink4.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink3.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink1.xml.rels
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink2.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink7.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/ctrlProps/ctrlProp1.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/ctrlProps/ctrlProp2.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink6.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings4.bin
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings5.bin
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/calcChain.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink3.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink4.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings6.bin
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink5.xml
Source: RU419 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = docProps/custom.xml

Source: RU419 FEB17 BSRec_InvNet.xlsx

Static file information: File size 4768919 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: RU419 FEB17 BSRec_InvNet.xlsx

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	562532
Start date:	29.01.2022
Start time:	01:08:09
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 57s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	RU419 FEB17 BSRec_InvNet.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	81
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.winXLSX@1/9@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx

Warnings

Max analysis timeout: 600s exceeded, the analysis took too long
Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, mscorsvw.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 92.123.101.218, 92.123.101.179
Excluded domains from analysis (whitelisted): wu-shim.trafficmanager.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, download.windowsupdate.com.edgesuite.net
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2BCACAFF.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	5996
Entropy (8bit):	2.187911659414248
Encrypted:	false
SSDEEP:	24:YOPJZ7pbkyVbYqpBBBBBBBUBBBBBBqBBBBBBBUBBBBBBqBBBBBBBUBBBBBBqBBBc:9vdbkgbUKOwfnV3UqcZZI6Lae
MD5:	914B8A0FCDE8E024E1614BC59CF4CEF0
SHA1:	121F6CF39B1341AA8AF2EDC312DCAA3B58701A80
SHA-256:	FB25589D52AC2015251A56299D5DBF0A164B8CB78086F76BCE990DC717838804
SHA-512:	1B7E4837C949D8509F35C528D4B574CF74C15ED36180F014838723B4ED792316712C4A4EED8740388A43C99EAA406079F02D1FCFB2E27BC62FDAB955CD8CF42D
Malicious:	false
Reputation:	low
Preview:	....l...........]...J...........9....... EMF....l...........................8.......}................U..H...F...,... ...EMF+.@..................`...`...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........!.......%.......................................................................'.......................%...........K.......................................M...$... .......?...!... ....... ... ..................?...........?................l...0........... ... ...(... ..."..............................................................?..................................................................................................3...7...7...?.M....... .......?...!... ....... ... ...F.f............?...........?................l...4........... ... ...(... ... ..... .........................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\42105703.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	5356
Entropy (8bit):	2.3390883230088235
Encrypted:	false
SSDEEP:	48:S83IHpHK2g4x//3G7+wJj7IaK0JohkN+DuuHmt:SVHpHK2x//3+xB7IaK0bNIXGt
MD5:	FA14D04AC7BE94D9470D68B5B05326B9
SHA1:	4C15B8938037773793BC22A9008B83935419D8E0
SHA-256:	CEE5C6209A2D15A2E6EA6DE993B547C375E5716A90D472B55789E4553A212FD1
SHA-512:	419BEFFEE7DA34D924C172A3C8144F160C4306316697123BBF431BD357B3A8AB47540AEEF9855030233C9CFD84BEBD8A429CBFBD10C8D34616EA092D9A6E14EC
Malicious:	false
Reputation:	low
Preview:	....l...........................C#...... EMF................................8.......}................U..H...................K.......................................'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5CCA9D28.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	5280
Entropy (8bit):	4.841321930941806
Encrypted:	false
SSDEEP:	96:I0DS0VwurYKG5mPKDRv4Og6tO/XP8lEEHuwL:PDS0G5mPaRvO/f8lEEHuwL
MD5:	E630F750E3440205E6695E75AE1179EB
SHA1:	78DA9D8DF55169C1072618BB97DE5C56517E1329
SHA-256:	E1AAD6F483DEDF11E1156DF09545495BA928CFCF93140B40850420940E6EF11A
SHA-512:	1BE3355C0E87C414D810E0A584BEB0117AB250F1B80F2300E8EB9070D8A17EBE6DB70763CB693948FCCDA4932FEF0C4932DB81CEA9E28E84358146C8515CA9A4
Malicious:	false
Reputation:	low
Preview:	....l...).......u.../...........k9..t... EMF............................@.......4...>..................<...............................5...R...p...................................S.e.g.o.e. .U.I...................................................8v..."1.5.\.R.o.o.t.\.O.f.f.i.c.e.......4..nCq........D.:T.........8v...v.....[vd.4...4.......4........v...v8.....u...u..[v..4.k...........@.........4....v...v....\.u...u..;t.......4.........(zu...4...........4..oCq..........4........"..4..}8v........dv......%...................................r............................... ... ..................?...........?................l...4........... ... ...(... ... ..... .............................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7B2AE0BB.jpeg

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 660x137, frames 3
Category:	dropped
Size (bytes):	25938
Entropy (8bit):	7.833218523254594
Encrypted:	false
SSDEEP:	768:RPdG3S2uAu5LAbvlGVzYO00pQlDSmM57dx7SiWIKLvW1:RP88Ap+cZ02kpCiWDg
MD5:	B5BB6A7EF0B322467A20AB38ABC07B97
SHA1:	47B724835E4C7B3DDB0FA32BE2D00CBFD43BADBC
SHA-256:	9CB8D86A1195C6A0C7E2B3FAE92C988BFFB85E24CD245872C543BB3B8295DCBE
SHA-512:	C90C1FF27F5179A9C3CC55C0C72E9B95377902B1F91CE216729BA9BEE899A07671506F4533D759DF3C5351B4263FCCEEA66AECE86E72E15093E361624BC4F0FA
Malicious:	false
Reputation:	low
Preview:	......JFIF.............C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....+3@..(..s....k.....A..>.....(..M.\|-.O..M+..#B.G.7....2M.~!......[........O....o...9..5......{...g.3...H.....5.c.+.....f......"k!.....\|...8_.....M~..5...K$......ZP.>X.Fd..........+@&.+.Z...&..C..W...'..._..\|6+....<K.yg*t.R{]...a\....W...-..Q.Bh.G.......X5y.T....z..?....R.........),...n...8#..N...E....F2.._..B?..........#..v.m......5.i..7.KY..M._.v.fc.9R

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\923BA48A.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	5348
Entropy (8bit):	2.333641896616443
Encrypted:	false
SSDEEP:	48:SE3IHpHK2g4x//3G7+wJj7IaK0pNCedxpc1:SNHpHK2x//3+xB7IaK0pUop8
MD5:	10CC58B3B22AD2D5A9BE889181790552
SHA1:	75D40D411B3A3D288E735A4C628DA44C4C39FA3C
SHA-256:	4A2DDC7AE24E1F9277476B6ACD369F53D0250FC329C9BD3B93B6AE64A17B15F5
SHA-512:	F3407353135BC0DD9A1C3861627D1574CA7DC1609514E32BC47892A84D81B133D1AECEF3C85DAE36B32DE0D53560B8CD36EEEA451F382831E2E387AEB7E608A1
Malicious:	false
Reputation:	low
Preview:	....l...........................C#...... EMF................................8.......}................U..H...................K.......................................'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B158576.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	5232
Entropy (8bit):	4.879542142933512
Encrypted:	false
SSDEEP:	96:59f2pmYKG5mPKDRv4Og6tO/XP8lEEF6+idRm:5Un5mPaRvO/f8lEE5idRm
MD5:	2A31FF37D8F06AB63C08A874B00F78A5
SHA1:	A216FB97942EE30E82D13F8D308F3D34FB0A3451
SHA-256:	9E941032F88F698814AEC1D444A3541591928A804CCDE5769F535C1590B2907F
SHA-512:	6F51504BFA3FDCF895B04197EA0AA670FEC99BB3A3EE199AF85BC56E5748A1D2B6C113F504431883A7C050C9FF6ADB3D28C50E21B64FDAC4036D5CB6C3D30466
Malicious:	false
Reputation:	low
Preview:	....l...#.......9.../...........50..q... EMF....p...........................8.......}................U..H...........................]...5...R...p...................................S.e.g.o.e. .U.I...................................................,ux3S1.5.\.R.o.o.t.\.O.f.f.i.c.e.....,.E..nQp........D..^.........,u8..w......t..E...E.....`.E...........5...E.P.Tu.6....t..E..XTu...w...w...^..U...U..-(......^.......\|t.5.....@.E....w...w...^0.E.........\.E..oQp........L.E.....x3S\.E..},u........dv......%...................................r............................... ... ..................?...........?................l...4........... ... ...(... ... ..... .............................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C9CFEB09.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	5220
Entropy (8bit):	4.886315397806876
Encrypted:	false
SSDEEP:	96:F04WAPlYKG5mPKDRv4Og6tO/XP8lEEu6KdRE:i4G5mPaRvO/f8lEE+dRE
MD5:	CFC2EB922357AFC2E08B818DF59D2DB4
SHA1:	8123513647762ABFC4460CEFB958BD4A64ECF759
SHA-256:	CCE3BE7E4559A991BA398CBC436519D5B25B07AC458A454D62288A3C31BD35A0
SHA-512:	FA046F388ADD71D6A0819422C1232D44B9F126DEA55FD4761DB00B52299301CADFE744E06CF4DF8B14A5D10EA7BF10C305AE95594165E0ED232EDED3C07D9DF4
Malicious:	false
Reputation:	low
Preview:	....l...".......0.../...............t... EMF....d.......................@.......4...>..................<...........................S...5...R...p...................................S.e.g.o.e. .U.I....................................................t..].1.5.\.R.o.o.t.\.O.f.f.i.c.e..........n.q........D..P..........t..w.....4v............H...EX;w................6...4v.....X.v..6w...w...P............\.......................(.....6w...w...P............D....o.q........4.........].D....}.t........dv......%...................................r............................... ... ..................?...........?................l...4........... ... ...(... ... ..... .............................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D914E8F4.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	5364
Entropy (8bit):	4.856335090472488
Encrypted:	false
SSDEEP:	96:QxgBS1YKG5mPKDRv4Og6tO/XP8lEERc0l+e6HK:QxK5mPaRvO/f8lEERdl+e6HK
MD5:	72FEAFCA807874E6742DFBD011C2B2CD
SHA1:	845FFB7468E2B0932848D356D8127CEE249EB712
SHA-256:	F95F6C5360B90FCECB95608C8364FE5BA2D9372166B7F32766C8A9255AA9CDEE
SHA-512:	1A345CF4D4CCCB263893C4C3C7E353E6DAC44E8EDB880DF19264720C35499035A8154A47B468C422E14C0A93AFA89A80FEFA3DF44CE0101640A02F90D868AD6C
Malicious:	false
Reputation:	low
Preview:	....l...0.........../............C..q... EMF................................8.......}................U..H...............................5...R...p...................................S.e.g.o.e. .U.I....................................................vp..&1.5.\.R.o.o.t.\.O.f.f.i.c.e.........mEr........D..Y..........v...v......t...8..........X.wb.P......... ....6....t.....X.t...w...v...Y.................... ...................w...v...Y..............cnEr...............p..&....}.v........dv......%...................................r............................... ... ..................?...........?................l...4........... ... ...(... ... ..... .............................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$RU419 FEB17 BSRec_InvNet.xlsx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General

File type:	Microsoft Excel 2007+
Entropy (8bit):	7.9948250784848955
TrID:	Excel Microsoft Office Open XML Format document (40004/1) 83.33% ZIP compressed archive (8000/1) 16.67%
File name:	RU419 FEB17 BSRec_InvNet.xlsx
File size:	4768919
MD5:	bb2bdf2659b515eee1f56c0382847fd7
SHA1:	72405dd23abe1d3f97b75e3eb50bcecbf51669f8
SHA256:	a36ec67f835cb7968270d43f151df7b0b3cbd501b5eeb4688b8676758deadb0e
SHA512:	9c19fc7b871fbdbb46b7af3c50dc29436ffbd28f94d9ed91dbfcb8e1830210be7b66115012dbd67564afa1132107186e22f8d1c839681ed439d487aa49bc5b00
SSDEEP:	98304:zV40bHJu4znpW5DYAY+5HA0MefCaeCtu2qc60yHkOriCbm2:54A04TpADFYUMfvCtH7f0iCD
File Content Preview:	PK..........!...5#....^.......[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	7

OLE File "/opt/package/joesandbox/database/analysis/562532/sample/RU419 FEB17 BSRec_InvNet.xlsx"

Indicators

Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary

Author:	Gut, Mateusz
Last Saved By:	Bernas, Justyna
Create Time:	2012-08-13T15:44:29Z
Last Saved Time:	2017-03-29T09:51:12Z
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Thumbnail Scaling Desired:	false
Company:	Boart Longyear
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	15.0300

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 76

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	76
Entropy:	3.09344952647
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . O L E P a c k a g e . . . . . . . . . P a c k a g e . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 0c 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 0c 00 00 00 4f 4c 45 20 50 61 63 6b 61 67 65 00 00 00 00 00 08 00 00 00 50 61 63 6b 61 67 65 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x1Ole10Native, File Type: data, Stream Size: 91443

General
Stream Path:	\x1Ole10Native
File Type:	data
Stream Size:	91443
Entropy:	5.35403120266
Base64 Encoded:	True
Data ASCII:	/ e . . . . R E E M E A G o o d s I n T r a n s i t o l d e r t h a n 9 0 d a y s R U . m s g . C : \\ U s e r s \\ j u s t y n a . b e r n a s \\ D e s k t o p \\ R e c o n M A R - 2 0 1 6 \\ m o j e \\ S E P - 1 6 \\ r a p o r t y \\ R E E M E A G o o d s I n T r a n s i t o l d e r t h a n 9 0 d a y s R U . m s g . . . . . ` . . . C : \\ U s e r s \\ J U S T Y N ~ 1 . B E R \\ A p p D a t a \\ L o c a l \\ T e m p \\ R E E M E A G o o d s I n T r a n s i t o l d e r t
Data Raw:	2f 65 01 00 02 00 52 45 20 45 4d 45 41 20 47 6f 6f 64 73 20 49 6e 20 54 72 61 6e 73 69 74 20 6f 6c 64 65 72 20 74 68 61 6e 20 39 30 20 64 61 79 73 20 52 55 2e 6d 73 67 00 43 3a 5c 55 73 65 72 73 5c 6a 75 73 74 79 6e 61 2e 62 65 72 6e 61 73 5c 44 65 73 6b 74 6f 70 5c 52 65 63 6f 6e 20 4d 41 52 2d 32 30 31 36 5c 6d 6f 6a 65 5c 53 45 50 2d 31 36 5c 72 61 70 6f 72 74 79 5c 52 45 20 45

OLE File "/opt/package/joesandbox/database/analysis/562532/sample/RU419 FEB17 BSRec_InvNet.xlsx"

Indicators

Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary

Author:	Gut, Mateusz
Last Saved By:	Bernas, Justyna
Create Time:	2012-08-13T15:44:29Z
Last Saved Time:	2017-03-29T09:51:12Z
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Thumbnail Scaling Desired:	false
Company:	Boart Longyear
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	15.0300

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 76

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	76
Entropy:	3.09344952647
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . O L E P a c k a g e . . . . . . . . . P a c k a g e . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 0c 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 0c 00 00 00 4f 4c 45 20 50 61 63 6b 61 67 65 00 00 00 00 00 08 00 00 00 50 61 63 6b 61 67 65 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x1Ole10Native, File Type: data, Stream Size: 91443

General
Stream Path:	\x1Ole10Native
File Type:	data
Stream Size:	91443
Entropy:	5.35403120266
Base64 Encoded:	True
Data ASCII:	/ e . . . . R E E M E A G o o d s I n T r a n s i t o l d e r t h a n 9 0 d a y s R U . m s g . C : \\ U s e r s \\ j u s t y n a . b e r n a s \\ D e s k t o p \\ R e c o n M A R - 2 0 1 6 \\ m o j e \\ S E P - 1 6 \\ r a p o r t y \\ R E E M E A G o o d s I n T r a n s i t o l d e r t h a n 9 0 d a y s R U . m s g . . . . . ` . . . C : \\ U s e r s \\ J U S T Y N ~ 1 . B E R \\ A p p D a t a \\ L o c a l \\ T e m p \\ R E E M E A G o o d s I n T r a n s i t o l d e r t
Data Raw:	2f 65 01 00 02 00 52 45 20 45 4d 45 41 20 47 6f 6f 64 73 20 49 6e 20 54 72 61 6e 73 69 74 20 6f 6c 64 65 72 20 74 68 61 6e 20 39 30 20 64 61 79 73 20 52 55 2e 6d 73 67 00 43 3a 5c 55 73 65 72 73 5c 6a 75 73 74 79 6e 61 2e 62 65 72 6e 61 73 5c 44 65 73 6b 74 6f 70 5c 52 65 63 6f 6e 20 4d 41 52 2d 32 30 31 36 5c 6d 6f 6a 65 5c 53 45 50 2d 31 36 5c 72 61 70 6f 72 74 79 5c 52 45 20 45

OLE File "/opt/package/joesandbox/database/analysis/562532/sample/RU419 FEB17 BSRec_InvNet.xlsx"

Indicators

Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary

Author:	Gut, Mateusz
Last Saved By:	Bernas, Justyna
Create Time:	2012-08-13T15:44:29Z
Last Saved Time:	2017-03-29T09:51:12Z
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Thumbnail Scaling Desired:	false
Company:	Boart Longyear
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	15.0300

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 76

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	76
Entropy:	3.09344952647
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . O L E P a c k a g e . . . . . . . . . P a c k a g e . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 0c 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 0c 00 00 00 4f 4c 45 20 50 61 63 6b 61 67 65 00 00 00 00 00 08 00 00 00 50 61 63 6b 61 67 65 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x1Ole10Native, File Type: data, Stream Size: 91443

General
Stream Path:	\x1Ole10Native
File Type:	data
Stream Size:	91443
Entropy:	5.35403120266
Base64 Encoded:	True
Data ASCII:	/ e . . . . R E E M E A G o o d s I n T r a n s i t o l d e r t h a n 9 0 d a y s R U . m s g . C : \\ U s e r s \\ j u s t y n a . b e r n a s \\ D e s k t o p \\ R e c o n M A R - 2 0 1 6 \\ m o j e \\ S E P - 1 6 \\ r a p o r t y \\ R E E M E A G o o d s I n T r a n s i t o l d e r t h a n 9 0 d a y s R U . m s g . . . . . ` . . . C : \\ U s e r s \\ J U S T Y N ~ 1 . B E R \\ A p p D a t a \\ L o c a l \\ T e m p \\ R E E M E A G o o d s I n T r a n s i t o l d e r t
Data Raw:	2f 65 01 00 02 00 52 45 20 45 4d 45 41 20 47 6f 6f 64 73 20 49 6e 20 54 72 61 6e 73 69 74 20 6f 6c 64 65 72 20 74 68 61 6e 20 39 30 20 64 61 79 73 20 52 55 2e 6d 73 67 00 43 3a 5c 55 73 65 72 73 5c 6a 75 73 74 79 6e 61 2e 62 65 72 6e 61 73 5c 44 65 73 6b 74 6f 70 5c 52 65 63 6f 6e 20 4d 41 52 2d 32 30 31 36 5c 6d 6f 6a 65 5c 53 45 50 2d 31 36 5c 72 61 70 6f 72 74 79 5c 52 45 20 45

OLE File "/opt/package/joesandbox/database/analysis/562532/sample/RU419 FEB17 BSRec_InvNet.xlsx"

Indicators

Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary

Author:	Gut, Mateusz
Last Saved By:	Bernas, Justyna
Create Time:	2012-08-13T15:44:29Z
Last Saved Time:	2017-03-29T09:51:12Z
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Thumbnail Scaling Desired:	false
Company:	Boart Longyear
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	15.0300

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 76

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	76
Entropy:	3.09344952647
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . O L E P a c k a g e . . . . . . . . . P a c k a g e . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 0c 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 0c 00 00 00 4f 4c 45 20 50 61 63 6b 61 67 65 00 00 00 00 00 08 00 00 00 50 61 63 6b 61 67 65 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x1Ole10Native, File Type: data, Stream Size: 121286

General
Stream Path:	\x1Ole10Native
File Type:	data
Stream Size:	121286
Entropy:	5.36470100495
Base64 Encoded:	True
Data ASCII:	. . . . . . R E A c c o u n t 1 2 2 8 0 0 r e c o n c i l i a t i o n ( I n v e n t o r y - E x p e n s e s t o b e l a n d e d ) . m s g . C : \\ U s e r s \\ j u s t y n a . b e r n a s \\ D e s k t o p \\ t y m c z a s o w y \\ d o r e c o n o w \\ R E A c c o u n t 1 2 2 8 0 0 r e c o n c i l i a t i o n ( I n v e n t o r y - E x p e n s e s t o b e l a n d e d ) . m s g . . . . . r . . . C : \\ U s e r s \\ J U S T Y N ~ 1 . B E R \\ A p p D a t a \\ L o c a l \\ T e m p \\ R
Data Raw:	c2 d9 01 00 02 00 52 45 20 41 63 63 6f 75 6e 74 20 31 32 32 38 30 30 20 72 65 63 6f 6e 63 69 6c 69 61 74 69 6f 6e 20 28 49 6e 76 65 6e 74 6f 72 79 20 2d 20 45 78 70 65 6e 73 65 73 20 74 6f 20 62 65 20 6c 61 6e 64 65 64 29 2e 6d 73 67 00 43 3a 5c 55 73 65 72 73 5c 6a 75 73 74 79 6e 61 2e 62 65 72 6e 61 73 5c 44 65 73 6b 74 6f 70 5c 74 79 6d 63 7a 61 73 6f 77 79 5c 64 6f 20 72 65 63

OLE File "/opt/package/joesandbox/database/analysis/562532/sample/RU419 FEB17 BSRec_InvNet.xlsx"

Indicators

Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary

Author:	Gut, Mateusz
Last Saved By:	Bernas, Justyna
Create Time:	2012-08-13T15:44:29Z
Last Saved Time:	2017-03-29T09:51:12Z
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Thumbnail Scaling Desired:	false
Company:	Boart Longyear
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	15.0300

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 76

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	76
Entropy:	3.09344952647
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . O L E P a c k a g e . . . . . . . . . P a c k a g e . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 0c 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 0c 00 00 00 4f 4c 45 20 50 61 63 6b 61 67 65 00 00 00 00 00 08 00 00 00 50 61 63 6b 61 67 65 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x1Ole10Native, File Type: data, Stream Size: 91431

General
Stream Path:	\x1Ole10Native
File Type:	data
Stream Size:	91431
Entropy:	5.35400764395
Base64 Encoded:	True
Data ASCII:	# e . . . . R E E M E A G o o d s I n T r a n s i t o l d e r t h a n 9 0 d a y s R U . m s g . C : \\ U s e r s \\ j u s t y n a . b e r n a s \\ D e s k t o p \\ R e c o n M A R - 2 0 1 6 \\ m o j e \\ S E P - 1 6 \\ r a p o r t y \\ R E E M E A G o o d s I n T r a n s i t o l d e r t h a n 9 0 d a y s R U . m s g . . . . . \\ . . . C : \\ U s e r s \\ J U S T Y N ~ 1 . B E R \\ A p p D a t a \\ L o c a l \\ T e m p \\ R E E M E A G o o d s I n T r a n s i t o l d e r t
Data Raw:	23 65 01 00 02 00 52 45 20 45 4d 45 41 20 47 6f 6f 64 73 20 49 6e 20 54 72 61 6e 73 69 74 20 6f 6c 64 65 72 20 74 68 61 6e 20 39 30 20 64 61 79 73 20 52 55 2e 6d 73 67 00 43 3a 5c 55 73 65 72 73 5c 6a 75 73 74 79 6e 61 2e 62 65 72 6e 61 73 5c 44 65 73 6b 74 6f 70 5c 52 65 63 6f 6e 20 4d 41 52 2d 32 30 31 36 5c 6d 6f 6a 65 5c 53 45 50 2d 31 36 5c 72 61 70 6f 72 74 79 5c 52 45 20 45

OLE File "/opt/package/joesandbox/database/analysis/562532/sample/RU419 FEB17 BSRec_InvNet.xlsx"

Indicators

Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary

Author:	Gut, Mateusz
Last Saved By:	Bernas, Justyna
Create Time:	2012-08-13T15:44:29Z
Last Saved Time:	2017-03-29T09:51:12Z
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Thumbnail Scaling Desired:	false
Company:	Boart Longyear
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	15.0300

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 76

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	76
Entropy:	3.09344952647
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . O L E P a c k a g e . . . . . . . . . P a c k a g e . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 0c 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 0c 00 00 00 4f 4c 45 20 50 61 63 6b 61 67 65 00 00 00 00 00 08 00 00 00 50 61 63 6b 61 67 65 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x1Ole10Native, File Type: data, Stream Size: 169303

General
Stream Path:	\x1Ole10Native
File Type:	data
Stream Size:	169303
Entropy:	7.19148621744
Base64 Encoded:	True
Data ASCII:	S . . . . . I n v o i c e 2 5 0 2 1 3 0 0 1 2 6 3 5 K T C - b o o k i n g w i t h 1 2 0 2 0 0 a c c o u n t . m s g . C : \\ U s e r s \\ j u s t y n a . b e r n a s \\ D e s k t o p \\ R e c o n M A R - 2 0 1 6 \\ m o j e \\ A U G - 1 6 \\ I n v o i c e 2 5 0 2 1 3 0 0 1 2 6 3 5 K T C - b o o k i n g w i t h 1 2 0 2 0 0 a c c o u n t . m s g . . . . . d . . . C : \\ U s e r s \\ J U S T Y N ~ 1 . B E R \\ A p p D a t a \\ L o c a l \\ T e m p \\ I n v o i c e 2 5 0 2 1 3 0 0 1 2 6 3 5 K T C
Data Raw:	53 95 02 00 02 00 49 6e 76 6f 69 63 65 20 32 35 30 32 31 33 30 30 31 32 36 33 35 4b 54 43 20 2d 20 62 6f 6f 6b 69 6e 67 20 77 69 74 68 20 31 32 30 32 30 30 20 61 63 63 6f 75 6e 74 2e 6d 73 67 00 43 3a 5c 55 73 65 72 73 5c 6a 75 73 74 79 6e 61 2e 62 65 72 6e 61 73 5c 44 65 73 6b 74 6f 70 5c 52 65 63 6f 6e 20 4d 41 52 2d 32 30 31 36 5c 6d 6f 6a 65 5c 41 55 47 2d 31 36 5c 49 6e 76 6f

OLE File "/opt/package/joesandbox/database/analysis/562532/sample/RU419 FEB17 BSRec_InvNet.xlsx"

Indicators

Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary

Author:	Gut, Mateusz
Last Saved By:	Bernas, Justyna
Create Time:	2012-08-13T15:44:29Z
Last Saved Time:	2017-03-29T09:51:12Z
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Thumbnail Scaling Desired:	false
Company:	Boart Longyear
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	15.0300

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 76

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	76
Entropy:	3.09344952647
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . O L E P a c k a g e . . . . . . . . . P a c k a g e . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 0c 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 0c 00 00 00 4f 4c 45 20 50 61 63 6b 61 67 65 00 00 00 00 00 08 00 00 00 50 61 63 6b 61 67 65 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x1Ole10Native, File Type: data, Stream Size: 35605

General
Stream Path:	\x1Ole10Native
File Type:	data
Stream Size:	35605
Entropy:	3.8995864265
Base64 Encoded:	True
Data ASCII:	. . . . . . E M E A G o o d s I n T r a n s i t o l d e r t h a n 9 0 d a y s I N M . m s g . C : \\ U s e r s \\ j u s t y n a . b e r n a s \\ D e s k t o p \\ R e c o n M A R - 2 0 1 6 \\ m o j e \\ A U G - 1 6 \\ R a p o r t y \\ E M E A G o o d s I n T r a n s i t o l d e r t h a n 9 0 d a y s I N M . m s g . . . . . Z . . . C : \\ U s e r s \\ J U S T Y N ~ 1 . B E R \\ A p p D a t a \\ L o c a l \\ T e m p \\ E M E A G o o d s I n T r a n s i t o l d e r t h a n 9 0
Data Raw:	11 8b 00 00 02 00 45 4d 45 41 20 47 6f 6f 64 73 20 49 6e 20 54 72 61 6e 73 69 74 20 6f 6c 64 65 72 20 74 68 61 6e 20 39 30 20 64 61 79 73 20 49 4e 4d 2e 6d 73 67 00 43 3a 5c 55 73 65 72 73 5c 6a 75 73 74 79 6e 61 2e 62 65 72 6e 61 73 5c 44 65 73 6b 74 6f 70 5c 52 65 63 6f 6e 20 4d 41 52 2d 32 30 31 36 5c 6d 6f 6a 65 5c 41 55 47 2d 31 36 5c 52 61 70 6f 72 74 79 5c 45 4d 45 41 20 47

Network Behavior

⊘No network behavior found

Statistics

⊘No statistics

System Behavior

Analysis Process: EXCEL.EXEPID: 1704, Parent PID: 596

General

Target ID:	0
Start time:	01:09:35
Start date:	29/01/2022
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f660000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RU419 FEB17 BSRec_InvNet.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2BCACAFF.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\42105703.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5CCA9D28.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7B2AE0BB.jpeg

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\923BA48A.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B158576.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C9CFEB09.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D914E8F4.emf

C:\Users\user\Desktop\~$RU419 FEB17 BSRec_InvNet.xlsx

Static File Info

General

File Icon

Static OLE Info

General

OLE File "/opt/package/joesandbox/database/analysis/562532/sample/RU419 FEB17 BSRec_InvNet.xlsx"

Indicators

Summary

Document Summary

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 76

General

Stream Path: \x1Ole10Native, File Type: data, Stream Size: 91443

General

OLE File "/opt/package/joesandbox/database/analysis/562532/sample/RU419 FEB17 BSRec_InvNet.xlsx"

Indicators

Summary

Document Summary

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 76

General

Stream Path: \x1Ole10Native, File Type: data, Stream Size: 91443

General

OLE File "/opt/package/joesandbox/database/analysis/562532/sample/RU419 FEB17 BSRec_InvNet.xlsx"

Indicators

Windows Analysis Report
RU419 FEB17 BSRec_InvNet.xlsx