Windows Analysis Report
purchase order.xlsx

Overview

General Information

Sample Name:	purchase order.xlsx
Analysis ID:	653502
MD5:	a8930c1fcd80e9965ae26446afb717f6
SHA1:	0cbf04bf7fc8522ab983f0246357fa70a85ee56b
SHA256:	c02ff7b4d28a259d37a659a6951dba4ee574562ef5fc3b3a0135640c0370dee2
Tags:	VelvetSweatshopxlsx
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Multi AV Scanner detection for submitted file

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: purchase order.xlsx

ReversingLabs: Detection: 17%

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4A9EED13.emf

Jump to behavior

System Summary

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4

Screenshot OCR: enable Editing and Content from the Yellow bar 18 A above to view locked content. 19 om 20 m m W

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: purchase order.xlsx

ReversingLabs: Detection: 17%

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR65D3.tmp

Jump to behavior

Source: classification engine

Classification label: mal56.winXLSX@1/9@0/0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$purchase order.xlsx

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

ID:	653502
Product:	CloudBasic
Start time:	10:38:23
Start date:	28.06.2022
Sample:	purchase order.xlsx
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	a8930c1fcd80e9965ae26446afb717f6
SHA1:	0cbf04bf7fc8522ab983f0246357fa70a85ee56b
SHA256:	c02ff7b4d28a259d37a659a6951dba4ee574562ef5fc3b3a0135640c0370dee2
Filetype:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\43629BF8.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	B6B2AE798B3758B49D802640BD39AF32	656AC44B76A94412C192609FBE730B73B238C3A9	6E281E82686640834CECC8BAECB83C1AEB68114A45299115D5B590E7C51E9332
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4A9EED13.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	00022229E61960C6F67FEA5ABD7CC7BF	95550373818BBB679D2388324C94A949CFFF90D5	CA521CE8E4A2C824905F74E45089E94D008E3E346439ECB9146AAD551C609A0F
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\527F7CC6.png	PNG image data, 130 x 187, 8-bit/color RGB, non-interlaced	86212DE909C5057FF80D28C6BCDA1B97	7B4846994D2A926D32AE44464802C8862D0D89AD	B796FFD015039600D93F191B42361B22A940F84BAADA5E4E7A9BD62829458BD0
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F15EBB99.png	PNG image data, 130 x 187, 8-bit/color RGB, non-interlaced	86212DE909C5057FF80D28C6BCDA1B97	7B4846994D2A926D32AE44464802C8862D0D89AD	B796FFD015039600D93F191B42361B22A940F84BAADA5E4E7A9BD62829458BD0
C:\Users\user\AppData\Local\Temp\~DF077F770245D24E55.TMP	CDFV2 Encrypted	A8930C1FCD80E9965AE26446AFB717F6	0CBF04BF7FC8522AB983F0246357FA70A85EE56B	C02FF7B4D28A259D37A659A6951DBA4EE574562EF5FC3B3A0135640C0370DEE2
C:\Users\user\AppData\Local\Temp\~DF14B34C0311447876.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\user\AppData\Local\Temp\~DFEA544448D310CFF4.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\user\AppData\Local\Temp\~DFFF7070C2B802BAB2.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\user\Desktop\~$purchase order.xlsx	data	797869BB881CFBCDAC2064F92B26E46F	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185

Windows Analysis Report
purchase order.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report purchase order.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
purchase order.xlsx