Edit tour

Windows Analysis Report
Companies House Trust Excel Document.xlsm

Overview

General Information

Sample Name:	Companies House Trust Excel Document.xlsm
Analysis ID:	1350052
MD5:	77b1b8d9244c48ed5a3ec4cabcac2201
SHA1:	f7a38dc3942c47da07f6cd4559beff4e10dca643
SHA256:	ccb6b1b4a79810defd516fb4cf5a3982437068858e001a34622890a1a22f7209
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains VBA stomped code (only p-code) potentially bypassing AV detection

Document contains an embedded VBA with many string operations indicating source code obfuscation

Document contains embedded VBA macros

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2768 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

System Summary

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Source: Companies House Trust Excel Document.xlsm

Stream path 'VBA/Module1' : found possibly 'ADODB.Stream' functions open, read, write

Source: Companies House Trust Excel Document.xlsm

OLE indicator, VBA macros: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR753E.tmp

Jump to behavior

Source: Companies House Trust Excel Document.xlsm

OLE indicator, Workbook stream: true

Source: classification engine

Classification label: mal52.evad.winXLSM@1/3@0/0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Companies House Trust Excel Document.xlsm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Companies House Trust Excel Document.xlsm	Initial sample: OLE zip file path = xl/worksheets/sheet4.xml
Source: Companies House Trust Excel Document.xlsm	Initial sample: OLE zip file path = xl/worksheets/sheet5.xml
Source: Companies House Trust Excel Document.xlsm	Initial sample: OLE zip file path = xl/worksheets/sheet6.xml
Source: Companies House Trust Excel Document.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet6.xml.rels

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation

Document contains an embedded VBA with many string operations indicating source code obfuscation

Source: Companies House Trust Excel Document.xlsm

Stream path 'VBA/Module1' : High number of string operations

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Document contains VBA stomped code (only p-code) potentially bypassing AV detection

Source: Companies House Trust Excel Document.xlsm

OLE indicator, VBA stomping: true

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	21 Scripting	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	21 Scripting	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	Protocol Impersonation			Data Destruction	Virtual Private Server	Employee Names

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1350052
Start date and time:	2023-11-29 19:01:16 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Companies House Trust Excel Document.xlsm
Detection:	MAL
Classification:	mal52.evad.winXLSM@1/3@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .xlsm Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active AutoShape Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
Excluded IPs from analysis (whitelisted): 184.87.173.89, 184.87.173.58, 23.206.121.39, 23.206.121.28
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: Companies House Trust Excel Document.xlsm

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	147284
Entropy (8bit):	4.421670275438143
Encrypted:	false
SSDEEP:	1536:C8lL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcmB:CeJNSc83tKBAvQVCgOtmXmLpLmB
MD5:	8E6E187ED4DA7BBBC75A1F2AC1C5CDA4
SHA1:	42C99C555496C241B8F1677D0AABF95E5F4E256E
SHA-256:	5E9E69BD8CF8B92D81E5897BB3B8F781A4849EFA819569AD6059FA4DF4A0F04F
SHA-512:	0AE687D526F9F85A8198DC788DFF2DDC495F7BD5D0DCA2E5D7FAD0778612878E38D91A19B596A7814A08C8A2270376B7D14F265788287545A9308B02912467C4
Malicious:	false
Reputation:	low
Preview:	MSFT................Q................................#......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........\|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0......*..\+...+..$,...,...,..P-...-......\|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8...........N..............\W...............J..............,<...............<..............xW..............xY..xG.............T...........D...............................T...............................................................&!..d...........................................................................................

C:\Users\user\AppData\Local\Temp\~DFE1365C8194EC8BCD.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	0A9156C4E3C48EF827980639C4D1E263
SHA1:	9F13A523321C66208E90D45F87FA0CD9B370E111
SHA-256:	3A3ED164E42500A1C5B2D0093F0A813D27DC50D038F330CC100A7E70ECE2E6E4
SHA-512:	8A46C1B44C0EA338AFF0D2E2D07C34430B67B68B6D27E1ADB8CF216B0F0994172CED106A90283F2F0469B5CAA40ACEDF101D45729B823E5179EA55AC507E04AD
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$Companies House Trust Excel Document.xlsm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General

File type:	Microsoft Excel 2007+
Entropy (8bit):	7.8748953501236025
TrID:	Excel Microsoft Office Open XML Format document with Macro (52504/1) 52.24% Excel Microsoft Office Open XML Format document (40004/1) 39.80% ZIP compressed archive (8000/1) 7.96%
File name:	Companies House Trust Excel Document.xlsm
File size:	57'842 bytes
MD5:	77b1b8d9244c48ed5a3ec4cabcac2201
SHA1:	f7a38dc3942c47da07f6cd4559beff4e10dca643
SHA256:	ccb6b1b4a79810defd516fb4cf5a3982437068858e001a34622890a1a22f7209
SHA512:	27a9e8aa2ee7140ff3d70a3941b0a8295294fc7a3caccb3a092e056c7231fe69bab89c3b69089750d3ec1c869fc7f3e4983e9cef668e5893aa11b3d6df799cfa
SSDEEP:	1536:Y+vxTRBudd4ThvxbqJPwK/XXsvEzDjZW3Q1tI7KZJr1x:Y+vx1BudulpJK/XXu8xS7KZ5P
TLSH:	F943F14C4680EE4DDFBBCC3E612D40D0258D096E92D3AD5621F5AFCE0342457E795FAA
File Content Preview:	PK..........!...=.............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	2562ab89afbfbfaf

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "Companies House Trust Excel Document.xlsm"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Title:
Subject:
Author:	Microsoft Office User
Keywords:
Last Saved By:	Jason Reader
Revion Number:
Total Edit Time:	0
Create Time:	2022-04-07T19:40:59Z
Last Saved Time:	2022-11-15T17:35:20Z
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Thumbnail Scaling Desired:	false
Company:
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	16.0300

Streams with VBA

VBA File Name: Module1, Stream Size: 31370

General
Stream Path:	VBA/Module1
VBA File Name:	Module1
Stream Size:	31370
Data ASCII:	. . . . . . . . & . . . . . . , . . . . . . _ . . B b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . H . . . . . . . . 8 L : . . . . . . . . . . . > . . . . . . L . . . . . . . . . . . . . . . . . L . . . . . L .
Data Raw:	01 16 03 00 06 f4 00 00 00 26 1f 00 00 d8 00 00 00 2c 02 00 00 ff ff ff ff f4 1f 00 00 c0 5f 00 00 42 62 00 00 01 00 00 00 01 00 00 00 ff ff ff ff 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 08 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Module1"

Sub parseData()
  Worksheets("Create and copy data").Range("b12") = toJSONV2(getValuesRange("Trust"), False) ' Set cell B12's value to our JSON data
  
  
  'uncomment below to test copy to clipboard ..does not work on mac...- then replace text with above json
  'Clipboard "I can copy to the Clipboard!"
  
  ' write to file..does not work on Mac
   ' filesaveName = Application.GetSaveAsFilename(fileFilter:="JSON Files (*.json), *.json")
    ' If filesaveName <> False Then
      ' fileNumber = FreeFile
     '  Open filesaveName For Output As fileNumber
      '  Print #fileNumber, Worksheets("JSONsheet").Range("b1"); Worksheets("JSONsheet").Range("b2"); Worksheets("JSONsheet").Range("b3")
      '  Close fileNumber
   '  End If
   
   'State that copy was successful if we've got here without error
   Worksheets("Create and copy data").Range("a10") = "The data has been created and copied to your device. You can now paste it into the service."
   Worksheets("Create and copy data").Range("a10").Borders.Color = RGB(0, 0, 255)
   Worksheets("Create and copy data").Range("a10").Borders.Weight = xlThick

   ' Attempt to copy the JSON content - MUST BE LAST OPERATION
   worksheetDataCopy (Worksheets("Create and copy data").Range("b12"))

End Sub

Private Sub worksheetDataCopy(ByVal target As Range)
    If Not Intersect(target, Worksheets("Create and copy data").Range("b12")) Is Nothing Then
        target.Copy
        target.Cut
    End If
End Sub

Function Clipboard(Optional StoreText As String) As String
    Dim x As Variant
    'Store as variant for 64-bit VBA support
      x = StoreText
    'Create HTMLFile Object
    With CreateObject("htmlfile")
        With .parentWindow.clipboardData
            Select Case True
            Case Len(StoreText)
                'Write to the clipboard
             .setData "text", x
            Case Else
          'Read from the clipboard (no variable passed through)
            Clipboard = .GetData("text")
        End Select
        End With
    End With
End Function

Function getValuesRange(Sheet As String) As Range
    ' Row variables
    Dim usedRows As Integer: usedRows = 0
    Dim rowCounter As Integer: rowCounter = 1
    Dim rowsToCount As Integer: rowsToCount = 100
    ' Column variables
    Dim usedColumns As Integer: usedColumns = 0
    Dim columnCounter As Integer: columnCounter = 1
    Dim columnsToCount As Integer: columnsToCount = 50

    Do While rowCounter <= rowsToCount ' Loop through each row
        Do While columnCounter <= columnsToCount ' Loop through each column
            If Worksheets(Sheet).Cells(rowCounter, columnCounter) <> "" Then ' Check to see if the cell has a value
                usedRows = rowCounter ' Since the current row has a cell with a value in it, set usedRows to the current row
                If columnCounter > usedColumns Then
                    usedColumns = columnCounter ' If the current column is greater than usedColumns, set usedColumns to the current column
                End If
                If usedRows = rowsToCount Then
                    rowsToCount = rowsToCount + 100 ' If the value of usedRows reaches the rowsToCount limit, then extend the rowsToCount limit by 100
                End If
                If usedColumns = columnsToCount Then
                    columnsToCount = columnsToCount + 50 ' If the value of usedColumns reaches the columnsToCount limit, then extend the columnsToCount limit by 100
                End If
            End If
            columnCounter = columnCounter + 1 ' Increment columnCounter
        Loop
        rowCounter = rowCounter + 1 ' Increment rowCounter
        columnCounter = 1 ' Reset the columnCounter to 1 so we're always checking the first column every time we loop
    Loop
    Set getValuesRange = Worksheets(Sheet).Range("a5", Worksheets(Sheet).Cells(usedRows, usedColumns).Address) ' Return the range of cells that have values
End Function

Function toJSONV2(rangeToParse As Range, parseAsArrays As Boolean) As String
    Dim rowCounter As Integer
    Dim columnCounter As Integer
    Dim parsedData As String: parsedData = "[{"
    Dim temp As String
    Dim indSheet As String: indSheet = "Individuals involved in trust"
    Dim entSheet As String: entSheet = "Entities involved in trust"
    Dim boSheet As String: boSheet = "All beneficial owners"
    Dim keyValue As String: keyValue = ""
    
     For columnCounter = 2 To rangeToParse.Columns.Count
            temp = ""
             For rowCounter = 2 To rangeToParse.Rows.Count
                keyValue = mapnames(rangeToParse.Cells(rowCounter, 1))
                If mapnames(keyValue) <> "NO_DATA" Then
                    ' If the mapnames returns a recognised date string key - do a different construct
                    If keyValue = "dob" Or InStr(1, keyValue, "date") > 0 Then
                        dateStr = splitDates(rangeToParse.Cells(rowCounter, columnCounter), keyValue)
                        temp = temp & dateStr
                    Else
                        temp = temp & """" & mapnames(keyValue) & """" & ":" & """"
                        temp = temp & Replace(rangeToParse.Cells(rowCounter, columnCounter), """", "") & """" & ","
                    End If
                End If
            Next
            temp = temp & "," ' Remove extra comma from after last object
            parsedData = parsedData & temp
       Next
    
    If Len(parsedData) > 2 Then
        parsedData = Left(parsedData, Len(parsedData) - 2) & ","
    End If

    parsedData = parsedData & """" & "INDIVIDUALS" & """" & ": ["
    parsedData = parsedData & toJSONsubElmV2(getValuesRange(indSheet), False, 21)

    parsedData = parsedData & "],"
    parsedData = parsedData & """" & "HISTORICAL_BO" & """" & ": ["
    parsedData = parsedData & toJSONsubElmV2(getValuesRange(boSheet), False, 5) ' Set cell B1's value to our JSON data
  
    parsedData = parsedData & "],"
    parsedData = parsedData & """" & "CORPORATES" & """" & ": ["
    parsedData = parsedData & toJSONsubElmV2(getValuesRange(entSheet), False, 22) ' Set cell B1's value to our JSON data
    
    parsedData = parsedData & "]}]" ' Remove extra comma and add the closing bracket for the JSON array
    Debug.Print parsedData
    
    toJSONV2 = parsedData ' Return the JSON data
End Function

Function toJSONsubElmV2(rangeToParse As Range, parseAsArrays As Boolean, rowsToCheck As Integer) As String
    Dim rowCounter As Integer
    Dim columnCounter As Integer
    Dim parsedData As String: parsedData = ""
    Dim temp As String: temp = ""
    Dim keyValue As String: keyValue = ""
    Dim rowValue As String: rowValue = ""
    Dim dateStr As String: dateStr = ""
    Dim columnHasValue As Boolean
    
    ' work out how many columns are populated do this by checking if we have a value in the second row of each column if we have a value then increment the counter
     populatedColumns = 1
     For columnCounter = 2 To rangeToParse.Columns.Count
        For rowCounter = 2 To (rowsToCheck)
            If Len(rangeToParse.Cells(rowCounter, columnCounter)) > 0 Then ' 2 - roCounter orig value
                 populatedColumns = populatedColumns + 1
                 ' break out the loop - we know there's at least one value in the column
                 rowCounter = 100
            End If
        Next
     Next
    
    For columnCounter = 2 To populatedColumns
            temp = ""
            columnHasValue = False
            For rowCounter = 2 To rangeToParse.Rows.Count
                keyValue = mapnames(rangeToParse.Cells(rowCounter, 1))
                rowValue = rangeToParse.Cells(rowCounter, columnCounter)
                If keyValue <> "NO_DATA" And Len(rowValue) > 0 Or rowValue <> "" Then
                    ' If the mapnames returns a recognised date string key - do a different construct
                    If keyValue = "dob" Or InStr(1, keyValue, "date") > 0 Then
                        dateStr = splitDates(rowValue, keyValue)
                        temp = temp & dateStr
                        columnHasValue = True
                    Else
                        temp = temp & """" & keyValue & """" & ":" & """"
                        temp = temp & Replace(rowValue, """", "") & """" & ","
                        columnHasValue = True
                    End If
                End If
            Next
        If columnHasValue = True Then
            temp = "{" & Left(temp, Len(temp) - 1) & "},"
            parsedData = parsedData & temp
        End If
    Next
    If Len(parsedData) > 1 Then
        parsedData = Left(parsedData, Len(parsedData) - 1)  ' Remove extra comma and add the closing bracket for the JSON array
    End If
    toJSONsubElmV2 = parsedData ' Return the JSON data
End Function

Function splitDates(dateString As String, dateKey As String) As String
    Dim arrSplitDate As Variant
    Dim dayVal As String
    Dim monthVal As String
    Dim yearVal As String
    Dim rtnStr As String: rtnStr = ""
    
    arrSplitDate = Split(dateString, "/")
    
    If arrayLen(arrSplitDate) = 3 Then
        dayVal = Replace(arrSplitDate(0), """", "")
        monthVal = Replace(arrSplitDate(1), """", "")
        yearVal = Replace(arrSplitDate(2), """", "")
    End If
    
    If Len(dayVal) > 0 And Len(monthVal) > 0 And Len(yearVal) > 0 Then
        rtnStr = """" & dateKey & "_day" & """" & ":"
        rtnStr = rtnStr & """" & dayVal & """" & ","
        rtnStr = rtnStr & """" & dateKey & "_month" & """" & ":"
        rtnStr = rtnStr & """" & monthVal & """" & ","
        rtnStr = rtnStr & """" & dateKey & "_year" & """" & ":"
        rtnStr = rtnStr & """" & yearVal & """" & ","
    End If

    splitDates = rtnStr
    
End Function

Function arrayLen(arr As Variant) As Integer
    arrayLen = UBound(arr) - LBound(arr) + 1
End Function

Function mapnames(key As String)
      Dim output As String
      output = key
     'need to fill in all the name mapping below
   Select Case key
   
'  Trusts

      Case "Name of the trust (or a description it can be identified by) (Required)"
          output = "trust_name"
      Case "Date the trust was created. For example, 21/03/2007 (Required)"
          output = "creation_date"
      Case "To the best of their knowledge, does the entity have all the required information about the trust?"
          output = "unable_to_obtain_all_trust_info"

' Historical BOs

      Case "First name (also known as given name)"
          output = "forename"
      Case "Other forenames (also known as middle names)"
          output = "other_forenames"
      Case "Last name (also known as family name)"
          output = "surname"
      Case "Date they became a beneficial owner. For example, 19/07/1981"
          output = "notified_date"
      Case "Date they ceased being a beneficial owner (if relevant). For example, 21/03/2007"
          output = "ceased_date"

' Individuals

      Case "Role within the trust"
          output = "type"
      Case "First name (also known as given name)"
          output = "forename"
      Case "Other forenames (also known as middle names)"
          output = "other_forenames"
      Case "Last name (also known as family name)"
          output = "surname"
      Case "Date of birth. For example, 29/05/1973"
          output = "dob"
      Case "Nationality"
          output = "nationality"
      Case "Home address property name or number"
          output = "ura_address_premises"
      Case "Home address property name or number"
          output = "ura_address_premises"
      Case "Home address line 1"
          output = "ura_address_line_1"
      Case "Home address line 2 (optional)"
          output = "ura_address_line_2"
      Case "Home address city or town"
          output = "ura_address_locality"
      Case "Home address county, state, province or region (optional)"
          output = "ura_address_region"
      Case "Home address country"
          output = "ura_address_country"
      Case "Home address postcode or ZIP code (if applicable)"
          output = "ura_address_postal_code"


      Case "Correspondence address property name or number"
          output = "sa_address_premises"
      Case "Correspondence address line 1"
          output = "sa_address_line_1"
      Case "Correspondence address line 2 (optional)"
          output = "sa_address_line_2"
      Case "Correspondence address city or town"
          output = "sa_address_locality"
      Case "Correspondence address county, state, province or region (optional)"
          output = "sa_address_region"
      Case "Correspondence address country"
          output = "sa_address_country"
      Case "Correspondence address postcode or ZIP code (if applicable)"
          output = "sa_address_postal_code"
      Case "Date they became an interested person (for interested persons only)"
          output = "date_became_interested_person"

' Corporate Entities

      Case "Role of entity"
          output = "type"
      Case "Name of entity"
          output = "name"
      Case "Registered office addressproperty name or number"
          output = "ro_address_premises"
      Case "Registered office address property name or number"
          output = "ro_address_premises"
      Case "Registered office addressproperty name or number"
          output = "ro_address_premises"
      Case "Registered office address line 1"
          output = "ro_address_line_1"
      Case "Registered office address line 2 (optional)"
          output = "ro_address_line_2"
      Case "Registered office address city or town"
          output = "ro_address_locality"
      Case "Registered office address county, state, province or region (optional)"
          output = "ro_address_region"
      Case "Registered office address country"
          output = "ro_address_country"
      Case "Registered office address postcode or ZIP code (if applicable)"
          output = "ro_address_postal_code"
      Case "Correspondence address property name or number"
          output = "sa_address_premises"
      Case "Correspondence address line 1"
          output = "sa_address_line_1"
      Case "Correspondence address line 2 (optional)"
          output = "sa_address_line_2"
      Case "Correspondence address city or town"
          output = "sa_address_locality"
      Case "Correspondence address county, state, province or region (optional)"
          output = "sa_address_region"
      Case "Correspondence address country"
          output = "sa_address_country"
      Case "Correspondence address postcode or ZIP code (if applicable)"
          output = "sa_address_postal_code"
      Case "Country the entity was formed in"
          output = "identification_country_registration"
      Case "Governing law (this is the law it operates under)"
          output = "identification_legal_authority"
      Case "Legal form. For example, limited company."
          output = "identification_legal_form"
      Case "Name of the public register that the entity is on (if applicable)"
          output = "identification_place_registered"
      Case "Entity's registration number on the public register (if applicable)"
          output = "identification_registration_number"
      Case "Date it became an interested person (for interested persons only)"
          output = "date_became_interested_person"


        Case ""
            output = "NO_DATA"
        Case "Information shown on the public register"
            output = "NO_DATA"
        Case "None of the information you provide about the trust will be shown on the public Register of Overseas Entities. However, it may be shared with HMRC."
            output = "NO_DATA"
          
   End Select
     mapnames = output
End Function

VBA File Name: Sheet1, Stream Size: 1329

General
Stream Path:	VBA/Sheet1
VBA File Name:	Sheet1
Stream Size:	1329
Data ASCII:	. . . . . . . . . ^ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . p . . . . E ) . M C . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . : . u . : I . X e . . . . . . . . . . . . . . . . . . . . . . x . . . . : . u . : I . X e . E ) . M C . . . . . . M E . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . 6 " . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - . 0 . 0 . 0 . 0 . - .
Data Raw:	01 16 03 00 06 04 01 00 00 5e 03 00 00 e8 00 00 00 14 02 00 00 8c 03 00 00 9a 03 00 00 ee 03 00 00 80 04 00 00 00 00 00 00 01 00 00 00 ff ff ff ff 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 00 45 bd 29 05 4d 43 8d 93 bb d2 0a a8 0a a8 bb 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet2, Stream Size: 1148

General
Stream Path:	VBA/Sheet2
VBA File Name:	Sheet2
Stream Size:	1148
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . 9 . . . . . . . . . . . . . . \\ . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 .
Data Raw:	01 16 03 00 01 f4 00 00 00 de 02 00 00 d8 00 00 00 04 02 00 00 ff ff ff ff e5 02 00 00 39 03 00 00 cb 03 00 00 00 00 00 00 01 00 00 00 ff ff 5c 96 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet3, Stream Size: 1329

General
Stream Path:	VBA/Sheet3
VBA File Name:	Sheet3
Stream Size:	1329
Data ASCII:	. . . . . . . . . ^ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . p . . . F . m J . k f . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . 8 > 1 J : O r . . . . . . . . . . . . . . . . . . . . . . . x . . . . 8 > 1 J : O r . F . m J . k f . . . . M E . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . 6 " . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - . 0 . 0 . 0 . 0 . - . 0 . 0 .
Data Raw:	01 16 03 00 06 04 01 00 00 5e 03 00 00 e8 00 00 00 14 02 00 00 8c 03 00 00 9a 03 00 00 ee 03 00 00 80 04 00 00 00 00 00 00 01 00 00 00 ff ff ff ff 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 46 15 c5 d3 ee 6d 4a fd b6 11 b9 a2 87 6b 66 82 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet4, Stream Size: 1329

General
Stream Path:	VBA/Sheet4
VBA File Name:	Sheet4
Stream Size:	1329
Data ASCII:	. . . . . . . . . ^ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . p . . . . y " D $ r ] f . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . . G B . . N . . . . . . . . . . . . . . . . . . . . . . x . . . . . G B . . N . y " D $ r ] f . . . . M E . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . 6 " . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 .
Data Raw:	01 16 03 00 06 04 01 00 00 5e 03 00 00 e8 00 00 00 14 02 00 00 8c 03 00 00 9a 03 00 00 ee 03 00 00 80 04 00 00 00 00 00 00 01 00 00 00 ff ff ff ff 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 e4 14 e6 79 f2 22 44 8a a8 24 72 5d a3 66 df c7 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet4"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet5, Stream Size: 1329

General
Stream Path:	VBA/Sheet5
VBA File Name:	Sheet5
Stream Size:	1329
Data ASCII:	. . . . . . . . . ^ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . p . . . . . \| C . y e c . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . E . 2 I M z . c . . . . . . . . . . . . . . . . . . . . . . . x . . . . E . 2 I M z . c . . . \| C . y e c . . . . M E . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . 6 " . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - . 0 . 0 . 0 . 0 . - .
Data Raw:	01 16 03 00 06 04 01 00 00 5e 03 00 00 e8 00 00 00 14 02 00 00 8c 03 00 00 9a 03 00 00 ee 03 00 00 80 04 00 00 00 00 00 00 01 00 00 00 ff ff ff ff 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 e6 b5 0e 02 d2 7c 43 03 93 9a 79 65 63 83 84 9f 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet5"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet7, Stream Size: 1329

General
Stream Path:	VBA/Sheet7
VBA File Name:	Sheet7
Stream Size:	1329
Data ASCII:	. . . . . . . . . ^ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . p . . . e P z E m / . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . M W o F l ; * . . . . . . . . . . . . . . . . . . . . . . x . . . . M W o F l ; * e P z E m / . . . . M E . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . 6 " . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 .
Data Raw:	01 16 03 00 06 04 01 00 00 5e 03 00 00 e8 00 00 00 14 02 00 00 8c 03 00 00 9a 03 00 00 ee 03 00 00 80 04 00 00 00 00 00 00 01 00 00 00 ff ff ff ff 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 b2 65 50 94 7a f6 45 9f aa fb ac e0 ae 6d 97 2f 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet7"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: ThisWorkbook, Stream Size: 1156

General
Stream Path:	VBA/ThisWorkbook
VBA File Name:	ThisWorkbook
Stream Size:	1156
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . 9 . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . -
Data Raw:	01 16 03 00 01 f4 00 00 00 de 02 00 00 d8 00 00 00 04 02 00 00 ff ff ff ff e5 02 00 00 39 03 00 00 cb 03 00 00 00 00 00 00 01 00 00 00 ff ff ff ff 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Streams

Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 711

General
Stream Path:	PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	711
Entropy:	5.07704368192345
Base64 Encoded:	True
Data ASCII:	I D = " { 0 B A 8 D D 0 2 - 0 E 0 3 - 3 4 4 2 - A 7 9 1 - 8 F C C 3 4 5 1 5 5 C 4 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 4 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 5 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l e 1 . . D o c u m e n t = S h e e t 7 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0
Data Raw:	49 44 3d 22 7b 30 42 41 38 44 44 30 32 2d 30 45 30 33 2d 33 34 34 32 2d 41 37 39 31 2d 38 46 43 43 33 34 35 31 35 35 43 34 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 33 2f 26 48 30 30 30

Stream Path: PROJECTwm, File Type: data, Stream Size: 191

General
Stream Path:	PROJECTwm
CLSID:
File Type:	data
Stream Size:	191
Entropy:	3.1529191325831984
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 3 . S . h . e . e . t . 3 . . . S h e e t 4 . S . h . e . e . t . 4 . . . S h e e t 5 . S . h . e . e . t . 5 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . S h e e t 7 . S . h . e . e . t . 7 . . . S h e e t 2 . S . h . e . e . t . 2 . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 53 68 65 65 74 34 00 53 00 68 00 65 00 65 00 74 00 34 00 00 00 53 68 65 65 74 35 00 53 00 68 00 65 00 65 00 74 00 35 00 00 00 4d 6f 64 75 6c

Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 5230

General
Stream Path:	VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	5230
Entropy:	4.8463883780985775
Base64 Encoded:	False
Data ASCII:	a . . . . . . . . . . . . . ' . . . . . . . . . . . . . . . . @ . * . \\ . H . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 6 . . . 0 . # . 9 . # . / . A . p . p . l . i . c . a . t . i . o . n . s . / . M . i . c . r . o . s . o . f . t . . E . x . c . e . l . . . a . p . p . / . C . o . n . t . e . n . t . s . / . S . h . a . r . e . d . S . u . p . p . o . r . t . / . T . y . p . e . . L . i
Data Raw:	cc 61 df 00 00 03 00 ff 09 08 00 00 09 04 00 00 10 27 03 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 40 01 2a 00 5c 00 48 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 36 00 2e 00 30 00 23 00

Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 11440

General
Stream Path:	VBA/__SRP_0
CLSID:
File Type:	data
Stream Size:	11440
Entropy:	3.473454736944786
Base64 Encoded:	False
Data ASCII:	K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . .
Data Raw:	93 4b 2a df 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 05 00 00 00 00 00 01 00 02 00 05 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 01 00 02 00 01 00 00 00 00 00 01 00 00 00 03 00 00 00 00 00 01 00 02 00 03 00 00 00 00 00 01 00 00 00 07 00 00 00 00 00 01 00 02 00 07 00 00 00 00 00 01 00 00 00 02 00 00 00 00 00 01 00 02 00 02 00 00 00 00 00 01 00

Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 541

General
Stream Path:	VBA/__SRP_1
CLSID:
File Type:	data
Stream Size:	541
Entropy:	2.619396199691912
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ v . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . t a r g e t . . . . . . . . . . . . . . . . S t o r e T e x t . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 02 00 00 00 00 00 00 7e 76 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff 11 00 00 00 00 00 00 00 00 00

Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 12894

General
Stream Path:	VBA/__SRP_2
CLSID:
File Type:	data
Stream Size:	12894
Entropy:	4.2759294082066965
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . a . . . . . . . . . . . ! . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 40 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 00 00 00 7e 78 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 10 00 00 00 00 00 00 00 00 00 02 00 09 00 09 00 90 00 00 00 c1 0a 00 00 00 00 00 00 00 00 00 00 11 0c 00 00 00 00

Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 772

General
Stream Path:	VBA/__SRP_3
CLSID:
File Type:	data
Stream Size:	772
Entropy:	2.262130968771102
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . ` . . . . . . . . . . . . H . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . A . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . P . P . . . . . . . . . . . . . . . ` . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . X . A .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 10 00 00 00 08 00 38 00 f1 00 00 00 00 00 00 00 00 00 02 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00

Stream Path: VBA/__SRP_4, File Type: data, Stream Size: 464

General
Stream Path:	VBA/__SRP_4
CLSID:
File Type:	data
Stream Size:	464
Entropy:	1.6125343829533856
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . ` . . . 1 . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . D . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 05 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 a1 12 00 00 00 00 00 00 00 00 00 00 d1 12 00 00 00 00 00 00 00 00 00 00 01 13

Stream Path: VBA/__SRP_5, File Type: data, Stream Size: 106

General
Stream Path:	VBA/__SRP_5
CLSID:
File Type:	data
Stream Size:	106
Entropy:	1.3591119461716878
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . b . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 04 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 00 00 00 00 00 00 62 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00

Stream Path: VBA/__SRP_6, File Type: data, Stream Size: 464

General
Stream Path:	VBA/__SRP_6
CLSID:
File Type:	data
Stream Size:	464
Entropy:	1.6217254659415115
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . q . . . . . . . . . . . . . . . ` . . . 1 . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . D . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 07 00 20 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 41 1c 00 00 00 00 00 00 00 00 00 00 d1 12 00 00 00 00 00 00 00 00 00 00 71 1c

Stream Path: VBA/__SRP_7, File Type: data, Stream Size: 106

General
Stream Path:	VBA/__SRP_7
CLSID:
File Type:	data
Stream Size:	106
Entropy:	1.3591119461716878
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . b . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 06 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 00 00 00 00 00 00 62 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00

Stream Path: VBA/__SRP_8, File Type: data, Stream Size: 464

General
Stream Path:	VBA/__SRP_8
CLSID:
File Type:	data
Stream Size:	464
Entropy:	1.6319730683168638
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . ` . . . 1 . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . D . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 09 00 c0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 b1 1e 00 00 00 00 00 00 00 00 00 00 d1 12 00 00 00 00 00 00 00 00 00 00 e1 1e

Stream Path: VBA/__SRP_9, File Type: data, Stream Size: 106

General
Stream Path:	VBA/__SRP_9
CLSID:
File Type:	data
Stream Size:	106
Entropy:	1.3402440216433862
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . b . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 08 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 00 00 00 00 00 00 62 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00

Stream Path: VBA/__SRP_a, File Type: data, Stream Size: 464

General
Stream Path:	VBA/__SRP_a
CLSID:
File Type:	data
Stream Size:	464
Entropy:	1.630346155596684
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . q . . . . . . . . . . . . . . . ` . . . 1 . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . D . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 0b 00 20 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 11 1f 00 00 00 00 00 00 00 00 00 00 d1 12 00 00 00 00 00 00 00 00 00 00 41 1f

Stream Path: VBA/__SRP_b, File Type: data, Stream Size: 106

General
Stream Path:	VBA/__SRP_b
CLSID:
File Type:	data
Stream Size:	106
Entropy:	1.3591119461716878
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . b . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 0a 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 00 00 00 00 00 00 62 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00

Stream Path: VBA/__SRP_c, File Type: data, Stream Size: 464

General
Stream Path:	VBA/__SRP_c
CLSID:
File Type:	data
Stream Size:	464
Entropy:	1.6319730683168638
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . ` . . . 1 . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . D . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 0d 00 80 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 71 1f 00 00 00 00 00 00 00 00 00 00 d1 12 00 00 00 00 00 00 00 00 00 00 a1 1f

Stream Path: VBA/__SRP_d, File Type: data, Stream Size: 106

General
Stream Path:	VBA/__SRP_d
CLSID:
File Type:	data
Stream Size:	106
Entropy:	1.3591119461716878
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . b . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 0c 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 00 00 00 00 00 00 62 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00

Stream Path: VBA/dir, File Type: data, Stream Size: 831

General
Stream Path:	VBA/dir
CLSID:
File Type:	data
Stream Size:	831
Entropy:	6.5369046286896095
Base64 Encoded:	True
Data ASCII:	. ; . . . . . . . . 0 J . . . . . . . H * . . . . H . . T . . . ' . . . . V B . A P r o j e c t . . . . . @ . . . . . Z = . . . . r . . . . . . . . . B H d . . . E . J < . . . . . . . M . S F o r m s > . . . . . . S . F . o . . r . m . s . 3 . . . . * \\ H { 0 . D 4 5 2 E E 1 - . E 0 8 F - 1 0 1 . A - 8 . . - 0 2 6 . 0 8 C 4 D 0 B B . 4 } # 2 . 0 # 0 . # / A p p l i c . a t i o n s / M . i c r o s o f t . E x c e l . a . p p / C o n t e . n t s / S h a r . e d S u p p o r . t / T y p e L . i b r a r i
Data Raw:	01 3b b3 80 01 00 04 00 00 00 03 00 30 82 4a 02 90 00 00 01 00 02 02 48 2a 09 00 c0 14 06 48 03 00 54 00 00 20 10 27 04 00 0a 00 ac 56 42 00 41 50 72 6f 6a 65 63 74 a2 05 00 1a 00 00 40 02 0a 06 02 0a 5a 3d 02 0a 07 02 72 01 14 08 06 12 09 01 02 12 42 48 b9 64 04 00 0c 45 02 4a 3c 02 0a 16 00 07 00 07 4d 00 53 46 6f 72 6d 73 3e 00 02 0e 01 0c 00 53 00 46 00 6f 00 00 72 00 6d 00 73

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

• EXCEL.EXE

Click to jump to process

Memory Usage

• EXCEL.EXE

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

System Behavior

Analysis Process: EXCEL.EXEPID: 2768, Parent PID: 564

Function Logs

General

Target ID:	0
Start time:	19:02:05
Start date:	29/11/2023
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13fdb0000
File size:	28'253'536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

File Activities

File Opened

File Created

File Written

File Attributes Queried

Directory Queried

Other File Operations

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Created

Key Deleted

Key Value Created

Key Value Deleted

Key Value Queried

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

Show Windows behavior

Timing Activities

User Timer set

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Window UI Shown

Window UIs Event Hook Set

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Portions of files can also be encoded to hide the plaintext strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.
Tactics:	Defense Evasion
Data Sources:
Platforms:	Android, iOS
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Companies House Trust Excel Document.xlsm

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd

C:\Users\user\AppData\Local\Temp\~DFE1365C8194EC8BCD.TMP

C:\Users\user\Desktop\~$Companies House Trust Excel Document.xlsm

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Companies House Trust Excel Document.xlsm"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Module1, Stream Size: 31370

General

VBA Code

VBA File Name: Sheet1, Stream Size: 1329

General

VBA Code

VBA File Name: Sheet2, Stream Size: 1148

General

VBA Code

VBA File Name: Sheet3, Stream Size: 1329

General

VBA Code

VBA File Name: Sheet4, Stream Size: 1329

General

VBA Code

VBA File Name: Sheet5, Stream Size: 1329

General

VBA Code

VBA File Name: Sheet7, Stream Size: 1329

Windows Analysis Report
Companies House Trust Excel Document.xlsm