Windows Analysis Report
Purchase Order # PO-00159.xla.xlsx

Overview

General Information

Sample name:	Purchase Order # PO-00159.xla.xlsx
Analysis ID:	1446722
MD5:	a2e27ccfd115281542473a2a75817b7b
SHA1:	6fe6c950003d0d574741d68dcaad6f19e76a296e
SHA256:	405173d3f4b78123bdb8d7d14009fe634d7ad45294032b94690836702f2216c7
Tags:	xlaxlsx
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Excel sheet contains many unusual embedded objects

Document contains embedded VBA macros

Document misses a certain OLE stream usually present in this Microsoft Office document type

IP address seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Sigma detected: Excel Network Connections

Sigma detected: Suspicious Office Outbound Connections

Uses a known web browser user agent for HTTP communication

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: Purchase Order # PO-00159.xla.xlsx

ReversingLabs: Detection: 13%

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: qr-in.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:80
Source: global traffic	TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 188.114.96.3:80

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /YXcuqXy HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qr-in.comConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BB4DC9C1.emf

Jump to behavior

Source: global traffic

DNS traffic detected: DNS query: qr-in.com

Source: Purchase Order # PO-00159.xla.xlsx, 69930000.0.dr

String found in binary or memory: http://qr-in.com/YXcuqXy

System Summary

Excel sheet contains many unusual embedded objects

Source: Purchase Order # PO-00159.xla.xlsx	OLE: Microsoft Excel 2007+
Source: ~DFF6AD63B7AC6BEEB6.TMP.0.dr	OLE: Microsoft Excel 2007+
Source: ~DF5D105711B4331728.TMP.0.dr	OLE: Microsoft Excel 2007+
Source: 69930000.0.dr	OLE: Microsoft Excel 2007+

Document contains embedded VBA macros

Source: Purchase Order # PO-00159.xla.xlsx

OLE indicator, VBA macros: true

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: ~DFF6AD63B7AC6BEEB6.TMP.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DF5D105711B4331728.TMP.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: classification engine

Classification label: mal52.winXLSX@1/12@1/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Purchase Order # PO-00159.xla.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR7722.tmp

Jump to behavior

Source: Purchase Order # PO-00159.xla.xlsx	OLE indicator, Workbook stream: true
Source: 69930000.0.dr	OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Purchase Order # PO-00159.xla.xlsx

ReversingLabs: Detection: 13%

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: ~DFF6AD63B7AC6BEEB6.TMP.0.dr

Initial sample: OLE indicators vbamacros = False

Source: Purchase Order # PO-00159.xla.xlsx

Initial sample: OLE indicators encrypted = True

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Purchase Order # PO-00159.xla.xlsx	Stream path 'Workbook' entropy: 7.99322703687 (max. 8.0)
Source: 69930000.0.dr	Stream path 'Workbook' entropy: 7.98794374626 (max. 8.0)

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	qr-in.com	European Union		13335	CLOUDFLARENETUS	false

Contacted Domains

Name	IP	Active
qr-in.com	188.114.96.3	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://qr-in.com/YXcuqXy	false	Avira URL Cloud: safe	unknown

ID:	1446722
Product:	CloudBasic
Start time:	20:36:28
Start date:	23.05.2024
Sample:	Purchase Order # PO-00159.xla.xlsx
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	a2e27ccfd115281542473a2a75817b7b
SHA1:	6fe6c950003d0d574741d68dcaad6f19e76a296e
SHA256:	405173d3f4b78123bdb8d7d14009fe634d7ad45294032b94690836702f2216c7
Filetype:	Microsoft Excel sheet (30009/1) 47.99%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\352F24CE.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	A4D3F37D25C314D8BD34E11152527E97	6DF7C881FE8102F196CAE0D5AF9C00CC26583B02	E0B38B2C8079038B0C98440A0A5945CBB86A41B72154D83EE25F8D362020F9BF
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BB4DC9C1.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	CD78AE619197FA75843156DA0B4F3E0A	5C6BB2AE4AD7AEFDD695D0170DC788AA27A9BA49	9B26725712337E5DBE305908ADEA4446BBF34FAC67A34F6E7EAA699BAED8F7C1
C:\Users\user\AppData\Local\Temp\ED830000	CDFV2 Encrypted	8AF4893A37355B1DD7C3C6732A19780B	4460A902FB8299FEF9FF0991D8CF9D0432675624	7723B006D1E6E7C16F69CF2C0BF790515EDAD11DBAD81DC5A843370A8BC78291
C:\Users\user\AppData\Local\Temp\~$imgs.xlsx	data	797869BB881CFBCDAC2064F92B26E46F	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
C:\Users\user\AppData\Local\Temp\~DF21CF0594A7B9BFCC.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\user\AppData\Local\Temp\~DF316EEE353DDD792D.TMP	data	675C1F4F83496C5623227C857B489209	3D04DA570CC915EE2AE31BD2C9D6125B9205D824	82A7EF34D64CE883C1043DAAF4BD35B3C575057FBE4CFA845BDFCA38D40CDA9A
C:\Users\user\AppData\Local\Temp\~DF5D105711B4331728.TMP	Composite Document File V2 Document, Cannot read section info	4C4C6580220C615046E2898FE7DFC3CF	8A1A216F47D798FD8C18FCBB3ED2F934853E4174	928FC360D5F26EB7F67F0757E29AF756A60A1519380F17601AE5A446C41EE488
C:\Users\user\AppData\Local\Temp\~DFF6AD63B7AC6BEEB6.TMP	Composite Document File V2 Document, Cannot read section info	5E2CD8181F4A6BB4A30CAF8F68F537CB	6A115836FAFD5969D3FB15D3D370A0C708CCC83E	03912622F6CCEA9A7FC7A26D44A69902476E762F0A8B68463C0EA11721A2524A
C:\Users\user\Desktop\69930000	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu May 23 19:38:33 2024, Security: 1	1B70C9202AEF50D15E94F096C78B326A	92AC832678312B47EDEACED8664ABA89AC25D1E0	6293DAA5DC1F6D623F255B72303FBD47FEE57FF007842496C481E571A9816093
C:\Users\user\Desktop\69930000:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\Desktop\Purchase Order # PO-00159.xla.xls (copy)	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu May 23 19:38:33 2024, Security: 1	1B70C9202AEF50D15E94F096C78B326A	92AC832678312B47EDEACED8664ABA89AC25D1E0	6293DAA5DC1F6D623F255B72303FBD47FEE57FF007842496C481E571A9816093
C:\Users\user\Desktop\~$Purchase Order # PO-00159.xla.xlsx	data	797869BB881CFBCDAC2064F92B26E46F	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185

Windows Analysis Report
Purchase Order # PO-00159.xla.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report Purchase Order # PO-00159.xla.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Purchase Order # PO-00159.xla.xlsx