Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
April_2024.xlsx

Overview

General Information

Sample name:	April_2024.xlsx
Analysis ID:	1447845
MD5:	540d4503a8980abd04ae7d4a1893ad13
SHA1:	c2c3e388008debe8a5168a14a5a03195e01e3767
SHA256:	4d718458b777b4d4f03218570a02289fc75b794000166023554db12091e81a69

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Queries information about the installed CPU (vendor, model number etc)

Classification

×

Process Tree

System is w10x64_ra

EXCEL.EXE (PID: 2396 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\April_2024.xlsx" MD5: 4A871771235598812032C822E6F68F19)

cleanup

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: excel.exe

Memory has grown: Private usage: 6MB later: 94MB

Source: classification engine

Classification label: clean0.winXLSX@1/0@0/3

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\Desktop\~$April_2024.xlsx

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{861A0BA9-0AB9-4F74-8976-2FD20B785159} - OProcSessId.dat

Source: April_2024.xlsx

OLE indicator, Workbook stream: true

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet4.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet5.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet6.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet7.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet8.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet9.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet10.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet11.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet12.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet13.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet14.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet4.xml.rels
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet6.xml.rels
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet7.xml.rels
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet8.xml.rels
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet9.xml.rels
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet11.xml.rels
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet12.xml.rels
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet13.xml.rels
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet14.xml.rels
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotTables/_rels/pivotTable1.xml.rels
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotTables/_rels/pivotTable2.xml.rels
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotTables/_rels/pivotTable3.xml.rels
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotTables/_rels/pivotTable4.xml.rels
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotTables/_rels/pivotTable5.xml.rels
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotTables/pivotTable1.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotTables/pivotTable2.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotTables/pivotTable3.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotTables/pivotTable4.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotTables/_rels/pivotTable6.xml.rels
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotTables/_rels/pivotTable7.xml.rels
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotTables/pivotTable5.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotTables/pivotTable6.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotTables/pivotTable7.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet10.xml.rels
Source: April_2024.xlsx	Initial sample: OLE zip file path = docProps/thumbnail.wmf
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet3.xml.rels
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotCache/pivotCacheDefinition1.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotCache/pivotCacheRecords1.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotCache/pivotCacheDefinition2.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotCache/pivotCacheRecords2.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotCache/pivotCacheDefinition3.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotCache/pivotCacheRecords3.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotCache/pivotCacheDefinition4.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotCache/pivotCacheRecords4.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotCache/pivotCacheDefinition5.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotCache/pivotCacheRecords5.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotCache/pivotCacheDefinition6.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotCache/pivotCacheDefinition7.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: April_2024.xlsx	Initial sample: OLE zip file path = customXml/itemProps3.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/tables/table1.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: April_2024.xlsx	Initial sample: OLE zip file path = docProps/custom.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings5.bin
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotCache/_rels/pivotCacheDefinition1.xml.rels
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotCache/_rels/pivotCacheDefinition2.xml.rels
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotCache/_rels/pivotCacheDefinition3.xml.rels
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotCache/_rels/pivotCacheDefinition4.xml.rels
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/pivotCache/_rels/pivotCacheDefinition5.xml.rels
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings6.bin
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings4.bin
Source: April_2024.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings7.bin
Source: April_2024.xlsx	Initial sample: OLE zip file path = customXml/item2.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = customXml/item3.xml
Source: April_2024.xlsx	Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: April_2024.xlsx	Initial sample: OLE zip file path = customXml/_rels/item3.xml.rels

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Source: April_2024.xlsx

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Process information queried: ProcessInformation

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Extra Window Memory Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Extra Window Memory Injection	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
52.109.28.46	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447845
Start date and time:	2024-05-27 09:04:51 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	April_2024.xlsx
Detection:	CLEAN
Classification:	clean0.winXLSX@1/0@0/3
Cookbook Comments:	Found application associated with file extension: .xlsx

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.28.46
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, config.officeapps.live.com, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, officeclient.microsoft.com, europe.configsvc1.live.com.akadns.net, uks-azsc-config.officeapps.live.com
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	Microsoft Excel 2007+
Entropy (8bit):	7.972364435437886
TrID:	Excel Microsoft Office Open XML Format document (40004/1) 83.33% ZIP compressed archive (8000/1) 16.67%
File name:	April_2024.xlsx
File size:	716'990 bytes
MD5:	540d4503a8980abd04ae7d4a1893ad13
SHA1:	c2c3e388008debe8a5168a14a5a03195e01e3767
SHA256:	4d718458b777b4d4f03218570a02289fc75b794000166023554db12091e81a69
SHA512:	27e3e8f8ca608666f52772b6fd639aa8c2f78f8a3a5fe67094f13e271a497f4340e1e7bb533fc805d35011ebb613a27a88322aee19ac4abe0090324c662a6870
SSDEEP:	12288:y/qmEitn92LCyrq4A6ETrvaMwcYd4nmlZxvZsqvZar1GETq1kAPYO7FOycZT:OqVm9Pt6SrvaMwcYd4nmlZxvZsqq7T6C
TLSH:	9EE41259E32A40B4D344087ED84C5CD9688A908DC5C6EF23399577B86F329EA3F8D7C6
File Content Preview:	PK..........!....=....I.......[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	35e58a8c0c8a85b9

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "April_2024.xlsx"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False