Windows Analysis Report
Payment Advice.xls

Overview

General Information

Sample name: Payment Advice.xls
Analysis ID: 1559094
MD5: 56821dcc602eb746c433a33f0b89808e
SHA1: 757059c1429ac7250ed56ddab56f8c893d265c7e
SHA256: 58a80743333e461c9a69b9201ad29f667baa8d95789f66f11c49232b4a58005d
Tags: xls, user-abuse_ch

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Machine Learning detection for sample
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 3348 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • AcroRd32.exe (PID: 3560 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding MD5: 2F8D93826B8CBF9290BC57535C7A6817)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Payment Advice.xls | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\~DFC075A240B8575F1A.TMP | Avira: detection malicious, Label: TR/AVI.Agent.xoswb
Source: Payment Advice.xls | ReversingLabs: Detection: 26%
Source: Payment Advice.xls | Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7720F2A3.emf
Source: Payment Advice.xls, 9A330000.0.dr | String found in binary or memory: https://provit.uk/uEh6tW?&face=romantic&armenian=divergent&step-aunt=upbeat&product=fair&cricket

System Summary

Source: Payment Advice.xls | OLE: Microsoft Excel 2007+
Source: ~DFC075A240B8575F1A.TMP.0.dr | OLE: Microsoft Excel 2007+
Source: 9A330000.0.dr | OLE: Microsoft Excel 2007+
Source: Payment Advice.xls | OLE indicator, VBA macros: true
Source: Payment Advice.xls | Stream path 'MBD003AA7BB/\x1Ole' : https://provit.uk/uEh6tW?&face=romantic&armenian=divergent&step-aunt=upbeat&product=fair&cricketJ1XFRD%raSzuZ.{LN)P\09Q|;#{S>0OeX$@i6F1I[iRud+gC~2Dcu4Umvb7BnxLGVVbqXocysuXIHpMKtJGJslM7UJIfmn7FZ69zr678Ja8mJHrr=FxJ'ZJ"vyJ4|xH
Source: 9A330000.0.dr | Stream path 'MBD003AA7BB/\x1Ole' : https://provit.uk/uEh6tW?&face=romantic&armenian=divergent&step-aunt=upbeat&product=fair&cricketJ1XFRD%raSzuZ.{LN)P\09Q|;#{S>0OeX$@i6F1I[iRud+gC~2Dcu4Umvb7BnxLGVVbqXocysuXIHpMKtJGJslM7UJIfmn7FZ69zr678Ja8mJHrr=FxJ'ZJ"vyJ4|xH
Source: ~DFC075A240B8575F1A.TMP.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: classification engine | Classification label: mal76.expl.winXLS@3/16@0/0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\9A330000
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRA9A6.tmp
Source: Payment Advice.xls | OLE indicator, Workbook stream: true
Source: PORTS SITUATION BULK CARRIERS.xlsx.0.dr | OLE indicator, Workbook stream: true
Source: 9A330000.0.dr | OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: Payment Advice.xls | ReversingLabs: Detection: 26%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process created: unknown unknown
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: PORTS SITUATION BULK CARRIERS.xlsx.0.dr | Initial sample: OLE zip file path = xl/calcChain.xml
Source: PORTS SITUATION BULK CARRIERS.xlsx.0.dr | Initial sample: OLE zip file path = docProps/thumbnail.wmf
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: Payment Advice.xls | Static file information: File size 1136640 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: PORTS SITUATION BULK CARRIERS.xlsx.0.dr | Initial sample: OLE indicators vbamacros = False
Source: Payment Advice.xls | Initial sample: OLE indicators encrypted = True
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Process information set: NOOPENFILEERRORBOX
Source: Payment Advice.xls | Stream path 'MBD003AA7BA/Package' entropy: 7.99637913196 (max. 8.0)
Source: Payment Advice.xls | Stream path 'Workbook' entropy: 7.99877927517 (max. 8.0)
Source: ~DFC075A240B8575F1A.TMP.0.dr | Stream path 'Package' entropy: 7.99441241291 (max. 8.0)
Source: 9A330000.0.dr | Stream path 'MBD003AA7BA/Package' entropy: 7.99441241291 (max. 8.0)
Source: 9A330000.0.dr | Stream path 'Workbook' entropy: 7.99785841041 (max. 8.0)
ATT&CK matrix, listed per tactic (a number in parentheses is the count of matched signatures for that technique):

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
  • Resource Development: Scripting (1); Domains; DNS Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts
  • Execution: Exploitation for Client Execution (1); Scheduled Task/Job; At
  • Persistence: Scripting (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
  • Defense Evasion: Masquerading (1); Process Injection (1); Obfuscated Files or Information (1)
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
  • Discovery: File and Directory Discovery (1); System Information Discovery (1); Query Registry
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
  • Command and Control: Ingress Tool Transfer (1); Junk Data; Steganography
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Source | Detection | Scanner | Label | Link
Payment Advice.xls | 26% | ReversingLabs | Win32.Exploit.CVE-2017-0199 |
Payment Advice.xls | 100% | Avira | TR/AVI.Agent.xoswb |
Payment Advice.xls | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\~DFC075A240B8575F1A.TMP | 100% | Avira | TR/AVI.Agent.xoswb |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
https://provit.uk/uEh6tW?&face=romantic&armenian=divergent&step-aunt=upbeat&product=fair&cricket | 0% | Avira URL Cloud | safe |

No contacted domains info

Name | Source | Malicious | Antivirus Detection | Reputation
https://provit.uk/uEh6tW?&face=romantic&armenian=divergent&step-aunt=upbeat&product=fair&cricket | Payment Advice.xls, 9A330000.0.dr | false | Avira URL Cloud: safe | unknown

No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1559094
Start date and time: 2024-11-20 07:51:32 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 14s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Payment Advice.xls
Detection: MAL
Classification: mal76.expl.winXLS@3/16@0/0
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .xls
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Active ActiveX Object
  • Active ActiveX Object
  • Scroll down
  • Close Viewer
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
  • Report size getting too big, too many NtQueryValueKey calls found.

Time | Type | Description
01:53:12 | API Interceptor | 74x Sleep call for process: AcroRd32.exe modified
No context
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Category: dropped
Size (bytes): 7440
Entropy (8bit): 5.6312448977812695
Encrypted: false
SSDEEP: 96:PV1Ipi7blJaXn/08zDefAm/luoOHo6MiDbDda91RjTBbPxmPAWmOHDx:PVxvTNAK4oOIGbK1RvVwPAWmOHDx
MD5: DEA1DEA8BEA479821FA2AC1C565B6E56
SHA1: 86865637336A9FEFA98AC5ABD189A848BE8852D4
SHA-256: 64832E2264B5A851EE2CC7E048DA437D6F41B1C3DCAA385971DAA1B502A11125
SHA-512: 1E1858F58748BF88DAB254F524943AC2C8576B4546AA67E37DFFE8917396A1CCCBA3964554AA77C599DD1CA184A56B8AFC3406A14C880A1B88D163EB04BACA1C
Malicious: false
Reputation: low
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Category: dropped
Size (bytes): 3191264
Entropy (8bit): 2.0118490192617995
Encrypted: false
SSDEEP: 6144:nA0Ki15RlURvLuky+NkuCVAKERludvLuk0Vgk9CVnOKAOK1:P5RlMHk5ERlyDkr8a
MD5: 04A17584C7203C47419D4AC2163B98C6
SHA1: 485E17A82AE4672AC8D4B542CA0F509B80C0C4DF
SHA-256: EBA2B7C929B2EAA16FB1F733B7ACDDDFD80635A7211B3FBE400FF2796C17827E
SHA-512: 043092951F27E81FF96DA084E8112107D6F00DAEE83ADA80132BEC696E56309D16FDDED39F7F3810CA58BB6357CC6A75718CDD2F7B4342CF82D0421B7681A88C
Malicious: false
Reputation: low
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Category: dropped
Size (bytes): 1504468
Entropy (8bit): 1.7693060102813485
Encrypted: false
SSDEEP: 3072:L+6i9zy7v2/uEB1A/meRlmRYT9FANxg2WUZUKdRLuk0VgHPLk9CVi:LKERludvLuk0Vgk9CVi
MD5: EF3C18CC49B02153C770DB977B2E7435
SHA1: D436E0F820DDBBA10DB4D3F1243ED3AA6468C057
SHA-256: F328FB5B6055B687344190BB13D8DD6CDF6EA76D4AAAE6C5112DEC1B32ACE3C2
SHA-512: 2081EF5EE87A360894B8726494F30DFEEFF7D922E733D2E633A3D010DE56C6A4CAEADEEBE4CD12A28658AE250ADE3B093F2FAB032B92A31D511D9C99A12AF337
Malicious: false
Reputation: moderate, very likely benign file
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Category: dropped
Size (bytes): 3064680
Entropy (8bit): 1.8507381356738084
Encrypted: false
SSDEEP: 6144:NaeRlcBvLukyV6kTCVQKERludvLuk0Vgk9CVX:oeRlM7kmERlyDku
MD5: 93774BB9AECD3837D6496AE965D1BD80
SHA1: AE60D6A30E74BB5BE492CA71B82205D5C6B850C4
SHA-256: 6CDB58A3C6906A6DD49DB83340ACC7AF0B7C7BBA5C01D8B0A9F562AEBDC85897
SHA-512: 3810C4CDE003BAF916D626A41C0534BF421F5CDBF64D897F385FEDA36F556B6FECC27DB294A39F89C82DF0570424DE2EBB789E0B2294D42BFF80A64756257BD6
Malicious: false
Reputation: moderate, very likely benign file
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Category: dropped
Size (bytes): 1296688
Entropy (8bit): 3.5917537931564727
Encrypted: false
SSDEEP: 6144:eMg23s01u2uIfTlw35YFhkndm9wHiT53ZkyOmCl6PV2yuxOKoOKg:OOWQTi35nH1RW7vAf
MD5: 9DDA150CE7CAF9FEA68E1AF0084FD0F1
SHA1: 75CACBC8BEB5E226C44A79B489F76EB4CF01990F
SHA-256: 62774D456C891B03F72B0C6ADF8264ADF98E66129D1C876A5915D889553AB5A5
SHA-512: CF65990EFD7688CFE5FA3BB0C8894EBABF3A1FDAF2951EA2346A301377051D9FFAFCE06F10ACC44803D929CE64DA2D45B18675B58BAF0FFB9580394ABD561E98
Malicious: false
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Microsoft Excel 2007+
Category: dropped
Size (bytes): 24052
Entropy (8bit): 7.652425367216495
Encrypted: false
SSDEEP: 384:EaNYaTXe5BPJ2cpRYnyAt3TtsVaWtmGJA8+6qdPGlDLRoucPQFVJG:Ea6aje5BP7RMYt9h44wQFV4
MD5: AE24ADB29E22854D176245019B60E937
SHA1: 28E9F74782AA0D138EE52E3191248F827BF27A1D
SHA-256: 5BF5C455288A0B5184B23744506939B604BF402E346AFAE18269BBE888412129
SHA-512: 10AE2624E874CBA663DA08AA0C0FEBE19421FD01F72D54957F22A028A58A33BD4078C6A9CCA7CDAB94FC59030894BEA018141E6920AF4E926155C7EE49B6507D
Malicious: false
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:gAWY3n:qY3n
MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1: D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512: AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious: false
Preview: [ZoneTransfer]..ZoneId=3..
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 684032
Entropy (8bit): 7.93920328752962
Encrypted: false
SSDEEP: 12288:SI90mnOAj+5nXpL3VRqfPSMCfhhBKJ+XleX4IOmkqJ5PL+xDuapdfq3:jTOA4tlRwSNjBKJ+XI4Rmf5T+Zbq
MD5: 5E59CA1B10907FE670DB2A4DEAA170DC
SHA1: 89E163AA6AD81EA006059B3E8BD92D6B97BAC8FA
SHA-256: DB7A1506D52B11DC5B32F707B497497C51096B8F8C48A3B7B9DC6662E3D07923
SHA-512: A4996ACC94B4F3458C5986B63BFF20D4F23FB714C149FC495A264CE3637674E82B63D15E2A0B21838431527F7FAC80D1BDBE9C9CAF63774D4E5180CE921A179A
Malicious: false
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 512
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA1: 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512: DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious: false
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 512
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA1: 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512: DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious: false
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):676352
Entropy (8bit):7.983690898182405
Encrypted:false
SSDEEP:12288:jI90mnOAj+5nXpL3VRqfPSMCfhhBKJ+XleX4IOmkqJ5PL+xDuapdfq3:sTOA4tlRwSNjBKJ+XI4Rmf5T+Zbq
MD5:3994EB1ED60D61B021A03F64DC46E86E
SHA1:40E76D500B6E95389550572C5B742E602C19B9D8
SHA-256:CD3B55D5409CA130078E38ABDA33F83241AD0F372D3979762B675D42A8E23785
SHA-512:DFCB012E0E498E07F34BD54F0149E811B29871323777EDA33D197701905CE4B64C0E2E5C3E302493E04A4BA5DA5615126B4EFC5FD402590515F5614413EB7684
Malicious:true
Antivirus:
  • Antivirus: Avira, Detection: 100%
Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:data
Category:dropped
Size (bytes):10240
Entropy (8bit):0.6739662216458647
Encrypted:false
SSDEEP:12:Ppb0slZp69PO9tauZ7nH2AaYSQ81v0t4TreIBUxFj87+k/R:RbG4WuZfKZ1c+reIAon/R
MD5:C61F99FE7BEE945FC31B62121BE075CD
SHA1:083BBD0568633FECB8984002EB4FE8FA08E17DD9
SHA-256:1E0973F4EDEF345D1EA8E90E447B9801FABDE63A2A1751E63B91A8467E130732
SHA-512:46D743C564A290EDFF307F8D0EF012BB01ED4AA6D9667E87A53976B8F3E87D78BEBE763121A91BA8FB5B0CF5A8C9FDE313D7FBD144FB929D98D7D39F4C9602C9
Malicious:false
Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:data
Category:dropped
Size (bytes):24152
Entropy (8bit):0.7513521539333206
Encrypted:false
SSDEEP:24:CMLhbFnirW0rAHV4Ji9Tp5fGtFTIvs5/KUC6m6C9xRjNi1uiHIzVp9:CMBFF0kKJoTetFTFZKR6axR6uiozVb
MD5:8A8D71BED4B5760F2F82C680C2C8CACC
SHA1:FA589EA7BA858C514079289BCEA3625432110427
SHA-256:78CF9C5CCAC6BEF4326F7514D4083BBC223347412A3D2975EDA8AD679D4EEB2B
SHA-512:8D06BAC9D7433AAAD1126CF922F133FF2946A830507BFA0308677D3D81E5559A708D7733BB87C9CA70A8146DD6C2DB5B50A4D97F9442FE615483711B12445BC9
Malicious:false
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Nov 20 06:53:14 2024, Security: 1
Category:dropped
Size (bytes):935936
Entropy (8bit):7.986032953834692
Encrypted:false
SSDEEP:24576:GTOA4tlRwSNjBKJ+XI4Rmf5T+ZbqMnUspWk:3lR/NjBKJCgfFcqGUspWk
MD5:DA9AE8C1C57A5D633DF72DE0356103AF
SHA1:8C1B5C78F8FD4F16B730BE1A023443612A959970
SHA-256:7BF1723E0A07F7064938EB779F53F358D1BE83EB7F46B4476AF3B5892BFB3B7A
SHA-512:B48A4164E28780B82DE1FC1D848182513DD9159A8F1B4690EC28B86E9F991B2541F4654852DC96228FA8F59ACAF96DAD4A6FBFA42DBB7ECACC0764526462EDB5
Malicious:false
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:false
Preview:[ZoneTransfer]....ZoneId=0
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Nov 20 06:53:14 2024, Security: 1
Category:dropped
Size (bytes):935936
Entropy (8bit):7.986032953834692
Encrypted:false
SSDEEP:24576:GTOA4tlRwSNjBKJ+XI4Rmf5T+ZbqMnUspWk:3lR/NjBKJCgfFcqGUspWk
MD5:DA9AE8C1C57A5D633DF72DE0356103AF
SHA1:8C1B5C78F8FD4F16B730BE1A023443612A959970
SHA-256:7BF1723E0A07F7064938EB779F53F358D1BE83EB7F46B4476AF3B5892BFB3B7A
SHA-512:B48A4164E28780B82DE1FC1D848182513DD9159A8F1B4690EC28B86E9F991B2541F4654852DC96228FA8F59ACAF96DAD4A6FBFA42DBB7ECACC0764526462EDB5
Malicious:true
File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Nov 19 10:26:07 2024, Security: 1
Entropy (8bit):7.9803914567037655
TrID:
  • Microsoft Excel sheet (30009/1) 47.99%
  • Microsoft Excel sheet (alternate) (24509/1) 39.20%
  • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:Payment Advice.xls
File size:1'136'640 bytes
MD5:56821dcc602eb746c433a33f0b89808e
SHA1:757059c1429ac7250ed56ddab56f8c893d265c7e
SHA256:58a80743333e461c9a69b9201ad29f667baa8d95789f66f11c49232b4a58005d
SHA512:b684e8990bb2d5be7b687ede6f4ae6cb5ce3605cc5013f97c1c239ef41d8797985b4b9de22e4ac90b462626984f31410fd831bc61c52dcd5e76bc97b66bcc533
SSDEEP:24576:Suq9PLiijE2Z5Z2amSRQnNF84LJQoheMaJw:SuEPLiij7Z5ZKSRYFjLJQohsw
TLSH:95352326FD85DB4BE697AA321C83D8B220547C93FE6413452B31F71E287D8B56F83486
Icon Hash:276ea3a6a6b7bfbf
Document Type:OLE
Number of OLE Files:1
Has Summary Info:
Application Name:Microsoft Excel
Encrypted Document:True
Contains Word Document Stream:False
Contains Workbook/Book Stream:True
Contains PowerPoint Document Stream:False
Contains Visio Document Stream:False
Contains ObjectPool Stream:False
Flash Objects Count:0
Contains VBA Macros:True
Code Page:1252
Author:
Last Saved By:
Create Time:2006-09-16 00:00:00
Last Saved Time:2024-11-19 10:26:07
Creating Application:Microsoft Excel
Security:1
Document Code Page:1252
Thumbnail Scaling Desired:False
Contains Dirty Links:False
Shared Document:False
Changed Hyperlinks:False
Application Version:786432
General
Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:Sheet1.cls
Stream Size:977
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . o h . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 fc 6f 68 fd 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

General
Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name:Sheet2.cls
Stream Size:977
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . o x . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 fc 6f 78 ed 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

General
Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
VBA File Name:Sheet3.cls
Stream Size:977
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . o 5 . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 fc 6f 35 85 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

General
Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:ThisWorkbook.cls
Stream Size:985
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . o . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . - . 0
Data Raw:01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 fc 6f df da 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

General
Stream Path:\x1CompObj
CLSID:
File Type:data
Stream Size:114
Entropy:4.25248375192737
Base64 Encoded:True
Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
General
Stream Path:\x5DocumentSummaryInformation
CLSID:
File Type:data
Stream Size:244
Entropy:2.889430592781307
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00
General
Stream Path:\x5SummaryInformation
CLSID:
File Type:data
Stream Size:200
Entropy:3.3020681057018666
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . | . # . @ . . . I q m : . . . . . . . . .
Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00
General
Stream Path:MBD003AA7BA/\x1CompObj
CLSID:
File Type:data
Stream Size:99
Entropy:3.631242196770981
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
General
Stream Path:MBD003AA7BA/Package
CLSID:
File Type:Microsoft Excel 2007+
Stream Size:781878
Entropy:7.996379131960943
Base64 Encoded:True
Data ASCII:P K . . . . . . . . . . ! . j A 3 . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:50 4b 03 04 14 00 06 00 08 00 00 00 21 00 6a 41 33 c9 e9 01 00 00 fc 08 00 00 13 00 e1 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 dd 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
General
Stream Path:MBD003AA7BB/\x1Ole
CLSID:
File Type:data
Stream Size:529
Entropy:5.161514005406144
Base64 Encoded:False
Data ASCII:. . . . . , N L 2 . . . . . . . . . . . . 3 . . . y . . . K . / . . . h . t . t . p . s . : . / . / . p . r . o . v . i . t . . . u . k . / . u . E . h . 6 . t . W . ? . & . f . a . c . e . = . r . o . m . a . n . t . i . c . & . a . r . m . e . n . i . a . n . = . d . i . v . e . r . g . e . n . t . & . s . t . e . p . - . a . u . n . t . = . u . p . b . e . a . t . & . p . r . o . d . u . c . t . = . f . a . i . r . & . c . r . i . c . k . e . t . . . . J 1 X . . . . F . R D % r a S . . z u . Z . { L N )
Data Raw:01 00 00 02 1f ac 2c 4e ac 4c ae 32 00 00 00 00 00 00 00 00 00 00 00 00 33 01 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b 2f 01 00 00 68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 70 00 72 00 6f 00 76 00 69 00 74 00 2e 00 75 00 6b 00 2f 00 75 00 45 00 68 00 36 00 74 00 57 00 3f 00 26 00 66 00 61 00 63 00 65 00 3d 00 72 00 6f 00 6d 00 61 00 6e 00 74 00 69 00 63 00 26 00
General
Stream Path:Workbook
CLSID:
File Type:Applesoft BASIC program data, first line number 16
Stream Size:330953
Entropy:7.998779275173815
Base64 Encoded:True
Data ASCII:. . . . . . . . . . . . . . . . . / . 6 . . . . . . . . F 5 O . % Q / 6 Q . . . f 1 . + 3 . D . L . . . . . . . ^ . . . \\ . p . k ' P L / 3 . . @ . . u w . . s f 9 < * B * > . ! . z d 3 o . + 2 } . . 1 3 3 P . . . q 9 S + [ . . I H . B . . . \\ a . . . o ` . . . = . . . " F s . . . I . x h . a ~ . . U 9 . . . . . . . . n J . . . . 9 . . . . ' . . . . c . . . . q = . . . o 6 = ^ R . . p a . J @ . . . . . . t " . . . . . . . m . . . . . . . . 1 . . . . N N ) ( . > U . ? . . T I 1 . . . > L o O 9 . x . g
Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 1c 88 46 35 b2 4f 2e f3 25 bc 8e 51 f3 b9 de ea af 2f 87 36 51 b6 1c ea d2 93 0d 84 be 9c 8e 66 ab 31 ce df b8 f6 fe 2b fe 33 18 44 c3 a9 4c 8e e1 00 02 00 b0 04 c1 00 02 00 5e cb e2 00 00 00 5c 00 70 00 6b 27 ea 50 4c 2f 33 83 f9 e2 a4 15 b6 18 fb 86 40 db a3 05 fd 75 b8 77 ab a4 92 18 cd 7f
General
Stream Path:_VBA_PROJECT_CUR/PROJECT
CLSID:
File Type:ASCII text, with CRLF line terminators
Stream Size:525
Entropy:5.222634301498463
Base64 Encoded:True
Data ASCII:I D = " { 6 B 8 4 0 D 7 9 - D 4 0 8 - 4 E D 6 - B 8 1 2 - 6 7 A 5 5 7 9 E 6 3 D E } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " D 6 D 4 3 5 B D 3 5 C D 3 B D 1 3
Data Raw:49 44 3d 22 7b 36 42 38 34 30 44 37 39 2d 44 34 30 38 2d 34 45 44 36 2d 42 38 31 32 2d 36 37 41 35 35 37 39 45 36 33 44 45 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30
General
Stream Path:_VBA_PROJECT_CUR/PROJECTwm
CLSID:
File Type:data
Stream Size:104
Entropy:3.0488640812019017
Base64 Encoded:False
Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00
General
Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
CLSID:
File Type:data
Stream Size:2644
Entropy:3.9848676676542825
Base64 Encoded:False
Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
Data Raw:cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00
General
Stream Path:_VBA_PROJECT_CUR/VBA/dir
CLSID:
File Type:data
Stream Size:553
Entropy:6.37457139885983
Base64 Encoded:True
Data ASCII:. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . N i . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2 E
Data Raw:01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 e8 af 4e 69 0d 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47
No network behavior found
Target ID:0
Start time:01:52:34
Start date:20/11/2024
Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):false
Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:0x13f860000
File size:28'253'536 bytes
MD5 hash:D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:2
Start time:01:53:12
Start date:20/11/2024
Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding
Imagebase:0x1f0000
File size:2'525'680 bytes
MD5 hash:2F8D93826B8CBF9290BC57535C7A6817
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true


Module: Sheet1

Declaration
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Module: Sheet2

Declaration
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Module: Sheet3

Declaration
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Module: ThisWorkbook

Declaration
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
