Edit tour

Windows Analysis Report
Document.xla.xlsx

Overview

General Information

Sample name:	Document.xla.xlsx
Analysis ID:	1576236
MD5:	d4c6ac821c22be30144711786c736a1a
SHA1:	96e697734dd3dcc47ebbe6bb9d3f1055f096c4f7
SHA256:	ab5152794ca45d670ae3f13de6be92fb686c27705d2df9ce0c00f76717bc61f3
Tags:	xlaxlsxuser-abuse_ch
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Document exploit detected (process start blacklist hit)

Excel sheet contains many unusual embedded objects

Machine Learning detection for sample

Microsoft Office drops suspicious files

Sigma detected: File With Uncommon Extension Created By An Office Application

Sigma detected: Suspicious Microsoft Office Child Process

Document contains embedded VBA macros

Document embeds suspicious OLE2 link

Document misses a certain OLE stream usually present in this Microsoft Office document type

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Excel Network Connections

Sigma detected: Suspicious Office Outbound Connections

Unable to load, office file is protected or invalid

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

EXCEL.EXE (PID: 7620 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)

mshta.exe (PID: 7980 cmdline: C:\Windows\SysWOW64\mshta.exe -Embedding MD5: 06B02D5C097C7DB1F109749C45F3F505)

splwow64.exe (PID: 8120 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)

EXCEL.EXE (PID: 4120 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\Document.xla.xlsx" MD5: 4A871771235598812032C822E6F68F19)

cleanup

Sigma Signatures

System Summary

Sigma detected: File With Uncommon Extension Created By An Office Application

Source: File created

Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, ProcessId: 7620, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\createdbetterthingswithgreatnressgivenmebackwithnice[1].hta

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Windows\SysWOW64\mshta.exe -Embedding, CommandLine: C:\Windows\SysWOW64\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, ParentProcessId: 7620, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\SysWOW64\mshta.exe -Embedding, ProcessId: 7980, ProcessName: mshta.exe

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DesusertionIp: 170.82.174.30, DesusertionIsIpv6: false, DesusertionPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7620, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49727

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DesusertionIp: 192.168.2.9, DesusertionIsIpv6: false, DesusertionPort: 49727, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7620, Protocol: tcp, SourceIp: 170.82.174.30, SourceIsIpv6: false, SourcePort: 443

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://curt.wiz.co/VvBBUAl9Ti?&compulsion=zealous&mood2	Avira URL Cloud: Label: malware
Source: https://curt.wiz.co/VvBBUAl9Ti?&compulsion=zealous&mood	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: Document.xla.xlsx

ReversingLabs: Detection: 21%

Machine Learning detection for sample

Source: Document.xla.xlsx

Joe Sandbox ML: detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 170.82.174.30:443 -> 192.168.2.9:49727 version: TLS 1.2

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\mshta.exe

Source: global traffic

DNS query: name: curt.wiz.co

Source: global traffic	TCP traffic: 192.168.2.9:49727 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 192.168.2.9:49727 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49727 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49727 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49727 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49727 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49727 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49727 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49727 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49727 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49727 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49727 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49727 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49727 -> 170.82.174.30:443

Source: global traffic	TCP traffic: 192.168.2.9:49727 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 170.82.174.30:443 -> 192.168.2.9:49727
Source: global traffic	TCP traffic: 192.168.2.9:49727 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49727 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 170.82.174.30:443 -> 192.168.2.9:49727
Source: global traffic	TCP traffic: 170.82.174.30:443 -> 192.168.2.9:49727
Source: global traffic	TCP traffic: 192.168.2.9:49727 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49727 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 170.82.174.30:443 -> 192.168.2.9:49727
Source: global traffic	TCP traffic: 170.82.174.30:443 -> 192.168.2.9:49727
Source: global traffic	TCP traffic: 192.168.2.9:49727 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49727 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 170.82.174.30:443 -> 192.168.2.9:49727
Source: global traffic	TCP traffic: 170.82.174.30:443 -> 192.168.2.9:49727
Source: global traffic	TCP traffic: 192.168.2.9:49727 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 170.82.174.30:443 -> 192.168.2.9:49727
Source: global traffic	TCP traffic: 192.168.2.9:49727 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 170.82.174.30:443 -> 192.168.2.9:49727
Source: global traffic	TCP traffic: 170.82.174.30:443 -> 192.168.2.9:49727
Source: global traffic	TCP traffic: 192.168.2.9:49727 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49727 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 170.82.174.30:443 -> 192.168.2.9:49727
Source: global traffic	TCP traffic: 192.168.2.9:49727 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49727 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80
Source: global traffic	TCP traffic: 172.245.123.12:80 -> 192.168.2.9:49728
Source: global traffic	TCP traffic: 192.168.2.9:49728 -> 172.245.123.12:80

Source: excel.exe

Memory has grown: Private usage: 2MB later: 71MB

Source: Joe Sandbox View	IP Address: 170.82.174.30 170.82.174.30
Source: Joe Sandbox View	IP Address: 170.82.174.30 170.82.174.30

Source: Joe Sandbox View

JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3

Source: global traffic	HTTP traffic detected: GET /VvBBUAl9Ti?&compulsion=zealous&mood HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: curt.wiz.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /233/eec/createdbetterthingswithgreatnressgivenmebackwithnice.hta HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: 172.245.123.12

Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /VvBBUAl9Ti?&compulsion=zealous&mood HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: curt.wiz.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /233/eec/createdbetterthingswithgreatnressgivenmebackwithnice.hta HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: 172.245.123.12

Source: global traffic

DNS traffic detected: DNS query: curt.wiz.co

Source: Document.xla.xlsx, 9E530000.0.dr

String found in binary or memory: https://curt.wiz.co/VvBBUAl9Ti?&compulsion=zealous&mood2

Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727

Source: unknown

HTTPS traffic detected: 170.82.174.30:443 -> 192.168.2.9:49727 version: TLS 1.2

System Summary

Excel sheet contains many unusual embedded objects

Source: Document.xla.xlsx	OLE: Microsoft Excel 2007+
Source: Document.xla.xlsx	OLE: Microsoft Excel 2007+
Source: Document.xla.xlsx	OLE: Microsoft Excel 2007+
Source: Document.xla.xlsx	OLE: Microsoft Excel 2007+
Source: ~DFDAC8ED28624B0F01.TMP.0.dr	OLE: Microsoft Excel 2007+
Source: ~DFDA9B88C57FA58DCA.TMP.0.dr	OLE: Microsoft Excel 2007+
Source: 9E530000.0.dr	OLE: Microsoft Excel 2007+
Source: 9E530000.0.dr	OLE: Microsoft Excel 2007+
Source: 9E530000.0.dr	OLE: Microsoft Excel 2007+
Source: 9E530000.0.dr	OLE: Microsoft Excel 2007+

Microsoft Office drops suspicious files

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\createdbetterthingswithgreatnressgivenmebackwithnice[1].hta

Jump to behavior

Source: Document.xla.xlsx	OLE indicator, VBA macros: true
Source: 9E530000.0.dr	OLE indicator, VBA macros: true

Source: Document.xla.xlsx	Stream path 'MBD010681DE/\x1Ole' : https://curt.wiz.co/VvBBUAl9Ti?&compulsion=zealous&mood2h6jl/+kw^EMY%q*1W_Ua^8U\hn8[#+o$j=ru]2uhkN8EWIJW7=>1[&o%XWG1ygEnllZuiJ4eX3jO8wnPvcj0aiVH7z4PcIFxDFm5AJmEGQrkKJjBBimLsrH41avolZKeP8bFWxIXc6PjnfrNnfq0B$HS[;<8/I4#m
Source: 9E530000.0.dr	Stream path 'MBD010681DE/\x1Ole' : https://curt.wiz.co/VvBBUAl9Ti?&compulsion=zealous&mood2h6jl/+kw^EMY%q*1W_Ua^8U\hn8[#+o$j=ru]2uhkN8EWIJW7=>1[&o%XWG1ygEnllZuiJ4eX3jO8wnPvcj0aiVH7z4PcIFxDFm5AJmEGQrkKJjBBimLsrH41avolZKeP8bFWxIXc6PjnfrNnfq0B$HS[;<8/I4#m

Source: ~DFDAC8ED28624B0F01.TMP.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DFDA9B88C57FA58DCA.TMP.0.dr	OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Windows\SysWOW64\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Window title found: microsoft excel okexcel cannot open the file 'document.xla.xlsx' because the file format or file extension is not valid. verify that the file has not been corrupted and that the file extension matches the format of the file.

Source: classification engine

Classification label: mal80.expl.winXLSX@6/30@1/2

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Document.xla.xlsx

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{D33D90D2-FCFB-4C25-B505-C74DAE694D76} - OProcSessId.dat

Jump to behavior

Source: Document.xla.xlsx	OLE indicator, Workbook stream: true
Source: 9E530000.0.dr	OLE indicator, Workbook stream: true

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Document.xla.xlsx

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\mshta.exe -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\Document.xla.xlsx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\mshta.exe -Embedding	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: c2r32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3EE60F5C-9BAD-4CD8-8E21-AD2D001D06EB}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: Document.xla.xlsx

Static file information: File size 1106944 > 1048576

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: ~DFDAC8ED28624B0F01.TMP.0.dr

Initial sample: OLE indicators vbamacros = False

Source: Document.xla.xlsx

Initial sample: OLE indicators encrypted = True

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Document.xla.xlsx	Stream path 'MBD010681DC/MBD007203CB/Workbook' entropy: 7.97416832031 (max. 8.0)
Source: Document.xla.xlsx	Stream path 'Workbook' entropy: 7.99863707372 (max. 8.0)
Source: 9E530000.0.dr	Stream path 'MBD010681DC/MBD007203CB/Workbook' entropy: 7.97416832031 (max. 8.0)
Source: 9E530000.0.dr	Stream path 'Workbook' entropy: 7.98000171469 (max. 8.0)

Source: C:\Windows\splwow64.exe

Window / User API: threadDelayed 803

Jump to behavior

Source: C:\Windows\splwow64.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed

Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	13 Exploitation for Client Execution	1 Scripting	1 Process Injection	2 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	1 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Extra Window Memory Injection	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Document.xla.xlsx	22%	ReversingLabs	Document-Office.Exploit.CVE-2017-0199
Document.xla.xlsx	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://curt.wiz.co/VvBBUAl9Ti?&compulsion=zealous&mood2	100%	Avira URL Cloud	malware
https://curt.wiz.co/VvBBUAl9Ti?&compulsion=zealous&mood	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
curt.wiz.co.cdn.gocache.net	170.82.174.30	true	false	high
curt.wiz.co	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://curt.wiz.co/VvBBUAl9Ti?&compulsion=zealous&mood	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curt.wiz.co/VvBBUAl9Ti?&compulsion=zealous&mood2	Document.xla.xlsx, 9E530000.0.dr	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
170.82.174.30	curt.wiz.co.cdn.gocache.net	Brazil		266444	3LCLOUDINTERNETSERVICESLTDA-EPPBR	false
172.245.123.12	unknown	United States		36352	AS-COLOCROSSINGUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576236
Start date and time:	2024-12-16 17:04:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Document.xla.xlsx
Detection:	MAL
Classification:	mal80.expl.winXLSX@6/30@1/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .xlsx Changed system and user locale, location and keyboard layout to French - France Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Active ActiveX Object Active ActiveX Object Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe, MavInject32.exe
Excluded IPs from analysis (whitelisted): 52.109.28.46, 13.78.111.198, 52.109.32.97, 23.218.208.109, 52.113.194.132, 52.182.141.63, 40.126.53.9, 172.202.163.200, 52.149.20.212, 13.107.246.63
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, onedscolprdjpe00.japaneast.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, ukw-azsc-config.officeapps.live.com, prod.fs.microsoft.com.akadns.net, self-events-data.trafficmanager.net, ecs.office.com, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, config.officeapps.live.com, azureedge-t-prod.trafficmanager.net, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, uks-azsc-config.officeapps.live.com, onedscolprdcus01.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Document.xla.xlsx

Simulations

Behavior and APIs

Time	Type	Description
11:06:13	API Interceptor	862x Sleep call for process: splwow64.exe modified

LLM Input / Output

Input	Output
URL: Office document Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": false }

URL: Office document Model: Joe Sandbox AI	{ "brands": [ "Cormier Light Company" ] }
	{ "brands": [ "Cormier Light Company" ] }
URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": false }

URL: Screenshot id: 15 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": false }

URL: Screenshot id: 1 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": false }

URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": false }

URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": false }

URL: Screenshot id: 14 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": false }

URL: Screenshot id: 10 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": false }

URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": false }

URL: Screenshot id: 11 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": false }

URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": false }

URL: Screenshot id: 16 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": false }

URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": false }

URL: Screenshot id: 9 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "ATTENTION", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": true }

URL: Screenshot id: 13 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": false }

URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": false }

URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 12 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Excel cannot open the file 'Document.xlsx' because the file format or file extension is not valid. Verify that the file has not been corrupted and that the file extension matches the format of the file.", "prominent_button_name": "OK", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_security_alerts": true }

URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 14 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 15 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 11 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 13 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "brands": [ "Worms Algerie Shipping SPA" ] }
	{ "brands": [ "Worms Algerie Shipping SPA" ] }
URL: Screenshot id: 1 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 10 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 16 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 9 Model: Joe Sandbox AI	{ "brands": [ "Walship SPA" ] }
	{ "brands": [ "Walship SPA" ] }
URL: Screenshot id: 12 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
170.82.174.30	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	www.mqs.com.br/
	a5hbkmGD7N.exe	Get hash	malicious	Pushdo	Browse	www.mqs.com.br/
	9oy0DlGMH9.exe	Get hash	malicious	FormBook	Browse	www.faunapetsstore.com/o12i/?dT=j6ATUBhxx2glQbP0&2dq=yiHtOwR0aZ7KTWOJuT9hXfachgSHyHMGkjU/6QKzyqsTP1NPRASfxqCAR1p/c7wMh9GXgUQg6w==
	file.exe	Get hash	malicious	Pushdo, DanaBot, SmokeLoader	Browse	www.mqs.com.br/
	file.exe	Get hash	malicious	Pushdo, DanaBot, SmokeLoader	Browse	www.mqs.com.br/
	file.exe	Get hash	malicious	Pushdo, DanaBot, SmokeLoader	Browse	www.mqs.com.br/
172.245.123.12	seemebestgoodluckthings.hta	Get hash	malicious	Cobalt Strike, FormBook, HTMLPhisher	Browse	172.245.123.12/361/TELNERA.txt
172.245.123.12	PI-02911202409#.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse	172.245.123.12/361/TELNERA.txt

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
curt.wiz.co.cdn.gocache.net	BG75-10-01_CurrencyTransfer__530_24_00002559_Processed.xls	Get hash	malicious	Unknown	Browse	170.82.173.30
	Payment_swift_copy.xls	Get hash	malicious	Unknown	Browse	170.82.174.30
	Statement Of Account - (USD 19,490.00 ).xls	Get hash	malicious	Unknown	Browse	170.82.173.30
	Payment_swift_copy.xls	Get hash	malicious	Unknown	Browse	170.82.173.30
	Statement Of Account - (USD 19,490.00 ).xls	Get hash	malicious	Unknown	Browse	170.82.173.30
	Statement Of Account - (USD 19,490.00 ).xls	Get hash	malicious	Unknown	Browse	170.82.174.30
	Payment_swift_copy.xls	Get hash	malicious	Unknown	Browse	170.82.173.30
	NB PO-104105107108.xls	Get hash	malicious	Unknown	Browse	170.82.173.30
	Inquiry_0476452.xls	Get hash	malicious	Remcos	Browse	170.82.174.30
s-part-0035.t-0009.t-msedge.net	BG75-10-01_CurrencyTransfer__530_24_00002559_Processed.xls	Get hash	malicious	Unknown	Browse	13.107.246.63
	JIKJCBEX.exe	Get hash	malicious	LummaC	Browse	13.107.246.63
	LKKWDUFD.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	KjECqzXLWp.lnk	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.63
	cey4VIyGKh.lnk	Get hash	malicious	RHADAMANTHYS	Browse	13.107.246.63
	NHnfqsj0C4.exe	Get hash	malicious	Amadey	Browse	13.107.246.63
	dZKPE9gotO.exe	Get hash	malicious	Vidar	Browse	13.107.246.63
	https://qidinfissi.powerappsportals.com/	Get hash	malicious	Unknown	Browse	13.107.246.63
	xmas blessing.exe	Get hash	malicious	FormBook	Browse	13.107.246.63
	Quote_8722.exe	Get hash	malicious	Unknown	Browse	13.107.246.63

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3LCLOUDINTERNETSERVICESLTDA-EPPBR	BG75-10-01_CurrencyTransfer__530_24_00002559_Processed.xls	Get hash	malicious	Unknown	Browse	170.82.173.30
	Payment_swift_copy.xls	Get hash	malicious	Unknown	Browse	170.82.174.30
	Statement Of Account - (USD 19,490.00 ).xls	Get hash	malicious	Unknown	Browse	170.82.173.30
	Payment_swift_copy.xls	Get hash	malicious	Unknown	Browse	170.82.173.30
	Statement Of Account - (USD 19,490.00 ).xls	Get hash	malicious	Unknown	Browse	170.82.173.30
	Statement Of Account - (USD 19,490.00 ).xls	Get hash	malicious	Unknown	Browse	170.82.174.30
	Payment_swift_copy.xls	Get hash	malicious	Unknown	Browse	170.82.173.30
	NB PO-104105107108.xls	Get hash	malicious	Unknown	Browse	170.82.173.30
	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	170.82.174.30
	Inquiry_0476452.xls	Get hash	malicious	Remcos	Browse	170.82.173.30
AS-COLOCROSSINGUS	Sample_Order_000000991.xls	Get hash	malicious	Unknown	Browse	192.3.179.166
	Payment_swift_copy.xls	Get hash	malicious	Unknown	Browse	192.3.122.159
	Statement Of Account - (USD 19,490.00 ).xls	Get hash	malicious	Unknown	Browse	23.95.235.29
	Payment_swift_copy.xls	Get hash	malicious	Unknown	Browse	192.3.122.159
	Statement Of Account - (USD 19,490.00 ).xls	Get hash	malicious	Unknown	Browse	23.95.235.29
	Statement Of Account - (USD 19,490.00 ).xls	Get hash	malicious	Unknown	Browse	23.95.235.29
	Payment_swift_copy.xls	Get hash	malicious	Unknown	Browse	192.3.122.159
	givenbestupdatedoingformebestthingswithgreatnewsformegive.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	192.3.122.159
	clearentirethingwithbestnoticetheeverythinggooodfrome.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	192.3.122.159
	sh4.elf	Get hash	malicious	Unknown	Browse	107.172.24.189

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
6271f898ce5be7dd52b0fc260d0662b3	Sample_Order_000000991.xls	Get hash	malicious	Unknown	Browse	170.82.174.30
	BG75-10-01_CurrencyTransfer__530_24_00002559_Processed.xls	Get hash	malicious	Unknown	Browse	170.82.174.30
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	170.82.174.30
	Payment_swift_copy.xls	Get hash	malicious	Unknown	Browse	170.82.174.30
	Statement Of Account - (USD 19,490.00 ).xls	Get hash	malicious	Unknown	Browse	170.82.174.30
	Statement Of Account - (USD 19,490.00 ).xls	Get hash	malicious	Unknown	Browse	170.82.174.30
	Payment_swift_copy.xls	Get hash	malicious	Unknown	Browse	170.82.174.30
	https://go.eu.sparkpostmail1.com/f/a/IgPiUnQgGsgttR90IQc-hw~~/AAGCxAA~/RgRpOpvrP0QqaHR0cHM6Ly9tYXNzd29vZHBvbGlzaC5pbi93YXRlci9jb2xkL2luZGV4VwVzcGNldUIKZ1XrFlhnca8zKlISemFyZ2FyQGZhcmlkZWEuY29tWAQAAAAB#YmlsbC5ob2l0dEBwYXJ0bmVyc21ndS5jb20=	Get hash	malicious	HTMLPhisher	Browse	170.82.174.30
	SLNA_Updated_Medical_Grant_Application(1).docx	Get hash	malicious	Unknown	Browse	170.82.174.30
	MHDeXPq2uB.exe	Get hash	malicious	RedLine	Browse	170.82.174.30

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.5700810731231707
Encrypted:	false
SSDEEP:	3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
MD5:	573220372DA4ED487441611079B623CD
SHA1:	8F9D967AC6EF34640F1F0845214FBC6994C0CB80
SHA-256:	BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
SHA-512:	F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Dec 16 08:27:21 2024, Security: 1
Entropy (8bit):	7.749627073428886
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	Document.xla.xlsx
File size:	1'106'944 bytes
MD5:	d4c6ac821c22be30144711786c736a1a
SHA1:	96e697734dd3dcc47ebbe6bb9d3f1055f096c4f7
SHA256:	ab5152794ca45d670ae3f13de6be92fb686c27705d2df9ce0c00f76717bc61f3
SHA512:	592e25f4e3b9640eec6ad747a421f5498e4f25c74ee3bc47d06a79e4d5c30b0ca487b0518ede189ee491d10d4678a3d0dc1144912e37f798a82d594e967b68bd
SSDEEP:	12288:BumzHJEUiOIBUzMTSmD3DERnLRmF8DgEPbxpsAQx1Zj+juEPEbzYHG2VoUhvzwBF:3BazbARM8D78Z+j5WYHjVvhQccBNM
TLSH:	7E3501D5B28DAB62C606563575F3939E1710AC03D902427B37F8732D2AF76D08607FAA
File Content Preview:	........................>...................................M...................O...P...Q...R...................=...>...X.......m.......o......................................................................................................................

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Code Page:	1252
Author:
Last Saved By:
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2024-12-16 08:27:21
Creating Application:	Microsoft Excel
Security:	1

Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

General
Stream Path:	MBD010681DC/MBD007203CB/_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` ! . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 60 98 21 8f 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . u . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 a2 bc 10 75 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name:	Sheet2.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - . 0
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 a2 bc c2 9e 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet3
VBA File Name:	Sheet3.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - . 0
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 a2 bc 42 cd 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	985
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . - . 0
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 a2 bc 2d b4 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.889430592781307
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	200
Entropy:	3.292068105701867
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . \| . # . @ . . . : ^ S O . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00

General
Stream Path:	MBD010681DB/\x1CompObj
CLSID:
File Type:	data
Stream Size:	99
Entropy:	3.631242196770981
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD010681DB/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	37036
Entropy:	7.720975169587741
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . 8 . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 b7 a1 38 de e3 01 00 00 cb 09 00 00 13 00 e9 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 e5 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD010681DC/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD010681DC/\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.701136490257069
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 9f 00 00 00

General
Stream Path:	MBD010681DC/\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	220
Entropy:	3.372234242231489
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . \\ . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . ; { ) . @ . . . . Z % . } . @ . . . . % ? ` * C . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 ac 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 5c 00 00 00 12 00 00 00 68 00 00 00 0b 00 00 00 80 00 00 00 0c 00 00 00 8c 00 00 00 0d 00 00 00 98 00 00 00 13 00 00 00 a4 00 00 00 02 00 00 00 e4 04 00 00

General
Stream Path:	MBD010681DC/MBD0018D4CE/\x1Ole
CLSID:
File Type:	data
Stream Size:	20
Entropy:	0.5689955935892812
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . .
Data Raw:	01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD010681DC/MBD0018D4CE/\x3ObjInfo
CLSID:
File Type:	data
Stream Size:	4
Entropy:	0.8112781244591328
Base64 Encoded:	False
Data ASCII:	. . . .
Data Raw:	00 00 03 00

General
Stream Path:	MBD010681DC/MBD0018D4CE/Contents
CLSID:
File Type:	Corel Photo-Paint image, version 9, 716 x 547 RGB 24 bits, 11811024 micro dots/mm, 4 blocks, array offset 0x13c
Stream Size:	197671
Entropy:	6.989042939766534
Base64 Encoded:	True
Data ASCII:	C P T 9 F I L E . . . . . . . . . . . . . . . . 8 . 8 . . . . . . . . . . . . . . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	43 50 54 39 46 49 4c 45 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 38 b4 00 d0 38 b4 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 01 00 94 00 00 00 3c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Document.xla.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

C:\Users\user\AppData\Local\Microsoft\Office\Features\1-7FeatureCache.txt (copy)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\19E93EA7.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1C2A7D5D.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\21F8A76F.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\262DBAA4.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2CD21737.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\333C8C52.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\404A17CC.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4226A7A6.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\586CA271.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5E1DB87C.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\62B3D255.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6DFDCC2B.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\77775BD8.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\97BFB9F9.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\9A306BBA.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A31FC64D.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A48B9473.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A56F8030.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\createdbetterthingswithgreatnressgivenmebackwithnice[1].hta

C:\Users\user\AppData\Local\Temp\49CDD860.tmp

C:\Users\user\AppData\Local\Temp\~DFA7ABF8894F100EED.TMP

C:\Users\user\AppData\Local\Temp\~DFD7D2266D78F6C732.TMP

C:\Users\user\AppData\Local\Temp\~DFDA9B88C57FA58DCA.TMP

Windows Analysis Report
Document.xla.xlsx

General
Stream Path:	MBD010681DC/MBD0068D442/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.219515110876372
Base64 Encoded:	False
Data ASCII:	. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 30 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 0f 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 31 32 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD010681DC/MBD0068D442/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	26243
Entropy:	7.635433729726103
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . & . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 a1 26 fd 83 92 01 00 00 ae 05 00 00 13 00 e0 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 dc 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD010681DC/MBD007203CB/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD010681DC/MBD007203CB/\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	248
Entropy:	3.0523231150355867
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P u r c h a s e O r d e r T e m p l a t e . . . . . . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c8 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a2 00 00 00 02 00 00 00 e4 04 00 00

General
Stream Path:	MBD010681DC/MBD007203CB/\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	256
Entropy:	4.086306928392587
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . B r a t i s l a v M i l o j e v i c \| E L M E D d . o . o . . . . . . . . . . . 9 1 9 7 4 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . N ; . . @ . . . . . . . @ . . . . v @ n ) C . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 d0 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 7c 00 00 00 12 00 00 00 8c 00 00 00 0b 00 00 00 a4 00 00 00 0c 00 00 00 b0 00 00 00 0d 00 00 00 bc 00 00 00 13 00 00 00 c8 00 00 00 02 00 00 00 e4 04 00 00

General
Stream Path:	MBD010681DC/MBD007203CB/Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	134792
Entropy:	7.974168320310173
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . / . 6 . . . . . . . Z i ^ . m . q l % . w " . x . Z q C b g i ' . h . . # . . . . . . . P . . . \\ . p . . 6 u ! l ( n y I T 5 W { L : 1 J . S . . . . 0 x . 3 . ` . X { ( / z 7 / . 8 x X g X # v . . [ d C y . . s . ] G 9 m . u . . . B . . . R a . . . . . . . = . . . L . . . O . . r 7 . v . . . " . . . . " _ K : . . . . . . . . . j # . . . . K . . . . . . . . = . . . " j ! ; . g . . @ . . . . . . . ^ " . . . 9 . . . . r . . . . . . . 1 . . . : . t . ? e . ) n S P x . b & 1
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 5a 69 5e 2e a6 e0 6d 97 16 71 6c a3 ef b8 25 05 77 88 22 87 ec d8 b3 78 17 a4 5a 71 43 ad a8 c2 62 67 69 b8 d9 e2 27 83 c8 df b8 f6 68 1b 05 23 e1 00 02 00 b0 04 c1 00 02 00 ef 50 e2 00 00 00 5c 00 70 00 13 36 75 21 6c 28 6e bd 95 81 f4 c7 79 fa 49 54 35 99 57 f1 85 8d fb f3 e2 7b 4c b1 ea 3a

General
Stream Path:	MBD010681DC/MBD00726B69/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.219515110876372
Base64 Encoded:	False
Data ASCII:	. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 30 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 0f 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 31 32 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD010681DC/MBD00726B69/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	26242
Entropy:	7.635424485665502
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . & . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 a1 26 fd 83 92 01 00 00 ae 05 00 00 13 00 e0 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 dc 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD010681DC/Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	283872
Entropy:	7.743278150467805
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . a . . . . . . . . = . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . H < l - 9 . . . . . . . X . @ . . . . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

General
Stream Path:	MBD010681DD/\x1CompObj
CLSID:
File Type:	data
Stream Size:	99
Entropy:	3.631242196770981
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00