Edit tour

Windows Analysis Report
Order_948575494759.xls

Overview

General Information

Sample name:	Order_948575494759.xls
Analysis ID:	1577527
MD5:	6bcc53dc843155e886f469778b4216f1
SHA1:	ca277194f41d84c108389a788d7281e7566ed9f0
SHA256:	379fe2ae5a34b2349fe492b4318c589416c5cc8f1e54eb1502455863da17395e
Tags:	xlsuser-abuse_ch
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Document exploit detected (process start blacklist hit)

Excel sheet contains many unusual embedded objects

Machine Learning detection for dropped file

Machine Learning detection for sample

Microsoft Office drops suspicious files

Sigma detected: File With Uncommon Extension Created By An Office Application

Sigma detected: Suspicious Microsoft Office Child Process

Document contains embedded VBA macros

Document embeds suspicious OLE2 link

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Excel Network Connections

Sigma detected: Suspicious Office Outbound Connections

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

EXCEL.EXE (PID: 7188 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)

mshta.exe (PID: 7720 cmdline: C:\Windows\SysWOW64\mshta.exe -Embedding MD5: 06B02D5C097C7DB1F109749C45F3F505)

splwow64.exe (PID: 7628 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)

EXCEL.EXE (PID: 8140 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\Order_948575494759.xls" MD5: 4A871771235598812032C822E6F68F19)

cleanup

Sigma Signatures

System Summary

Sigma detected: File With Uncommon Extension Created By An Office Application

Source: File created

Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, ProcessId: 7188, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns[1].hta

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Windows\SysWOW64\mshta.exe -Embedding, CommandLine: C:\Windows\SysWOW64\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, ParentProcessId: 7188, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\SysWOW64\mshta.exe -Embedding, ProcessId: 7720, ProcessName: mshta.exe

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DesusertionIp: 170.82.174.30, DesusertionIsIpv6: false, DesusertionPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7188, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49732

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DesusertionIp: 192.168.2.9, DesusertionIsIpv6: false, DesusertionPort: 49732, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7188, Protocol: tcp, SourceIp: 170.82.174.30, SourceIsIpv6: false, SourcePort: 443

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://curt.wiz.co/f0O8JN5298?&letter=muddy&gobbler=tiresome&nexus(Y	Avira URL Cloud: Label: malware
Source: https://curt.wiz.co/f0O8JN5298?&letter=muddy&gobbler=tiresome&nexus	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: Order_948575494759.xls

ReversingLabs: Detection: 18%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\~DFEFC13B3210F99F8A.TMP

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Order_948575494759.xls

Joe Sandbox ML: detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 170.82.174.30:443 -> 192.168.2.9:49732 version: TLS 1.2

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\mshta.exe

Source: global traffic

DNS query: name: curt.wiz.co

Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443

Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 170.82.174.30:443 -> 192.168.2.9:49732
Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 170.82.174.30:443 -> 192.168.2.9:49732
Source: global traffic	TCP traffic: 170.82.174.30:443 -> 192.168.2.9:49732
Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 170.82.174.30:443 -> 192.168.2.9:49732
Source: global traffic	TCP traffic: 170.82.174.30:443 -> 192.168.2.9:49732
Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 170.82.174.30:443 -> 192.168.2.9:49732
Source: global traffic	TCP traffic: 170.82.174.30:443 -> 192.168.2.9:49732
Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 170.82.174.30:443 -> 192.168.2.9:49732
Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 170.82.174.30:443 -> 192.168.2.9:49732
Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 170.82.174.30:443 -> 192.168.2.9:49732
Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 170.82.174.30:443 -> 192.168.2.9:49732
Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49732 -> 170.82.174.30:443
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 173.214.167.74:80 -> 192.168.2.9:49733
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80
Source: global traffic	TCP traffic: 192.168.2.9:49733 -> 173.214.167.74:80

Source: excel.exe

Memory has grown: Private usage: 2MB later: 94MB

Source: Joe Sandbox View	IP Address: 170.82.174.30 170.82.174.30
Source: Joe Sandbox View	IP Address: 170.82.174.30 170.82.174.30

Source: Joe Sandbox View

JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3

Source: global traffic	HTTP traffic detected: GET /f0O8JN5298?&letter=muddy&gobbler=tiresome&nexus HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: curt.wiz.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/dcv/greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.hta HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: 173.214.167.74

Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	TCP traffic detected without corresponding DNS query: 173.214.167.74
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /f0O8JN5298?&letter=muddy&gobbler=tiresome&nexus HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: curt.wiz.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/dcv/greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns.hta HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: 173.214.167.74

Source: global traffic

DNS traffic detected: DNS query: curt.wiz.co

Source: Order_948575494759.xls, ~DFEFC13B3210F99F8A.TMP.12.dr

String found in binary or memory: https://curt.wiz.co/f0O8JN5298?&letter=muddy&gobbler=tiresome&nexus(Y

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443

Source: unknown

HTTPS traffic detected: 170.82.174.30:443 -> 192.168.2.9:49732 version: TLS 1.2

System Summary

Excel sheet contains many unusual embedded objects

Source: Order_948575494759.xls	OLE: Microsoft Excel 2007+
Source: Order_948575494759.xls	OLE: Microsoft Excel 2007+
Source: Order_948575494759.xls	OLE: Microsoft Excel 2007+
Source: Order_948575494759.xls	OLE: Microsoft Excel 2007+
Source: Order_948575494759.xls	OLE: Microsoft Excel 2007+
Source: ~DFEFC13B3210F99F8A.TMP.12.dr	OLE: Microsoft Excel 2007+
Source: ~DFEFC13B3210F99F8A.TMP.12.dr	OLE: Microsoft Excel 2007+
Source: ~DFEFC13B3210F99F8A.TMP.12.dr	OLE: Microsoft Excel 2007+
Source: ~DFEFC13B3210F99F8A.TMP.12.dr	OLE: Microsoft Excel 2007+
Source: ~DFEFC13B3210F99F8A.TMP.12.dr	OLE: Microsoft Excel 2007+

Microsoft Office drops suspicious files

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns[1].hta

Jump to behavior

Source: Order_948575494759.xls	OLE indicator, VBA macros: true
Source: ~DFEFC13B3210F99F8A.TMP.12.dr	OLE indicator, VBA macros: true

Source: Order_948575494759.xls	Stream path 'MBD0191BFBA/\x1Ole' : https://curt.wiz.co/f0O8JN5298?&letter=muddy&gobbler=tiresome&nexus(Y?{{&4.vTenNz)J^e\a"gwbr+\|t:R?B$L;:q2>3vkXx#DD%6rxLf1HH~cO%XRlao}>cK8?y/e(fMrwkIfgZIUaBEn6PyQPnllBBJ935NZJO4LDpizQLCnZkC5OPZ8mzPWE9qwTqVIXYLqSdDQoG897OndRP2duPTd9nHdlpMo3KYOvQtwfmm2vrmB2BaFzIAVpsbX14TeMAcPrMtZ4hJMKTNBB22bF((aG\($"JjP
Source: ~DFEFC13B3210F99F8A.TMP.12.dr	Stream path 'MBD0191BFBA/\x1Ole' : https://curt.wiz.co/f0O8JN5298?&letter=muddy&gobbler=tiresome&nexus(Y?{{&4.vTenNz)J^e\a"gwbr+\|t:R?B$L;:q2>3vkXx#DD%6rxLf1HH~cO%XRlao}>cK8?y/e(fMrwkIfgZIUaBEn6PyQPnllBBJ935NZJO4LDpizQLCnZkC5OPZ8mzPWE9qwTqVIXYLqSdDQoG897OndRP2duPTd9nHdlpMo3KYOvQtwfmm2vrmB2BaFzIAVpsbX14TeMAcPrMtZ4hJMKTNBB22bF((aG\($"JjP

Source: C:\Windows\SysWOW64\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE			Jump to behavior

Source: classification engine

Classification label: mal84.expl.winXLS@6/21@1/2

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3E297C04.emf

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{F697A4B5-1D56-4A47-A698-B36C8B333FB4} - OProcSessId.dat

Jump to behavior

Source: Order_948575494759.xls	OLE indicator, Workbook stream: true
Source: ~DFEFC13B3210F99F8A.TMP.12.dr	OLE indicator, Workbook stream: true

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Order_948575494759.xls

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\mshta.exe -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\Order_948575494759.xls"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\mshta.exe -Embedding	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: c2r32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: Order_948575494759.xls

Static file information: File size 1124352 > 1048576

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: Order_948575494759.xls

Initial sample: OLE indicators encrypted = True

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Order_948575494759.xls	Stream path 'MBD0191BFB8/MBD007203CB/Workbook' entropy: 7.97416832031 (max. 8.0)
Source: Order_948575494759.xls	Stream path 'Workbook' entropy: 7.99854241372 (max. 8.0)
Source: ~DFEFC13B3210F99F8A.TMP.12.dr	Stream path 'MBD0191BFB8/MBD007203CB/Workbook' entropy: 7.97416832031 (max. 8.0)
Source: ~DFEFC13B3210F99F8A.TMP.12.dr	Stream path 'Workbook' entropy: 7.99854241372 (max. 8.0)

Source: C:\Windows\splwow64.exe

Window / User API: threadDelayed 1050

Jump to behavior

Source: C:\Windows\splwow64.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed

Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	13 Exploitation for Client Execution	1 Scripting	1 Process Injection	2 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	1 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Extra Window Memory Injection	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Order_948575494759.xls	18%	ReversingLabs
Order_948575494759.xls	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\~DFEFC13B3210F99F8A.TMP	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://curt.wiz.co/f0O8JN5298?&letter=muddy&gobbler=tiresome&nexus(Y	100%	Avira URL Cloud	malware
https://curt.wiz.co/f0O8JN5298?&letter=muddy&gobbler=tiresome&nexus	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
curt.wiz.co.cdn.gocache.net	170.82.174.30	true	false	high
curt.wiz.co	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://curt.wiz.co/f0O8JN5298?&letter=muddy&gobbler=tiresome&nexus	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curt.wiz.co/f0O8JN5298?&letter=muddy&gobbler=tiresome&nexus(Y	Order_948575494759.xls, ~DFEFC13B3210F99F8A.TMP.12.dr	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
173.214.167.74	unknown	United States		19318	IS-AS-1US	false
170.82.174.30	curt.wiz.co.cdn.gocache.net	Brazil		266444	3LCLOUDINTERNETSERVICESLTDA-EPPBR	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577527
Start date and time:	2024-12-18 15:13:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Without Instrumentation
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Order_948575494759.xls
Detection:	MAL
Classification:	mal84.expl.winXLS@6/21@1/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .xls Changed system and user locale, location and keyboard layout to French - France Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Active ActiveX Object Active ActiveX Object Active ActiveX Object Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe, MavInject32.exe
Excluded IPs from analysis (whitelisted): 52.109.28.46, 23.218.208.109, 52.113.194.132, 52.109.89.19, 104.208.16.89, 20.190.147.1, 172.202.163.200, 4.175.87.197, 13.107.246.63
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, weu-azsc-000.roaming.officeapps.live.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, eur.roaming1.live.com.akadns.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com, ocsp.digicert.com, login.live.com, onedscolprdcus11.centralus.cloudapp.azure.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, config.officeapps.live.com, azureedge-t-prod.trafficmanager.net, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, uks-azsc-config.officeapps.live.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Order_948575494759.xls

Simulations

Behavior and APIs

Time	Type	Description
09:15:28	API Interceptor	1086x Sleep call for process: splwow64.exe modified

LLM Input / Output

Input	Output
URL: Office document Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Office document Model: Joe Sandbox AI	{ "brands": [ "Cormier Light Company" ] }
	{ "brands": [ "Cormier Light Company" ] }
URL: Screenshot id: 15 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 12 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "PURCHASE ORDER", "prominent_button_name": "unknown", "text_input_field_labels": [ "Vendor Name", "Deliver-To Name", "City, State/Province, Zip/Post code", "Country", "Attn. Contact Person", "City, State/Province, Zip/Post code", "Country", "Attn. Contact Person" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 9 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 13 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Drafts on departure : Fore/Aft : 05,60 M /08,90 M", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 10 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "WORMS ALGERIE SHIPPING SPA", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 19 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Order_9485754949759.xls is locked for editing by another user", "prominent_button_name": "Read Only", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 17 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "SRE NO 21413", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "PURCHASE ORDER", "prominent_button_name": "PURCHASE ORDER", "text_input_field_labels": [ "Vendor Name", "Deliver-To-Name", "City, State/Province, Zip/Post code", "Country", "Attn: Contact Person", "Attn: Contact Person" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "PURCHASE ORDER", "prominent_button_name": "PURCHASE ORDER", "text_input_field_labels": [ "Vendor Name", "Deliver-To-Name", "City, State/Province, Zip/Post code", "Country", "Attn: Contact Person", "Attn: Contact Person" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 11 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "LOADING", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 14 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "ATTENTION", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 16 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "SRE NO 21413", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "PURCHASE ORDER", "prominent_button_name": "unknown", "text_input_field_labels": [ "Vendor Name", "Deliver-To-Name", "City, State/Province, Zip/Post code", "Country", "Attn: Contact Person", "Attn: Contact Person" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "PURCHASE ORDER", "prominent_button_name": "PURCHASE ORDER", "text_input_field_labels": [ "Vendor Name", "Deliver-To-Name", "City, State/Province, Zip/Post code", "Country", "Attn: Contact Person", "Attn: Contact Person" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 18 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "WORMS ALGERIE SHIPPING SPA", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 1 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "PURCHASE ORDER", "prominent_button_name": "unknown", "text_input_field_labels": [ "Vendor Name", "Deliver-To Name", "City, State/Province, Zip/Post code", "Country", "Attn. Contact Person", "City, State/Province, Zip/Post code", "Country", "Attn. Contact Person" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 6 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 13 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 7 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 15 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 2 Model: Joe Sandbox AI	{ "brands": [ "Cormier Light Company" ] }
	{ "brands": [ "Cormier Light Company" ] }
URL: Screenshot id: 9 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "brands": [ "Cormier Light Company" ] }
	{ "brands": [ "Cormier Light Company" ] }
URL: Screenshot id: 3 Model: Joe Sandbox AI	{ "brands": [ "Cormier Light Company" ] }
	{ "brands": [ "Cormier Light Company" ] }
URL: Screenshot id: 12 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 11 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 10 Model: Joe Sandbox AI	{ "brands": [ "Worms Algerie Shipping SPA" ] }
	{ "brands": [ "Worms Algerie Shipping SPA" ] }
URL: Screenshot id: 19 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "brands": [ "Cormier Light Company" ] }
	{ "brands": [ "Cormier Light Company" ] }
URL: Screenshot id: 18 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 16 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 17 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 8 Model: Joe Sandbox AI	{ "brands": [ "Cormier Light Company" ] }
	{ "brands": [ "Cormier Light Company" ] }
URL: Screenshot id: 1 Model: Joe Sandbox AI	{ "brands": [ "Cormier Light Company" ] }
	{ "brands": [ "Cormier Light Company" ] }
URL: Screenshot id: 14 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
170.82.174.30	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	www.mqs.com.br/
	a5hbkmGD7N.exe	Get hash	malicious	Pushdo	Browse	www.mqs.com.br/
	9oy0DlGMH9.exe	Get hash	malicious	FormBook	Browse	www.faunapetsstore.com/o12i/?dT=j6ATUBhxx2glQbP0&2dq=yiHtOwR0aZ7KTWOJuT9hXfachgSHyHMGkjU/6QKzyqsTP1NPRASfxqCAR1p/c7wMh9GXgUQg6w==
	file.exe	Get hash	malicious	Pushdo, DanaBot, SmokeLoader	Browse	www.mqs.com.br/
	file.exe	Get hash	malicious	Pushdo, DanaBot, SmokeLoader	Browse	www.mqs.com.br/
	file.exe	Get hash	malicious	Pushdo, DanaBot, SmokeLoader	Browse	www.mqs.com.br/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
curt.wiz.co.cdn.gocache.net	Document.xla	Get hash	malicious	Unknown	Browse	170.82.174.30
	#U041e#U043f#U043b#U0430#U0442#U0430.xls	Get hash	malicious	Unknown	Browse	170.82.174.30
	#U041e#U043f#U043b#U0430#U0442#U0430.xls	Get hash	malicious	Unknown	Browse	170.82.174.30
	#U041e#U043f#U043b#U0430#U0442#U0430.xls	Get hash	malicious	Unknown	Browse	170.82.174.30
	Smple_Order-048576744759475945.xls	Get hash	malicious	Unknown	Browse	170.82.173.30
	Smple_Order-048576744759475945.xls	Get hash	malicious	Unknown	Browse	170.82.173.30
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	170.82.174.30
	Sample_Order_000000991.xls	Get hash	malicious	Unknown	Browse	170.82.174.30
s-part-0035.t-0009.t-msedge.net	ldqj18tn.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	DOC.exe	Get hash	malicious	Cryptbot	Browse	13.107.246.63
	2.png.ps1	Get hash	malicious	Unknown	Browse	13.107.246.63
	1.png.ps1	Get hash	malicious	Unknown	Browse	13.107.246.63
	ko.ps1.2.ps1	Get hash	malicious	Unknown	Browse	13.107.246.63
	kjshdgacg18.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	13.107.246.63
	steel.exe.2.exe	Get hash	malicious	Socks5Systemz	Browse	13.107.246.63
	random.exe.17.exe	Get hash	malicious	ScreenConnect Tool	Browse	13.107.246.63
	steel.exe.3.exe	Get hash	malicious	Socks5Systemz	Browse	13.107.246.63

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3LCLOUDINTERNETSERVICESLTDA-EPPBR	Document.xla	Get hash	malicious	Unknown	Browse	170.82.174.30
	#U041e#U043f#U043b#U0430#U0442#U0430.xls	Get hash	malicious	Unknown	Browse	170.82.174.30
	#U041e#U043f#U043b#U0430#U0442#U0430.xls	Get hash	malicious	Unknown	Browse	170.82.174.30
	#U041e#U043f#U043b#U0430#U0442#U0430.xls	Get hash	malicious	Unknown	Browse	170.82.174.30
	Smple_Order-048576744759475945.xls	Get hash	malicious	Unknown	Browse	170.82.173.30
	Smple_Order-048576744759475945.xls	Get hash	malicious	Unknown	Browse	170.82.173.30
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	170.82.174.30
	Sample_Order_000000991.xls	Get hash	malicious	Unknown	Browse	170.82.174.30
IS-AS-1US	networkmanager.exe	Get hash	malicious	Unknown	Browse	66.45.226.53
	arm6.elf	Get hash	malicious	Unknown	Browse	208.73.200.113
	jAktiuZ9R3.msi	Get hash	malicious	Unknown	Browse	162.220.166.184
	S54zm7jsZe.msi	Get hash	malicious	Unknown	Browse	162.220.166.184
	https://dashboard.sizle.io/p/f7c9cdf19	Get hash	malicious	HTMLPhisher	Browse	174.138.189.57
	fWAr4zGUkY.exe	Get hash	malicious	Remcos, Amadey, Stealc	Browse	66.45.226.53
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, StormKitty, VenomRAT	Browse	205.209.109.10
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse	205.209.109.10

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
6271f898ce5be7dd52b0fc260d0662b3	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	170.82.174.30
	https://ce4.ajax.a8b.co/get?redir=1&id=d4vCW7zizPl1mo0GYx0ELgo+CCIybH9/c4qC7CeWEuI=&uri=//the-western-fire-chiefs-association.jimdosite.com	Get hash	malicious	Unknown	Browse	170.82.174.30
	IIC0XbKFjS.lnk	Get hash	malicious	RHADAMANTHYS	Browse	170.82.174.30
	Document.xla	Get hash	malicious	Unknown	Browse	170.82.174.30
	V65xPrgEHH.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	170.82.174.30
	#U041e#U043f#U043b#U0430#U0442#U0430.xls	Get hash	malicious	Unknown	Browse	170.82.174.30
	#U041e#U043f#U043b#U0430#U0442#U0430.xls	Get hash	malicious	Unknown	Browse	170.82.174.30
	Smple_Order-048576744759475945.xls	Get hash	malicious	Unknown	Browse	170.82.174.30
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	170.82.174.30

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.5700810731231707
Encrypted:	false
SSDEEP:	3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
MD5:	573220372DA4ED487441611079B623CD
SHA1:	8F9D967AC6EF34640F1F0845214FBC6994C0CB80
SHA-256:	BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
SHA-512:	F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Dec 18 01:00:45 2024, Security: 1
Entropy (8bit):	7.743408666722072
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	Order_948575494759.xls
File size:	1'124'352 bytes
MD5:	6bcc53dc843155e886f469778b4216f1
SHA1:	ca277194f41d84c108389a788d7281e7566ed9f0
SHA256:	379fe2ae5a34b2349fe492b4318c589416c5cc8f1e54eb1502455863da17395e
SHA512:	cd6da13c89795461e4b804be52500b9db81887d18cadb0dd431cc49850db189f4e6dbb9731810d3ae55c7145ee46ee5fdc9e9606dfc73b08c2d9e5a9169abc28
SSDEEP:	12288:y8zJmzHJEUiOIBUzMTSSD3DERnLRmF8DhEPpxpsAQx1Zj+jLEPHbrpW8osAz85qW:MBanbARM8At8Z+j6RsSIUAI
TLSH:	0C35F1E5774DAB52CA06123575F3939E2714AC03D902427B36F8732D2AF7AD08607FA6
File Content Preview:	........................>.......................................................i...j...k...l...m...............V...W...r.......g.......i......................................................................................................................

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Code Page:	1252
Author:
Last Saved By:
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2024-12-18 01:00:45
Creating Application:	Microsoft Excel
Security:	1

Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

General
Stream Path:	MBD0191BFB8/MBD007203CB/_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` ! . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 60 98 21 8f 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - . 0
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 9d 36 9c b7 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name:	Sheet2.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 \| . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 9d 36 86 7c 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.889430592781307
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	200
Entropy:	3.3020681057018666
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . \| . # . @ . . . D P . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00

General
Stream Path:	MBD0191BFB6/\x1CompObj
CLSID:
File Type:	data
Stream Size:	99
Entropy:	3.631242196770981
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD0191BFB6/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	12479
Entropy:	7.0945112382968425
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 a7 95 f9 99 84 01 00 00 14 06 00 00 13 00 dd 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 d9 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD0191BFB7/\x1CompObj
CLSID:
File Type:	data
Stream Size:	99
Entropy:	3.631242196770981
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD0191BFB7/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	37036
Entropy:	7.720975169587741
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . 8 . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 b7 a1 38 de e3 01 00 00 cb 09 00 00 13 00 e9 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 e5 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD0191BFB8/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD0191BFB8/\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.701136490257069
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 9f 00 00 00

General
Stream Path:	MBD0191BFB8/\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	220
Entropy:	3.372234242231489
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . \\ . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . ; { ) . @ . . . . Z % . } . @ . . . . % ? ` * C . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 ac 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 5c 00 00 00 12 00 00 00 68 00 00 00 0b 00 00 00 80 00 00 00 0c 00 00 00 8c 00 00 00 0d 00 00 00 98 00 00 00 13 00 00 00 a4 00 00 00 02 00 00 00 e4 04 00 00

General
Stream Path:	MBD0191BFB8/MBD0018D4CE/\x1Ole
CLSID:
File Type:	data
Stream Size:	20
Entropy:	0.5689955935892812
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . .
Data Raw:	01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD0191BFB8/MBD0018D4CE/\x3ObjInfo
CLSID:
File Type:	data
Stream Size:	4
Entropy:	0.8112781244591328
Base64 Encoded:	False
Data ASCII:	. . . .
Data Raw:	00 00 03 00

General
Stream Path:	MBD0191BFB8/MBD0018D4CE/Contents
CLSID:
File Type:	Corel Photo-Paint image, version 9, 716 x 547 RGB 24 bits, 11811024 micro dots/mm, 4 blocks, array offset 0x13c
Stream Size:	197671
Entropy:	6.989042939766534
Base64 Encoded:	True
Data ASCII:	C P T 9 F I L E . . . . . . . . . . . . . . . . 8 . 8 . . . . . . . . . . . . . . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	43 50 54 39 46 49 4c 45 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 38 b4 00 d0 38 b4 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 01 00 94 00 00 00 3c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Order_948575494759.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\257CE251.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2CE5A790.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3987F136.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3E297C04.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5C5AF44A.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6997E987.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6EEDB4B2.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\83D7142D.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A448C3BF.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A4E6D5C9.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B1F1A5DC.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BE1F42E8.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C36CC41E.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C92DE3C3.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CBE8E435.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\FD73190B.emf

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\greatindiancompaniesgivenbestgiftforyourhealthgivengoodreturns[1].hta

C:\Users\user\AppData\Local\Temp\~DF9BA7F70E8B993713.TMP

C:\Users\user\AppData\Local\Temp\~DFE44654CE60698898.TMP

C:\Users\user\AppData\Local\Temp\~DFEFC13B3210F99F8A.TMP

Static File Info

General

File Icon

Static OLE Info

Windows Analysis Report
Order_948575494759.xls

General
Stream Path:	MBD0191BFB8/MBD0068D442/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.219515110876372
Base64 Encoded:	False
Data ASCII:	. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 30 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 0f 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 31 32 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD0191BFB8/MBD0068D442/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	26243
Entropy:	7.635433729726103
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . & . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 a1 26 fd 83 92 01 00 00 ae 05 00 00 13 00 e0 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 dc 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD0191BFB8/MBD007203CB/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD0191BFB8/MBD007203CB/\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	248
Entropy:	3.0523231150355867
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P u r c h a s e O r d e r T e m p l a t e . . . . . . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c8 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a2 00 00 00 02 00 00 00 e4 04 00 00

General
Stream Path:	MBD0191BFB8/MBD007203CB/\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	256
Entropy:	4.086306928392587
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . B r a t i s l a v M i l o j e v i c \| E L M E D d . o . o . . . . . . . . . . . 9 1 9 7 4 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . N ; . . @ . . . . . . . @ . . . . v @ n ) C . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 d0 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 7c 00 00 00 12 00 00 00 8c 00 00 00 0b 00 00 00 a4 00 00 00 0c 00 00 00 b0 00 00 00 0d 00 00 00 bc 00 00 00 13 00 00 00 c8 00 00 00 02 00 00 00 e4 04 00 00

General
Stream Path:	MBD0191BFB8/MBD007203CB/Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	134792
Entropy:	7.974168320310173
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . / . 6 . . . . . . . Z i ^ . m . q l % . w " . x . Z q C b g i ' . h . . # . . . . . . . P . . . \\ . p . . 6 u ! l ( n y I T 5 W { L : 1 J . S . . . . 0 x . 3 . ` . X { ( / z 7 / . 8 x X g X # v . . [ d C y . . s . ] G 9 m . u . . . B . . . R a . . . . . . . = . . . L . . . O . . r 7 . v . . . " . . . . " _ K : . . . . . . . . . j # . . . . K . . . . . . . . = . . . " j ! ; . g . . @ . . . . . . . ^ " . . . 9 . . . . r . . . . . . . 1 . . . : . t . ? e . ) n S P x . b & 1
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 5a 69 5e 2e a6 e0 6d 97 16 71 6c a3 ef b8 25 05 77 88 22 87 ec d8 b3 78 17 a4 5a 71 43 ad a8 c2 62 67 69 b8 d9 e2 27 83 c8 df b8 f6 68 1b 05 23 e1 00 02 00 b0 04 c1 00 02 00 ef 50 e2 00 00 00 5c 00 70 00 13 36 75 21 6c 28 6e bd 95 81 f4 c7 79 fa 49 54 35 99 57 f1 85 8d fb f3 e2 7b 4c b1 ea 3a

General
Stream Path:	MBD0191BFB8/MBD00726B69/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.219515110876372
Base64 Encoded:	False
Data ASCII:	. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 30 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 0f 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 31 32 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD0191BFB8/MBD00726B69/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	26242
Entropy:	7.635424485665502
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . & . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 a1 26 fd 83 92 01 00 00 ae 05 00 00 13 00 e0 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 dc 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	MBD0191BFB8/Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	283872
Entropy:	7.743278150467805
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . a . . . . . . . . = . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . H < l - 9 . . . . . . . X . @ . . . . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

General
Stream Path:	MBD0191BFB9/\x1CompObj
CLSID:
File Type:	data
Stream Size:	99
Entropy:	3.631242196770981
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00