Windows
Analysis Report
PO#45028.xlam.xlsx
Overview
General Information
Detection
Score: | 64 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Classification
- System is w11x64_office
EXCEL.EXE (PID: 7784 cmdline:
"C:\Progra m Files\Mi crosoft Of fice\Root\ Office16\E XCEL.EXE" /automatio n -Embeddi ng MD5: F9F7B6C42211B06E7AC3E4B60AA8FB77) splwow64.exe (PID: 5732 cmdline:
C:\Windows \splwow64. exe 12288 MD5: AF4A7EBF6114EE9E6FBCC910EC3C96E6)
appidpolicyconverter.exe (PID: 7536 cmdline:
"C:\Window s\system32 \appidpoli cyconverte r.exe" MD5: 6567D9CF2545FAAC60974D9D682700D4) conhost.exe (PID: 7520 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 9698384842DA735D80D278A427A229AB)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
INDICATOR_XML_LegacyDrawing_AutoLoad_Document | detects AutoLoad documents using LegacyDrawing | ditekSHen |
|
System Summary |
---|
Source: | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: |
Source: | Author: X__Junior (Nextron Systems): |
- • AV Detection
- • Compliance
- • Software Vulnerabilities
- • Networking
- • System Summary
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Directory created: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | DNS query: |
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: |
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: |
Source: | IP Address: | ||
Source: | IP Address: |
Source: | JA3 fingerprint: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
System Summary |
---|
Source: | Matched rule: |
Source: | OLE stream indicators for Word, Excel, PowerPoint, and Visio: |
Source: | Matched rule: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Window detected: |
Source: | Key opened: | Jump to behavior |
Source: | Directory created: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | Initial sample: |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Window / User API: | Jump to behavior |
Source: | Last function: | ||
Source: | Last function: |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Process information queried: | Jump to behavior |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 3 Exploitation for Client Execution | 1 DLL Side-Loading | 1 Process Injection | 3 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 2 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
37% | Virustotal | Browse | ||
61% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882 | ||
100% | Avira | EXP/CVE-2017-11882.Gen |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
s-part-0012.t-0009.t-msedge.net | 13.107.246.40 | true | false | high | |
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | high | |
s-0005.dual-s-msedge.net | 52.123.128.14 | true | false | high | |
otelrules.svc.static.microsoft | unknown | unknown | false | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false | high | ||
false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
13.107.246.40 | s-part-0012.t-0009.t-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1647722 |
Start date and time: | 2025-03-25 07:48:07 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 16s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09 |
Run name: | Potential for more IOCs and behavior |
Number of analysed new started processes analysed: | 21 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | PO#45028.xlam.xlsx |
Detection: | MAL |
Classification: | mal64.winXLSX@5/7@1/1 |
EGA Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): MpCmdRun.exe, d llhost.exe, sppsvc.exe, SIHCli ent.exe, conhost.exe, appidcer tstorecheck.exe, svchost.exe - Excluded IPs from analysis (wh
itelisted): 52.109.6.53, 52.10 9.8.36, 23.210.73.5, 23.210.73 .6, 52.109.4.7, 51.105.71.137, 52.123.128.14, 20.190.152.22, 4.175.87.197, 184.31.69.3 - Excluded domains from analysis
(whitelisted): us1.odcsm1.liv e.com.akadns.net, odc.officeap ps.live.com, slscr.update.micr osoft.com, a767.dspw65.akamai. net, mobile.events.data.micros oft.com, roaming.officeapps.li ve.com, onedscolprduks03.uksou th.cloudapp.azure.com, dual-s- 0005-office.config.skype.com, osiprod-cus-buff-azsc-000.cent ralus.cloudapp.azure.com, logi n.live.com, eus2-azsc-config.o fficeapps.live.com, officeclie nt.microsoft.com, osiprod-eus2 -bronze-azsc-000.eastus2.cloud app.azure.com, c.pki.goog, wu- b-net.trafficmanager.net, ecs. office.com, fs.microsoft.com, ctldl.windowsupdate.com.delive ry.microsoft.com, prod.configs vc1.live.com.akadns.net, ctldl .windowsupdate.com, prod.roami ng1.live.com.akadns.net, cus-a zsc-000.roaming.officeapps.liv e.com, fe3cr.delivery.mp.micro soft.com, download.windowsupda te.com.edgesuite.net, us1.roam ing1.live.com.akadns.net, eus2 -azsc-000.odc.officeapps.live. com, config.officeapps.live.co m, us.configsvc1.live.com.akad ns.net, ecs.office.trafficmana ger.net, prod.odcsm1.live.com. akad - Not all processes where analyz
ed, report is missing behavior information - Report size getting too big, t
oo many NtCreateKey calls foun d. - Report size getting too big, t
oo many NtQueryValueKey calls found. - Report size getting too big, t
oo many NtReadVirtualMemory ca lls found. - Report size getting too big, t
oo many NtSetValueKey calls fo und.
Time | Type | Description |
---|---|---|
02:50:12 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
13.107.246.40 | Get hash | malicious | HTMLPhisher | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
s-0005.dual-s-msedge.net | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
bg.microsoft.map.fastly.net | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Kdot Stealer | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Iris Stealer | Browse |
| ||
Get hash | malicious | Vidar | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
s-part-0012.t-0009.t-msedge.net | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
MICROSOFT-CORP-MSN-AS-BLOCKUS | Get hash | malicious | FormBook | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
258a5a1e95b8a911872bae9081526644 | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
Process: | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 118 |
Entropy (8bit): | 3.5700810731231707 |
Encrypted: | false |
SSDEEP: | 3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq |
MD5: | 573220372DA4ED487441611079B623CD |
SHA1: | 8F9D967AC6EF34640F1F0845214FBC6994C0CB80 |
SHA-256: | BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D |
SHA-512: | F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7 |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 20971520 |
Entropy (8bit): | 8.112143835430977E-5 |
Encrypted: | false |
SSDEEP: | 3:Tuekk9NJtHFfs1XsExe/t:qeVJ8 |
MD5: | AFDEAC461EEC32D754D8E6017E845D21 |
SHA1: | 5D0874C19B70638A0737696AEEE55BFCC80D7ED8 |
SHA-256: | 3A96B02F6A09F6A6FAC2A44A5842FF9AEB17EB4D633E48ABF6ADDF6FB447C7E2 |
SHA-512: | CAB6B8F9FFDBD80210F42219BAC8F1124D6C0B6995C5128995F7F48CED8EF0F2159EA06A2CD09B1FDCD409719F94A7DB437C708D3B1FDA01FDC80141A4595FC7 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 20971520 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:: |
MD5: | 8F4E33F3DC3E414FF94E5FB6905CBA8C |
SHA1: | 9674344C90C2F0646F0B78026E127C9B86E3AD77 |
SHA-256: | CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC |
SHA-512: | 7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 20971520 |
Entropy (8bit): | 0.19147552475832513 |
Encrypted: | false |
SSDEEP: | 1536:nHRPruPqITOc97sq7p0xozBWHjl37genkTbCY629Ou71VSMYAzBtz3imZlZ986nt:HVra79sqqKBWrkJRD/gAYBCgX |
MD5: | 3C61426384E910C76FCB21A4AE9CD73C |
SHA1: | 4FCF5FF6D199174716C32CF7A7CA5E6A4CE5DA6F |
SHA-256: | 788348D86CB19FA7569B1D88D35E92A636A8E08C720EFEF0AC4DC938AF027ED7 |
SHA-512: | 6711A68C216E8776E8AAC17B4395B1EC3BA761B2A895324757BE8063E45DE942970BDB28580EADD3483B7B96C60975EE22888C7DDD8A8CCA44A0629DA23A6DB7 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 20971520 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:: |
MD5: | 8F4E33F3DC3E414FF94E5FB6905CBA8C |
SHA1: | 9674344C90C2F0646F0B78026E127C9B86E3AD77 |
SHA-256: | CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC |
SHA-512: | 7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 165 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | |
MD5: | 359140EB88A757E2BBEF2F7D32DCC4E5 |
SHA1: | FD16035441ADF907BBFC594A96470C202E265067 |
SHA-256: | 42CDE461F058A0C6F6C5A69BD1D21114CD55929011C77BCB9A025B9CA43ED71F |
SHA-512: | 9ADF6AC24E55AA161D2FFA1AC3BBBF03A7028DEFD8E1722FA52CAF7C730F7CF8AAE2073A50FD8AA004AF46E9A578A3B8088DD89415368E64E1916367CE126741 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 165 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | |
MD5: | 359140EB88A757E2BBEF2F7D32DCC4E5 |
SHA1: | FD16035441ADF907BBFC594A96470C202E265067 |
SHA-256: | 42CDE461F058A0C6F6C5A69BD1D21114CD55929011C77BCB9A025B9CA43ED71F |
SHA-512: | 9ADF6AC24E55AA161D2FFA1AC3BBBF03A7028DEFD8E1722FA52CAF7C730F7CF8AAE2073A50FD8AA004AF46E9A578A3B8088DD89415368E64E1916367CE126741 |
Malicious: | true |
Preview: |
File type: | |
Entropy (8bit): | 7.9980484834269285 |
TrID: |
|
File name: | PO#45028.xlam.xlsx |
File size: | 717'437 bytes |
MD5: | 8cd71bfa34a4237c40203bd546019582 |
SHA1: | 8776987f67def321d13a7db35cdc569bedc26f7a |
SHA256: | a28b52d6d9e6a3291db8e37d08c1c9874223af5c0122b816814301cc4dc2f049 |
SHA512: | 00a8292ceccdffc5cf3bb6a518cf815c5c0afea2077764aa58b9e3a997fc718f58919532cdf930b26ccdbf6a26302e13df91d99431b99346815355f430b9bbfe |
SSDEEP: | 12288:w5Vx5QAwHiExs6G0XgvJOrDgbwE5hZKhG4A4HJJ1udzMdyvC2LVvDgWf:wDx16hxp4vJO34h/4AOPMdzMdXurg4 |
TLSH: | ABE423C49A325A91D23CF19D52F6F197BED8DC80662691F0116CE46C083AFECBF5AC94 |
File Content Preview: | PK.........FxZ...u....S.......[Content_Types].xmlUT......g...g...g.UKk.1......].JvZB)..........Yi.V......}g.M../1...-B.=....]n..6.............e#.....EE.....6b.$./......R..@.X...(Ez..H...O..=....J...Du6..+.C.P..s.....dk.Z@......:U....T2.....^.......;W.`.R. |
Icon Hash: | 35e58a8c0c8a85b9 |
Document Type: | OpenXML |
Number of OLE Files: | 1 |
Has Summary Info: | |
Application Name: | |
Encrypted Document: | False |
Contains Word Document Stream: | False |
Contains Workbook/Book Stream: | False |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | False |
Flash Objects Count: | 0 |
Contains VBA Macros: | False |
Author: | |
Last Saved By: | |
Create Time: | 2024-03-25T10:30:17Z |
Last Saved Time: | 2024-03-25T10:30:48Z |
Creating Application: | |
Security: | 0 |
Thumbnail Scaling Desired: | false |
Contains Dirty Links: | false |
Shared Document: | false |
Changed Hyperlinks: | false |
Application Version: | 12.0000 |
General | |
Stream Path: | \x1Ole10Native |
CLSID: | |
File Type: | data |
Stream Size: | 961011 |
Entropy: | 5.9940251973719985 |
Base64 Encoded: | True |
Data ASCII: | . . 8 h . . t I H ) I . * . g . g . 6 U . k 6 ! . 5 . . . D . . > + a $ m B g , 5 \\ f $ J $ . - l ~ @ # C . . . 7 B J O " H I t . U U . " [ . 6 Y r r o | u . . . . B { w s . . . R ! F . Y . . . . . * - i . D z H $ . r A _ . . V . D k Z | W ] . E w S % 2 C y d U e W . . . 4 . R | . , . o . y O . ( 6 . . 2 4 . . k . + . k T . . Y _ . . . $ 8 L F 9 T l . N + . " g [ i p | y n . . " E B Y = 5 c 7 I = } 0 . . . . . ) k S . 0 d W . P . Y . A . l ^ . . [ . t . m O c 0 w _ ? ` = ] z X J # z . 9 ^ & \\ L f K ' ? |
Data Raw: | f7 fe b2 03 02 b2 aa 38 e8 68 01 08 c0 ba be 74 94 d3 49 81 f6 48 29 96 49 8b 16 8b 2a be fb 7f 67 da 81 e6 b0 67 de 01 8b 36 55 ff d6 05 6b 36 21 e5 05 35 ca de 1a ff e0 08 b6 11 44 00 94 8e 18 3e 2b 61 24 6d eb 42 67 a3 2c 35 b2 c0 5c 66 24 4a 8e ad 24 19 2d 6c dd 7e 40 f4 23 43 bc 2e de 8d d6 82 97 37 42 4a 4f 22 48 49 e9 74 dd 06 b1 55 55 e3 19 22 f9 5b 1e 36 cd 59 af 9c 72 72 |
General | |
Stream Path: | Usa0XMUN |
CLSID: | |
File Type: | empty |
Stream Size: | 0 |
Entropy: | 0.0 |
Base64 Encoded: | False |
Data ASCII: | |
Data Raw: |
Download Network PCAP: filtered – full
- Total Packets: 20
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 25, 2025 07:50:18.414189100 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 25, 2025 07:50:18.414231062 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25 |
Mar 25, 2025 07:50:18.414381027 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 25, 2025 07:50:18.414395094 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 25, 2025 07:50:18.414407969 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25 |
Mar 25, 2025 07:50:18.414474010 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 25, 2025 07:50:18.414896011 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 25, 2025 07:50:18.414910078 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25 |
Mar 25, 2025 07:50:18.415148973 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 25, 2025 07:50:18.415157080 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25 |
Mar 25, 2025 07:50:18.705482960 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25 |
Mar 25, 2025 07:50:18.705625057 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 25, 2025 07:50:18.708270073 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25 |
Mar 25, 2025 07:50:18.708426952 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 25, 2025 07:50:18.710072994 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 25, 2025 07:50:18.710088968 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25 |
Mar 25, 2025 07:50:18.710489035 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25 |
Mar 25, 2025 07:50:18.721272945 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 25, 2025 07:50:18.721332073 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25 |
Mar 25, 2025 07:50:18.721682072 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25 |
Mar 25, 2025 07:50:18.725678921 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 25, 2025 07:50:18.725711107 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 25, 2025 07:50:18.768337011 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25 |
Mar 25, 2025 07:50:18.772325039 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25 |
Mar 25, 2025 07:50:18.881537914 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25 |
Mar 25, 2025 07:50:18.881764889 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25 |
Mar 25, 2025 07:50:18.881874084 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 25, 2025 07:50:18.882814884 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 25, 2025 07:50:18.882814884 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 25, 2025 07:50:18.882846117 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25 |
Mar 25, 2025 07:50:18.882852077 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25 |
Mar 25, 2025 07:50:18.889693022 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25 |
Mar 25, 2025 07:50:18.889756918 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25 |
Mar 25, 2025 07:50:18.889808893 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 25, 2025 07:50:18.889837980 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25 |
Mar 25, 2025 07:50:18.890353918 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25 |
Mar 25, 2025 07:50:18.890505075 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 25, 2025 07:50:18.890746117 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 25, 2025 07:50:18.890746117 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40 |
Mar 25, 2025 07:50:18.890763044 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25 |
Mar 25, 2025 07:50:18.890774012 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 25, 2025 07:50:18.314094067 CET | 55344 | 53 | 192.168.2.25 | 1.1.1.1 |
Mar 25, 2025 07:50:18.411710024 CET | 53 | 55344 | 1.1.1.1 | 192.168.2.25 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 25, 2025 07:50:18.314094067 CET | 192.168.2.25 | 1.1.1.1 | 0x33bf | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 25, 2025 07:49:13.038856983 CET | 1.1.1.1 | 192.168.2.25 | 0x8024 | No error (0) | s-0005.dual-s-msedge.net | CNAME (Canonical name) | IN (0x0001) | false | ||
Mar 25, 2025 07:49:13.038856983 CET | 1.1.1.1 | 192.168.2.25 | 0x8024 | No error (0) | 52.123.128.14 | A (IP address) | IN (0x0001) | false | ||
Mar 25, 2025 07:49:13.038856983 CET | 1.1.1.1 | 192.168.2.25 | 0x8024 | No error (0) | 52.123.129.14 | A (IP address) | IN (0x0001) | false | ||
Mar 25, 2025 07:50:15.314155102 CET | 1.1.1.1 | 192.168.2.25 | 0xbd46 | No error (0) | 199.232.214.172 | A (IP address) | IN (0x0001) | false | ||
Mar 25, 2025 07:50:15.314155102 CET | 1.1.1.1 | 192.168.2.25 | 0xbd46 | No error (0) | 199.232.210.172 | A (IP address) | IN (0x0001) | false | ||
Mar 25, 2025 07:50:18.411710024 CET | 1.1.1.1 | 192.168.2.25 | 0x33bf | No error (0) | otelrules-bzhndjfje8dvh5fd.z01.azurefd.net | CNAME (Canonical name) | IN (0x0001) | false | ||
Mar 25, 2025 07:50:18.411710024 CET | 1.1.1.1 | 192.168.2.25 | 0x33bf | No error (0) | star-azurefd-prod.trafficmanager.net | CNAME (Canonical name) | IN (0x0001) | false | ||
Mar 25, 2025 07:50:18.411710024 CET | 1.1.1.1 | 192.168.2.25 | 0x33bf | No error (0) | shed.dual-low.s-part-0012.t-0009.t-msedge.net | CNAME (Canonical name) | IN (0x0001) | false | ||
Mar 25, 2025 07:50:18.411710024 CET | 1.1.1.1 | 192.168.2.25 | 0x33bf | No error (0) | s-part-0012.t-0009.t-msedge.net | CNAME (Canonical name) | IN (0x0001) | false | ||
Mar 25, 2025 07:50:18.411710024 CET | 1.1.1.1 | 192.168.2.25 | 0x33bf | No error (0) | 13.107.246.40 | A (IP address) | IN (0x0001) | false |
|
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.25 | 49697 | 13.107.246.40 | 443 | 7784 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-25 06:50:18 UTC | 215 | OUT | |
2025-03-25 06:50:18 UTC | 515 | IN | |
2025-03-25 06:50:18 UTC | 2781 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.25 | 49698 | 13.107.246.40 | 443 | 7784 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-25 06:50:18 UTC | 214 | OUT | |
2025-03-25 06:50:18 UTC | 491 | IN | |
2025-03-25 06:50:18 UTC | 461 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 02:49:08 |
Start date: | 25/03/2025 |
Path: | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff78ee50000 |
File size: | 70'082'712 bytes |
MD5 hash: | F9F7B6C42211B06E7AC3E4B60AA8FB77 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | false |
Target ID: | 6 |
Start time: | 02:49:19 |
Start date: | 25/03/2025 |
Path: | C:\Windows\System32\appidpolicyconverter.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7beab0000 |
File size: | 155'648 bytes |
MD5 hash: | 6567D9CF2545FAAC60974D9D682700D4 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 7 |
Start time: | 02:49:20 |
Start date: | 25/03/2025 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff729690000 |
File size: | 1'040'384 bytes |
MD5 hash: | 9698384842DA735D80D278A427A229AB |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 12 |
Start time: | 02:50:12 |
Start date: | 25/03/2025 |
Path: | C:\Windows\splwow64.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff743be0000 |
File size: | 192'512 bytes |
MD5 hash: | AF4A7EBF6114EE9E6FBCC910EC3C96E6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | false |