
Windows Analysis Report
PO#45028.xlam.xlsx

Overview

General Information

Sample name: PO#45028.xlam.xlsx
Analysis ID: 1647722
MD5: 8cd71bfa34a4237c40203bd546019582
SHA1: 8776987f67def321d13a7db35cdc569bedc26f7a
SHA256: a28b52d6d9e6a3291db8e37d08c1c9874223af5c0122b816814301cc4dc2f049
Tags: xlam, xlsx, user-abuse_ch

Detection

Score: 64
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Document misses a certain OLE stream usually present in this Microsoft Office document type
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Yara signature match

Classification

(classification chart not recoverable; classification label: mal64.winXLSX@5/7@1/1)

Process Tree

  • System is w11x64_office
  • EXCEL.EXE (PID: 7784, cmdline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding, MD5: F9F7B6C42211B06E7AC3E4B60AA8FB77)
    • splwow64.exe (PID: 5732, cmdline: C:\Windows\splwow64.exe 12288, MD5: AF4A7EBF6114EE9E6FBCC910EC3C96E6)
  • appidpolicyconverter.exe (PID: 7536, cmdline: "C:\Windows\system32\appidpolicyconverter.exe", MD5: 6567D9CF2545FAAC60974D9D682700D4)
    • conhost.exe (PID: 7520, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 9698384842DA735D80D278A427A229AB)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
sheet1.xml | INDICATOR_XML_LegacyDrawing_AutoLoad_Document | detects AutoLoad documents using LegacyDrawing | ditekSHen |
  • 0x1bb: $s1: <legacyDrawing r:id="
  • 0x1e3: $s2: <oleObject progId="
  • 0x22f: $s3: autoLoad="true"

System Summary

Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton | Data: DestinationIp: 13.107.246.40, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7784, Protocol: tcp, SourceIp: 192.168.2.25, SourceIsIpv6: false, SourcePort: 49697
Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.25, DestinationIsIpv6: false, DestinationPort: 49697, EventID: 3, Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7784, Protocol: tcp, SourceIp: 13.107.246.40, SourceIsIpv6: false, SourcePort: 443
No Suricata rule has matched


AV Detection

Source: PO#45028.xlam.xlsx | Avira: detected
Source: PO#45028.xlam.xlsx | Virustotal: Detection: 36%
Source: PO#45028.xlam.xlsx | ReversingLabs: Detection: 61%
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Directory created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.25:49698 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.25:49697 version: TLS 1.2
Source: global traffic | DNS query: name: otelrules.svc.static.microsoft
Source: global traffic | TCP traffic: 192.168.2.25:49697 -> 13.107.246.40:443
Source: global traffic | TCP traffic: 192.168.2.25:49698 -> 13.107.246.40:443
Source: global traffic | TCP traffic: 13.107.246.40:443 -> 192.168.2.25:49697
Source: global traffic | TCP traffic: 13.107.246.40:443 -> 192.168.2.25:49698
Source: Joe Sandbox View | IP Address: 13.107.246.40
Source: Joe Sandbox View | JA3 fingerprint: 258a5a1e95b8a911872bae9081526644
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /rules/rule120201v19s19.xml HTTP/1.1
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.18129; Pro)
    Host: otelrules.svc.static.microsoft
Source: global traffic | HTTP traffic detected:
    GET /rules/rule170146v0s19.xml HTTP/1.1
    Connection: Keep-Alive
    Accept-Encoding: gzip
    User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.18129; Pro)
    Host: otelrules.svc.static.microsoft
Source: global traffic | DNS traffic detected: DNS query: otelrules.svc.static.microsoft
Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown | Network traffic detected: HTTP traffic on port 49697 -> 443

System Summary

Source: sheet1.xml, type: SAMPLE | Matched rule: detects AutoLoad documents using LegacyDrawing, Author: ditekSHen
Source: PO#45028.xlam.xlsx | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: sheet1.xml, type: SAMPLE | Matched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document, author = ditekSHen, description = detects AutoLoad documents using LegacyDrawing
Source: classification engine | Classification label: mal64.winXLSX@5/7@1/1
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\Desktop\~$PO#45028.xlam.xlsx
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7520:120:WilError_03
Source: C:\Windows\System32\appidpolicyconverter.exe | Mutant created: PolicyMutex
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{D2196DF6-DA69-4148-8442-CA9287FDF32F} - OProcSessId.dat
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\appidpolicyconverter.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: unknown | Process created: C:\Windows\System32\appidpolicyconverter.exe "C:\Windows\system32\appidpolicyconverter.exe"
Source: C:\Windows\System32\appidpolicyconverter.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Windows\System32\appidpolicyconverter.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\appidpolicyconverter.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\appidpolicyconverter.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\appidpolicyconverter.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\appidpolicyconverter.exe | Section loaded: gpapi.dll
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3EE60F5C-9BAD-4CD8-8E21-AD2D001D06EB}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: PO#45028.xlam.xlsx | Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe | Window / User API: threadDelayed 924
Source: C:\Windows\splwow64.exe | Last function: Thread delayed
Source: C:\Windows\splwow64.exe | Thread delayed: delay time: 120000
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | Process information queried: ProcessInformation
MITRE ATT&CK Matrix (a number in parentheses is the count of matching signatures for that technique)

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
  • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
  • Execution: Exploitation for Client Execution (3); Scheduled Task/Job; At; Cron; Launchd
  • Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
  • Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script
  • Defense Evasion: Masquerading (3); Virtualization/Sandbox Evasion (1); Process Injection (1); DLL Side-Loading (1); Software Packing
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
  • Discovery: Process Discovery (1); Virtualization/Sandbox Evasion (1); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (2)
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
  • Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (3); Fallback Channels
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Behavior Graph (graph image not recoverable; node data recovered from the page follows)

Behavior Graph ID: 1647722
Sample: PO#45028.xlam.xlsx
Start date: 25/03/2025
Architecture: WINDOWS
Score: 64
Contacted domains / IPs: star-azurefd-prod.trafficmanager.net; shed.dual-low.s-part-0012.t-0009.t-msedge.net; 3 other IPs or domains; s-part-0012.t-0009.t-msedge.net (13.107.246.40, 443, 49697, 49698, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
Signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file
Processes: EXCEL.EXE 504 60 (started), which started splwow64.exe; appidpolicyconverter.exe 1 (started), which started conhost.exe
Dropped file: C:\Users\user\Desktop\~$PO#45028.xlam.xlsx, data

Source | Detection | Scanner | Label
PO#45028.xlam.xlsx | 37% | Virustotal |
PO#45028.xlam.xlsx | 61% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882
PO#45028.xlam.xlsx | 100% | Avira | EXP/CVE-2017-11882.Gen
No Antivirus matches


Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0012.t-0009.t-msedge.net | 13.107.246.40 | true | false | | high
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
s-0005.dual-s-msedge.net | 52.123.128.14 | true | false | | high
otelrules.svc.static.microsoft | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://otelrules.svc.static.microsoft/rules/rule170146v0s19.xml | false | | high
https://otelrules.svc.static.microsoft/rules/rule120201v19s19.xml | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
13.107.246.40 | s-part-0012.t-0009.t-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1647722
Start date and time: 2025-03-25 07:48:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 16s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Run name: Potential for more IOCs and behavior
Number of analysed new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PO#45028.xlam.xlsx
Detection: MAL
Classification: mal64.winXLSX@5/7@1/1
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .xlsx
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Active ActiveX Object
  • Scroll down
  • Close Viewer
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, conhost.exe, appidcertstorecheck.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.109.6.53, 52.109.8.36, 23.210.73.5, 23.210.73.6, 52.109.4.7, 51.105.71.137, 52.123.128.14, 20.190.152.22, 4.175.87.197, 184.31.69.3
  • Excluded domains from analysis (whitelisted): us1.odcsm1.live.com.akadns.net, odc.officeapps.live.com, slscr.update.microsoft.com, a767.dspw65.akamai.net, mobile.events.data.microsoft.com, roaming.officeapps.live.com, onedscolprduks03.uksouth.cloudapp.azure.com, dual-s-0005-office.config.skype.com, osiprod-cus-buff-azsc-000.centralus.cloudapp.azure.com, login.live.com, eus2-azsc-config.officeapps.live.com, officeclient.microsoft.com, osiprod-eus2-bronze-azsc-000.eastus2.cloudapp.azure.com, c.pki.goog, wu-b-net.trafficmanager.net, ecs.office.com, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, cus-azsc-000.roaming.officeapps.live.com, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, us1.roaming1.live.com.akadns.net, eus2-azsc-000.odc.officeapps.live.com, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, ecs.office.trafficmanager.net, prod.odcsm1.live.com.akad
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
  • Report size getting too big, too many NtSetValueKey calls found.
Time | Type | Description
02:50:12 | API Interceptor | 948x Sleep call for process: splwow64.exe modified
              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
              13.107.246.40Payment Transfer Receipt.shtmlGet hashmaliciousHTMLPhisherBrowse
              • www.aib.gov.uk/
              NEW ORDER.xlsGet hashmaliciousUnknownBrowse
              • 2s.gg/3zs
              PO_OCF 408.xlsGet hashmaliciousUnknownBrowse
              • 2s.gg/42Q
              06836722_218 Aluplast.docx.docGet hashmaliciousUnknownBrowse
              • 2s.gg/3zk
              Quotation.xlsGet hashmaliciousUnknownBrowse
              • 2s.gg/3zM
              Match | Associated Sample Name / URL | Detection | Threat Name | Context
              s-0005.dual-s-msedge.net | New Order.docx | malicious | Unknown
              • 52.123.128.14
              s-0005.dual-s-msedge.net | Nuevo comando_BR WJO-3-24-2025.xlam.xlsx | malicious | Unknown
              • 52.123.128.14
              s-0005.dual-s-msedge.net | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown
              • 52.123.129.14
              s-0005.dual-s-msedge.net | Ordersheet_NanshaGA-012.docx | malicious | Unknown
              • 52.123.128.14
              s-0005.dual-s-msedge.net | New Order.docx | malicious | Unknown
              • 52.123.128.14
              s-0005.dual-s-msedge.net | BL 248436935 CNTR MRKU9180226.docx.doc | malicious | Unknown
              • 52.123.129.14
              s-0005.dual-s-msedge.net | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown
              • 52.123.129.14
              s-0005.dual-s-msedge.net | Ordersheet_NanshaGA-012.docx | malicious | Unknown
              • 52.123.129.14
              s-0005.dual-s-msedge.net | BL 248436935 CNTR MRKU9180226.docx.doc | malicious | Unknown
              • 52.123.128.14
              bg.microsoft.map.fastly.net | BL 248436935 CNTR MRKU9180226.docx.doc | malicious | Unknown
              • 199.232.214.172
              bg.microsoft.map.fastly.net | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown
              • 199.232.214.172
              bg.microsoft.map.fastly.net | 0064_QB_Payment_Statemnt87T.svg | malicious | HTMLPhisher, Invisible JS, Tycoon2FA
              • 199.232.210.172
              bg.microsoft.map.fastly.net | Ipsen USA RFP.pdf | malicious | Unknown
              • 199.232.214.172
              bg.microsoft.map.fastly.net | general.ps1 | malicious | Kdot Stealer
              • 199.232.214.172
              bg.microsoft.map.fastly.net | Final-Payment-Doc#243414512.pdf | malicious | Unknown
              • 199.232.210.172
              bg.microsoft.map.fastly.net | 2xHGY40ElK.exe | malicious | Iris Stealer
              • 199.232.214.172
              bg.microsoft.map.fastly.net | JpPY0mRA9f.exe | malicious | Vidar
              • 199.232.210.172
              bg.microsoft.map.fastly.net | jn8DY8kfrM.msi | malicious | Unknown
              • 199.232.214.172
              bg.microsoft.map.fastly.net | MM-7925-0224_110_AD.exe | malicious | Snake Keylogger, VIP Keylogger
              • 199.232.214.172
              s-part-0012.t-0009.t-msedge.net | Nuevo comando_BR WJO-3-24-2025.xlam.xlsx | malicious | Unknown
              • 13.107.246.40
              s-part-0012.t-0009.t-msedge.net | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown
              • 13.107.246.40
              s-part-0012.t-0009.t-msedge.net | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown
              • 13.107.246.40
              s-part-0012.t-0009.t-msedge.net | YourToDo.svg | malicious | HTMLPhisher
              • 13.107.246.40
              s-part-0012.t-0009.t-msedge.net | SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown
              • 13.107.246.40
              s-part-0012.t-0009.t-msedge.net | SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown
              • 13.107.246.40
              s-part-0012.t-0009.t-msedge.net | SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown
              • 13.107.246.40
              s-part-0012.t-0009.t-msedge.net | https://login.teamcallreplay.com/oFbles&source=outlook&treatment=1819&qpc=3528737790308&oid=ffe835c0-e3b2-47ef-8660-b4810e324348&hubappid=8682d0fa-50b3-4ece-aa5b-e0b33f9919e2&hubappsubpath=/mail/AAMmAHtGNzM0MzlDMy0xRkNCLTQ3MDMtQUZEOS1FOThBMTVBMDY0NzB9AC4AAAAAAGJMF6RqmolHpsTqJExeXkwBAPvm6dU4ayVJsqZ%2B83HB388AAAJskbgAAA%3D%3D/id/AAQmAHtGNzM0MzlDMy0xRkNCLTQ3MDMtQUZEOS1FOThBMTVBMDY0NzB9ABAAVdifTQ0V902%2BTpC4Cm5J9Q%3D%3D/itemId/AAMmAHtGNzM0MzlDMy0xRkNCLTQ3MDMtQUZEOS1FOThBMTVBMDY0NzB9AEYAAAAAAGJMF6RqmolHpsTqJExeXkwHAPvm6dU4ayVJsqZ%2B83HB388AAAJskbgAAOG16XzPXGBOqxaBxVFQG0MAA1Qavb0AAA%3D%3D/immutableItemId/AAkALgAAAAAAHYQDEapmEc2byACqAC%2FEWg0A4bXpfM9cYE6rFoHFUVAbQwADVBuRpwAA | malicious | HTMLPhisher
              • 13.107.246.40
              s-part-0012.t-0009.t-msedge.net | https://jainiklifesciences.com/proposals | malicious | HTMLPhisher
              • 13.107.246.40
              Match | Associated Sample Name / URL | Detection | Threat Name | Context
              MICROSOFT-CORP-MSN-AS-BLOCKUS | TEKLIF_0324.exe | malicious | FormBook
              • 204.79.197.203
              MICROSOFT-CORP-MSN-AS-BLOCKUS | Nuevo comando_BR WJO-3-24-2025.xlam.xlsx | malicious | Unknown
              • 13.107.246.40
              MICROSOFT-CORP-MSN-AS-BLOCKUS | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown
              • 20.49.104.35
              MICROSOFT-CORP-MSN-AS-BLOCKUS | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown
              • 20.49.104.35
              MICROSOFT-CORP-MSN-AS-BLOCKUS | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown
              • 20.49.104.35
              MICROSOFT-CORP-MSN-AS-BLOCKUS | SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown
              • 13.107.246.40
              MICROSOFT-CORP-MSN-AS-BLOCKUS | Invoice#1427743190.eml | malicious | Unknown
              • 20.189.173.12
              MICROSOFT-CORP-MSN-AS-BLOCKUS | SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown
              • 13.107.246.40
              MICROSOFT-CORP-MSN-AS-BLOCKUS | SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown
              • 13.107.246.40
              Match | Associated Sample Name / URL | Detection | Threat Name | Context
              258a5a1e95b8a911872bae9081526644 | BL 248436935 CNTR MRKU9180226.docx.doc | malicious | Unknown
              • 13.107.246.40
              258a5a1e95b8a911872bae9081526644 | PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown
              • 13.107.246.40
              258a5a1e95b8a911872bae9081526644 | SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown
              • 13.107.246.40
              258a5a1e95b8a911872bae9081526644 | CMR ReF 15200477813.docx.doc | malicious | Unknown
              • 13.107.246.40
              258a5a1e95b8a911872bae9081526644 | PRE#U00c7O - RFQ 674441-76450.xla.xlsx | malicious | Unknown
              • 13.107.246.40
              258a5a1e95b8a911872bae9081526644 | PURCHASE ORDER - PO#267759.xlam.xlsx | malicious | Unknown
              • 13.107.246.40
              258a5a1e95b8a911872bae9081526644 | Medical GmbH Order.xls | malicious | Unknown
              • 13.107.246.40
              258a5a1e95b8a911872bae9081526644 | Quotation.xls | malicious | Unknown
              • 13.107.246.40
              258a5a1e95b8a911872bae9081526644 | ENQUIRY - RFQ 674441-76450.xla.xlsx | malicious | Unknown
              • 13.107.246.40
              258a5a1e95b8a911872bae9081526644 | Payment Advice 24-03-2025.docx.doc | malicious | Unknown
              • 13.107.246.40
              No context
              Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category:dropped
              Size (bytes):118
              Entropy (8bit):3.5700810731231707
              Encrypted:false
              SSDEEP:3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
              MD5:573220372DA4ED487441611079B623CD
              SHA1:8F9D967AC6EF34640F1F0845214FBC6994C0CB80
              SHA-256:BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
              SHA-512:F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
              Malicious:false
              Reputation:high, very likely benign file
              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.
              Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              File Type:data
              Category:dropped
              Size (bytes):20971520
              Entropy (8bit):8.112143835430977E-5
              Encrypted:false
              SSDEEP:3:Tuekk9NJtHFfs1XsExe/t:qeVJ8
              MD5:AFDEAC461EEC32D754D8E6017E845D21
              SHA1:5D0874C19B70638A0737696AEEE55BFCC80D7ED8
              SHA-256:3A96B02F6A09F6A6FAC2A44A5842FF9AEB17EB4D633E48ABF6ADDF6FB447C7E2
              SHA-512:CAB6B8F9FFDBD80210F42219BAC8F1124D6C0B6995C5128995F7F48CED8EF0F2159EA06A2CD09B1FDCD409719F94A7DB437C708D3B1FDA01FDC80141A4595FC7
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation
              Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              File Type:data
              Category:dropped
              Size (bytes):20971520
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3::
              MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
              SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
              SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
              SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
              Malicious:false
              Reputation:high, very likely benign file
              Preview:
              Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              File Type:ASCII text, with very long lines (28714), with CRLF line terminators
              Category:dropped
              Size (bytes):20971520
              Entropy (8bit):0.19147552475832513
              Encrypted:false
              SSDEEP:1536:nHRPruPqITOc97sq7p0xozBWHjl37genkTbCY629Ou71VSMYAzBtz3imZlZ986nt:HVra79sqqKBWrkJRD/gAYBCgX
              MD5:3C61426384E910C76FCB21A4AE9CD73C
              SHA1:4FCF5FF6D199174716C32CF7A7CA5E6A4CE5DA6F
              SHA-256:788348D86CB19FA7569B1D88D35E92A636A8E08C720EFEF0AC4DC938AF027ED7
              SHA-512:6711A68C216E8776E8AAC17B4395B1EC3BA761B2A895324757BE8063E45DE942970BDB28580EADD3483B7B96C60975EE22888C7DDD8A8CCA44A0629DA23A6DB7
              Malicious:false
              Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..03/25/2025 06:49:10.880.EXCEL (0x1E68).0x1ED8.Microsoft Excel.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Experimentation.FeatureQueryBatched","Flags":33777005812056321,"InternalSequenceNumber":17,"Time":"2025-03-25T06:49:10.880Z","Data.Sequence":0,"Data.Count":128,"Data.Features":"[ { \"ID\" : 1, \"N\" : \"Microsoft.Office.Telemetry.TrackCPSWrites\", \"V\" : false, \"S\" : 1, \"P\" : 0, \"T\" : \"2025-03-25T06:49:10.3494573Z\", \"C\" : \"33\", \"Q\" : 0.0, \"M\" : 0, \"F\" : 5 }, { \"ID\" : 1, \"N\" : \"Microsoft.Office.Telemetry.CPSMaxWrites\", \"V\" : 2, \"S\" : 1, \"P\" : 0, \"T\" : \"2025-03-25T06:49:10.3494573Z\", \"C\" : \"33\", \"Q\" : 0.0, \"M\" : 0, \"F\" : 5 }, { \"ID\" : 1, \"N\" : \"Microsoft.Office.Word.UAEOnSafeModeEnabled\", \"V\" : true, \"S\" : 1, \"P\" : 0, \"T\" : \"2025-03-25T06:49:10.3494573Z\", \"C\" : \"\", \"Q\" : 7.0, \"M\" : 0, \"F\" : 5, \"G\" : \"Opt\" }, { \"ID\" : 1, \"
              Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              File Type:data
              Category:dropped
              Size (bytes):20971520
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3::
              MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
              SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
              SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
              SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
              Malicious:false
              Preview:
              Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              File Type:data
              Category:dropped
              Size (bytes):165
              Entropy (8bit):1.4377382811115937
              Encrypted:false
              SSDEEP:
              MD5:359140EB88A757E2BBEF2F7D32DCC4E5
              SHA1:FD16035441ADF907BBFC594A96470C202E265067
              SHA-256:42CDE461F058A0C6F6C5A69BD1D21114CD55929011C77BCB9A025B9CA43ED71F
              SHA-512:9ADF6AC24E55AA161D2FFA1AC3BBBF03A7028DEFD8E1722FA52CAF7C730F7CF8AAE2073A50FD8AA004AF46E9A578A3B8088DD89415368E64E1916367CE126741
              Malicious:false
              Preview:.user ..M.e.r.c.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
              Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              File Type:data
              Category:dropped
              Size (bytes):165
              Entropy (8bit):1.4377382811115937
              Encrypted:false
              SSDEEP:
              MD5:359140EB88A757E2BBEF2F7D32DCC4E5
              SHA1:FD16035441ADF907BBFC594A96470C202E265067
              SHA-256:42CDE461F058A0C6F6C5A69BD1D21114CD55929011C77BCB9A025B9CA43ED71F
              SHA-512:9ADF6AC24E55AA161D2FFA1AC3BBBF03A7028DEFD8E1722FA52CAF7C730F7CF8AAE2073A50FD8AA004AF46E9A578A3B8088DD89415368E64E1916367CE126741
              Malicious:true
              Preview:.user ..M.e.r.c.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
              File type:Microsoft Excel 2007+
              Entropy (8bit):7.9980484834269285
              TrID:
              • Excel Microsoft Office Open XML Format document (35004/1) 81.40%
              • ZIP compressed archive (8000/1) 18.60%
              File name:PO#45028.xlam.xlsx
              File size:717'437 bytes
              MD5:8cd71bfa34a4237c40203bd546019582
              SHA1:8776987f67def321d13a7db35cdc569bedc26f7a
              SHA256:a28b52d6d9e6a3291db8e37d08c1c9874223af5c0122b816814301cc4dc2f049
              SHA512:00a8292ceccdffc5cf3bb6a518cf815c5c0afea2077764aa58b9e3a997fc718f58919532cdf930b26ccdbf6a26302e13df91d99431b99346815355f430b9bbfe
              SSDEEP:12288:w5Vx5QAwHiExs6G0XgvJOrDgbwE5hZKhG4A4HJJ1udzMdyvC2LVvDgWf:wDx16hxp4vJO34h/4AOPMdzMdXurg4
              TLSH:ABE423C49A325A91D23CF19D52F6F197BED8DC80662691F0116CE46C083AFECBF5AC94
              File Content Preview:PK.........FxZ...u....S.......[Content_Types].xmlUT......g...g...g.UKk.1......].JvZB)..........Yi.V......}g.M../1...-B.=....]n..6.............e#.....EE.....6b.$./......R..@.X...(Ez..H...O..=....J...Du6..+.C.P..s.....dk.Z@......:U....T2.....^.......;W.`.R.
              Icon Hash:35e58a8c0c8a85b9
              Document Type:OpenXML
              Number of OLE Files:1
              Has Summary Info:
              Application Name:
              Encrypted Document:False
              Contains Word Document Stream:False
              Contains Workbook/Book Stream:False
              Contains PowerPoint Document Stream:False
              Contains Visio Document Stream:False
              Contains ObjectPool Stream:False
              Flash Objects Count:0
              Contains VBA Macros:False
              Author:HP
              Last Saved By:HP
              Create Time:2024-03-25T10:30:17Z
              Last Saved Time:2024-03-25T10:30:48Z
              Creating Application:Microsoft Excel
              Security:0
              Thumbnail Scaling Desired:false
              Contains Dirty Links:false
              Shared Document:false
              Changed Hyperlinks:false
              Application Version:12.0000
              General
              Stream Path:\x1Ole10Native
              CLSID:
              File Type:data
              Stream Size:961011
              Entropy:5.9940251973719985
              Base64 Encoded:True
              Data ASCII:. . 8 h . . t I H ) I . * . g . g . 6 U . k 6 ! . 5 . . . D . . > + a $ m B g , 5 \\ f $ J $ . - l ~ @ # C . . . 7 B J O " H I t . U U . " [ . 6 Y r r o | u . . . . B { w s . . . R ! F . Y . . . . . * - i . D z H $ . r A _ . . V . D k Z | W ] . E w S % 2 C y d U e W . . . 4 . R | . , . o . y O . ( 6 . . 2 4 . . k . + . k T . . Y _ . . . $ 8 L F 9 T l . N + . " g [ i p | y n . . " E B Y = 5 c 7 I = } 0 . . . . . ) k S . 0 d W . P . Y . A . l ^ . . [ . t . m O c 0 w _ ? ` = ] z X J # z . 9 ^ & \\ L f K ' ?
              Data Raw:f7 fe b2 03 02 b2 aa 38 e8 68 01 08 c0 ba be 74 94 d3 49 81 f6 48 29 96 49 8b 16 8b 2a be fb 7f 67 da 81 e6 b0 67 de 01 8b 36 55 ff d6 05 6b 36 21 e5 05 35 ca de 1a ff e0 08 b6 11 44 00 94 8e 18 3e 2b 61 24 6d eb 42 67 a3 2c 35 b2 c0 5c 66 24 4a 8e ad 24 19 2d 6c dd 7e 40 f4 23 43 bc 2e de 8d d6 82 97 37 42 4a 4f 22 48 49 e9 74 dd 06 b1 55 55 e3 19 22 f9 5b 1e 36 cd 59 af 9c 72 72
              General
              Stream Path:Usa0XMUN
              CLSID:
              File Type:empty
              Stream Size:0
              Entropy:0.0
              Base64 Encoded:False
              Data ASCII:
              Data Raw:


              • Total Packets: 20
              • 443 (HTTPS)
              • 53 (DNS)
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Mar 25, 2025 07:50:18.414189100 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 25, 2025 07:50:18.414231062 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25
              Mar 25, 2025 07:50:18.414381027 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 25, 2025 07:50:18.414395094 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 25, 2025 07:50:18.414407969 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
              Mar 25, 2025 07:50:18.414474010 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 25, 2025 07:50:18.414896011 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 25, 2025 07:50:18.414910078 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25
              Mar 25, 2025 07:50:18.415148973 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 25, 2025 07:50:18.415157080 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
              Mar 25, 2025 07:50:18.705482960 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
              Mar 25, 2025 07:50:18.705625057 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 25, 2025 07:50:18.708270073 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25
              Mar 25, 2025 07:50:18.708426952 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 25, 2025 07:50:18.710072994 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 25, 2025 07:50:18.710088968 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
              Mar 25, 2025 07:50:18.710489035 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
              Mar 25, 2025 07:50:18.721272945 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 25, 2025 07:50:18.721332073 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25
              Mar 25, 2025 07:50:18.721682072 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25
              Mar 25, 2025 07:50:18.725678921 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 25, 2025 07:50:18.725711107 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 25, 2025 07:50:18.768337011 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
              Mar 25, 2025 07:50:18.772325039 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25
              Mar 25, 2025 07:50:18.881537914 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
              Mar 25, 2025 07:50:18.881764889 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
              Mar 25, 2025 07:50:18.881874084 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 25, 2025 07:50:18.882814884 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 25, 2025 07:50:18.882814884 CET | 49698 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 25, 2025 07:50:18.882846117 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
              Mar 25, 2025 07:50:18.882852077 CET | 443 | 49698 | 13.107.246.40 | 192.168.2.25
              Mar 25, 2025 07:50:18.889693022 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25
              Mar 25, 2025 07:50:18.889756918 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25
              Mar 25, 2025 07:50:18.889808893 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 25, 2025 07:50:18.889837980 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25
              Mar 25, 2025 07:50:18.890353918 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25
              Mar 25, 2025 07:50:18.890505075 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 25, 2025 07:50:18.890746117 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 25, 2025 07:50:18.890746117 CET | 49697 | 443 | 192.168.2.25 | 13.107.246.40
              Mar 25, 2025 07:50:18.890763044 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25
              Mar 25, 2025 07:50:18.890774012 CET | 443 | 49697 | 13.107.246.40 | 192.168.2.25
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Mar 25, 2025 07:50:18.314094067 CET | 55344 | 53 | 192.168.2.25 | 1.1.1.1
              Mar 25, 2025 07:50:18.411710024 CET | 53 | 55344 | 1.1.1.1 | 192.168.2.25
              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
              Mar 25, 2025 07:50:18.314094067 CET | 192.168.2.25 | 1.1.1.1 | 0x33bf | Standard query (0) | otelrules.svc.static.microsoft | A (IP address) | IN (0x0001) | false
              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
              Mar 25, 2025 07:49:13.038856983 CET | 1.1.1.1 | 192.168.2.25 | 0x8024 | No error (0) | ecs-office.s-0005.dual-s-msedge.net | s-0005.dual-s-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
              Mar 25, 2025 07:49:13.038856983 CET | 1.1.1.1 | 192.168.2.25 | 0x8024 | No error (0) | s-0005.dual-s-msedge.net | - | 52.123.128.14 | A (IP address) | IN (0x0001) | false
              Mar 25, 2025 07:49:13.038856983 CET | 1.1.1.1 | 192.168.2.25 | 0x8024 | No error (0) | s-0005.dual-s-msedge.net | - | 52.123.129.14 | A (IP address) | IN (0x0001) | false
              Mar 25, 2025 07:50:15.314155102 CET | 1.1.1.1 | 192.168.2.25 | 0xbd46 | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.214.172 | A (IP address) | IN (0x0001) | false
              Mar 25, 2025 07:50:15.314155102 CET | 1.1.1.1 | 192.168.2.25 | 0xbd46 | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.210.172 | A (IP address) | IN (0x0001) | false
              Mar 25, 2025 07:50:18.411710024 CET | 1.1.1.1 | 192.168.2.25 | 0x33bf | No error (0) | otelrules.svc.static.microsoft | otelrules-bzhndjfje8dvh5fd.z01.azurefd.net | - | CNAME (Canonical name) | IN (0x0001) | false
              Mar 25, 2025 07:50:18.411710024 CET | 1.1.1.1 | 192.168.2.25 | 0x33bf | No error (0) | otelrules-bzhndjfje8dvh5fd.z01.azurefd.net | star-azurefd-prod.trafficmanager.net | - | CNAME (Canonical name) | IN (0x0001) | false
              Mar 25, 2025 07:50:18.411710024 CET | 1.1.1.1 | 192.168.2.25 | 0x33bf | No error (0) | star-azurefd-prod.trafficmanager.net | shed.dual-low.s-part-0012.t-0009.t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
              Mar 25, 2025 07:50:18.411710024 CET | 1.1.1.1 | 192.168.2.25 | 0x33bf | No error (0) | shed.dual-low.s-part-0012.t-0009.t-msedge.net | s-part-0012.t-0009.t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
              Mar 25, 2025 07:50:18.411710024 CET | 1.1.1.1 | 192.168.2.25 | 0x33bf | No error (0) | s-part-0012.t-0009.t-msedge.net | - | 13.107.246.40 | A (IP address) | IN (0x0001) | false
              • otelrules.svc.static.microsoft
              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              0 | 192.168.2.25 | 49697 | 13.107.246.40 | 443 | 7784 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              Timestamp | Bytes transferred | Direction | Data
              2025-03-25 06:50:18 UTC | 215 | OUT | GET /rules/rule120201v19s19.xml HTTP/1.1
              Connection: Keep-Alive
              Accept-Encoding: gzip
              User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.18129; Pro)
              Host: otelrules.svc.static.microsoft
              2025-03-25 06:50:18 UTC | 515 | IN | HTTP/1.1 200 OK
              Date: Tue, 25 Mar 2025 06:50:18 GMT
              Content-Type: text/xml
              Content-Length: 2781
              Connection: close
              Vary: Accept-Encoding
              Cache-Control: public, max-age=604800, immutable
              Last-Modified: Tue, 31 Dec 2024 22:07:50 GMT
              ETag: "0x8DD29E791389B5C"
              x-ms-request-id: 873b033d-901e-0029-152a-9d274a000000
              x-ms-version: 2018-03-28
              x-azure-ref: 20250325T065018Z-17cccd5449bvj9xqhC1EWRh59s0000000d2g000000000002
              x-fd-int-roxy-purgeid: 0
              X-Cache-Info: L1_T2
              X-Cache: TCP_HIT
              Accept-Ranges: bytes
              2025-03-25 06:50:18 UTC | 2781 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 32 30 32 30 31 22 20 56 3d 22 31 39 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 53 79 73 74 65 6d 2e 53 79 73 74 65 6d 48 65 61 6c 74 68 55 73 61 67 65 2e 43 6c 69 63 6b 53 74 72 65 61 6d 22 20 41 54 54 3d 22 63 64 38 33 36 36 32 36 36 31 31 63 34 63 61 61 61 38 66 63 35 62 32 65 37 32 38 65 65 38 31 64 2d 33 62 36 64 36 63 34 35 2d 36 33 37 37 2d 34 62 66 35 2d 39 37 39 32 2d 64 62 66 38 65 31 38 38 31 30 38 38 2d 37 35 32 31 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 55 73 61 67 65 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 52 49 53 3e 0d 0a 20 20 20
              Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120201" V="19" DC="SM" EN="Office.System.SystemHealthUsage.ClickStream" ATT="cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521" SP="CriticalUsage" DCa="PSU" xmlns=""> <RIS>


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              1 | 192.168.2.25 | 49698 | 13.107.246.40 | 443 | 7784 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              Timestamp | Bytes transferred | Direction | Data
              2025-03-25 06:50:18 UTC | 214 | OUT | GET /rules/rule170146v0s19.xml HTTP/1.1
              Connection: Keep-Alive
              Accept-Encoding: gzip
              User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.18129; Pro)
              Host: otelrules.svc.static.microsoft
              2025-03-25 06:50:18 UTC | 491 | IN | HTTP/1.1 200 OK
              Date: Tue, 25 Mar 2025 06:50:18 GMT
              Content-Type: text/xml
              Content-Length: 461
              Connection: close
              Cache-Control: public, max-age=604800, immutable
              Last-Modified: Thu, 14 Nov 2024 16:14:57 GMT
              ETag: "0x8DD04C77BDE7614"
              x-ms-request-id: 5b1a42a6-401e-0083-373e-9d075c000000
              x-ms-version: 2018-03-28
              x-azure-ref: 20250325T065018Z-17cccd5449bqvwqkhC1EWR1rfs0000000d0g00000000248n
              x-fd-int-roxy-purgeid: 0
              X-Cache-Info: L1_T2
              X-Cache: TCP_HIT
              Accept-Ranges: bytes
              2025-03-25 06:50:18 UTC | 461 | IN | Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 31 37 30 31 34 36 22 20 56 3d 22 30 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 47 72 61 70 68 69 63 73 2e 45 78 70 6f 72 74 42 75 6c 6c 65 74 42 6c 69 70 43 45 78 63 65 70 74 69 6f 6e 22 20 41 54 54 3d 22 63 66 63 66 64 62 39 31 63 36 38 63 34 33 32 39 62 62 38 62 37 63 62 37 62 61 62 62 33 63 66 37 2d 65 30 38 32 63 32 66 32 2d 65 66 31 64 2d 34 32 37 61 2d 61 63 34 64 2d 62 30 62 37 30 30 61 66 65 37 61 37 2d 37 36 35 35 22 20 44 43 61 3d 22 50 53 55 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 54 53 20 54 3d 22 31 22 20 49 64 3d 22 34 38 39 66 34 22 20
              Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="170146" V="0" DC="SM" EN="Office.Graphics.ExportBulletBlipCException" ATT="cfcfdb91c68c4329bb8b7cb7babb3cf7-e082c2f2-ef1d-427a-ac4d-b0b700afe7a7-7655" DCa="PSU" xmlns=""> <S> <UTS T="1" Id="489f4"


              Target ID:0
              Start time:02:49:08
              Start date:25/03/2025
              Path:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              Wow64 process (32bit):false
              Commandline:"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
              Imagebase:0x7ff78ee50000
              File size:70'082'712 bytes
              MD5 hash:F9F7B6C42211B06E7AC3E4B60AA8FB77
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate
              Has exited:false

              Target ID:6
              Start time:02:49:19
              Start date:25/03/2025
              Path:C:\Windows\System32\appidpolicyconverter.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\system32\appidpolicyconverter.exe"
              Imagebase:0x7ff7beab0000
              File size:155'648 bytes
              MD5 hash:6567D9CF2545FAAC60974D9D682700D4
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate
              Has exited:true

              Target ID:7
              Start time:02:49:20
              Start date:25/03/2025
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff729690000
              File size:1'040'384 bytes
              MD5 hash:9698384842DA735D80D278A427A229AB
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate
              Has exited:true

              Target ID:12
              Start time:02:50:12
              Start date:25/03/2025
              Path:C:\Windows\splwow64.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\splwow64.exe 12288
              Imagebase:0x7ff743be0000
              File size:192'512 bytes
              MD5 hash:AF4A7EBF6114EE9E6FBCC910EC3C96E6
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate
              Has exited:false

              No disassembly