
Windows Analysis Report
quotation_1.xlsx

Overview

General Information

Sample name: quotation_1.xlsx
Analysis ID: 1647954
MD5: d605ac3af2f2df976d97079ad4403230
SHA1: a0418b45d8b5d26f4df1b773276983c969ca04b6
SHA256: ff7eab60677d54572eecafca54c450d04aa49462ec7f71f44f0af67268ae8312
Tags: xlsx, user-TeamDreier

Detection

Score: 64
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Yara signature match

Classification

Classification chart (axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
  • System is w11x64_office
  • EXCEL.EXE (PID: 7144 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: F9F7B6C42211B06E7AC3E4B60AA8FB77)
    • splwow64.exe (PID: 884 cmdline: C:\Windows\splwow64.exe 12288 MD5: AF4A7EBF6114EE9E6FBCC910EC3C96E6)
  • cleanup
No configs have been found
Yara match:
  • Source: sheet1.xml
  • Rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document
  • Description: detects AutoLoad documents using LegacyDrawing
  • Author: ditekSHen
  • Strings:
    • 0x1bb:$s1: <legacyDrawing r:id="
    • 0x1e3:$s2: <oleObject progId="
    • 0x229:$s3: autoLoad="true"

System Summary

Source: Network Connection; Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton; Data: DestinationIp: 13.107.246.40, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7144, Protocol: tcp, SourceIp: 192.168.2.26, SourceIsIpv6: false, SourcePort: 49713
Source: Network Connection; Author: X__Junior (Nextron Systems); Data: DestinationIp: 192.168.2.26, DestinationIsIpv6: false, DestinationPort: 49713, EventID: 3, Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7144, Protocol: tcp, SourceIp: 13.107.246.40, SourceIsIpv6: false, SourcePort: 443
No Suricata rule has matched



AV Detection

Source: quotation_1.xlsx; Avira: detected
Source: quotation_1.xlsx; Virustotal: Detection: 53%
Source: quotation_1.xlsx; ReversingLabs: Detection: 71%
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Directory created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll
Source: unknown; HTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.26:49713 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.26:49714 version: TLS 1.2
Source: global traffic; DNS query: name: otelrules.svc.static.microsoft
Source: Joe Sandbox View; IP Address: 13.107.246.40
Source: Joe Sandbox View; JA3 fingerprint: 258a5a1e95b8a911872bae9081526644
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected: GET /rules/rule120201v19s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.18129; Pro) | Host: otelrules.svc.static.microsoft
Source: global traffic; HTTP traffic detected: GET /rules/rule170146v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.18129; Pro) | Host: otelrules.svc.static.microsoft
Source: global traffic; DNS traffic detected: DNS query: otelrules.svc.static.microsoft
Source: Primary1742903630188879300_3FAB2AD7-4636-4D65-8AFA-6B159E9B468A.log.0.dr; String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.41/flatfontassets.pkg
Source: unknown; Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49713

System Summary

Source: sheet1.xml, type: SAMPLE; Matched rule: detects AutoLoad documents using LegacyDrawing Author: ditekSHen
Source: sheet1.xml, type: SAMPLE; Matched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document author = ditekSHen, description = detects AutoLoad documents using LegacyDrawing
Source: classification engine; Classification label: mal64.winXLSX@3/6@1/1
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; File created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; File created: C:\Users\user\Desktop\~$quotation_1.xlsx
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\{3FAB2AD7-4636-4D65-8AFA-6B159E9B468A} - OProcSessId.dat
Source: quotation_1.xlsx; OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; File read: C:\Users\desktop.ini
Source: quotation_1.xlsx; Virustotal: Detection: 53%
Source: quotation_1.xlsx; ReversingLabs: Detection: 71%
Source: unknown; Process created: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Directory created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml
Source: quotation_1.xlsx; Static file information: File size 1614337 > 1048576
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; File opened: C:\Program Files\Microsoft Office\root\vfs\System\MSVCR100.dll
Source: quotation_1.xlsx; Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe; Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe; Window / User API: threadDelayed 837
Source: C:\Windows\splwow64.exe; Last function: Thread delayed
Source: C:\Windows\splwow64.exe; Thread delayed: delay time: 120000
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; Process information queried: ProcessInformation
MITRE ATT&CK matrix (matched techniques only, with the number of matching signatures; tactics without a match: Reconnaissance, Resource Development, Initial Access, Persistence, Credential Access, Lateral Movement, Collection, Exfiltration, Impact):
  • Execution: Exploitation for Client Execution (3)
  • Privilege Escalation: Process Injection (1)
  • Defense Evasion: Masquerading (3), Virtualization/Sandbox Evasion (1), Process Injection (1)
  • Discovery: Process Discovery (1), Virtualization/Sandbox Evasion (1), Application Window Discovery (1), File and Directory Discovery (1), System Information Discovery (1)
  • Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (2), Application Layer Protocol (3), Ingress Tool Transfer (1)
Behavior Graph (ID: 1647954; Sample: quotation_1.xlsx; Start date: 25/03/2025; Architecture: WINDOWS; Score: 64)
  • Start node: DNS/IP contacts star-azurefd-prod.trafficmanager.net, shed.dual-low.s-part-0012.t-0009.t-msedge.net and 3 other IPs or domains; signatures: Malicious sample detected (through community Yara rule), Antivirus / Scanner detection for submitted sample, Multi AV Scanner detection for submitted file
  • EXCEL.EXE started: contacts s-part-0012.t-0009.t-msedge.net (13.107.246.40, port 443, source ports 49713 and 49714; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); dropped C:\Users\user\Desktop\~$quotation_1.xlsx (data)
    • splwow64.exe started

Antivirus results (Source | Detection | Scanner | Label):
  • quotation_1.xlsx | 54% | Virustotal
  • quotation_1.xlsx | 71% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882
  • quotation_1.xlsx | 100% | Avira | EXP/CVE-2017-11882.Gen
No Antivirus matches


Domains (Name | IP | Active | Malicious | Reputation):
  • s-part-0012.t-0009.t-msedge.net | 13.107.246.40 | true | false | high
  • a726.dscd.akamai.net | 23.57.90.74 | true | false | high
  • s-0005.dual-s-msedge.net | 52.123.128.14 | true | false | high
  • otelrules.svc.static.microsoft | unknown | unknown | false | high

URLs (Name | Malicious | Reputation):
  • https://otelrules.svc.static.microsoft/rules/rule170146v0s19.xml | false | high
  • https://otelrules.svc.static.microsoft/rules/rule120201v19s19.xml | false | high
IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
  • 13.107.246.40 | s-part-0012.t-0009.t-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1647954
Start date and time: 2025-03-25 12:52:25 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 30s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Run name: Potential for more IOCs and behavior
Number of analysed new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: quotation_1.xlsx
Detection: MAL
Classification: mal64.winXLSX@3/6@1/1
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .xlsx
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Active ActiveX Object
  • Scroll down
  • Close Viewer
  • Exclude process from analysis (whitelisted): SecurityHealthHost.exe, dllhost.exe, sppsvc.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SystemSettingsBroker.exe, appidcertstorecheck.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.109.8.89, 52.109.6.63, 23.44.136.164, 23.44.136.184, 52.111.227.28, 20.42.73.26, 172.202.163.200, 52.123.128.14, 23.57.90.74, 20.190.152.22, 23.44.136.151, 52.149.20.212
  • Excluded domains from analysis (whitelisted): us1.odcsm1.live.com.akadns.net, odc.officeapps.live.com, slscr.update.microsoft.com, cus-config.officeapps.live.com, res-1.cdn.office.net, eus2-azsc-000.roaming.officeapps.live.com, osiprod-eus2-buff-azsc-000.eastus2.cloudapp.azure.com, mobile.events.data.microsoft.com, roaming.officeapps.live.com, dual-s-0005-office.config.skype.com, login.live.com, teams-staticscdn.trafficmanager.net, onedscolprdeus09.eastus.cloudapp.azure.com, officeclient.microsoft.com, c.pki.goog, osiprod-cus-bronze-azsc-000.centralus.cloudapp.azure.com, statics.teams.cdn.office.net, a1813.dscd.akamai.nEt, ecs.office.com, prod.configsvc1.live.com.akadns.net, uci.cdn.office.net, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, cus-azsc-000.odc.officeapps.live.com, res-stls-prod.edgesuite.net, fe3cr.delivery.mp.microsoft.com, us1.roaming1.live.com.akadns.net, res-prod.trafficmanager.net, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, statics.teams.cdn.office.net-c.edg
  • Not all processes where analyzed, report is missing behavior information
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
  • Report size getting too big, too many NtSetValueKey calls found.
Time: 07:54:55; Type: API Interceptor; Description: 869x Sleep call for process: splwow64.exe modified
              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
              13.107.246.40Payment Transfer Receipt.shtmlGet hashmaliciousHTMLPhisherBrowse
              • www.aib.gov.uk/
              NEW ORDER.xlsGet hashmaliciousUnknownBrowse
              • 2s.gg/3zs
              PO_OCF 408.xlsGet hashmaliciousUnknownBrowse
              • 2s.gg/42Q
              06836722_218 Aluplast.docx.docGet hashmaliciousUnknownBrowse
              • 2s.gg/3zk
              Quotation.xlsGet hashmaliciousUnknownBrowse
              • 2s.gg/3zM
              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
              a726.dscd.akamai.netUntitled_20250325.docx.docGet hashmaliciousUnknownBrowse
              • 23.57.90.76
              Sales Contract_1.docxGet hashmaliciousUnknownBrowse
              • 23.57.90.80
              https://1drv.ms/o/s!Aij0JRNQrbnneSfOXvmQkoge4b0?e=GSyDcyGet hashmaliciousUnknownBrowse
              • 23.44.133.49
              FILLING SUMMON DOCUMENT.docxGet hashmaliciousHTMLPhisherBrowse
              • 2.16.168.122
              New Order.docxGet hashmaliciousUnknownBrowse
              • 23.219.36.134
              Ordersheet_NanshaGA-012.docxGet hashmaliciousUnknownBrowse
              • 23.219.36.134
              BL 248436935 CNTR MRKU9180226.docx.docGet hashmaliciousUnknownBrowse
              • 23.219.36.135
              PURCHASE ORDER 5172025.xla.xlsxGet hashmaliciousUnknownBrowse
              • 23.219.36.135
              SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsxGet hashmaliciousUnknownBrowse
              • 23.219.36.135
              original (2).emlGet hashmaliciousUnknownBrowse
              • 23.200.0.200
              s-part-0012.t-0009.t-msedge.nethttps://1drv.ms/o/s!Aij0JRNQrbnneSfOXvmQkoge4b0?e=GSyDcyGet hashmaliciousUnknownBrowse
              • 13.107.246.40
              PO#45028.xlam.xlsxGet hashmaliciousUnknownBrowse
              • 13.107.246.40
              Nuevo comando_BR WJO-3-24-2025.xlam.xlsxGet hashmaliciousUnknownBrowse
              • 13.107.246.40
              PO#45028.xlam.xlsxGet hashmaliciousUnknownBrowse
              • 13.107.246.40
              Nuevo comando_BR WJO-3-24-2025.xlam.xlsxGet hashmaliciousUnknownBrowse
              • 13.107.246.40
              PURCHASE ORDER 5172025.xla.xlsxGet hashmaliciousUnknownBrowse
              • 13.107.246.40
              PURCHASE ORDER 5172025.xla.xlsxGet hashmaliciousUnknownBrowse
              • 13.107.246.40
              YourToDo.svgGet hashmaliciousHTMLPhisherBrowse
              • 13.107.246.40
              SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsxGet hashmaliciousUnknownBrowse
              • 13.107.246.40
              SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsxGet hashmaliciousUnknownBrowse
              • 13.107.246.40
              Match: MICROSOFT-CORP-MSN-AS-BLOCKUS
              Associated Sample Name / URL | Detection | Threat Name | Context
              https://1drv.ms/o/s!Aij0JRNQrbnneSfOXvmQkoge4b0?e=GSyDcy | malicious | Unknown | 52.111.229.20
              PL143_1400277334_2025032512033713_213128_00001..exe | malicious | FormBook | 204.79.197.203
              https://events.trustifi.com/api/o/v1/click/67e1c733234184b4ce4f8e2f/fff2f3/37054a/3dc20b/bc3eb8/514a43/16c432/a397cb/c8b81b/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/d2da7c/c26086/829bf6/bead54/704ec1/98daf0/f14b01/f75b40/3bddbc/f38244/49df71/6488f7/9fe5a2/9316cf/d42000/8a1965/9f3267/7b0314/ff3404/33714b/38592e/663c1b/a68c06/81bdb9/55f3ba/3227ca/c52e0b/b3d81e/bc87ef/3e01c3/c02f2b/c10126/2c2594/5e440a/f959ff/c57b2f/efcd67/374391/8b178d/48abaa/b08791/050386/50fe70/daf655/c76e6a/ff2019/597b28/f8c802/04d13e/1f0114/53ccda/d5b926/2701b7/b4e6e7/2cab45/4bd167/f78947/7376ee/dc5bca/d9ca29/561603/a2a34e/11b832/fcbef7/b19b1a/892ca4/7858a9/b64a88/dce9cf/4973dc/0ae7f4/73fc3d/a09197/497515/4c6a00/0d458a#khalid.alyahya@almosafer.com | malicious | Invisible JS, Tycoon2FA | 13.107.246.60
              PO#45028.xlam.xlsx | malicious | Unknown | 13.107.246.40
              Nuevo comando_BR WJO-3-24-2025.xlam.xlsx | malicious | Unknown | 13.107.246.40
              TEKLIF_0324.exe | malicious | FormBook | 204.79.197.203
              PO#45028.xlam.xlsx | malicious | Unknown | 13.107.246.40
              Nuevo comando_BR WJO-3-24-2025.xlam.xlsx | malicious | Unknown | 13.107.246.40
              PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 20.49.104.35
              Match: 258a5a1e95b8a911872bae9081526644
              Associated Sample Name / URL | Detection | Threat Name | Context
              Untitled_20250325.docx.doc | malicious | Unknown | 13.107.246.40
              PO#45028.xlam.xlsx | malicious | Unknown | 13.107.246.40
              Nuevo comando_BR WJO-3-24-2025.xlam.xlsx | malicious | Unknown | 13.107.246.40
              BL 248436935 CNTR MRKU9180226.docx.doc | malicious | Unknown | 13.107.246.40
              PURCHASE ORDER 5172025.xla.xlsx | malicious | Unknown | 13.107.246.40
              SecuriteInfo.com.Other.Malware-gen.24773.2907.xlsx | malicious | Unknown | 13.107.246.40
              CMR ReF 15200477813.docx.doc | malicious | Unknown | 13.107.246.40
              PRE#U00c7O - RFQ 674441-76450.xla.xlsx | malicious | Unknown | 13.107.246.40
              PURCHASE ORDER - PO#267759.xlam.xlsx | malicious | Unknown | 13.107.246.40
              Medical GmbH Order.xls | malicious | Unknown | 13.107.246.40
              No context
              Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category:dropped
              Size (bytes):118
              Entropy (8bit):3.5700810731231707
              Encrypted:false
              SSDEEP:3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
              MD5:573220372DA4ED487441611079B623CD
              SHA1:8F9D967AC6EF34640F1F0845214FBC6994C0CB80
              SHA-256:BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
              SHA-512:F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
              Malicious:false
              Reputation:high, very likely benign file
              Preview (UTF-16 decoded):<?xml version="1.0" encoding="UTF-16"?><HeartbeatCache/>
              Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              File Type:data
              Category:dropped
              Size (bytes):20971520
              Entropy (8bit):8.112143835430977E-5
              Encrypted:false
              SSDEEP:3:Tuekk9NJtHFfs1XsExe/t:qeVJ8
              MD5:AFDEAC461EEC32D754D8E6017E845D21
              SHA1:5D0874C19B70638A0737696AEEE55BFCC80D7ED8
              SHA-256:3A96B02F6A09F6A6FAC2A44A5842FF9AEB17EB4D633E48ABF6ADDF6FB447C7E2
              SHA-512:CAB6B8F9FFDBD80210F42219BAC8F1124D6C0B6995C5128995F7F48CED8EF0F2159EA06A2CD09B1FDCD409719F94A7DB437C708D3B1FDA01FDC80141A4595FC7
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation
              Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              File Type:data
              Category:dropped
              Size (bytes):20971520
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3::
              MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
              SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
              SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
              SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
              Malicious:false
              Reputation:high, very likely benign file
              Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              File Type:ASCII text, with very long lines (28620), with CRLF line terminators
              Category:dropped
              Size (bytes):20971520
              Entropy (8bit):0.20960107318143942
              Encrypted:false
              SSDEEP:1536:9/NQtoj3xpKF0TddL/8cZO1pgzRmjY1L3rfGdhaFY0U0ghzxj+fSfP7Uf/hWtzZw:9YoyKhdLggzRSJllB9VrqgL49
              MD5:53471567743D3D8FA015E1CA3958FBEC
              SHA1:D4DBCE2F2DE8BA63FE6730D6A090EFD96EDAFF45
              SHA-256:2B373088DD630908CD77DB89B29B6A7EA1E055A9CB77C1C614274F2D93D23397
              SHA-512:7E3A5D72EF08EDA8E2A3F665F4E8343FCB20FED9809CCDEA68323B3741E5A1D568C24416A5F0E2B0F7AD23616AF8DAF09CEF9AEBB7879BEFFA88255E722CB5F2
              Malicious:false
              Reputation:low
              Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..03/25/2025 11:53:50.252.EXCEL (0x1BE8).0xFD4.Microsoft Excel.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Experimentation.FeatureQueryBatched","Flags":33777005812056321,"InternalSequenceNumber":17,"Time":"2025-03-25T11:53:50.236Z","Data.Sequence":0,"Data.Count":128,"Data.Features":"[ { \"ID\" : 1, \"N\" : \"Microsoft.Office.Telemetry.TrackCPSWrites\", \"V\" : false, \"S\" : 1, \"P\" : 0, \"T\" : \"2025-03-25T11:53:48.8408852Z\", \"C\" : \"33\", \"Q\" : 0.0, \"M\" : 0, \"F\" : 5 }, { \"ID\" : 1, \"N\" : \"Microsoft.Office.Telemetry.CPSMaxWrites\", \"V\" : 2, \"S\" : 1, \"P\" : 0, \"T\" : \"2025-03-25T11:53:48.8408852Z\", \"C\" : \"33\", \"Q\" : 0.0, \"M\" : 0, \"F\" : 5 }, { \"ID\" : 1, \"N\" : \"Microsoft.Office.Word.UAEOnSafeModeEnabled\", \"V\" : true, \"S\" : 1, \"P\" : 0, \"T\" : \"2025-03-25T11:53:48.8408852Z\", \"C\" : \"\", \"Q\" : 8.0, \"M\" : 0, \"F\" : 5, \"G\" : \"Opt\" }, { \"ID\" : 1, \"N
              Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              File Type:data
              Category:dropped
              Size (bytes):20971520
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:3::
              MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
              SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
              SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
              SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
              Malicious:false
              Process:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              File Type:data
              Category:dropped
              Size (bytes):165
              Entropy (8bit):1.4377382811115937
              Encrypted:false
              SSDEEP:3:E4FFN/EDPWlFlfv:1FWilffv
              MD5:47A294922BE037C38D73C866A3F7F5E0
              SHA1:E165F663BF052660CF1858D065388CC128E631D2
              SHA-256:34033A21A8D54B0627C089E5C6A6C3AD6CE045DF86ACDED6A31D9613B879C265
              SHA-512:F46ABEEF0E3ED4B80B2C996E44E6E103FE22D12F5BF461708AE401C1C5F8CAC3718068C2D7FF0A1995A0866E473AB1DF6A20A4BD12211B9BAA99EB4535CFE83A
              Malicious:true
              Preview:.user ..G.a.n.j.i.
              File type:Microsoft Excel 2007+
              Entropy (8bit):7.998552885008379
              TrID:
              • Excel Microsoft Office Open XML Format document (35004/1) 81.40%
              • ZIP compressed archive (8000/1) 18.60%
              File name:quotation_1.xlsx
              File size:1'614'337 bytes
              MD5:d605ac3af2f2df976d97079ad4403230
              SHA1:a0418b45d8b5d26f4df1b773276983c969ca04b6
              SHA256:ff7eab60677d54572eecafca54c450d04aa49462ec7f71f44f0af67268ae8312
              SHA512:cf5433b5fc95750484bfed8f3ab84751fcaed98bba80518d918e6fe4a6ff2dc8362a3647e07cf91e333675f71b86913ec09a99c726863845727bc33e4532e3ca
              SSDEEP:24576:eioOz5APfi+5wWmqbPfX5kEywTE8zKFemyGOt2/yySP00Ivth66Gdqg71g:eyz5AHRrPP5dyGnm9Ot2xrur71g
              TLSH:F275336DA27C4848DA3CA53BD28C152EC95D2984F45C905E3BB432FE58D9C0BF2749EE
              Icon Hash:35e58a8c0c8a85b9
              Document Type:OpenXML
              Number of OLE Files:1
              Has Summary Info:
              Application Name:
              Encrypted Document:False
              Contains Word Document Stream:False
              Contains Workbook/Book Stream:True
              Contains PowerPoint Document Stream:False
              Contains Visio Document Stream:False
              Contains ObjectPool Stream:False
              Flash Objects Count:0
              Contains VBA Macros:False
              Author:ctrl
              Last Saved By:ctrl
              Create Time:2022-11-18T02:05:27Z
              Last Saved Time:2022-11-18T02:07:12Z
              Creating Application:Microsoft Excel
              Security:0
              Thumbnail Scaling Desired:false
              Contains Dirty Links:false
              Shared Document:false
              Changed Hyperlinks:false
              Application Version:12.0000
              General
              Stream Path:\x1OLe10NatiVE
              CLSID:
              File Type:data
              Stream Size:1867055
              Entropy:7.558757514744515
              Base64 Encoded:True
              General
              Stream Path:02Gmz
              CLSID:
              File Type:empty
              Stream Size:0
              Entropy:0.0
              Base64 Encoded:False
              Data ASCII:
              Data Raw:


              • Total Packets: 19
              • 443 (HTTPS)
              • 53 (DNS)
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Mar 25, 2025 12:54:56.877408028 CET | 54724 | 53 | 192.168.2.26 | 1.1.1.1
              Mar 25, 2025 12:54:56.976598978 CET | 53 | 54724 | 1.1.1.1 | 192.168.2.26
              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
              Mar 25, 2025 12:54:56.877408028 CET | 192.168.2.26 | 1.1.1.1 | 0x8e9 | Standard query (0) | otelrules.svc.static.microsoft | A (IP address) | IN (0x0001) | false
              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
              Mar 25, 2025 12:53:52.267153978 CET | 1.1.1.1 | 192.168.2.26 | 0xabd | No error (0) | ecs-office.s-0005.dual-s-msedge.net | s-0005.dual-s-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
              Mar 25, 2025 12:53:52.267153978 CET | 1.1.1.1 | 192.168.2.26 | 0xabd | No error (0) | s-0005.dual-s-msedge.net | - | 52.123.128.14 | A (IP address) | IN (0x0001) | false
              Mar 25, 2025 12:53:52.267153978 CET | 1.1.1.1 | 192.168.2.26 | 0xabd | No error (0) | s-0005.dual-s-msedge.net | - | 52.123.129.14 | A (IP address) | IN (0x0001) | false
              Mar 25, 2025 12:53:56.620110989 CET | 1.1.1.1 | 192.168.2.26 | 0x8d15 | No error (0) | res-stls-prod.edgesuite.net.globalredir.akadns88.net | a726.dscd.akamai.net | - | CNAME (Canonical name) | IN (0x0001) | false
              Mar 25, 2025 12:53:56.620110989 CET | 1.1.1.1 | 192.168.2.26 | 0x8d15 | No error (0) | a726.dscd.akamai.net | - | 23.57.90.74 | A (IP address) | IN (0x0001) | false
              Mar 25, 2025 12:53:56.620110989 CET | 1.1.1.1 | 192.168.2.26 | 0x8d15 | No error (0) | a726.dscd.akamai.net | - | 23.57.90.81 | A (IP address) | IN (0x0001) | false
              Mar 25, 2025 12:53:56.620110989 CET | 1.1.1.1 | 192.168.2.26 | 0x8d15 | No error (0) | a726.dscd.akamai.net | - | 23.57.90.69 | A (IP address) | IN (0x0001) | false
              Mar 25, 2025 12:54:12.013972998 CET | 1.1.1.1 | 192.168.2.26 | 0xb8d8 | No error (0) | res-stls-prod.edgesuite.net.globalredir.akadns88.net | a726.dscd.akamai.net | - | CNAME (Canonical name) | IN (0x0001) | false
              Mar 25, 2025 12:54:12.013972998 CET | 1.1.1.1 | 192.168.2.26 | 0xb8d8 | No error (0) | a726.dscd.akamai.net | - | 23.44.136.151 | A (IP address) | IN (0x0001) | false
              Mar 25, 2025 12:54:12.013972998 CET | 1.1.1.1 | 192.168.2.26 | 0xb8d8 | No error (0) | a726.dscd.akamai.net | - | 23.44.136.190 | A (IP address) | IN (0x0001) | false
              Mar 25, 2025 12:54:12.013972998 CET | 1.1.1.1 | 192.168.2.26 | 0xb8d8 | No error (0) | a726.dscd.akamai.net | - | 23.44.136.175 | A (IP address) | IN (0x0001) | false
              Mar 25, 2025 12:54:12.013972998 CET | 1.1.1.1 | 192.168.2.26 | 0xb8d8 | No error (0) | a726.dscd.akamai.net | - | 23.44.136.179 | A (IP address) | IN (0x0001) | false
              Mar 25, 2025 12:54:12.013972998 CET | 1.1.1.1 | 192.168.2.26 | 0xb8d8 | No error (0) | a726.dscd.akamai.net | - | 23.44.136.146 | A (IP address) | IN (0x0001) | false
              Mar 25, 2025 12:54:56.976598978 CET | 1.1.1.1 | 192.168.2.26 | 0x8e9 | No error (0) | otelrules.svc.static.microsoft | otelrules-bzhndjfje8dvh5fd.z01.azurefd.net | - | CNAME (Canonical name) | IN (0x0001) | false
              Mar 25, 2025 12:54:56.976598978 CET | 1.1.1.1 | 192.168.2.26 | 0x8e9 | No error (0) | otelrules-bzhndjfje8dvh5fd.z01.azurefd.net | star-azurefd-prod.trafficmanager.net | - | CNAME (Canonical name) | IN (0x0001) | false
              Mar 25, 2025 12:54:56.976598978 CET | 1.1.1.1 | 192.168.2.26 | 0x8e9 | No error (0) | star-azurefd-prod.trafficmanager.net | shed.dual-low.s-part-0012.t-0009.t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
              Mar 25, 2025 12:54:56.976598978 CET | 1.1.1.1 | 192.168.2.26 | 0x8e9 | No error (0) | shed.dual-low.s-part-0012.t-0009.t-msedge.net | s-part-0012.t-0009.t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
              Mar 25, 2025 12:54:56.976598978 CET | 1.1.1.1 | 192.168.2.26 | 0x8e9 | No error (0) | s-part-0012.t-0009.t-msedge.net | - | 13.107.246.40 | A (IP address) | IN (0x0001) | false
              • otelrules.svc.static.microsoft
              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              0 | 192.168.2.26 | 49713 | 13.107.246.40 | 443 | 7144 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              Timestamp | Bytes transferred | Direction | Data
              2025-03-25 11:54:57 UTC | 215 | OUT | GET /rules/rule120201v19s19.xml HTTP/1.1
              Connection: Keep-Alive
              Accept-Encoding: gzip
              User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.18129; Pro)
              Host: otelrules.svc.static.microsoft
              2025-03-25 11:54:57 UTC | 515 | IN | HTTP/1.1 200 OK
              Date: Tue, 25 Mar 2025 11:54:57 GMT
              Content-Type: text/xml
              Content-Length: 2781
              Connection: close
              Vary: Accept-Encoding
              Cache-Control: public, max-age=604800, immutable
              Last-Modified: Tue, 31 Dec 2024 22:07:50 GMT
              ETag: "0x8DD29E791389B5C"
              x-ms-request-id: 873b033d-901e-0029-152a-9d274a000000
              x-ms-version: 2018-03-28
              x-azure-ref: 20250325T115457Z-17cccd5449bzw64jhC1EWRz2340000000dm0000000006a4w
              x-fd-int-roxy-purgeid: 0
              X-Cache-Info: L1_T2
              X-Cache: TCP_HIT
              Accept-Ranges: bytes
              2025-03-25 11:54:57 UTC | 2781 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120201" V="19" DC="SM" EN="Office.System.SystemHealthUsage.ClickStream" ATT="cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521" SP="CriticalUsage" DCa="PSU" xmlns=""> <RIS>


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              1 | 192.168.2.26 | 49714 | 13.107.246.40 | 443 | 7144 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              Timestamp | Bytes transferred | Direction | Data
              2025-03-25 11:54:57 UTC | 214 | OUT | GET /rules/rule170146v0s19.xml HTTP/1.1
              Connection: Keep-Alive
              Accept-Encoding: gzip
              User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.18129; Pro)
              Host: otelrules.svc.static.microsoft
              2025-03-25 11:54:57 UTC | 491 | IN | HTTP/1.1 200 OK
              Date: Tue, 25 Mar 2025 11:54:57 GMT
              Content-Type: text/xml
              Content-Length: 461
              Connection: close
              Cache-Control: public, max-age=604800, immutable
              Last-Modified: Thu, 14 Nov 2024 16:14:57 GMT
              ETag: "0x8DD04C77BDE7614"
              x-ms-request-id: 5b1a42a6-401e-0083-373e-9d075c000000
              x-ms-version: 2018-03-28
              x-azure-ref: 20250325T115457Z-17cccd5449bxd7kxhC1EWRapns0000000dm0000000005mw0
              x-fd-int-roxy-purgeid: 0
              X-Cache-Info: L1_T2
              X-Cache: TCP_HIT
              Accept-Ranges: bytes
              2025-03-25 11:54:57 UTC | 461 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="170146" V="0" DC="SM" EN="Office.Graphics.ExportBulletBlipCException" ATT="cfcfdb91c68c4329bb8b7cb7babb3cf7-e082c2f2-ef1d-427a-ac4d-b0b700afe7a7-7655" DCa="PSU" xmlns=""> <S> <UTS T="1" Id="489f4"



              Target ID:0
              Start time:07:53:43
              Start date:25/03/2025
              Path:C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
              Wow64 process (32bit):false
              Commandline:"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
              Imagebase:0x7ff6a19c0000
              File size:70'082'712 bytes
              MD5 hash:F9F7B6C42211B06E7AC3E4B60AA8FB77
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate
              Has exited:false

              Target ID:16
              Start time:07:54:55
              Start date:25/03/2025
              Path:C:\Windows\splwow64.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\splwow64.exe 12288
              Imagebase:0x7ff729900000
              File size:192'512 bytes
              MD5 hash:AF4A7EBF6114EE9E6FBCC910EC3C96E6
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate
              Has exited:false

              No disassembly