Windows Analysis Report: quotation_1.xlsx

Overview / General Information

Detection

Score: | 64 |
Range: | 0 - 100 |
Confidence: | 100% |

Signatures / Classification

- System is w11x64_office
- Process tree:
  - EXCEL.EXE (PID: 7144, cmdline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding, MD5: F9F7B6C42211B06E7AC3E4B60AA8FB77)
  - splwow64.exe (PID: 884, cmdline: C:\Windows\splwow64.exe 12288, MD5: AF4A7EBF6114EE9E6FBCC910EC3C96E6)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| INDICATOR_XML_LegacyDrawing_AutoLoad_Document | detects AutoLoad documents using LegacyDrawing | ditekSHen | |

System Summary (Sigma rules; rule names not included) |
---|
Source: | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton |
Source: | Author: X__Junior (Nextron Systems) |
Signature sections:

- AV Detection
- Compliance
- Software Vulnerabilities
- Networking
- System Summary
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
AV Detection |
---|
Source: | Avira: |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Directory created: |
Source: | File opened: |

Networking |
---|
Signature values (hosts, ports, URLs) are not included; the signature types and their counts are:

- HTTPS traffic detected (4)
- DNS query (1)
- TCP traffic (59)
- IP Address (2)
- JA3 fingerprint (1)
- UDP traffic detected without corresponding DNS query (1)
- HTTP traffic detected (2)
- DNS traffic detected (1)
- String found in binary or memory (1)
- Network traffic detected (4)
System Summary and later sections |
---|
Signature values (paths, rule names, command lines) are not included; the signature types and their counts are:

- Matched rule (2)
- Classification label (1)
- File created (3)
- OLE indicator, Workbook stream (1)
- File read (1)
- Virustotal (1)
- ReversingLabs (1)
- Process created (3)
- Window detected (1)
- Key opened (1)
- Directory created (1)
- Static file information (1)
- File opened (1)
- Initial sample (1)
- Process information set (67)
- Window / User API (1)
- Last function (2)
- Thread delayed (2)
- Process information queried (1)
MITRE ATT&CK techniques matched (number of triggering signatures in front of each technique; the matrix's unmatched placeholder cells are omitted):

- Execution: 3 Exploitation for Client Execution
- Privilege Escalation: 1 Process Injection
- Defense Evasion: 3 Masquerading; 1 Virtualization/Sandbox Evasion; 1 Process Injection
- Discovery: 1 Process Discovery; 1 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 1 System Information Discovery
- Command and Control: 1 Encrypted Channel; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; 1 Ingress Tool Transfer
Source | Detection | Scanner | Label |
---|---|---|---|
| 54% | Virustotal | |
| 71% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882 |
| 100% | Avira | EXP/CVE-2017-11882.Gen |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
s-part-0012.t-0009.t-msedge.net | 13.107.246.40 | true | false | high | |
a726.dscd.akamai.net | 23.57.90.74 | true | false | high | |
s-0005.dual-s-msedge.net | 52.123.128.14 | true | false | high | |
otelrules.svc.static.microsoft | unknown | unknown | false | high |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
13.107.246.40 | s-part-0012.t-0009.t-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1647954 |
Start date and time: | 2025-03-25 12:52:25 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 30s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09 |
Run name: | Potential for more IOCs and behavior |
Number of new started processes analysed: | 19 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | quotation_1.xlsx |
Detection: | MAL |
Classification: | mal64.winXLSX@3/6@1/1 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): SecurityHealthHost.exe, dllhost.exe, sppsvc.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SystemSettingsBroker.exe, appidcertstorecheck.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 52.109.8.89, 52.109.6.63, 23.44.136.164, 23.44.136.184, 52.111.227.28, 20.42.73.26, 172.202.163.200, 52.123.128.14, 23.57.90.74, 20.190.152.22, 23.44.136.151, 52.149.20.212
- Excluded domains from analysis (whitelisted): us1.odcsm1.live.com.akadns.net, odc.officeapps.live.com, slscr.update.microsoft.com, cus-config.officeapps.live.com, res-1.cdn.office.net, eus2-azsc-000.roaming.officeapps.live.com, osiprod-eus2-buff-azsc-000.eastus2.cloudapp.azure.com, mobile.events.data.microsoft.com, roaming.officeapps.live.com, dual-s-0005-office.config.skype.com, login.live.com, teams-staticscdn.trafficmanager.net, onedscolprdeus09.eastus.cloudapp.azure.com, officeclient.microsoft.com, c.pki.goog, osiprod-cus-bronze-azsc-000.centralus.cloudapp.azure.com, statics.teams.cdn.office.net, a1813.dscd.akamai.nEt, ecs.office.com, prod.configsvc1.live.com.akadns.net, uci.cdn.office.net, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, cus-azsc-000.odc.officeapps.live.com, res-stls-prod.edgesuite.net, fe3cr.delivery.mp.microsoft.com, us1.roaming1.live.com.akadns.net, res-prod.trafficmanager.net, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, statics.teams.cdn.office.net-c.edg
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtCreateKey calls found.
- Report size getting too big, too many NtQueryAttributesFile calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- Report size getting too big, too many NtSetValueKey calls found.
Time | Type | Description |
---|---|---|
07:54:55 | API Interceptor |
Context: other samples previously seen contacting the same IP, domains, ASN and JA3 fingerprint (sample names, SHA-256 values and links are not included; counts are taken from the per-match rows).

Match | Associated samples | Detection | Threat names seen |
---|---|---|---|
13.107.246.40 | 5 | malicious | HTMLPhisher (1), Unknown (4) |
a726.dscd.akamai.net | 10 | malicious | HTMLPhisher (1), Unknown (9) |
s-part-0012.t-0009.t-msedge.net | 10 | malicious | HTMLPhisher (1), Unknown (9) |
MICROSOFT-CORP-MSN-AS-BLOCKUS (ASN) | 9 | malicious | FormBook (2), Invisible JS / Tycoon2FA (1), Unknown (6) |
258a5a1e95b8a911872bae9081526644 (JA3 fingerprint) | 10 | malicious | Unknown (10) |

These hosts are rated non-malicious with high reputation in the domain and IP tables above; they are shared Microsoft and Akamai CDN endpoints that Office contacts in the background, so their appearance in other malicious analyses does not by itself point to attacker infrastructure.
Process: | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 118 |
Entropy (8bit): | 3.5700810731231707 |
Encrypted: | false |
SSDEEP: | 3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq |
MD5: | 573220372DA4ED487441611079B623CD |
SHA1: | 8F9D967AC6EF34640F1F0845214FBC6994C0CB80 |
SHA-256: | BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D |
SHA-512: | F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7 |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 20971520 |
Entropy (8bit): | 8.112143835430977E-5 |
Encrypted: | false |
SSDEEP: | 3:Tuekk9NJtHFfs1XsExe/t:qeVJ8 |
MD5: | AFDEAC461EEC32D754D8E6017E845D21 |
SHA1: | 5D0874C19B70638A0737696AEEE55BFCC80D7ED8 |
SHA-256: | 3A96B02F6A09F6A6FAC2A44A5842FF9AEB17EB4D633E48ABF6ADDF6FB447C7E2 |
SHA-512: | CAB6B8F9FFDBD80210F42219BAC8F1124D6C0B6995C5128995F7F48CED8EF0F2159EA06A2CD09B1FDCD409719F94A7DB437C708D3B1FDA01FDC80141A4595FC7 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 20971520 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:: |
MD5: | 8F4E33F3DC3E414FF94E5FB6905CBA8C |
SHA1: | 9674344C90C2F0646F0B78026E127C9B86E3AD77 |
SHA-256: | CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC |
SHA-512: | 7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 20971520 |
Entropy (8bit): | 0.20960107318143942 |
Encrypted: | false |
SSDEEP: | 1536:9/NQtoj3xpKF0TddL/8cZO1pgzRmjY1L3rfGdhaFY0U0ghzxj+fSfP7Uf/hWtzZw:9YoyKhdLggzRSJllB9VrqgL49 |
MD5: | 53471567743D3D8FA015E1CA3958FBEC |
SHA1: | D4DBCE2F2DE8BA63FE6730D6A090EFD96EDAFF45 |
SHA-256: | 2B373088DD630908CD77DB89B29B6A7EA1E055A9CB77C1C614274F2D93D23397 |
SHA-512: | 7E3A5D72EF08EDA8E2A3F665F4E8343FCB20FED9809CCDEA68323B3741E5A1D568C24416A5F0E2B0F7AD23616AF8DAF09CEF9AEBB7879BEFFA88255E722CB5F2 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 20971520 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:: |
MD5: | 8F4E33F3DC3E414FF94E5FB6905CBA8C |
SHA1: | 9674344C90C2F0646F0B78026E127C9B86E3AD77 |
SHA-256: | CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC |
SHA-512: | 7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 165 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:E4FFN/EDPWlFlfv:1FWilffv |
MD5: | 47A294922BE037C38D73C866A3F7F5E0 |
SHA1: | E165F663BF052660CF1858D065388CC128E631D2 |
SHA-256: | 34033A21A8D54B0627C089E5C6A6C3AD6CE045DF86ACDED6A31D9613B879C265 |
SHA-512: | F46ABEEF0E3ED4B80B2C996E44E6E103FE22D12F5BF461708AE401C1C5F8CAC3718068C2D7FF0A1995A0866E473AB1DF6A20A4BD12211B9BAA99EB4535CFE83A |
Malicious: | true |
Preview: |
File type: | |
Entropy (8bit): | 7.998552885008379 |
TrID: | |
File name: | quotation_1.xlsx |
File size: | 1'614'337 bytes |
MD5: | d605ac3af2f2df976d97079ad4403230 |
SHA1: | a0418b45d8b5d26f4df1b773276983c969ca04b6 |
SHA256: | ff7eab60677d54572eecafca54c450d04aa49462ec7f71f44f0af67268ae8312 |
SHA512: | cf5433b5fc95750484bfed8f3ab84751fcaed98bba80518d918e6fe4a6ff2dc8362a3647e07cf91e333675f71b86913ec09a99c726863845727bc33e4532e3ca |
SSDEEP: | 24576:eioOz5APfi+5wWmqbPfX5kEywTE8zKFemyGOt2/yySP00Ivth66Gdqg71g:eyz5AHRrPP5dyGnm9Ot2xrur71g |
TLSH: | F275336DA27C4848DA3CA53BD28C152EC95D2984F45C905E3BB432FE58D9C0BF2749EE |
File Content Preview: | PK.........-yZ7.......c.......[Content_Types].xmlUT....A.g.A.g.A.g.U.N.1......n.S.....B..B"~@i/P........A01a".D7.L........K.-!D.l.Zy.e`.S.N..6zl..,..J.g.`........6.bFh..6C.w.G9.R..y.43q..H.a...s1..n6o.t..b....v.d h..P.|.%....Hl...r.c......&.7Z.$.|i.....L. |
Icon Hash: | 35e58a8c0c8a85b9 |
Document Type: | OpenXML |
Number of OLE Files: | 1 |
Has Summary Info: | |
Application Name: | |
Encrypted Document: | False |
Contains Word Document Stream: | False |
Contains Workbook/Book Stream: | True |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | False |
Flash Objects Count: | 0 |
Contains VBA Macros: | False |
Author: | |
Last Saved By: | |
Create Time: | 2022-11-18T02:05:27Z |
Last Saved Time: | 2022-11-18T02:07:12Z |
Creating Application: | |
Security: | 0 |
Thumbnail Scaling Desired: | false |
Contains Dirty Links: | false |
Shared Document: | false |
Changed Hyperlinks: | false |
Application Version: | 12.0000 |
OLE stream 1 (General) |
Stream Path: | \x1OLe10NatiVE |
CLSID: | |
File Type: | data |
Stream Size: | 1867055 |
Entropy: | 7.558757514744515 |
Base64 Encoded: | True |
Data ASCII: | _ . . F . I . . F $ . u _ I N / _ u . w = o @ 1 P . M s . - ' d . @ . . v . f . h P . : s S @ _ ? 5 W D s 4 Z k 4 ; . { . . . . s . . n : . d . . . - n H . . . 9 . Z [ . b X : h . . ' / H X . % 0 0 Z C . M J ? . w . 5 % h d b @ H j S y . h . . K . S l . = # - 9 1 . F ; . ? . . X . # . D ; ^ . N . . C I R k } . . N a ' . u o . 0 / . [ ; ] . ; T l R - . } M . ' q . . . R D . . P 8 . % . . ] _ q g . ! U z 1 < . . . . Y M . . . . . c f n 1 . . ] . L H . . , B . a . U W # b . r 4 b | ) k . . F a . d . X r . / |
Data Raw: | 5f 82 e1 04 03 46 17 49 fb 8d 01 08 46 24 bd 9a 0b 75 5f 81 ed 49 4e 2f 5f 8b 75 eb 8b 06 b9 f0 e7 77 3d 81 e1 b5 6f ce 40 8b 31 50 ff d6 05 4d b2 73 0b 2d 27 87 64 0b ff e0 e7 e4 40 00 1a 91 ed eb ec 76 d6 1b 80 66 a3 1d 68 b7 50 02 a1 9d 3a 73 53 f2 9a 40 8c 5f 3f 35 57 e6 f2 44 73 34 5a 20 6b 34 bc e8 3b d3 1f cf 7b 03 08 0c 16 b4 dc 73 09 0d b2 6e 3a fa 01 df e1 64 90 e9 1c a8 |
OLE stream 2 (General) |
Stream Path: | 02Gmz |
CLSID: | |
File Type: | empty |
Stream Size: | 0 |
Entropy: | 0.0 |
Base64 Encoded: | False |
Data ASCII: | |
Data Raw: |
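The INDICATOR_XML_LegacyDrawing_AutoLoad_Document rule hit in the signature section and the oddly cased \x1OLe10NatiVE stream name above describe the same construction: an OpenXML workbook carrying an embedded OLE object that is loaded as soon as the sheet is opened, with its payload in an Ole10Native stream. The script below is an added example, not Joe Sandbox's, ditekSHen's or the analysed sample's code. It checks a workbook for that pattern offline: it parses each sheet part for <legacyDrawing> and <oleObject autoLoad="1">, then scans every xl/embeddings part for the compound-file header and an Ole10Native directory name in any casing, flagging non-canonical casing. The workbook it runs on is constructed inline; the progId Equation.3, the r:id values and the part names are assumptions, and the real quotation_1.xlsx is not reproduced. Only the standard library is used; the embedding scan is a byte search, not a full CFB parse, so use olefile when the stream contents themselves are needed.

```python
"""Triage an OOXML workbook for an auto-loading OLE object and an Ole10Native stream.

Added example, not Joe Sandbox or ditekSHen code. The workbook it inspects is
built inline for the demonstration; the real quotation_1.xlsx is not included.
"""
import io
import json
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # Compound File header
CANONICAL_NATIVE = "Ole10Native"
# CFB directory entries store stream names as UTF-16LE. Match "Ole10Native" in
# any ASCII casing, optionally preceded by the \x01 control byte that packaged
# OLE1 objects carry, so an obfuscated name such as "\x01OLe10NatiVE" is found.
_NATIVE_RE = re.compile(
    b"(?:\x01\x00)?" + CANONICAL_NATIVE.encode("utf-16-le"), re.IGNORECASE)


def parse_sheet(xml_bytes):
    """Report <legacyDrawing> presence and every <oleObject> with its autoLoad flag."""
    found = {"legacy_drawing": False, "ole_objects": []}
    for el in ET.fromstring(xml_bytes).iter():
        tag = el.tag.rsplit("}", 1)[-1]          # drop the namespace prefix
        if tag == "legacyDrawing":
            found["legacy_drawing"] = True
        elif tag == "oleObject":
            found["ole_objects"].append({
                "progId": el.get("progId"),
                "rid": el.get("{%s}id" % REL_NS),
                # ST_Boolean in OOXML accepts 1/true/on as well as 0/false/off
                "autoLoad": (el.get("autoLoad") or "").lower() in ("1", "true", "on"),
            })
    return found


def scan_embedding(data):
    """Check one xl/embeddings/*.bin part: CFB header plus an Ole10Native name."""
    result = {"is_cfb": data.startswith(CFB_MAGIC),
              "ole10native_name": None, "canonical_case": None}
    m = _NATIVE_RE.search(data)
    if m:
        name = m.group(0).decode("utf-16-le")
        result["ole10native_name"] = name
        # CFB readers compare directory names case-insensitively, so Office
        # still resolves "OLe10NatiVE"; exact-case string matches do not.
        result["canonical_case"] = name.lstrip("\x01") == CANONICAL_NATIVE
    return result


def triage_xlsx(xlsx_bytes):
    """Combine the sheet-XML and embedding checks into one verdict dict."""
    report = {"legacy_drawing": False, "autoload_ole_objects": [], "embeddings": []}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("xl/worksheets/") and name.endswith(".xml"):
                sheet = parse_sheet(zf.read(name))
                report["legacy_drawing"] |= sheet["legacy_drawing"]
                report["autoload_ole_objects"] += [
                    {"sheet": name, "progId": o["progId"], "rid": o["rid"]}
                    for o in sheet["ole_objects"] if o["autoLoad"]]
            elif name.startswith("xl/embeddings/"):
                emb = scan_embedding(zf.read(name))
                emb["part"] = name
                report["embeddings"].append(emb)
    # A legacy-drawing-anchored OLE object that loads itself when the sheet
    # opens, backed by an Ole10Native payload, is the pattern the
    # INDICATOR_XML_LegacyDrawing_AutoLoad_Document rule is aimed at.
    report["suspicious"] = (report["legacy_drawing"]
                            and bool(report["autoload_ole_objects"])
                            and any(e["is_cfb"] and e["ole10native_name"]
                                    for e in report["embeddings"]))
    return report


# Constructed sheet part; progId Equation.3 and the r:id values are assumptions.
SHEET_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
 xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
 <sheetData/>
 <legacyDrawing r:id="rId1"/>
 <oleObjects><oleObject progId="Equation.3" shapeId="1025" r:id="rId2" autoLoad="%s"/></oleObjects>
</worksheet>"""


def build_sample_xlsx(autoload="1", stream_name="\x01OLe10NatiVE"):
    """Constructed workbook skeleton containing only the parts the checks read."""
    # Fake CFB part: real header magic, padding, one UTF-16LE directory name.
    # Not a valid compound file; enough for the signature-style checks above.
    fake_cfb = CFB_MAGIC + b"\x00" * 504 + stream_name.encode("utf-16-le") + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/worksheets/sheet1.xml", SHEET_XML % autoload.encode())
        zf.writestr("xl/embeddings/oleObject1.bin", fake_cfb)
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(triage_xlsx(build_sample_xlsx()), indent=2))
```

Run against a real workbook with `triage_xlsx(open(path, "rb").read())`. The casing check matters because [MS-CFB] directory lookups are case-insensitive, so a stream named OLe10NatiVE is opened by Office exactly like Ole10Native while a detection that matches the literal string "Ole10Native" misses it; a non-canonical name is therefore itself an evasion indicator worth surfacing.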
- Total Packets: 19
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 25, 2025 12:54:56.978235960 CET | 49713 | 443 | 192.168.2.26 | 13.107.246.40 |
Mar 25, 2025 12:54:56.978286028 CET | 443 | 49713 | 13.107.246.40 | 192.168.2.26 |
Mar 25, 2025 12:54:56.978368998 CET | 49713 | 443 | 192.168.2.26 | 13.107.246.40 |
Mar 25, 2025 12:54:56.978492022 CET | 49714 | 443 | 192.168.2.26 | 13.107.246.40 |
Mar 25, 2025 12:54:56.978533983 CET | 443 | 49714 | 13.107.246.40 | 192.168.2.26 |
Mar 25, 2025 12:54:56.978584051 CET | 49714 | 443 | 192.168.2.26 | 13.107.246.40 |
Mar 25, 2025 12:54:56.979648113 CET | 49713 | 443 | 192.168.2.26 | 13.107.246.40 |
Mar 25, 2025 12:54:56.979660988 CET | 443 | 49713 | 13.107.246.40 | 192.168.2.26 |
Mar 25, 2025 12:54:56.980012894 CET | 49714 | 443 | 192.168.2.26 | 13.107.246.40 |
Mar 25, 2025 12:54:56.980027914 CET | 443 | 49714 | 13.107.246.40 | 192.168.2.26 |
Mar 25, 2025 12:54:57.263526917 CET | 443 | 49713 | 13.107.246.40 | 192.168.2.26 |
Mar 25, 2025 12:54:57.263530016 CET | 443 | 49714 | 13.107.246.40 | 192.168.2.26 |
Mar 25, 2025 12:54:57.263762951 CET | 49714 | 443 | 192.168.2.26 | 13.107.246.40 |
Mar 25, 2025 12:54:57.263761997 CET | 49713 | 443 | 192.168.2.26 | 13.107.246.40 |
Mar 25, 2025 12:54:57.266007900 CET | 49713 | 443 | 192.168.2.26 | 13.107.246.40 |
Mar 25, 2025 12:54:57.266007900 CET | 49714 | 443 | 192.168.2.26 | 13.107.246.40 |
Mar 25, 2025 12:54:57.266026974 CET | 443 | 49714 | 13.107.246.40 | 192.168.2.26 |
Mar 25, 2025 12:54:57.266027927 CET | 443 | 49713 | 13.107.246.40 | 192.168.2.26 |
Mar 25, 2025 12:54:57.266299963 CET | 443 | 49714 | 13.107.246.40 | 192.168.2.26 |
Mar 25, 2025 12:54:57.266302109 CET | 443 | 49713 | 13.107.246.40 | 192.168.2.26 |
Mar 25, 2025 12:54:57.267199039 CET | 49713 | 443 | 192.168.2.26 | 13.107.246.40 |
Mar 25, 2025 12:54:57.267812014 CET | 49714 | 443 | 192.168.2.26 | 13.107.246.40 |
Mar 25, 2025 12:54:57.308275938 CET | 443 | 49713 | 13.107.246.40 | 192.168.2.26 |
Mar 25, 2025 12:54:57.312268972 CET | 443 | 49714 | 13.107.246.40 | 192.168.2.26 |
Mar 25, 2025 12:54:57.443690062 CET | 443 | 49714 | 13.107.246.40 | 192.168.2.26 |
Mar 25, 2025 12:54:57.443794012 CET | 443 | 49714 | 13.107.246.40 | 192.168.2.26 |
Mar 25, 2025 12:54:57.444015026 CET | 49714 | 443 | 192.168.2.26 | 13.107.246.40 |
Mar 25, 2025 12:54:57.444780111 CET | 49714 | 443 | 192.168.2.26 | 13.107.246.40 |
Mar 25, 2025 12:54:57.444780111 CET | 49714 | 443 | 192.168.2.26 | 13.107.246.40 |
Mar 25, 2025 12:54:57.444803953 CET | 443 | 49714 | 13.107.246.40 | 192.168.2.26 |
Mar 25, 2025 12:54:57.444813013 CET | 443 | 49714 | 13.107.246.40 | 192.168.2.26 |
Mar 25, 2025 12:54:57.485003948 CET | 443 | 49713 | 13.107.246.40 | 192.168.2.26 |
Mar 25, 2025 12:54:57.485032082 CET | 443 | 49713 | 13.107.246.40 | 192.168.2.26 |
Mar 25, 2025 12:54:57.485091925 CET | 443 | 49713 | 13.107.246.40 | 192.168.2.26 |
Mar 25, 2025 12:54:57.485183954 CET | 49713 | 443 | 192.168.2.26 | 13.107.246.40 |
Mar 25, 2025 12:54:57.485503912 CET | 49713 | 443 | 192.168.2.26 | 13.107.246.40 |
Mar 25, 2025 12:54:57.485517979 CET | 443 | 49713 | 13.107.246.40 | 192.168.2.26 |
Mar 25, 2025 12:54:57.485536098 CET | 49713 | 443 | 192.168.2.26 | 13.107.246.40 |
Mar 25, 2025 12:54:57.485542059 CET | 443 | 49713 | 13.107.246.40 | 192.168.2.26 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Mar 25, 2025 12:54:56.877408028 CET | 54724 | 53 | 192.168.2.26 | 1.1.1.1 |
Mar 25, 2025 12:54:56.976598978 CET | 53 | 54724 | 1.1.1.1 | 192.168.2.26 |
DNS query (queried name not included) |
---|

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Mar 25, 2025 12:54:56.877408028 CET | 192.168.2.26 | 1.1.1.1 | 0x8e9 | Standard query (0) | | A (IP address) | IN (0x0001) | false |

DNS answers (queried name not included; CNAME records in the CName column, A records in the Address column) |
---|

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Mar 25, 2025 12:53:52.267153978 CET | 1.1.1.1 | 192.168.2.26 | 0xabd | No error (0) | | s-0005.dual-s-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false |
Mar 25, 2025 12:53:52.267153978 CET | 1.1.1.1 | 192.168.2.26 | 0xabd | No error (0) | | | 52.123.128.14 | A (IP address) | IN (0x0001) | false |
Mar 25, 2025 12:53:52.267153978 CET | 1.1.1.1 | 192.168.2.26 | 0xabd | No error (0) | | | 52.123.129.14 | A (IP address) | IN (0x0001) | false |
Mar 25, 2025 12:53:56.620110989 CET | 1.1.1.1 | 192.168.2.26 | 0x8d15 | No error (0) | | a726.dscd.akamai.net | | CNAME (Canonical name) | IN (0x0001) | false |
Mar 25, 2025 12:53:56.620110989 CET | 1.1.1.1 | 192.168.2.26 | 0x8d15 | No error (0) | | | 23.57.90.74 | A (IP address) | IN (0x0001) | false |
Mar 25, 2025 12:53:56.620110989 CET | 1.1.1.1 | 192.168.2.26 | 0x8d15 | No error (0) | | | 23.57.90.81 | A (IP address) | IN (0x0001) | false |
Mar 25, 2025 12:53:56.620110989 CET | 1.1.1.1 | 192.168.2.26 | 0x8d15 | No error (0) | | | 23.57.90.69 | A (IP address) | IN (0x0001) | false |
Mar 25, 2025 12:54:12.013972998 CET | 1.1.1.1 | 192.168.2.26 | 0xb8d8 | No error (0) | | a726.dscd.akamai.net | | CNAME (Canonical name) | IN (0x0001) | false |
Mar 25, 2025 12:54:12.013972998 CET | 1.1.1.1 | 192.168.2.26 | 0xb8d8 | No error (0) | | | 23.44.136.151 | A (IP address) | IN (0x0001) | false |
Mar 25, 2025 12:54:12.013972998 CET | 1.1.1.1 | 192.168.2.26 | 0xb8d8 | No error (0) | | | 23.44.136.190 | A (IP address) | IN (0x0001) | false |
Mar 25, 2025 12:54:12.013972998 CET | 1.1.1.1 | 192.168.2.26 | 0xb8d8 | No error (0) | | | 23.44.136.175 | A (IP address) | IN (0x0001) | false |
Mar 25, 2025 12:54:12.013972998 CET | 1.1.1.1 | 192.168.2.26 | 0xb8d8 | No error (0) | | | 23.44.136.179 | A (IP address) | IN (0x0001) | false |
Mar 25, 2025 12:54:12.013972998 CET | 1.1.1.1 | 192.168.2.26 | 0xb8d8 | No error (0) | | | 23.44.136.146 | A (IP address) | IN (0x0001) | false |
Mar 25, 2025 12:54:56.976598978 CET | 1.1.1.1 | 192.168.2.26 | 0x8e9 | No error (0) | | otelrules-bzhndjfje8dvh5fd.z01.azurefd.net | | CNAME (Canonical name) | IN (0x0001) | false |
Mar 25, 2025 12:54:56.976598978 CET | 1.1.1.1 | 192.168.2.26 | 0x8e9 | No error (0) | | star-azurefd-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false |
Mar 25, 2025 12:54:56.976598978 CET | 1.1.1.1 | 192.168.2.26 | 0x8e9 | No error (0) | | shed.dual-low.s-part-0012.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false |
Mar 25, 2025 12:54:56.976598978 CET | 1.1.1.1 | 192.168.2.26 | 0x8e9 | No error (0) | | s-part-0012.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false |
Mar 25, 2025 12:54:56.976598978 CET | 1.1.1.1 | 192.168.2.26 | 0x8e9 | No error (0) | | | 13.107.246.40 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.26 | 49713 | 13.107.246.40 | 443 | 7144 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-25 11:54:57 UTC | 215 | OUT | |
2025-03-25 11:54:57 UTC | 515 | IN | |
2025-03-25 11:54:57 UTC | 2781 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
1 | 192.168.2.26 | 49714 | 13.107.246.40 | 443 | 7144 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2025-03-25 11:54:57 UTC | 214 | OUT | |
2025-03-25 11:54:57 UTC | 491 | IN | |
2025-03-25 11:54:57 UTC | 461 | IN |
Target ID: | 0 |
Start time: | 07:53:43 |
Start date: | 25/03/2025 |
Path: | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6a19c0000 |
File size: | 70'082'712 bytes |
MD5 hash: | F9F7B6C42211B06E7AC3E4B60AA8FB77 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | false |
Target ID: | 16 |
Start time: | 07:54:55 |
Start date: | 25/03/2025 |
Path: | C:\Windows\splwow64.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff729900000 |
File size: | 192'512 bytes |
MD5 hash: | AF4A7EBF6114EE9E6FBCC910EC3C96E6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | false |