Windows Analysis Report mypersonnel.xls

Overview

General Information

Sample Name:mypersonnel.xls
Analysis ID:434482
MD5:c9bc94e078fff9345334a6dd9eb8ab1c
SHA1:0f659372a5b8a7263f624e127a49cccc44edd66b
SHA256:7b741bc7499be813752978778566a0fa5fe79e68e000e8acaf4b4a0c4af2a357
Detection

Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Machine Learning detection for sample
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros

Classification

[Classification chart. Categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Scale: clean, suspicious, malicious]
  • System is w7x64
  • EXCEL.EXE (PID: 2404 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: mypersonnel.xls, Avira: detected
Multi AV Scanner detection for submitted file
Source: mypersonnel.xls, Virustotal: Detection: 62%
Machine Learning detection for sample
Source: mypersonnel.xls, Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

System Summary:

Document contains an embedded VBA with functions possibly related to ADO stream file operations
Source: mypersonnel.xls, Stream path '_VBA_PROJECT_CUR/VBA/Kangatang' : found possibly 'ADODB.Stream' functions open, read, write
Source: mypersonnel.xls, OLE, VBA macro line: Sub Auto_Open()
Source: mypersonnel.xls, OLE, VBA macro line: Sub Auto_Close()
Source: VBA code instrumentation, OLE, VBA macro: Module Kangatang, Function Auto_Open
Source: VBA code instrumentation, OLE, VBA macro: Module Kangatang, Function Auto_Close
Source: mypersonnel.xls, OLE indicator, VBA macros: true
Source: classification engine, Classification label: mal64.winXLS@1/0@0/0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\mypersonnel.xls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Temp\CVRC2E1.tmp
Source: mypersonnel.xls, OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File read: C:\Users\desktop.ini
Source: mypersonnel.xls, Virustotal: Detection: 62%
Source: Window Recorder, Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Process information set: NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts
Execution: Scripting12; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
Defense Evasion: Masquerading1; Scripting12
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: File and Directory Discovery1; System Information Discovery1
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Data Obfuscation; Junk Data
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout
[Behavior Graph. ID: 434482, Sample: mypersonnel.xls, Startdate: 15/06/2021, Architecture: WINDOWS, Score: 64. Process: EXCEL.EXE (started). Signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample; Document contains an embedded VBA with functions possibly related to ADO stream file operations]

Source: mypersonnel.xls, Detection: 62%, Scanner: Virustotal
Source: mypersonnel.xls, Detection: 100%, Scanner: Avira, Label: X97M/Agent.7251424
Source: mypersonnel.xls, Detection: 100%, Scanner: Joe Sandbox ML
No Antivirus matches
No contacted domains info
No contacted IP infos

General Information

Joe Sandbox Version:32.0.0 Black Diamond
Analysis ID:434482
Start date:15.06.2021
Start time:04:20:34
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 3m 41s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:mypersonnel.xls
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal64.winXLS@1/0@0/0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .xls
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
No simulations
No context
No created / dropped files found

Static File Info

General

File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Mar 28 02:38:25 2019, Security: 0
Entropy (8bit):4.91680506295722
TrID:
  • Microsoft Excel sheet (30009/1) 47.99%
  • Microsoft Excel sheet (alternate) (24509/1) 39.20%
  • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:mypersonnel.xls
File size:285184
MD5:c9bc94e078fff9345334a6dd9eb8ab1c
SHA1:0f659372a5b8a7263f624e127a49cccc44edd66b
SHA256:7b741bc7499be813752978778566a0fa5fe79e68e000e8acaf4b4a0c4af2a357
SHA512:4ec2aa817c0e31650ffe453a25764e7288d18e82cf7dc05756f3852c99de2cb58c5b66bcfe9a1fc20f9f182effd2464a1000ae8d64cceb1d3c89787b8cd064ba
SSDEEP:6144:UxEtjPOtioVjDGUU1qfDlavx+/YIxAUk2A3WJBP1r7wJT16lv7aMVMlMw+MIi:P2A3oP1vJ7aMVMlMw+MIi

File Icon

Icon Hash:e4eea286a4b4bcb4

General

Document Type:OLE
Number of OLE Files:1

Indicators

Has Summary Info:True
Application Name:Microsoft Excel
Encrypted Document:False
Contains Word Document Stream:False
Contains Workbook/Book Stream:True
Contains PowerPoint Document Stream:False
Contains Visio Document Stream:False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:True

Summary

Code Page:1252
Author:
Last Saved By:
Create Time:2006-09-16 00:00:00
Last Saved Time:2019-03-28 02:38:25
Creating Application:Microsoft Excel
Security:0

Document Summary

Document Code Page:1252
Thumbnail Scaling Desired:False
Contains Dirty Links:False
Shared Document:False
Changed Hyperlinks:False
Application Version:917504
General
Stream Path:_VBA_PROJECT_CUR/VBA/Kangatang
VBA File Name:Kangatang.bas
Stream Size:3553
Keyword
ThisWorkbook.Path
Password:="",
Auto_Open()
VB_Name
Application.OnSheetActivate
".xlsx",
".xlsx")
"xlsx"
currentsh
"mypersonnel.xls!allocated"
Auto_Close()
ThisWorkbook.Sheets("Kangatang").Copy
Application.Version
ThisWorkbook.SaveAs
".xls"),
"\XLSTART"
Replace(ThisWorkbook.Name,
ActiveSheet.Name
Right(ThisWorkbook.Name,
Application.ScreenUpdating
ReadOnlyRecommended:=False,
"\mypersonnel.xls"
Application.Path
ThisWorkbook.SaveCopyAs
Application.DisplayAlerts
Error
Application.StartupPath
".xls",
Filename:=Application.StartupPath
CreateBackup:=False
WriteResPassword:="",
False
allocated()
Attribute
Resume
Filename:=ThisWorkbook.Path
"Kangatang"
Filename:=Application.Path
ActiveWorkbook.Sheets(currentsh).Select
"\XLSTART\mypersonel.xls"
VBA Code
General
Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:ThisWorkbook.cls
Stream Size:1158
Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
"ThisWorkbook"
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
VBA Code
General
Stream Path:\x5DocumentSummaryInformation
File Type:data
Stream Size:236
Entropy:2.8954854453
Base64 Encoded:True
General
Stream Path:\x5SummaryInformation
File Type:data
Stream Size:200
Entropy:3.26412475502
Base64 Encoded:False
General
Stream Path:Workbook
File Type:Applesoft BASIC program data, first line number 16
Stream Size:265302
Entropy:4.93013037462
Base64 Encoded:True
General
Stream Path:_VBA_PROJECT_CUR/PROJECT
File Type:ASCII text, with CRLF line terminators
Stream Size:347
Entropy:5.31090111474
Base64 Encoded:True
Data ASCII:ID="{6D8D51BB-D1C5-4444-8547-F16757E80C24}" Module=Kangatang Document=ThisWorkbook/&H00000000 Name="VBAProject" HelpContextID="0" VersionCompatible32="393222000" CMG="3A38FDC533C933C933C933C9" DPB="7476B307D740D840D840" GC="AEAC694999B9D2BAD2BA2D"
General
Stream Path:_VBA_PROJECT_CUR/PROJECTwm
File Type:data
Stream Size:71
Entropy:3.13705699461
Base64 Encoded:False
General
Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type:data
Stream Size:2849
Entropy:4.44259472324
Base64 Encoded:False
General
Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_0
File Type:data
Stream Size:1516
Entropy:3.98983141245
Base64 Encoded:False
General
Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_1
File Type:data
Stream Size:110
Entropy:2.15177653068
Base64 Encoded:False
General
Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_2
File Type:data
Stream Size:824
Entropy:3.70377058957
Base64 Encoded:False
General
Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_3
File Type:data
Stream Size:177
Entropy:1.97819430592
Base64 Encoded:False
General
Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_4
File Type:data
Stream Size:336
Entropy:1.7412530662
Base64 Encoded:False
General
Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_5
File Type:data
Stream Size:66
Entropy:1.72865567268
Base64 Encoded:False
General
Stream Path:_VBA_PROJECT_CUR/VBA/dir
File Type:data
Stream Size:526
Entropy:6.24761702052
Base64 Encoded:True

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Start time:04:21:34
Start date:15/06/2021
Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):false
Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:0x13f970000
File size:27641504 bytes
MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Disassembly