Windows Analysis Report
Sgioba.xlsx

Overview

General Information

Sample name: Sgioba.xlsx
Analysis ID: 1571432
MD5: f098c0bf9bd12985a19ea9f937f93e39
SHA1: 6e5e06752e8c801b7ab21651dfdb9ec232f3f925
SHA256: 064f3e372e8f1aa18916e02aa857c0d4842765942d155266cd40f85f8d171663

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Suricata IDS alerts with low severity for network traffic

Classification

Source: unknown HTTPS traffic detected: 52.113.195.132:443 -> 192.168.2.16:49695 version: TLS 1.2
Source: global traffic TCP traffic: 192.168.2.16:49695 -> 52.113.195.132:443
Source: global traffic TCP traffic: 52.113.195.132:443 -> 192.168.2.16:49695
Source: excel.exe Memory has grown: Private usage: 5MB later: 195MB
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49695 -> 52.113.195.132:443
Source: unknown Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown HTTPS traffic detected: 52.113.195.132:443 -> 192.168.2.16:49695 version: TLS 1.2
Source: classification engine Classification label: clean2.winXLSX@1/2@0/8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE File created: C:\Users\user\Desktop\~$Sgioba.xlsx
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{5AE242C3-9890-4546-A378-08865E42228D} - OProcSessId.dat
Source: Sgioba.xlsx OLE indicator, Workbook stream: true
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: Sgioba.xlsx Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid