Malicious
Malicious
Infection Chain
Summary by MalvaGPT
Characteristics
Hash
 Hash Value
MD5
b572151155cdb30aa3c5096071720dbf
Sha1
cb22695d92994cd2cdee3aadd8304262f18495ea
Sha256
8ef4f92eeff604c0dbd125cf358350141d9e3c1ef400775365b202c5d95b920e
Sha384
afb825e42566ab845cd628b969954064c140cf28f92a8762f967194894e4b46d45015541f21046d4534d01f299fd0b14
Sha512
9d6488562f96130ebe62524aec176db3a040e1e2027816592caece8f561070ae3613d80fa3361767fa10c30c63f76c522c2f6f9a2ad34cfd81a4f1a06d4c9042
SSDeep
12288:zu/ue0pjbVj+nKDiEQeDhmgpWwXU6uAh0Uso0jqKC:+u/pSnBngpWD6uLUJ0jRC
TLSH
25C41219C627721ED91FD039F3A447E26446B72AD083E1AE6D50B84C33272E767CE64D
File Structure
b572151155cdb30aa3c5096071720dbf
Malicious
[Content_Types].xml
_rels
.rels
xl
Malicious
_rels
workbook.xml.rels
workbook.xml
worksheets
sheet4.xml
_rels
sheet2.xml.rels
sheet3.xml.rels
sheet4.xml.rels
sheet5.xml.rels
sheet6.xml.rels
sheet1.xml.rels
sheet7.xml.rels
sheet14.xml.rels
sheet15.xml.rels
sheet16.xml.rels
sheet20.xml.rels
sheet21.xml.rels
sheet13.xml.rels
sheet12.xml.rels
sheet8.xml.rels
sheet9.xml.rels
sheet10.xml.rels
sheet11.xml.rels
sheet2.xml
sheet3.xml
sheet1.xml
sheet21.xml
sheet20.xml
sheet19.xml
sheet18.xml
sheet22.xml
sheet23.xml
sheet24.xml
sheet17.xml
sheet16.xml
sheet15.xml
sheet8.xml
sheet7.xml
sheet6.xml
sheet5.xml
sheet9.xml
sheet10.xml
sheet11.xml
sheet12.xml
sheet13.xml
sheet14.xml
drawings
_rels
drawing2.xml.rels
drawing3.xml.rels
drawing4.xml.rels
drawing10.xml
drawing11.xml
drawing12.xml
drawing13.xml
drawing14.xml
drawing15.xml
drawing16.xml
drawing9.xml
drawing8.xml
drawing1.xml
drawing2.xml
drawing3.xml
drawing4.xml
drawing7.xml
drawing6.xml
drawing5.xml
vbaProject.bin
Malicious
Root Entry
Malicious
PROJECT
PROJECTwm
VBA
Malicious
dir
Sheet2

Sheet2

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
Sheet3

Sheet3

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
Sheet5

Sheet5

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
Sheet7

Sheet7

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
CSHA256
Malicious

CSHA256

Malicious
[Stored VBA]
Malicious
[PCode]
Malicious
[Decompiled VBA]
Malicious
[Full Diff]
Malicious
[Partial Diff]
Malicious
Module1

Module1

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
Sheet10

Sheet10

[Stored VBA]
Malicious
[Stored VBA].deobfuscated.vbs
[PCode]
[Decompiled VBA]
Malicious
[Decompiled VBA].deobfuscated.vbs
Sheet12

Sheet12

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
Sheet16

Sheet16

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
Sheet17

Sheet17

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
Sheet23

Sheet23

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
Sheet25

Sheet25

[Stored VBA]
Malicious
[Decompiled VBA]
Malicious
__SRP_0
__SRP_1
__SRP_2
__SRP_3
__SRP_4
__SRP_5
__SRP_6
__SRP_7
__SRP_8
__SRP_9
__SRP_a
__SRP_b
__SRP_c
__SRP_d
__SRP_e
__SRP_f
FileUtil

FileUtil

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
__SRP_10
__SRP_11
__SRP_12
__SRP_13
__SRP_14
__SRP_15
__SRP_16
__SRP_17
__SRP_18
__SRP_19
__SRP_1a
__SRP_1b
__SRP_1c
__SRP_1d
__SRP_1e
__SRP_1f
__SRP_20
__SRP_21
__SRP_22
__SRP_23
__SRP_24
__SRP_25
__SRP_26
__SRP_27
__SRP_28
__SRP_29
__SRP_2a
__SRP_2b
__SRP_2c
__SRP_2d
__SRP_2e
__SRP_2f
__SRP_30
__SRP_31
__SRP_32
__SRP_33
__SRP_34
__SRP_35
__SRP_36
__SRP_37
__SRP_38
__SRP_39
__SRP_3a
__SRP_3b
__SRP_3c
__SRP_3d
__SRP_3e
__SRP_3f
__SRP_40
__SRP_41
PDF_Module

PDF_Module

[Stored VBA]
Malicious
[Stored VBA].deobfuscated.vbs
[PCode]
[Decompiled VBA]
Malicious
ValidateMod

ValidateMod

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
Hashing_JSON

Hashing_JSON

[Stored VBA]
Malicious
[Stored VBA].deobfuscated.vbs
[PCode]
[Decompiled VBA]
Malicious
ThisWorkbook

ThisWorkbook

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
_VBA_PROJECT
Common_Module

Common_Module

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
JsonConverter

JsonConverter

[Stored VBA]
Malicious
[Stored VBA].deobfuscated.vbs
[PCode]
[Decompiled VBA]
Malicious
Signing_Module
Malicious

Signing_Module

Malicious
[Stored VBA]
Malicious
[Stored VBA].deobfuscated.vbs
Malicious
[PCode]
[Decompiled VBA]
Malicious
Import_Error_JSON

Import_Error_JSON

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
Export_JSON_Module

Export_JSON_Module

[Stored VBA]
[PCode]
[Decompiled VBA]
Import_JSON_Module

Import_JSON_Module

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
Validate_Functions

Validate_Functions

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
Variable_Initialize

Variable_Initialize

[Stored VBA]
Malicious
[PCode]
sharedStrings.xml
styles.xml
theme
theme1.xml
media
image1.png
image1.png-preview.png
image3.gif
image3.gif-preview.png
image2.png
image2.png-preview.png
printerSettings
printerSettings15.bin
printerSettings18.bin
externalLinks
Malicious
_rels
Malicious
externalLink2.xml.rels
Malicious
externalLink3.xml.rels
Malicious
externalLink1.xml.rels
Malicious
externalLink3.xml
externalLink2.xml
externalLink1.xml
calcChain.xml
docProps
core.xml
app.xml
custom.xml
Malware Configuration - Remote Template
Config. Field
 Value
Target

file:///C:\Users\ashutosh.khaitan\Desktop\Worksheet%20in%20SRS_Offline_GSTR10_30052018.xls
Path

externalLink2.xml.rels
XPath

/Relationships/Relationship
Outer XML

<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/externalLinkPath" Target="file:///C:\Users\ashutosh.khaitan\Desktop\Worksheet%20in%20SRS_Offline_GSTR10_30052018.xls" TargetMode="External" xmlns="http://schemas.openxmlformats.org/package/2006/relationships" />
Malware Configuration - Remote Template
Config. Field
 Value
Target

file:///C:\Users\pallav_yadav\Documents\GSTR_4_Offline_Utility_v3.0_new_PY.xls
Path

externalLink3.xml.rels
XPath

/Relationships/Relationship
Outer XML

<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/externalLinkPath" Target="file:///C:\Users\pallav_yadav\Documents\GSTR_4_Offline_Utility_v3.0_new_PY.xls" TargetMode="External" xmlns="http://schemas.openxmlformats.org/package/2006/relationships" />
Malware Configuration - Remote Template
Config. Field
 Value
Target

file:///C:\Users\richi.jain\AppData\Local\Temp\Temp1_GSTR_4_Offline_Utility.zip\GSTR_4_Offline_Utility_v3.0.xls
Path

externalLink1.xml.rels
XPath

/Relationships/Relationship
Outer XML

<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/externalLinkPath" Target="file:///C:\Users\richi.jain\AppData\Local\Temp\Temp1_GSTR_4_Offline_Utility.zip\GSTR_4_Offline_Utility_v3.0.xls" TargetMode="External" xmlns="http://schemas.openxmlformats.org/package/2006/relationships" />
Artefacts
Name
 Value
URLs in VB Code - #1

https://github.com/VBA-tools/VBA-JSON
URLs in VB Code - #2

http://www.opensource.org/licenses/mit-license.php
URLs in VB Code - #3

http://code.google.com/p/vba-json/
URLs in VB Code - #4

http://msdn.microsoft.com/en-us/library/windows/desktop/ms724421.aspx
URLs in VB Code - #5

http://msdn.microsoft.com/en-us/library/windows/desktop/ms724949.aspx
URLs in VB Code - #6

http://msdn.microsoft.com/en-us/library/windows/desktop/ms725485.aspx
URLs in VB Code - #7

http://support.microsoft.com/kb/269370
URLs in VB Code - #8

http://www.ietf.org/rfc/rfc4627.txt
URLs in VB Code - #9

https://support.microsoft.com/en-us/kb/272138
URLs in VB Code - #10

http://www.vbaccelerator.com/home/VB/Code/Techniques/RunTime_Debug_Tracing/VB6_Tracer_Utility_zip_cStringBuilder_cls.asp
URLs in VB Code - #11

https://github.com/VBA-tools/VBA-JSON/pull/82
URLs in VB Code - #12

https://github.com/VBA-tools/VBA-UtcConverter
URLs in VB Code - #13

http://s
URLs in VB Code - #14

http://www.frez.co.uk
URLs in VB Code - #1

http://www.frez.co.uk
URLs in VB Code - #1

http://www.frez.co.uk
URLs in VB Code - #1

https://github.com/VBA-tools/VBA-JSON
URLs in VB Code - #2

http://www.opensource.org/licenses/mit-license.php
URLs in VB Code - #3

http://code.google.com/p/vba-json/
URLs in VB Code - #4

http://msdn.microsoft.com/en-us/library/windows/desktop/ms724421.aspx
URLs in VB Code - #5

http://msdn.microsoft.com/en-us/library/windows/desktop/ms724949.aspx
URLs in VB Code - #6

http://msdn.microsoft.com/en-us/library/windows/desktop/ms725485.aspx
URLs in VB Code - #7

http://support.microsoft.com/kb/269370
URLs in VB Code - #8

http://www.ietf.org/rfc/rfc4627.txt
URLs in VB Code - #9

https://support.microsoft.com/en-us/kb/272138
URLs in VB Code - #10

http://www.vbaccelerator.com/home/VB/Code/Techniques/RunTime_Debug_Tracing/VB6_Tracer_Utility_zip_cStringBuilder_cls.asp
URLs in VB Code - #11

https://github.com/VBA-tools/VBA-JSON/pull/82
URLs in VB Code - #12

https://github.com/VBA-tools/VBA-UtcConverter
URLs in VB Code - #13

http://s
URLs in VB Code - #1

https://github.com/VBA-tools/VBA-JSON
URLs in VB Code - #2

http://www.opensource.org/licenses/mit-license.php
URLs in VB Code - #3

http://code.google.com/p/vba-json/
URLs in VB Code - #4

http://msdn.microsoft.com/en-us/library/windows/desktop/ms724421.aspx
URLs in VB Code - #5

http://msdn.microsoft.com/en-us/library/windows/desktop/ms724949.aspx
URLs in VB Code - #6

http://msdn.microsoft.com/en-us/library/windows/desktop/ms725485.aspx
URLs in VB Code - #7

http://support.microsoft.com/kb/269370
URLs in VB Code - #8

http://www.ietf.org/rfc/rfc4627.txt
URLs in VB Code - #9

https://support.microsoft.com/en-us/kb/272138
URLs in VB Code - #10

http://www.vbaccelerator.com/home/VB/Code/Techniques/RunTime_Debug_Tracing/VB6_Tracer_Utility_zip_cStringBuilder_cls.asp
URLs in VB Code - #11

https://github.com/VBA-tools/VBA-JSON/pull/82
URLs in VB Code - #12

https://github.com/VBA-tools/VBA-UtcConverter
URLs in VB Code - #1

https://github.com/VBA-tools/VBA-JSON
URLs in VB Code - #2

http://www.opensource.org/licenses/mit-license.php
URLs in VB Code - #3

http://code.google.com/p/vba-json/
URLs in VB Code - #4

http://msdn.microsoft.com/en-us/library/windows/desktop/ms724421.aspx
URLs in VB Code - #5

http://msdn.microsoft.com/en-us/library/windows/desktop/ms724949.aspx
URLs in VB Code - #6

http://msdn.microsoft.com/en-us/library/windows/desktop/ms725485.aspx
URLs in VB Code - #7

http://support.microsoft.com/kb/269370
URLs in VB Code - #8

http://www.ietf.org/rfc/rfc4627.txt
URLs in VB Code - #9

https://support.microsoft.com/en-us/kb/272138
URLs in VB Code - #10

http://www.vbaccelerator.com/home/VB/Code/Techniques/RunTime_Debug_Tracing/VB6_Tracer_Utility_zip_cStringBuilder_cls.asp
URLs in VB Code - #11

https://github.com/VBA-tools/VBA-JSON/pull/82
URLs in VB Code - #12

https://github.com/VBA-tools/VBA-UtcConverter
Remote Template - Highly Suspicious

file:///C:\Users\ashutosh.khaitan\Desktop\Worksheet%20in%20SRS_Offline_GSTR10_30052018.xls
Remote Template - Highly Suspicious

file:///C:\Users\pallav_yadav\Documents\GSTR_4_Offline_Utility_v3.0_new_PY.xls
Remote Template - Highly Suspicious

file:///C:\Users\richi.jain\AppData\Local\Temp\Temp1_GSTR_4_Offline_Utility.zip\GSTR_4_Offline_Utility_v3.0.xls
b572151155cdb30aa3c5096071720dbf (592.07 KB)
File Structure
b572151155cdb30aa3c5096071720dbf
Malicious
[Content_Types].xml
_rels
.rels
xl
Malicious
_rels
workbook.xml.rels
workbook.xml
worksheets
sheet4.xml
_rels
sheet2.xml.rels
sheet3.xml.rels
sheet4.xml.rels
sheet5.xml.rels
sheet6.xml.rels
sheet1.xml.rels
sheet7.xml.rels
sheet14.xml.rels
sheet15.xml.rels
sheet16.xml.rels
sheet20.xml.rels
sheet21.xml.rels
sheet13.xml.rels
sheet12.xml.rels
sheet8.xml.rels
sheet9.xml.rels
sheet10.xml.rels
sheet11.xml.rels
sheet2.xml
sheet3.xml
sheet1.xml
sheet21.xml
sheet20.xml
sheet19.xml
sheet18.xml
sheet22.xml
sheet23.xml
sheet24.xml
sheet17.xml
sheet16.xml
sheet15.xml
sheet8.xml
sheet7.xml
sheet6.xml
sheet5.xml
sheet9.xml
sheet10.xml
sheet11.xml
sheet12.xml
sheet13.xml
sheet14.xml
drawings
_rels
drawing2.xml.rels
drawing3.xml.rels
drawing4.xml.rels
drawing10.xml
drawing11.xml
drawing12.xml
drawing13.xml
drawing14.xml
drawing15.xml
drawing16.xml
drawing9.xml
drawing8.xml
drawing1.xml
drawing2.xml
drawing3.xml
drawing4.xml
drawing7.xml
drawing6.xml
drawing5.xml
vbaProject.bin
Malicious
Root Entry
Malicious
PROJECT
PROJECTwm
VBA
Malicious
dir
Sheet2

Sheet2

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
Sheet3

Sheet3

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
Sheet5

Sheet5

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
Sheet7

Sheet7

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
CSHA256
Malicious

CSHA256

Malicious
[Stored VBA]
Malicious
[PCode]
Malicious
[Decompiled VBA]
Malicious
[Full Diff]
Malicious
[Partial Diff]
Malicious
Module1

Module1

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
Sheet10

Sheet10

[Stored VBA]
Malicious
[Stored VBA].deobfuscated.vbs
[PCode]
[Decompiled VBA]
Malicious
[Decompiled VBA].deobfuscated.vbs
Sheet12

Sheet12

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
Sheet16

Sheet16

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
Sheet17

Sheet17

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
Sheet23

Sheet23

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
Sheet25

Sheet25

[Stored VBA]
Malicious
[Decompiled VBA]
Malicious
__SRP_0
__SRP_1
__SRP_2
__SRP_3
__SRP_4
__SRP_5
__SRP_6
__SRP_7
__SRP_8
__SRP_9
__SRP_a
__SRP_b
__SRP_c
__SRP_d
__SRP_e
__SRP_f
FileUtil

FileUtil

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
__SRP_10
__SRP_11
__SRP_12
__SRP_13
__SRP_14
__SRP_15
__SRP_16
__SRP_17
__SRP_18
__SRP_19
__SRP_1a
__SRP_1b
__SRP_1c
__SRP_1d
__SRP_1e
__SRP_1f
__SRP_20
__SRP_21
__SRP_22
__SRP_23
__SRP_24
__SRP_25
__SRP_26
__SRP_27
__SRP_28
__SRP_29
__SRP_2a
__SRP_2b
__SRP_2c
__SRP_2d
__SRP_2e
__SRP_2f
__SRP_30
__SRP_31
__SRP_32
__SRP_33
__SRP_34
__SRP_35
__SRP_36
__SRP_37
__SRP_38
__SRP_39
__SRP_3a
__SRP_3b
__SRP_3c
__SRP_3d
__SRP_3e
__SRP_3f
__SRP_40
__SRP_41
PDF_Module

PDF_Module

[Stored VBA]
Malicious
[Stored VBA].deobfuscated.vbs
[PCode]
[Decompiled VBA]
Malicious
ValidateMod

ValidateMod

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
Hashing_JSON

Hashing_JSON

[Stored VBA]
Malicious
[Stored VBA].deobfuscated.vbs
[PCode]
[Decompiled VBA]
Malicious
ThisWorkbook

ThisWorkbook

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
_VBA_PROJECT
Common_Module

Common_Module

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
JsonConverter

JsonConverter

[Stored VBA]
Malicious
[Stored VBA].deobfuscated.vbs
[PCode]
[Decompiled VBA]
Malicious
Signing_Module
Malicious

Signing_Module

Malicious
[Stored VBA]
Malicious
[Stored VBA].deobfuscated.vbs
Malicious
[PCode]
[Decompiled VBA]
Malicious
Import_Error_JSON

Import_Error_JSON

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
Export_JSON_Module

Export_JSON_Module

[Stored VBA]
[PCode]
[Decompiled VBA]
Import_JSON_Module

Import_JSON_Module

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
Validate_Functions

Validate_Functions

[Stored VBA]
Malicious
[PCode]
[Decompiled VBA]
Malicious
Variable_Initialize

Variable_Initialize

[Stored VBA]
Malicious
[PCode]
sharedStrings.xml
styles.xml
theme
theme1.xml
media
image1.png
image1.png-preview.png
image3.gif
image3.gif-preview.png
image2.png
image2.png-preview.png
printerSettings
printerSettings15.bin
printerSettings18.bin
externalLinks
Malicious
_rels
Malicious
externalLink2.xml.rels
Malicious
externalLink3.xml.rels
Malicious
externalLink1.xml.rels
Malicious
externalLink3.xml
externalLink2.xml
externalLink1.xml
calcChain.xml
docProps
core.xml
app.xml
custom.xml
Characteristics

vbaDNA - VBA Stomping & Purging Stategy detection

Module Name
Sheet2
VBA Macro
Sheet3
VBA Macro
Sheet5
VBA Macro
Sheet7
VBA Macro
CSHA256
VBA Stomping
ATT&CK T1564.007
Malicious
Malicious Document
VBA Macro

Missing P-Code: The Office document under analysis has been identified as having undergone VBA Purging techniques, as the P-Code block within the document is currently inaccessible. As a result, the decompilation of the code was not possible, leaving only the stored code available in textual format for analysis.

VBA Purging essentially involves the elimination of the PerformanceCache section from the module streams.

To fully erase any traces of the P-Code section, the MODULEOFFSET between the two sections is adjusted to 0 by altering the _VBA_PROJECT stream, and all SRP streams that also house PerformanceCache data are removed. Following the removal of the compiled code, antivirus engines and Yara rules, which depend on precise string matches, are rendered ineffective.

This allows macros to bypass them effortlessly, owing to the compressed format of the remaining source code.

Module1
VBA Macro
Sheet10
VBA Macro
Sheet12
VBA Macro
Sheet16
VBA Macro
Sheet17
VBA Macro
Sheet23
VBA Macro
Sheet25
VBA Macro
FileUtil
VBA Macro
PDF_Module
Blacklist VBA
VBA Macro
ValidateMod
VBA Macro
Hashing_JSON
VBA Macro
ThisWorkbook
VBA Macro
Common_Module
Blacklist VBA
VBA Macro
JsonConverter
Blacklist VBA
VBA Macro
Signing_Module
Blacklist VBA
VBA Macro

Missing P-Code: The Office document under analysis has been identified as having undergone VBA Purging techniques, as the P-Code block within the document is currently inaccessible. As a result, the decompilation of the code was not possible, leaving only the stored code available in textual format for analysis.

VBA Purging essentially involves the elimination of the PerformanceCache section from the module streams.

To fully erase any traces of the P-Code section, the MODULEOFFSET between the two sections is adjusted to 0 by altering the _VBA_PROJECT stream, and all SRP streams that also house PerformanceCache data are removed. Following the removal of the compiled code, antivirus engines and Yara rules, which depend on precise string matches, are rendered ineffective.

This allows macros to bypass them effortlessly, owing to the compressed format of the remaining source code.

Import_Error_JSON
VBA Macro
Export_JSON_Module
Blacklist VBA
VBA Macro
Import_JSON_Module
VBA Macro
Validate_Functions
VBA Macro
Variable_Initialize
VBA Macro
Malware Configuration - Remote Template
Config. Field
 Value
Target

file:///C:\Users\ashutosh.khaitan\Desktop\Worksheet%20in%20SRS_Offline_GSTR10_30052018.xls
Path

externalLink2.xml.rels
XPath

/Relationships/Relationship
Outer XML

<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/externalLinkPath" Target="file:///C:\Users\ashutosh.khaitan\Desktop\Worksheet%20in%20SRS_Offline_GSTR10_30052018.xls" TargetMode="External" xmlns="http://schemas.openxmlformats.org/package/2006/relationships" />
Malware Configuration - Remote Template
Config. Field
 Value
Target

file:///C:\Users\pallav_yadav\Documents\GSTR_4_Offline_Utility_v3.0_new_PY.xls
Path

externalLink3.xml.rels
XPath

/Relationships/Relationship
Outer XML

<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/externalLinkPath" Target="file:///C:\Users\pallav_yadav\Documents\GSTR_4_Offline_Utility_v3.0_new_PY.xls" TargetMode="External" xmlns="http://schemas.openxmlformats.org/package/2006/relationships" />
Malware Configuration - Remote Template
Config. Field
 Value
Target

file:///C:\Users\richi.jain\AppData\Local\Temp\Temp1_GSTR_4_Offline_Utility.zip\GSTR_4_Offline_Utility_v3.0.xls
Path

externalLink1.xml.rels
XPath

/Relationships/Relationship
Outer XML

<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/externalLinkPath" Target="file:///C:\Users\richi.jain\AppData\Local\Temp\Temp1_GSTR_4_Offline_Utility.zip\GSTR_4_Offline_Utility_v3.0.xls" TargetMode="External" xmlns="http://schemas.openxmlformats.org/package/2006/relationships" />
Artefacts
Name
 Value Location
URLs in VB Code - #1

https://github.com/VBA-tools/VBA-JSON

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin
URLs in VB Code - #2

http://www.opensource.org/licenses/mit-license.php

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin
URLs in VB Code - #3

http://code.google.com/p/vba-json/

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin
URLs in VB Code - #4

http://msdn.microsoft.com/en-us/library/windows/desktop/ms724421.aspx

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin
URLs in VB Code - #5

http://msdn.microsoft.com/en-us/library/windows/desktop/ms724949.aspx

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin
URLs in VB Code - #6

http://msdn.microsoft.com/en-us/library/windows/desktop/ms725485.aspx

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin
URLs in VB Code - #7

http://support.microsoft.com/kb/269370

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin
URLs in VB Code - #8

http://www.ietf.org/rfc/rfc4627.txt

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin
URLs in VB Code - #9

https://support.microsoft.com/en-us/kb/272138

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin
URLs in VB Code - #10

http://www.vbaccelerator.com/home/VB/Code/Techniques/RunTime_Debug_Tracing/VB6_Tracer_Utility_zip_cStringBuilder_cls.asp

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin
URLs in VB Code - #11

https://github.com/VBA-tools/VBA-JSON/pull/82

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin
URLs in VB Code - #12

https://github.com/VBA-tools/VBA-UtcConverter

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin
URLs in VB Code - #13

http://s

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin
URLs in VB Code - #14

http://www.frez.co.uk

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin
URLs in VB Code - #1

http://www.frez.co.uk

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > CSHA256 > [Stored VBA]
URLs in VB Code - #1

http://www.frez.co.uk

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > CSHA256 > [Decompiled VBA]
URLs in VB Code - #1

https://github.com/VBA-tools/VBA-JSON

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter
URLs in VB Code - #2

http://www.opensource.org/licenses/mit-license.php

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter
URLs in VB Code - #3

http://code.google.com/p/vba-json/

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter
URLs in VB Code - #4

http://msdn.microsoft.com/en-us/library/windows/desktop/ms724421.aspx

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter
URLs in VB Code - #5

http://msdn.microsoft.com/en-us/library/windows/desktop/ms724949.aspx

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter
URLs in VB Code - #6

http://msdn.microsoft.com/en-us/library/windows/desktop/ms725485.aspx

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter
URLs in VB Code - #7

http://support.microsoft.com/kb/269370

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter
URLs in VB Code - #8

http://www.ietf.org/rfc/rfc4627.txt

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter
URLs in VB Code - #9

https://support.microsoft.com/en-us/kb/272138

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter
URLs in VB Code - #10

http://www.vbaccelerator.com/home/VB/Code/Techniques/RunTime_Debug_Tracing/VB6_Tracer_Utility_zip_cStringBuilder_cls.asp

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter
URLs in VB Code - #11

https://github.com/VBA-tools/VBA-JSON/pull/82

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter
URLs in VB Code - #12

https://github.com/VBA-tools/VBA-UtcConverter

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter
URLs in VB Code - #13

http://s

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter
URLs in VB Code - #1

https://github.com/VBA-tools/VBA-JSON

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter > [Stored VBA]
URLs in VB Code - #2

http://www.opensource.org/licenses/mit-license.php

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter > [Stored VBA]
URLs in VB Code - #3

http://code.google.com/p/vba-json/

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter > [Stored VBA]
URLs in VB Code - #4

http://msdn.microsoft.com/en-us/library/windows/desktop/ms724421.aspx

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter > [Stored VBA]
URLs in VB Code - #5

http://msdn.microsoft.com/en-us/library/windows/desktop/ms724949.aspx

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter > [Stored VBA]
URLs in VB Code - #6

http://msdn.microsoft.com/en-us/library/windows/desktop/ms725485.aspx

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter > [Stored VBA]
URLs in VB Code - #7

http://support.microsoft.com/kb/269370

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter > [Stored VBA]
URLs in VB Code - #8

http://www.ietf.org/rfc/rfc4627.txt

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter > [Stored VBA]
URLs in VB Code - #9

https://support.microsoft.com/en-us/kb/272138

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter > [Stored VBA]
URLs in VB Code - #10

http://www.vbaccelerator.com/home/VB/Code/Techniques/RunTime_Debug_Tracing/VB6_Tracer_Utility_zip_cStringBuilder_cls.asp

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter > [Stored VBA]
URLs in VB Code - #11

https://github.com/VBA-tools/VBA-JSON/pull/82

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter > [Stored VBA]
URLs in VB Code - #12

https://github.com/VBA-tools/VBA-UtcConverter

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter > [Stored VBA]
URLs in VB Code - #1

https://github.com/VBA-tools/VBA-JSON

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter > [Decompiled VBA]
URLs in VB Code - #2

http://www.opensource.org/licenses/mit-license.php

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter > [Decompiled VBA]
URLs in VB Code - #3

http://code.google.com/p/vba-json/

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter > [Decompiled VBA]
URLs in VB Code - #4

http://msdn.microsoft.com/en-us/library/windows/desktop/ms724421.aspx

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter > [Decompiled VBA]
URLs in VB Code - #5

http://msdn.microsoft.com/en-us/library/windows/desktop/ms724949.aspx

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter > [Decompiled VBA]
URLs in VB Code - #6

http://msdn.microsoft.com/en-us/library/windows/desktop/ms725485.aspx

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter > [Decompiled VBA]
URLs in VB Code - #7

http://support.microsoft.com/kb/269370

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter > [Decompiled VBA]
URLs in VB Code - #8

http://www.ietf.org/rfc/rfc4627.txt

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter > [Decompiled VBA]
URLs in VB Code - #9

https://support.microsoft.com/en-us/kb/272138

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter > [Decompiled VBA]
URLs in VB Code - #10

http://www.vbaccelerator.com/home/VB/Code/Techniques/RunTime_Debug_Tracing/VB6_Tracer_Utility_zip_cStringBuilder_cls.asp

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter > [Decompiled VBA]
URLs in VB Code - #11

https://github.com/VBA-tools/VBA-JSON/pull/82

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter > [Decompiled VBA]
URLs in VB Code - #12

https://github.com/VBA-tools/VBA-UtcConverter

b572151155cdb30aa3c5096071720dbf > xl > vbaProject.bin > Root Entry > VBA > JsonConverter > [Decompiled VBA]
Remote Template - Highly Suspicious

file:///C:\Users\ashutosh.khaitan\Desktop\Worksheet%20in%20SRS_Offline_GSTR10_30052018.xls

Malicious

b572151155cdb30aa3c5096071720dbf > xl > externalLinks > _rels > externalLink2.xml.rels
Remote Template - Highly Suspicious

file:///C:\Users\pallav_yadav\Documents\GSTR_4_Offline_Utility_v3.0_new_PY.xls

Malicious

b572151155cdb30aa3c5096071720dbf > xl > externalLinks > _rels > externalLink3.xml.rels
Remote Template - Highly Suspicious

file:///C:\Users\richi.jain\AppData\Local\Temp\Temp1_GSTR_4_Offline_Utility.zip\GSTR_4_Offline_Utility_v3.0.xls

Malicious

b572151155cdb30aa3c5096071720dbf > xl > externalLinks > _rels > externalLink1.xml.rels
You must be signed in to post a comment.
An error has occurred. This application may no longer respond until reloaded. Reload 🗙