Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 066c57024ed47559…

MALICIOUS

Office (OOXML)

Size: 1.15 MB
Created: 2016-06-03 09:34:00 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-09-29
MD5: fc34f996ec7b7e701929e828c949351b
SHA-1: 835cde59fa7b56aa93545ca4234e2550bdc9a836
SHA-256: 066c57024ed475591dfeef7e0abae24f770426df030c37d397b8269d17b009bc
Risk score: 270

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

This Excel document contains VBA macros that utilize Shell() and WScript.Shell to execute commands. The macros likely download and execute a second-stage payload from one of the embedded URLs, such as http://zigzak.eu/download/esf/esf_2_1.pdf. The document body content suggests a financial reporting lure, which is a common tactic for phishing and malware delivery.

Heuristics (12)

  • VBA project inside OOXML (medium, 5 related findings) [OOXML_VBA]
    Document contains a VBA project — VBA macros present (project part renamed away from vbaProject.bin: xl/vbaProjectSignatureV3.bin)
  • Shell() call in VBA (critical) [OLE_VBA_SHELL]
  • WScript.Shell usage (critical) [OLE_VBA_WSCRIPT]
  • VBA project part renamed to evade filename detection (high) [OOXML_VBA_PROJECT_RENAMED]
    The VBA project is bound through the OOXML relationship/content type but its part is not named vbaProject.bin. Legitimate Office producers always emit vbaProject.bin; renaming it hides the macros from path-only scanners (observed in the SVCReady loader).
  • CreateObject call (high) [OLE_VBA_CREATEOBJ]
  • Environ() call (env variable access) (low) [OLE_VBA_ENVIRON]
  • Embedded OLE object (medium) [OOXML_OLE_OBJECT]
    Document contains an embedded OLE object
  • External hyperlinks (4) (low) [OOXML_EXTERNAL_HYPERLINKS]
    Document contains 4 external hyperlinks — clickable URLs are stored as external relationships. First target: http://zigzak.eu/download/esf/esf_2_1.pdf
  • Hidden worksheet (hidden, veryHidden) (low) [OOXML_HIDDEN_SHEET]
    Excel workbook contains 4 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Payload URL recovered from embedded OLE object (25 URLs) (info) [OOXML_EMBEDDED_OBJECT_URL]
    An embedded OLE object (xl/word/ppt embeddings) carries a next-stage download URL in its Ole10Native/Package stream — stored literally (incl. UTF-16) or base64-encoded — which the package-level URL sweep does not see. Surfaced as an IOC; self-validating (only real payload hosts).
  • VBA project carries a recognised code-signing signature (info) [VBA_SIGNED_TRUSTED]
    The VBA project is Authenticode-signed and the signer/issuer chain matches a recognised code-signing publisher or CA. Informational only — the signature is NOT yet verified to cover the current project bytes, so it does not (yet) reduce the verdict.
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (32)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 282577 bytes
  SHA-256: eeedcf8eb010a1d85f6ed8e33bc5452b2eb9de2fc2e6c824e412d2752ecb81c5
Script preview: first 1,000 lines of the extracted script
Attribute VB_Name = "Ten_skoroszyt"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Attribute VB_Name = "Arkusz1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Worksheet_Change(ByVal Target As Range)
    PreventFieldProtetction Target
End Sub

Attribute VB_Name = "PDF"
Option Explicit
'Helper module for saving Excel PDF attachments to a separate file.
'The standard viewer (Adobe Acrobat) does not expose OLE objects that would allow saving them

'Saves the given object (a PDF attachment) to the specified file
'Arguments:
'   Obj:    the attachment (PDF)
'   Path:   the path the file should be saved to
Sub SaveToFile(ByVal Obj As OLEObject, ByVal Path As String)
    Dim data() As Byte 'Buffer for the attachment data
    Dim pFrom As Long, pTo As Long 'Positions of the start and end of the PDF file in the Data array
    GetRawData Obj, data 'Copy the object's "raw" data into the Data array

    pFrom = InStrB(data, StrConv("%PDF", vbFromUnicode)) 'Start of the actual PDF file within the object data
    'The end of the file is searched for in a loop, because the text %%EOF may appear more than once (usually twice)
    Dim Pos As Long
    Pos = pFrom
    Do
        pTo = Pos + 5
        Pos = InStrB(pTo, data, StrConv("%%EOF", vbFromUnicode))
    Loop While Pos > 0
    'At this point pFrom and pTo have been determined
    'A small sanity check does not hurt:
    If pFrom = 0 Or pTo <= (pFrom + 5) Then
        Err.Raise CriticalError, "PDF", GetText("AttachementCorrupted", GetFileName(Path))
    End If
    If FileExists(Path) Then Kill Path 'I had problems with the ADOStream.SaveToFile flags; I could not force overwriting in that procedure
    Stream.BinaryToFile data, Path, pFrom - 1, pTo - pFrom
End Sub

Attribute VB_Name = "ZMakraPrzydatnePodczasEdycji"
Option Explicit

Sub ZmienAdresNaBezwzgledny()
Attribute ZmienAdresNaBezwzgledny.VB_Description = "Zmienia adresy w zaznaczonych komórkach na bezwzględne"
Attribute ZmienAdresNaBezwzgledny.VB_ProcData.VB_Invoke_Func = "g\n14"
'
' Changes the addresses in the selected cells to absolute references
'
' Keyboard shortcut: Ctrl+L
'
    Dim cell As Range, WorkbookName As String
    WorkbookName = "[" & ActiveWorkbook.Name & "]"
    For Each cell In Selection.cells
        If cell.formula Like "=*" Then
            cell.FormulaR1C1 = Replace(Application.ConvertFormula(cell.FormulaR1C1, xlR1C1, ToAbsolute:=True), WorkbookName, "")
        End If
    Next cell
End Sub
'The procedure looks in column B for the row holding the selected cell's address and copies that cell's formula as text
Sub PrzepiszFormuleDoMapowania()
Attribute PrzepiszFormuleDoMapowania.VB_Description = "Kopiuje formułę z komórki źródłowej do obszaru mapowania (jako tekst)"
Attribute PrzepiszFormuleDoMapowania.VB_ProcData.VB_Invoke_Func = "F\n14"
    Dim Mapowanie As Range
    Dim cell As Range, RefCell As Range, Source As Range
    Set Mapowanie = GetRangeFor("Mapowanie")
    Set cell = Selection.cells(1)
    If Application.Intersect(Mapowanie, cell) Is Nothing Then Exit Sub
    Set RefCell = Mapowanie.cells(cell.row - Mapowanie.row + 1, 1)
    If IsEmpty(RefCell) Then Exit Sub
    Set Source = Range(RefCell.value)
    cell.formula = "'" & Source.formula
End Sub

'Removes unneeded shapes from the active sheet
'Arguments:
'   Names: list of names to remove (comma-separated)
Sub UnhideShapes(Optional ByVal names)
    Dim Shp As shape
    For Each Shp In ActiveSheet.Shapes
        If IsMissing(names) Or Contains(names, Shp.Name) Then
                Shp.Visible = msoTrue
                Debug.Print Shp.Name, Shp.TopLeftCell.Address
        End
... (truncated)
ooxml_oleobject_00.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject16.bin | 23040 bytes
  SHA-256: e8b18fa88bb6689dd38633624f790d231b8e3a484e51e0ed38a1f2f830cfc041
ooxml_oleobject_00_ole10native_00.bin | ole-package | OOXML xl/embeddings/oleObject16.bin Ole10Native stream: Ole10Native | 20017 bytes
  SHA-256: dde2576e9c77c2d2349a661bc28e38a4b60da87175949184969b1d96736e6c40
ooxml_oleobject_01.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject1.bin | 87552 bytes
  SHA-256: 01387d0125f188a4f438b2e561b8935af65800498173938645588f3bb2e70986
ooxml_oleobject_01_ole10native_00.bin | ole-package | OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native | 84363 bytes
  SHA-256: 2dca02da072789844c5ae2348c0a35917024aa2f32f960f027d70c669b0d150c
ooxml_oleobject_02.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject14.bin | 31744 bytes
  SHA-256: 8e18f81b05cfe236e006d6899668c6d48f7c5e19d876b2bf46328390fd4b4b9d
ooxml_oleobject_02_ole10native_00.bin | ole-package | OOXML xl/embeddings/oleObject14.bin Ole10Native stream: Ole10Native | 28753 bytes
  SHA-256: c93aff0f6eab165b593c089d089b760c28628564b724f8a3b3a83ed12703f24a
ooxml_oleobject_03.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject17.bin | 23040 bytes
  SHA-256: 1c12ade90390a24d3b4526f99cb3f53ed5dc5d5cedf4bc5f903b57c5a963493d
ooxml_oleobject_03_ole10native_00.bin | ole-package | OOXML xl/embeddings/oleObject17.bin Ole10Native stream: Ole10Native | 20075 bytes
  SHA-256: 2b6975e43d6774fada7e766acad5fa70bca432727cceecab058837338bf63ae2
ooxml_oleobject_04.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject9.bin | 83456 bytes
  SHA-256: 862b7ee8f107270a82a53faed7968678e8aa04d7b0e11bec19319528a14bd85a
ooxml_oleobject_04_ole10native_00.bin | ole-package | OOXML xl/embeddings/oleObject9.bin Ole10Native stream: Ole10Native | 80066 bytes
  SHA-256: 1a374b14244f012a6e7e7989d5da4a7031b337c792da7d7d858b2d9ad32047da
ooxml_oleobject_05.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject12.bin | 51712 bytes
  SHA-256: 46053c5d6cf346525fe76b4761bfa6d85a065365a0ca0469b4224b7a7168163e
ooxml_oleobject_05_ole10native_00.bin | ole-package | OOXML xl/embeddings/oleObject12.bin Ole10Native stream: Ole10Native | 48937 bytes
  SHA-256: a3d5b2fb2a55c948534902649eb6b3aed53667d3c51213631c0e9e7937c04abd
ooxml_oleobject_06.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject3.bin | 12288 bytes
  SHA-256: 3a8d60bcae28245dedb887be740592d04855c4cd23cda238ee4cbb94a2e0b622
ooxml_oleobject_06_ole10native_00.bin | ole-package | OOXML xl/embeddings/oleObject3.bin Ole10Native stream: Ole10Native | 9413 bytes
  SHA-256: 8e8c68190feb698b67d2e5fc8b3dd2f07fbc8fa2aa2b0644013b39e0ca451499
ooxml_oleobject_07.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject13.bin | 31744 bytes
  SHA-256: f6e9281ef23b733a483a21e5b4a546ffb56265c801bf309878e5de9de92ef1f7
ooxml_oleobject_07_ole10native_00.bin | ole-package | OOXML xl/embeddings/oleObject13.bin Ole10Native stream: Ole10Native | 28822 bytes
  SHA-256: 9243df4f5513ae723eed20539494daf73cdd566d01423a37bdb735cd4fb1d90a
ooxml_oleobject_08.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject15.bin | 69120 bytes
  SHA-256: c55499e94c5c1737ca6a90168832a07c8fd5d87514a918f5c9bb10aaa0eb185e
ooxml_oleobject_08_ole10native_00.bin | ole-package | OOXML xl/embeddings/oleObject15.bin Ole10Native stream: Ole10Native | 66009 bytes
  SHA-256: 2dee01846e5dbf9728ced6609bc0faeef7d0dea86f2b60fbf6b2ef6bddbadafc
ooxml_oleobject_09.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject2.bin | 19968 bytes
  SHA-256: 1d7f967dc72a1c9c425b7bea0220b6fb3f390af8299417b23c9a76b2ea4cb673
ooxml_oleobject_09_ole10native_00.bin | ole-package | OOXML xl/embeddings/oleObject2.bin Ole10Native stream: Ole10Native | 17265 bytes
  SHA-256: 8b54c73241dfa6c1e8667d1202aeec44fff68b72f90e3dcb83b5a7d021f3c88f
ooxml_oleobject_10.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject5.bin | 26624 bytes
  SHA-256: ebcd75d46e05c2a464de301b53815ed84b84cedff25cc6022bb747124b16eff4
ooxml_oleobject_10_ole10native_00.bin | ole-package | OOXML xl/embeddings/oleObject5.bin Ole10Native stream: Ole10Native | 23757 bytes
  SHA-256: 9cfdc29198a6a4ccdea01e8a8508eec076b258a93e47134702f0c4856d003abb
ooxml_oleobject_11.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject8.bin | 10240 bytes
  SHA-256: 19cd331f17e47d574a311c039e85b50fb098b4ced3a2ad3d30672d83169917a9
ooxml_oleobject_11_ole10native_00.bin | ole-package | OOXML xl/embeddings/oleObject8.bin Ole10Native stream: Ole10Native | 7592 bytes
  SHA-256: 0488fde84916699f74de9eba8a8ef1788590a4fbd4ab436e0e6b9b2bc0eda0e9
ooxml_oleobject_12.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject4.bin | 18432 bytes
  SHA-256: 948ddc97aa69c3b24a332b9451bb4a2710e799bd8cee600932a37725bd56a49d
ooxml_oleobject_12_ole10native_00.bin | ole-package | OOXML xl/embeddings/oleObject4.bin Ole10Native stream: Ole10Native | 15761 bytes
  SHA-256: e4544970fea25be8de7e44ffef0d057d8a076f717df58b49325059fe6b1217ba
ooxml_oleobject_13.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject10.bin | 15872 bytes
  SHA-256: 28478709c68b7b92e2644bc71fe0d2d6029974f4b9b9993a5876351fcd2e7509
ooxml_oleobject_13_ole10native_00.bin | ole-package | OOXML xl/embeddings/oleObject10.bin Ole10Native stream: Ole10Native | 12906 bytes
  SHA-256: d68e7610e3ae47d03d0b9b916c295f1075cf7c1ab99876123c32dab2faaa7542
ooxml_oleobject_14.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject7.bin | 10240 bytes
  SHA-256: 756d0b0ee19e4815360e3afe4679e90d35f0117b6aca9215a7137c0165b41aa2
ooxml_oleobject_14_ole10native_00.bin | ole-package | OOXML xl/embeddings/oleObject7.bin Ole10Native stream: Ole10Native | 7545 bytes
  SHA-256: 5ad1e55f921e486a30ddaa0fca65f3fb0915d871f80eaa87a8a6c54c666f2c57
ooxml_oleobject_15.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject6.bin | 287744 bytes
  SHA-256: 4687f57045452edc2d706fa2df4c50ad4b7e5d5d331ed6988b7cc4fa51cdeb8a