Windows Analysis Report
samradapps_datepicker_221114.xlam

Overview

General Information

Sample name: samradapps_datepicker_221114.xlam
Analysis ID: 1430908
MD5: 9a3a270b12e8549a99df3577010ef12b
SHA1: a639b29041bd72091b0df31da8bb4a660b0c2cd2
SHA256: 66bdc42fa9dff673e23701b27b401171559d1b3acf8e0e4f67404464e8848a84

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document contains an embedded VBA macro which may check the desktop resolution (possible anti-VM)
Document contains an embedded VBA macro which may execute shellcode
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA macro which executes code when the document is opened / closed

Classification

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

System Summary
barindex
Document contains an embedded VBA macro which may check the desktop resolution (possible anti-VM)
Source: samradapps_datepicker_221114.xlam OLE, VBA macro line: Private Declare PtrSafe Function GetSystemMetrics32 Lib "user32" Alias "GetSystemMetrics" (ByVal nIndex As Long) As Long
Source: samradapps_datepicker_221114.xlam OLE, VBA macro line: Private Declare Function GetSystemMetrics32 Lib "user32" Alias "GetSystemMetrics" (ByVal nIndex As Long) As Long
Source: samradapps_datepicker_221114.xlam OLE, VBA macro line: g_screenHeight = GetSystemMetrics32(SM_CYMAXIMIZED)
Source: samradapps_datepicker_221114.xlam OLE, VBA macro line: g_screenWidth = GetSystemMetrics32(SM_CXMAXIMIZED)
Document contains an embedded VBA macro which may execute shellcode
Source: samradapps_datepicker_221114.xlam OLE, VBA macro line: Private Declare PtrSafe Function CallWindowProc Lib "user32" Alias "CallWindowProcA" (ByVal lpPrevWndFunc As LongPtr, ByVal hwnd As LongPtr, ByVal Msg As Long, ByVal wParam As LongPtr, ByVal lParam As LongPtr) As LongPtr
Source: samradapps_datepicker_221114.xlam OLE, VBA macro line: Private Declare Function CallWindowProc Lib "user32.dll" Alias "CallWindowProcA" (ByVal lpPrevWndFunc As Long, ByVal hwnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
Document contains an embedded VBA macro with suspicious strings
Source: samradapps_datepicker_221114.xlam OLE, VBA macro line: pathToIcon = Environ("temp") & "\samrad3.bmp"
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Source: samradapps_datepicker_221114.xlam Stream path 'VBA/dp_core' : found possibly 'ADODB.Stream' functions mode, position, read
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: samradapps_datepicker_221114.xlam OLE, VBA macro line: Private Sub Workbook_Open()
Source: classification engine Classification label: mal56.expl.evad.winXLAM@1/7@0/0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$samradapps_datepicker_221114.xlam Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR6C0B.tmp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Window found: window name: SysTabControl32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Document contains an embedded VBA macro which may check the desktop resolution (possible anti-VM)
Source: samradapps_datepicker_221114.xlam OLE, VBA macro line: Private Declare PtrSafe Function GetSystemMetrics32 Lib "user32" Alias "GetSystemMetrics" (ByVal nIndex As Long) As Long
Source: samradapps_datepicker_221114.xlam OLE, VBA macro line: Private Declare Function GetSystemMetrics32 Lib "user32" Alias "GetSystemMetrics" (ByVal nIndex As Long) As Long
Source: samradapps_datepicker_221114.xlam OLE, VBA macro line: g_screenHeight = GetSystemMetrics32(SM_CYMAXIMIZED)
Source: samradapps_datepicker_221114.xlam OLE, VBA macro line: g_screenWidth = GetSystemMetrics32(SM_CXMAXIMIZED)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1430908 Sample: samradapps_datepicker_221114.xlam Startdate: 24/04/2024 Architecture: WINDOWS Score: 56 7 Document contains an embedded VBA macro which may check the desktop resolution (possible anti-VM) 2->7 9 Document contains an embedded VBA macro which may execute shellcode 2->9 11 Document contains an embedded VBA with functions possibly related to ADO stream file operations 2->11 13 Document contains an embedded VBA macro with suspicious strings 2->13 5 EXCEL.EXE 166 16 2->5         started        process3
No contacted IP infos