Windows Analysis Report
Serbia_Vendor_Creation_1.xlsx

Overview

General Information

Sample name:	Serbia_Vendor_Creation_1.xlsx
Analysis ID:	1432059
MD5:	c1cda6d17a11952fef58a1aa3a47c30f
SHA1:	1c51727af61fd17e8d437a736bf254cd470a54a2
SHA256:	7c3babffc38d4b977d7e8ecef338936e9a002655a6fbbbd4bc2feaecfdbbdcca
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Contains an external reference to another file

Yara signature match

Classification

Signatures

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6DB1906E.emf

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: externalLink1.xml.rels, type: SAMPLE	Matched rule: Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents Author: ditekSHen
Source: externalLink2.xml.rels, type: SAMPLE	Matched rule: Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents Author: ditekSHen

Yara signature match

Source: externalLink1.xml.rels, type: SAMPLE	Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents
Source: externalLink2.xml.rels, type: SAMPLE	Matched rule: INDICATOR_OLE_RemoteTemplate author = ditekSHen, description = Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents

Source: classification engine

Classification label: mal52.evad.winXLSX@1/7@0/0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Serbia_Vendor_Creation_1.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR67D6.tmp

Jump to behavior

Source: Serbia_Vendor_Creation_1.xlsx	OLE indicator, Workbook stream: true
Source: 6B9E.tmp.0.dr	OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Serbia_Vendor_Creation_1.xlsx	Initial sample: OLE zip file path = xl/media/image2.emf
Source: Serbia_Vendor_Creation_1.xlsx	Initial sample: OLE zip file path = xl/media/image3.png
Source: Serbia_Vendor_Creation_1.xlsx	Initial sample: OLE zip file path = xl/media/image4.png
Source: Serbia_Vendor_Creation_1.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink1.xml
Source: Serbia_Vendor_Creation_1.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink2.xml
Source: Serbia_Vendor_Creation_1.xlsx	Initial sample: OLE zip file path = customXml/item3.xml
Source: Serbia_Vendor_Creation_1.xlsx	Initial sample: OLE zip file path = customXml/itemProps3.xml
Source: Serbia_Vendor_Creation_1.xlsx	Initial sample: OLE zip file path = docProps/custom.xml
Source: Serbia_Vendor_Creation_1.xlsx	Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: Serbia_Vendor_Creation_1.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink1.xml.rels
Source: Serbia_Vendor_Creation_1.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink2.xml.rels
Source: Serbia_Vendor_Creation_1.xlsx	Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: Serbia_Vendor_Creation_1.xlsx	Initial sample: OLE zip file path = customXml/_rels/item3.xml.rels
Source: Serbia_Vendor_Creation_1.xlsx	Initial sample: OLE zip file path = customXml/item2.xml
Source: 6B9E.tmp.0.dr	Initial sample: OLE zip file path = xl/media/image2.emf
Source: 6B9E.tmp.0.dr	Initial sample: OLE zip file path = xl/media/image3.png
Source: 6B9E.tmp.0.dr	Initial sample: OLE zip file path = xl/media/image4.png
Source: 6B9E.tmp.0.dr	Initial sample: OLE zip file path = xl/externalLinks/externalLink1.xml
Source: 6B9E.tmp.0.dr	Initial sample: OLE zip file path = xl/externalLinks/externalLink2.xml
Source: 6B9E.tmp.0.dr	Initial sample: OLE zip file path = customXml/item3.xml
Source: 6B9E.tmp.0.dr	Initial sample: OLE zip file path = customXml/itemProps3.xml
Source: 6B9E.tmp.0.dr	Initial sample: OLE zip file path = docProps/custom.xml
Source: 6B9E.tmp.0.dr	Initial sample: OLE zip file path = customXml/itemProps2.xml
Source: 6B9E.tmp.0.dr	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink1.xml.rels
Source: 6B9E.tmp.0.dr	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink2.xml.rels
Source: 6B9E.tmp.0.dr	Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
Source: 6B9E.tmp.0.dr	Initial sample: OLE zip file path = customXml/_rels/item3.xml.rels
Source: 6B9E.tmp.0.dr	Initial sample: OLE zip file path = customXml/item2.xml

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: Serbia_Vendor_Creation_1.xlsx

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Contains an external reference to another file

Source: externalLink1.xml.rels

Extracted files from sample: https://hyperoptic-my.sharepoint.com/personal/isidora_karapandzic_hyperoptic_com/documents/desktop/1.%20hyperoptic%20supplier%20code%20of%20conduct%20(1)%20srp.doc

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

ID:	1432059
Product:	CloudBasic
Start time:	11:12:37
Start date:	26.04.2024
Sample:	Serbia_Vendor_Creation_1.xlsx
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	c1cda6d17a11952fef58a1aa3a47c30f
SHA1:	1c51727af61fd17e8d437a736bf254cd470a54a2
SHA256:	7c3babffc38d4b977d7e8ecef338936e9a002655a6fbbbd4bc2feaecfdbbdcca
Filetype:	Excel Microsoft Office Open XML Format document (40004/1) 83.33%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\40AD1EBD.png	PNG image data, 918 x 680, 8-bit/color RGBA, non-interlaced	6A01035EDE94C9FE388506D948250EB0	07E3B0CFB128EFA95C934AAEF6EA5C153B972E98	C8700049E8A67BD3278A3D5A178F4D98F84EA608874A489FE854908C0FD3B9E0
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6C4E2997.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	2DA278DC5FE084DAC89F7E4CEE3E2CD9	ECC4FF84629924B2834C956FFBA4FA61A17FD622	AB7188923D4CB593378AE7E66A1C4D639BF876A903D78E7A4D82570149B916C0
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6DB1906E.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	921E15C48023C6E4344C9FE296F938A1	3B59C3569C3E0923EFD014A80AEB57F3F3133C73	53DFCD0087F36856D1B1841B46E19FBEF79FC54B7A1366F420F9A360E5D2554C
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B44946AC.png	PNG image data, 423 x 695, 8-bit/color RGBA, non-interlaced	1E6CB6F45FD9335E2BF06D5E119C4B1A	EF3DF1D0AAC0128C38EF50B4881479AF3788893E	3C0BC62F63769906AB07BA5ECCA08EB50414AA09F4F165492F3E798FDFCACC03
C:\Users\user\AppData\Local\Temp\6B9E.tmp	Microsoft Excel 2007+	C1CDA6D17A11952FEF58A1AA3A47C30F	1C51727AF61FD17E8D437A736BF254CD470A54A2	7C3BABFFC38D4B977D7E8ECEF338936E9A002655A6FBBBD4BC2FEAECFDBBDCCA
C:\Users\user\AppData\Local\Temp\6B9E.tmp:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\Desktop\~$Serbia_Vendor_Creation_1.xlsx	data	797869BB881CFBCDAC2064F92B26E46F	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185

Windows Analysis Report
Serbia_Vendor_Creation_1.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report Serbia_Vendor_Creation_1.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
Serbia_Vendor_Creation_1.xlsx