Analysis Report awnunJUC58.xls

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 189228
Start date: 12.11.2019
Start time: 17:55:05
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 44s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: awnunJUC58.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal52.expl.evad.winXLS@1/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .xls
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe

Detection

Strategy: Threshold
Score: 52
Range: 0 - 100
Reporting: (score bar not reproduced)
Whitelisted: false
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false
Confidence: (confidence bar not reproduced)


Classification

(Classification chart not reproduced; label: mal52.expl.evad.winXLS@1/0@0/0)

Mitre Att&ck Matrix

Techniques listed per tactic column; bracketed numbers are the counters shown next to the matched techniques in the original matrix.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise
Execution: Scripting [31]; Service Execution; Windows Management Instrumentation
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features
Privilege Escalation: Process Injection [1]; Accessibility Features; Path Interception
Defense Evasion: Process Injection [1]; Scripting [31]; Rootkit
Credential Access: Credential Dumping; Network Sniffing; Input Capture
Discovery: Process Discovery [1]; File and Directory Discovery [1]; System Information Discovery [1]
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration
Command and Control: Data Obfuscation; Fallback Channels; Custom Cryptographic Protocol

Signature Overview



Networking:

Urls found in memory or binary data
Source: EXCEL.EXE, 00000000.00000002.2472147268.01290000.00000002.00000001.sdmp, String found in binary or memory: http://Myserver/Mydoc.htm

System Summary:

Document contains an embedded VBA macro with suspicious strings
Source: awnunJUC58.xls, OLE, VBA macro line: UNombre = Environ("username")
Source: awnunJUC58.xls, OLE, VBA macro line: UDominio = Environ("userdomain")
Source: awnunJUC58.xls, OLE, VBA macro line: Set myWS = CreateObject("WScript.Shell")
Source: awnunJUC58.xls, OLE, VBA macro line: UPerf = Environ("UserProfile")
Source: awnunJUC58.xls, OLE, VBA macro line: WDir = Environ("WinDir")
Source: awnunJUC58.xls, OLE, VBA macro line: UPerf = Environ("UserProfile")
Source: VBA code instrumentation, OLE, VBA macro: Module Hoja2, Function Worksheet_Activate, String environ: UNombre = Environ("username"), Name: Worksheet_Activate
Source: VBA code instrumentation, OLE, VBA macro: Module Hoja2, Function Worksheet_Activate, String environ: UDominio = Environ("userdomain"), Name: Worksheet_Activate
Source: VBA code instrumentation, OLE, VBA macro: Module Hoja2, Function Worksheet_Activate, String wscript: Set myWS = CreateObject("WScript.Shell"), Name: Worksheet_Activate
Source: VBA code instrumentation, OLE, VBA macro: Module Hoja2, Function Worksheet_Activate, String environ: UPerf = Environ("UserProfile"), Name: Worksheet_Activate
Source: VBA code instrumentation, OLE, VBA macro: Module Hoja2, Function Worksheet_Activate, String environ: WDir = Environ("WinDir"), Name: Worksheet_Activate
Source: VBA code instrumentation, OLE, VBA macro: Module Hoja2, Function TestDecodeToFile, String environ: UPerf = Environ("UserProfile"), Name: TestDecodeToFile
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Source: awnunJUC58.xls, Stream path 'VBA/Hoja2': found possibly 'WScript.Shell' functions exec, regwrite, environ
Document contains an embedded macro with GUI obfuscation
Source: awnunJUC58.xls, Stream path 'VBA/M\x243dulo1': Found suspicious string scripting.filesystemobject in non macro stream
Document contains embedded VBA macros
Source: awnunJUC58.xls, OLE indicator, VBA macros: true
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: awnunJUC58.xls, OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Yara signature match
Source: awnunJUC58.xls, type: SAMPLE, Matched rule: SUSP_VBA_FileSystem_Access (date = 2019-06-21, author = Florian Roth, description = Detects suspicious VBA that writes to disk and is activated on document open, reference = Internal Research, score = 52262bb315fa55b7441a04966e176b0e26b7071376797e35c80aa60696b6d6fc)
Classification label
Source: classification engine, Classification label: mal52.expl.evad.winXLS@1/0@0/0
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user~1\AppData\Local\Temp\CVR9741.tmp
Reads ini files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File read: C:\Users\desktop.ini
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: D:\office\Target\XL\X86\ship\1033.pre\xlintl32.PDB, source: EXCEL.EXE, 00000000.00000002.2472147268.01290000.00000002.00000001.sdmp

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Process information set: NOOPENFILEERRORBOX (reported 8 times)

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: EXCEL.EXE, 00000000.00000002.2471734788.00510000.00000002.00000001.sdmp, Binary or memory string: Program Manager
Source: EXCEL.EXE, 00000000.00000002.2471734788.00510000.00000002.00000001.sdmp, Binary or memory string: Progman
Source: EXCEL.EXE, 00000000.00000002.2471734788.00510000.00000002.00000001.sdmp, Binary or memory string: Shell_TrayWnd

Behavior Graph

(Interactive graph not reproduced.) Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet.

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: awnunJUC58.xls
Detection: 5%
Scanner: Virustotal
Label: (none)

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source: http://Myserver/Mydoc.htm
Detection: 0%
Scanner: Avira URL Cloud
Label: safe

Yara Overview

Initial Sample

Source: awnunJUC58.xls
Rule: SUSP_VBA_FileSystem_Access
Description: Detects suspicious VBA that writes to disk and is activated on document open
Author: Florian Roth
Strings:
  • 0xb8b0:$s1: \Common Files\Microsoft Shared\
  • 0xbbe8:$s1: \Common Files\Microsoft Shared\
  • 0xc3be:$s1: \Common Files\Microsoft Shared\
  • 0x8180:$s2: Scripting.FileSystemObject
  • 0x591d:$a2: WScript.Shell

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

(Screenshot thumbnails not reproduced.)