
Analysis Report 6757Maersk Documents65678.xlsx

Overview

General Information

Sample Name: 6757Maersk Documents65678.xlsx
MD5: 985517879923fd32e010b259299e5ca3
SHA1: 8ecc49957ed2bec355e84c000f6d79c28632b739
SHA256: eefb9bd599edae95d157906b7cdc1c3866872e4b8fdbff154d605770f3e84748

Detection

FormBook
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Sample file is different than original file name gathered from version info
Yara signature match

Classification

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 4560 cmdline: 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' /automation -Embedding MD5: D672D26C85AEB9536B9736BF04054969)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings

6757Maersk Documents65678.xlsx | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

6757Maersk Documents65678.xlsx | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0xfa050:$sqlite3step: 68 34 1C 7B E1
  • 0xfa17d:$sqlite3step: 68 34 1C 7B E1
  • 0xfa11c:$sqlite3text: 68 38 2A 90 C5
  • 0xfac1e:$sqlite3text: 68 38 2A 90 C5
  • 0xfa12f:$sqlite3blob: 68 53 D8 7F 8C
  • 0xfac34:$sqlite3blob: 68 53 D8 7F 8C

6757Maersk Documents65678.xlsx | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0xdf005:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xdf2ab:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xf4dae:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0xf469d:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0xf588d:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0xf5735:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xf2fc1:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xe27cd:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0xfeed9:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x100323:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

8976547shipping docs45890.exe | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

8976547shipping docs45890.exe | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x74850:$sqlite3step: 68 34 1C 7B E1
  • 0x7497d:$sqlite3step: 68 34 1C 7B E1
  • 0x7491c:$sqlite3text: 68 38 2A 90 C5
  • 0x7541e:$sqlite3text: 68 38 2A 90 C5
  • 0x7492f:$sqlite3blob: 68 53 D8 7F 8C
  • 0x75434:$sqlite3blob: 68 53 D8 7F 8C

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 6757Maersk Documents65678.xlsx; Virustotal: Detection: 15%
Yara detected FormBook
Source: Yara match; File source: 6757Maersk Documents65678.xlsx, type: SAMPLE
Source: Yara match; File source: 8976547shipping docs45890.exe, type: SAMPLE

Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://api.aadrm.com/
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://api.diagnostics.office.com
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://api.microsoftstream.com/api/
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://api.onedrive.com
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://apis.live.net/v5.0/
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://augloop.office.com
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://cdn.entity.
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://clients.config.office.net/
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://config.edge.skype.com
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/documentvirality/prod/index.html
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/progressui/index.html
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://cr.office.com
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://dataservice.o365filtering.com
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://dataservice.o365filtering.com/
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://devnull.onenote.com
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://directory.services.
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://graph.ppe.windows.net
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://graph.ppe.windows.net/
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://graph.windows.net
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://graph.windows.net/
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://incidents.diagnostics.office.com
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://lifecycle.office.com
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://login.microsoftonline.com/
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://login.microsoftonline.com/common
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://login.windows.local
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://management.azure.com
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://management.azure.com/
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://messaging.office.com/
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://ncus-000.contentsync.
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://ncus-000.pagecontentsync.
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://officeapps.live.com
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://onedrive.live.com
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://onedrive.live.com/embed?
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://powerlift.acompli.net
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://retailer.osi.office.net/appstate/query
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://settings.outlook.com
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://shell.suite.office.com:1443
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://skyapi.live.net/Activity/
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://store.office.cn/addinstemplate
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://store.office.com/addinstemplate
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://store.office.de/addinstemplate
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://tasks.office.com
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://templatelogging.office.com/client/log
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://web.microsoftstream.com/video/
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://wus2-000.contentsync.
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://wus2-000.pagecontentsync.
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 6D2C87E0-FBD2-4A11-8CB8-7D214AD79B14.0.dr; String found in binary or memory: https://www.odwebp.svc.ms

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 6757Maersk Documents65678.xlsx, type: SAMPLE
Source: Yara match; File source: 8976547shipping docs45890.exe, type: SAMPLE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 6757Maersk Documents65678.xlsx, type: SAMPLE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 6757Maersk Documents65678.xlsx, type: SAMPLE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8976547shipping docs45890.exe, type: SAMPLE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 8976547shipping docs45890.exe, type: SAMPLE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6757Maersk Documents65678.xlsx; Binary or memory string: OriginalFilename8976547shipping docs45890.exeD vs 6757Maersk Documents65678.xlsx
Source: 6757Maersk Documents65678.xlsx, type: SAMPLE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6757Maersk Documents65678.xlsx, type: SAMPLE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8976547shipping docs45890.exe, type: SAMPLE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8976547shipping docs45890.exe, type: SAMPLE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: classification engine; Classification label: mal64.troj.winXLSX@1/8@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\Floodgate
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\{3043A03D-72B5-4E4A-B0DA-309ED18309B9} - OProcSessId.dat
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; File read: C:\Users\desktop.ini
Source: 6757Maersk Documents65678.xlsx; Virustotal: Detection: 15%
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office
Source: 6757Maersk Documents65678.xlsx; Static file information: File size 1097728 > 1048576

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match; File source: 6757Maersk Documents65678.xlsx, type: SAMPLE
Source: Yara match; File source: 8976547shipping docs45890.exe, type: SAMPLE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match; File source: 6757Maersk Documents65678.xlsx, type: SAMPLE
Source: Yara match; File source: 8976547shipping docs45890.exe, type: SAMPLE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Graphical User Interface (1) | Winlogon Helper DLL | Port Monitors | Masquerading (1) | Credential Dumping | File and Directory Discovery (1) | Application Deployment Software | Data from Local System | Data Compressed | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Binary Padding | Network Sniffing | System Information Discovery (1) | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Fallback Channels | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout

Behavior Graph

Screenshots