
Analysis Report Form_00062521468.xls

Overview

General Information

Sample Name: Form_00062521468.xls
MD5: 01e5f39554a5c84218f5193f9416936f
SHA1: 8eb28ade4f82e5e564ec10796a362395f00dd83b
SHA256: 1fb2b41cc4867841fa2ee0fedef3c682e977683f7284c305fec24d2995850ef0

Detection

Hidden Macro 4.0
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found abnormal large hidden Excel 4.0 Macro sheet
Sigma detected: Microsoft Office Product Spawning Windows Shell
Checks for available system drives (often done to infect USB drives)
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Yara detected Xls With Macro 4.0
Yara signature match

Classification

Startup

  • System is w7
  • EXCEL.EXE (PID: 3928 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 716335EDBB91DA84FC102425BFDA957E)
    • rundll32.exe (PID: 2124 cmdline: 'C:\Windows\System32\rundll32.exe' C:\lUUHtVr\ESzRDHg\bXMgWNb.dll,DllRegisterServer MD5: C648901695E275C8F2AD04B687A68CE2)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: Form_00062521468.xls
Rule: SUSP_Excel4Macro_AutoOpen
Description: Detects Excel4 macro use with auto open / close
Author: John Lambert @JohnLaTwC
Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x278a2:$s1: Excel
  • 0x28996:$s1: Excel
  • 0x3587:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

Source: Form_00062521468.xls
Rule: JoeSecurity_XlsWithMacro4
Description: Yara detected Xls With Macro 4.0
Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started
Author: Michael Haag, Florian Roth, Markus Neis
Data:
  • Command: 'C:\Windows\System32\rundll32.exe' C:\lUUHtVr\ESzRDHg\bXMgWNb.dll,DllRegisterServer
  • CommandLine: 'C:\Windows\System32\rundll32.exe' C:\lUUHtVr\ESzRDHg\bXMgWNb.dll,DllRegisterServer
  • CommandLine|base64offset|contains: (empty)
  • Image: C:\Windows\System32\rundll32.exe
  • NewProcessName: C:\Windows\System32\rundll32.exe
  • OriginalFileName: C:\Windows\System32\rundll32.exe
  • ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
  • ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  • ParentProcessId: 3928
  • ProcessCommandLine: 'C:\Windows\System32\rundll32.exe' C:\lUUHtVr\ESzRDHg\bXMgWNb.dll,DllRegisterServer
  • ProcessId: 2124

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: http://81.16.141.208/F3gbNM Virustotal: Detection: 8%

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, c:, a:

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)