
Analysis Report Services_prices.xls

Overview

General Information

Sample Name: Services_prices.xls
MD5: 958e3617f1a5188b6649ad95893a6b24
SHA1: 73301322527cc27356b8a4c3b01afa570a728214
SHA256: 0fcbb5d01713986bef119fa8889ea94f9a9e3b79350d6d73f548fcc3754bae35

Detection

Hidden Macro 4.0
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malicious Excel 4.0 Macro
Document exploit detected (UrlDownloadToFile)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Checks for available system drives (often done to infect USB drives)
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Yara detected Xls With Macro 4.0
Yara signature match

Classification

Startup

  • System is w7
  • EXCEL.EXE (PID: 3860, cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, MD5: 716335EDBB91DA84FC102425BFDA957E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: Services_prices.xls
Rule: SUSP_Excel4Macro_AutoOpen
Description: Detects Excel4 macro use with auto open / close
Author: John Lambert @JohnLaTwC
Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x122a2:$s1: Excel
  • 0x13301:$s1: Excel
  • 0x3632:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

Source: Services_prices.xls
Rule: SUSP_EnableContent_String_Gen
Description: Detects suspicious string that asks to enable active content in Office Doc
Author: Florian Roth
Strings:
  • 0x3f1c:$e1: Enable Editing
  • 0x3f31:$e2: Enable Content

Source: Services_prices.xls
Rule: JoeSecurity_XlsWithMacro4
Description: Yara detected Xls With Macro 4.0
Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: z:
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: x:
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: v:
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: t:
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: r:
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: p:
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: n:
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: l:
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: j:
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: h:
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: f:
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: b:
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: y:
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: w:
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: u:
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: s:
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: q:
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: o:
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: m:
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: k:
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: i:
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: g:
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: e:
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: c:
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: a:

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Source: global traffic | TCP traffic: 192.168.2.2:49159 -> 45.140.16.6:80