
Analysis Report File_COVID-19.xls

Overview

General Information

Sample Name:File_COVID-19.xls
Analysis ID:248559
MD5:f35d6831c7e3a86fa456a70a0e0e639d
SHA1:bd7a2f2ec5f0dfeb8db6a1ea94370091700d8b43
SHA256:d4a1632119f57a9fbbb43e3f322babf9de6fc6a7bfe902b8beaf3eb8207a7e07


Detection

Hidden Macro 4.0
Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document contains embedded VBA macros
Potential document exploit detected (unknown TCP traffic)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Yara detected Xls With Macro 4.0
Yara signature match

Classification

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 5780 cmdline: 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' /automation -Embedding MD5: D672D26C85AEB9536B9736BF04054969)
    • rundll32.exe (PID: 5316 cmdline: C:\Windows\SysWOW64\rundll32.exe C:\raaNzbx\KYGXJNn\hdSmdTh.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: File_COVID-19.xls; Rule: SUSP_Excel4Macro_AutoOpen; Description: Detects Excel4 macro use with auto open / close; Author: John Lambert @JohnLaTwC
Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x55ca2:$s1: Excel
  • 0x56d01:$s1: Excel
  • 0x3699:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

Source: File_COVID-19.xls; Rule: SUSP_EnableContent_String_Gen; Description: Detects suspicious string that asks to enable active content in Office Doc; Author: Florian Roth
Strings:
  • 0x50ca0:$e1: Enable Editing
  • 0x50cdb:$e1: Enable Editing
  • 0x50cf9:$e2: Enable Content

Source: File_COVID-19.xls; Rule: JoeSecurity_XlsWithMacro4; Description: Yara detected Xls With Macro 4.0; Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis; Data: Command: C:\Windows\SysWOW64\rundll32.exe C:\raaNzbx\KYGXJNn\hdSmdTh.dll,DllRegisterServer, CommandLine: C:\Windows\SysWOW64\rundll32.exe C:\raaNzbx\KYGXJNn\hdSmdTh.dll,DllRegisterServer, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, ParentProcessId: 5780, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe C:\raaNzbx\KYGXJNn\hdSmdTh.dll,DllRegisterServer, ProcessId: 5316

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: File_COVID-19.xls; Virustotal: Detection: 8%

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE; Process created: C:\Windows\SysWOW64\rundll32.exe
Source: global traffic; TCP traffic: 192.168.2.5:49744 -> 188.40.203.221:80
Source: unknown; TCP traffic detected without corresponding DNS query: 188.40.203.221