Analysis Report tripadvisor_hint.xls

Overview

General Information

Sample Name:tripadvisor_hint.xls
Analysis ID:250297
MD5:f4020bb7757a09499282a052482009c1
SHA1:cbdf36ce6c148b2037df4aa5514fc8f03d49ef85
SHA256:e2e495aede724729169c83f7ad43d71404753372058fd5002818b11386f5980a

Detection

Hidden Macro 4.0
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Yara detected Xls With Macro 4.0
Yara signature match

Startup

  • System is w7
  • EXCEL.EXE (PID: 4040 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 716335EDBB91DA84FC102425BFDA957E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: tripadvisor_hint.xls
Rule: SUSP_Excel4Macro_AutoOpen
Description: Detects Excel4 macro use with auto open / close
Author: John Lambert @JohnLaTwC
Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x2d8a2:$s1: Excel
  • 0x2e902:$s1: Excel
  • 0x33df:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

Source: tripadvisor_hint.xls
Rule: SUSP_EnableContent_String_Gen
Description: Detects suspicious string that asks to enable active content in Office Doc
Author: Florian Roth
Strings:
  • 0x2d42b:$e1: Enable Editing
  • 0x2d440:$e2: Enable Content

Source: tripadvisor_hint.xls
Rule: JoeSecurity_XlsWithMacro4
Description: Yara detected Xls With Macro 4.0
Author: Joe Security
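The three rules above match on raw file bytes rather than on a parsed workbook: the CFB magic at offset 0, a DEFINEDNAME (record 0x0018) whose flags set fBuiltin, whose built-in name id is 0x01 (Auto_Open) and whose formula begins with ptgRef3d (0x3A), and the "Enable Editing" / "Enable Content" lure strings. The "hidden Excel 4.0 Macro sheet" signature rests on the BOUNDSHEET record (0x0085), where the sheet-type byte is 0x01 for an XLM macro sheet and the state byte is 1 (hidden) or 2 (very hidden). The Python triage script below is an added example, not part of the Joe Sandbox report or of the Yara rules' own code. Like Yara it scans the raw bytes and does not walk the CFB sector chain, so its record hits are heuristics (a BIFF record split across non-contiguous sectors can be missed), and the sample bytes it builds are constructed for the example, not extracted from tripadvisor_hint.xls.

```python
"""Heuristic triage of a legacy .xls (BIFF8 inside a CFB container) for the
Excel 4.0 macro indicators the sandbox signatures above are built on.

Added example, not from the report. Raw-byte scan, no CFB FAT walk."""
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # [MS-CFB] header signature
REC_BOUNDSHEET = 0x0085   # BIFF BoundSheet8 record
REC_NAME = 0x0018         # BIFF Lbl (defined name) record
SHEET_TYPE_XLM = 0x01     # BoundSheet8.dt: Excel 4.0 macro sheet
BUILTIN_AUTO_OPEN = 0x01  # built-in name id for Auto_Open
NAME_FLAG_BUILTIN = 0x0020
ENABLE_STRINGS = (b"Enable Editing", b"Enable Content")


def find_records(data: bytes, rec_type: int):
    """Yield (offset, payload) for each plausible BIFF record of rec_type.

    A record is a 2-byte type id plus a 2-byte little-endian length; we accept a
    hit when the length fits in the buffer. Callers validate the payload layout
    to weed out accidental byte-pattern hits."""
    needle = struct.pack("<H", rec_type)
    pos = data.find(needle)
    while pos != -1:
        if pos + 4 <= len(data):
            (length,) = struct.unpack_from("<H", data, pos + 2)
            if length and pos + 4 + length <= len(data):
                yield pos, data[pos + 4:pos + 4 + length]
        pos = data.find(needle, pos + 1)


def hidden_macro_sheets(data: bytes):
    """Names of Excel 4.0 macro sheets flagged hidden (1) or very hidden (2)."""
    found = []
    for _, payload in find_records(data, REC_BOUNDSHEET):
        if len(payload) < 8:
            continue
        # lbPlyPos(4) hsState(1) dt(1) cch(1) string-flags(1) name chars...
        _, hs_state, sheet_type, cch, flags = struct.unpack_from("<IBBBB", payload)
        if sheet_type != SHEET_TYPE_XLM or (hs_state & 0x03) not in (1, 2):
            continue
        raw = payload[8:]
        if flags & 0x01:  # fHighByte: UTF-16LE name
            found.append(raw[:cch * 2].decode("utf-16-le", "replace"))
        else:             # compressed 8-bit name
            found.append(raw[:cch].decode("latin-1"))
    return found


def has_auto_open_name(data: bytes) -> bool:
    """True if a BIFF8 Lbl record defines the built-in Auto_Open name.

    Fixed part: grbit(2) chKey(1) cch(1) cce(2) ixals(2) itab(2) + four 1-byte
    lengths = 14 bytes, then the name as a Unicode string (1 flags byte + chars).
    For a built-in name cch is 1 and the single char is the built-in id."""
    for _, payload in find_records(data, REC_NAME):
        if len(payload) < 16:
            continue
        grbit, _chkey, cch, _cce = struct.unpack_from("<HBBH", payload)
        if grbit & NAME_FLAG_BUILTIN and cch == 1 and payload[15] == BUILTIN_AUTO_OPEN:
            return True
    return False


def triage(data: bytes) -> dict:
    """Combine the checks into a verdict similar to the signatures above."""
    return {
        "is_cfb": data.startswith(CFB_MAGIC),
        "hidden_xlm_sheets": hidden_macro_sheets(data),
        "auto_open": has_auto_open_name(data),
        "enable_lure": [s.decode() for s in ENABLE_STRINGS if s in data],
    }


def build_sample() -> bytes:
    """Constructed input: a CFB header sector followed by loose BIFF records.
    Not a real workbook and not derived from the analysed sample."""
    header = CFB_MAGIC + b"\x00" * 504
    name = b"Macro1"
    # BoundSheet8: lbPlyPos, hsState=2 (very hidden), dt=1 (XLM), cch, 8-bit string
    bs_payload = struct.pack("<IBBBB", 0x1000, 2, SHEET_TYPE_XLM, len(name), 0) + name
    boundsheet = struct.pack("<HH", REC_BOUNDSHEET, len(bs_payload)) + bs_payload
    # Lbl: fBuiltin, cch=1, cce=7; name = flags 0x00 + id 0x01; formula = ptgRef3d + 6 bytes
    formula = b"\x3A" + b"\x00" * 6
    nm_payload = struct.pack("<HBBHHHBBBB", NAME_FLAG_BUILTIN, 0, 1, len(formula),
                             0, 0, 0, 0, 0, 0) + b"\x00\x01" + formula
    name_rec = struct.pack("<HH", REC_NAME, len(nm_payload)) + nm_payload
    lure = b"Please click Enable Editing and then Enable Content"
    return header + boundsheet + name_rec + b"\x00" * 16 + lure


if __name__ == "__main__":
    print(triage(build_sample()))
```

The constructed Lbl record is 23 bytes long (0x17), matching the `18 00 17 00 ... 01 3A` pattern of the $Auto_Open string above; on a real sample the same functions are applied to the whole file read in binary mode.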

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
  • Source: tripadvisor_hint.xls, Virustotal detection: 10%

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll, origin: URLDownloadToFileA
  • Source: global traffic, TCP traffic: 192.168.2.2:49159 -> 104.161.32.117:80