Analysis Report TripAdvisor_invoice.xls

Overview

General Information

Sample Name: TripAdvisor_invoice.xls
Analysis ID: 252857
MD5: b47e19a711002e6e956e4556af540110
SHA1: 27158c70e2c7ee77be88dcb45ada8df42be254b4
SHA256: 9175ef98449b28fa34ffc5aceace8e9a768754e6959c1c21b6ebc9f2c4dc9f63

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document contains embedded VBA macros
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (unknown TCP traffic)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Yara detected Xls With Macro 4.0
Yara signature match

Classification

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 6836 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • rundll32.exe (PID: 5084 cmdline: 'C:\Windows\System32\rundll32.exe' C:\tccPCcy\MaIZLPo\jfUoeVj.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • wuapihost.exe (PID: 4788 cmdline: C:\Windows\System32\wuapihost.exe -Embedding MD5: 85C9C161B102A164EC09A23CACDDD09E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: TripAdvisor_invoice.xls
Rule: SUSP_Excel4Macro_AutoOpen
Description: Detects Excel4 macro use with auto open / close
Author: John Lambert @JohnLaTwC
Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x28aa2:$s1: Excel
  • 0x29b01:$s1: Excel
  • 0x33c7:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

Source: TripAdvisor_invoice.xls
Rule: SUSP_EnableContent_String_Gen
Description: Detects suspicious string that asks to enable active content in Office Doc
Author: Florian Roth
Strings:
  • 0x286ed:$e1: Enable Editing
  • 0x28702:$e2: Enable Content

Source: TripAdvisor_invoice.xls
Rule: JoeSecurity_XlsWithMacro4
Description: Yara detected Xls With Macro 4.0
Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started
Author: Michael Haag, Florian Roth, Markus Neis
Data:
  • Command: 'C:\Windows\System32\rundll32.exe' C:\tccPCcy\MaIZLPo\jfUoeVj.dll,DllRegisterServer
  • CommandLine: 'C:\Windows\System32\rundll32.exe' C:\tccPCcy\MaIZLPo\jfUoeVj.dll,DllRegisterServer
  • CommandLine|base64offset|contains:
  • Image: C:\Windows\SysWOW64\rundll32.exe
  • NewProcessName: C:\Windows\SysWOW64\rundll32.exe
  • OriginalFileName: C:\Windows\SysWOW64\rundll32.exe
  • ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
  • ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
  • ParentProcessId: 6836
  • ProcessCommandLine: 'C:\Windows\System32\rundll32.exe' C:\tccPCcy\MaIZLPo\jfUoeVj.dll,DllRegisterServer
  • ProcessId: 5084

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: TripAdvisor_invoice.xls; ReversingLabs: Detection: 31%

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process created: C:\Windows\SysWOW64\rundll32.exe
Source: global traffic; DNS query: name: g.msn.com
Source: global traffic; TCP traffic: 192.168.2.4:49720 -> 51.89.183.112:80
Source: unknown; TCP traffic detected without corresponding DNS query: 51.89.183.112
Source: unknown; DNS traffic detected: queries for: g.msn.com