Analysis Report 903.xls

Overview

General Information

Sample Name: 903.xls
Analysis ID: 289537
MD5: 45d6724e12b54092a46c8b8cf57bb316
SHA1: ab41e637f4bbdf17beb50f4b67b7293aec162737
SHA256: 78dc7b7475fda91e1d378073404fe0dc0ee3b63054ddfe9a68c4bf79958dcbe6

Detection

Hidden Macro 4.0
Score: 21
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Yara detected password protected xls with embedded macros
Contains capabilities to detect virtual machines
Unable to load, office file is protected or invalid

Classification

System Summary:

Unable to load, office file is protected or invalid
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Window title found: password
Source: classification engine Classification label: sus21.expl.winXLS@1/0@0/0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRCBD6.tmp
Source: 903.xls OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: 903.xls Initial sample: OLE indicators vbamacros = False
Source: 903.xls Initial sample: OLE indicators encrypted = True
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: 903.xls Stream path 'Workbook' entropy: 7.94785679197 (max. 8.0)

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened / queried: IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

HIPS / PFW / Operating System Protection Evasion:

Yara detected password protected xls with embedded macros
Source: Yara match File source: 903.xls, type: SAMPLE