Loading ...

Play interactive tourEdit tour

Analysis Report SIN029088.xls

Overview

General Information

Sample Name:SIN029088.xls
Analysis ID:319129
MD5:483a0f4cb6a70556b34aed04f24f7962
SHA1:cbd6b0004aca06a46b4863bfbc13f444b3404483
SHA256:ccab18c2ba789320bdb50d364ce3f70a625c60c68a93ad05bbca056f9f6f821a

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Connects to a URL shortener service
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found obfuscated Excel 4.0 Macro
Obfuscated command line found
Sigma detected: Microsoft Office Product Spawning Windows Shell
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Document contains embedded VBA macros
Enables debug privileges
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification