Analysis Report sviluppo_economico_18__798.xls

Overview

General Information

Sample Name: sviluppo_economico_18__798.xls
Analysis ID: 320146
MD5: 1f29be209fd50a1c5a2e836b885e4e07
SHA1: 2812a8a68b0662f8650721287449c1e70b86a0a2
SHA256: 62a043b348929fa157ea8deef65ab96b5c094b73a9c14a96c75c2ab1e7427758
Tags: gozi, isfb, italy, pw, mise, ursnif, xls

Detection

Hidden Macro 4.0
Score: 20
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Yara detected password protected xls with embedded macros
Unable to load, office file is protected or invalid

Classification

System Summary:

Unable to load, office file is protected or invalid
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Window title found: password
Source: classification engine Classification label: sus20.expl.winXLS@1/0@0/0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD45E.tmp
Source: sviluppo_economico_18__798.xls OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: sviluppo_economico_18__798.xls Initial sample: OLE indicators vbamacros = False
Source: sviluppo_economico_18__798.xls Initial sample: OLE indicators encrypted = True
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX

HIPS / PFW / Operating System Protection Evasion:

Yara detected password protected xls with embedded macros
Source: Yara match File source: sviluppo_economico_18__798.xls, type: SAMPLE

Behavior Graph

Behavior Graph ID: 320146
Sample: sviluppo_economico_18__798.xls
Startdate: 19/11/2020
Architecture: WINDOWS
Score: 20
Nodes: Yara detected password protected xls with embedded macros; EXCEL.EXE (process started)
No contacted IP infos