Loading ...

Play interactive tourEdit tour

Analysis Report sviluppo_economico_18__798.xls

Overview

General Information

Sample Name:sviluppo_economico_18__798.xls
Analysis ID:320146
MD5:1f29be209fd50a1c5a2e836b885e4e07
SHA1:2812a8a68b0662f8650721287449c1e70b86a0a2
SHA256:62a043b348929fa157ea8deef65ab96b5c094b73a9c14a96c75c2ab1e7427758
Tags:goziisfbitalypwmiseursnifxls

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:20
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Yara detected password protected xls with embedded macros
Unable to load, office file is protected or invalid

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2452 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
sviluppo_economico_18__798.xlsJoeSecurity_PasswordProtectedXlsWithEmbeddedMacrosYara detected password protected xls with embedded macrosJoe Security

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    Click to jump to signature section

    Show All Signature Results
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEWindow title found: password
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEWindow title found: password
    Source: classification engineClassification label: sus20.expl.winXLS@1/0@0/0
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRD45E.tmpJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRD45E.tmpJump to behavior
    Source: sviluppo_economico_18__798.xlsOLE indicator, Workbook stream: true
    Source: sviluppo_economico_18__798.xlsOLE indicator, Workbook stream: true
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
    Source: sviluppo_economico_18__798.xlsInitial sample: OLE indicators vbamacros = False
    Source: sviluppo_economico_18__798.xlsInitial sample: OLE indicators vbamacros = False
    Source: sviluppo_economico_18__798.xlsInitial sample: OLE indicators encrypted = True
    Source: sviluppo_economico_18__798.xlsInitial sample: OLE indicators encrypted = True
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior

    HIPS / PFW / Operating System Protection Evasion:

    barindex
    Yara detected password protected xls with embedded macrosShow sources
    Source: Yara matchFile source: sviluppo_economico_18__798.xls, type: SAMPLE

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential DumpingFile and Directory Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemorySystem Information Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    sviluppo_economico_18__798.xls5%VirustotalBrowse
    sviluppo_economico_18__798.xls8%ReversingLabs

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:31.0.0 Red Diamond
    Analysis ID:320146
    Start date:19.11.2020
    Start time:04:20:25
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 3m 40s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:sviluppo_economico_18__798.xls
    Cookbook file name:defaultwindowsofficecookbook.jbs
    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
    Number of analysed new started processes analysed:2
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:SUS
    Classification:sus20.expl.winXLS@1/0@0/0
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .xls
    • Changed system and user locale, location and keyboard layout to Italian - Italy
    • Found Word or Excel or PowerPoint or XPS Viewer
    • Attach to Office via COM
    • Scroll down
    • Close Viewer
    Warnings:
    Show All
    • Exclude process from analysis (whitelisted): dllhost.exe

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: psvnMbUEloJlp, Last Saved By: administrator, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Nov 18 21:59:48 2020, Last Saved Time/Date: Wed Nov 18 23:56:01 2020, Security: 1
    Entropy (8bit):7.653974548096761
    TrID:
    • Microsoft Excel sheet (30009/1) 78.94%
    • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
    File name:sviluppo_economico_18__798.xls
    File size:406528
    MD5:1f29be209fd50a1c5a2e836b885e4e07
    SHA1:2812a8a68b0662f8650721287449c1e70b86a0a2
    SHA256:62a043b348929fa157ea8deef65ab96b5c094b73a9c14a96c75c2ab1e7427758
    SHA512:d4c9540a99d5895048fb551ad1b4e896c0102810a4f8d02f19d1ff9ec93e9db0c778b78ea9fef8a7cc702c4650c19fbbac1b1ed5cbc226294187a6f134a0fd29
    SSDEEP:12288:iStyc6XVZU6wZ6wdTh0dw5fNozUcANlO1FMLtE:i+FEVQTZh0d8+YcANlVLW
    File Content Preview:........................>......................................................................................................................................................................................................................................

    File Icon

    Icon Hash:e4eea286a4b4bcb4

    Static OLE Info

    General

    Document Type:OLE
    Number of OLE Files:1

    OLE File "sviluppo_economico_18__798.xls"

    Indicators

    Has Summary Info:True
    Application Name:Microsoft Excel
    Encrypted Document:True
    Contains Word Document Stream:False
    Contains Workbook/Book Stream:True
    Contains PowerPoint Document Stream:False
    Contains Visio Document Stream:False
    Contains ObjectPool Stream:
    Flash Objects Count:
    Contains VBA Macros:False

    Summary

    Code Page:1252
    Author:psvnMbUEloJlp
    Last Saved By:administrator
    Create Time:2020-11-18 21:59:48
    Last Saved Time:2020-11-18 23:56:01
    Creating Application:Microsoft Excel
    Security:1

    Document Summary

    Document Code Page:1252
    Thumbnail Scaling Desired:False
    Company:
    Contains Dirty Links:False
    Shared Document:False
    Changed Hyperlinks:False
    Application Version:1048576

    Streams

    Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
    General
    Stream Path:\x5DocumentSummaryInformation
    File Type:data
    Stream Size:4096
    Entropy:0.877001986665
    Base64 Encoded:False
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . h . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F o g l i o 1 . . . . . F o g l i o 2 . . . . . F o g l i o 3 . . . . . F o g l i o 4 . . . . . P F k t t s w U
    Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 68 02 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 1c 02 00 00
    Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
    General
    Stream Path:\x5SummaryInformation
    File Type:data
    Stream Size:4096
    Entropy:0.326180603731
    Base64 Encoded:False
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p s v n M b U E l o J l p . . . . . . . . . . . a d m i n i s t r a t o r . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . b . ! . . . . @ . . . . . . ] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 b0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 60 00 00 00 12 00 00 00 78 00 00 00 0c 00 00 00 90 00 00 00 0d 00 00 00 9c 00 00 00 13 00 00 00 a8 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 10 00 00 00
    Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 393505
    General
    Stream Path:Workbook
    File Type:Applesoft BASIC program data, first line number 16
    Stream Size:393505
    Entropy:7.75217740988
    Base64 Encoded:True
    Data ASCII:. . . . . . . . Z O . . . . . . . . . . / . . . . . . . . . . . . . ~ . . . . . . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . v . 1 . . . 0 . . . . . . . . . . . e | J . . _ . . . # . . 2 . H \\ 4 1 Z . . / . $ . 0 j . . . . . . . . - A . S . V F . u 6 b . { ~ . . . . . . . . . . . . C . . . . . \\ . p . . . B . . . . . C 3 z -
    Data Raw:09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 2f 00 c8 00 01 00 04 00 02 00 0c 00 00 00 7e 00 00 00 0c 00 00 00 00 00 00 00 01 68 00 00 04 80 00 00 80 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    CPU Usage

    Click to jump to process

    Memory Usage

    Click to jump to process

    System Behavior

    General

    Start time:04:20:39
    Start date:19/11/2020
    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    Wow64 process (32bit):false
    Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Imagebase:0x13f690000
    File size:27641504 bytes
    MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Disassembly

    Reset < >