Analysis Report doc2227740.xls

Overview

General Information

Sample Name:	doc2227740.xls
Analysis ID:	320290
MD5:	b43d8b40f9ef15965d0ff901e30c2f32
SHA1:	3c0d89ac4b439b7cf60b6cc6e4195a8ce3514572
SHA256:	196588a7404c90ab92502926afa24fbb25bf67c0ad50dba4f7ff4f1937816dda
Tags:	xlsZLoader
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Found Excel 4.0 Macro with suspicious formulas

Document contains embedded VBA macros

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Yara detected Xls With Macro 4.0

Yara signature match

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: doc2227740.xls	ReversingLabs: Detection: 20%
Source: doc2227740.xls	ReversingLabs: Detection: 20%

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Source: global traffic	DNS query: name: sherpa.rest
Source: global traffic	DNS query: name: sherpa.rest

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 104.27.173.15:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 104.27.173.15:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 104.27.173.15:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 104.27.173.15:443

Networking:

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: unknown	DNS traffic detected: queries for: sherpa.rest
Source: unknown	DNS traffic detected: queries for: sherpa.rest

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443

System Summary:

Found Excel 4.0 Macro with suspicious formulas

Source: doc2227740.xls	Initial sample: EXEC
Source: doc2227740.xls	Initial sample: EXEC

Document contains embedded VBA macros

Source: doc2227740.xls	OLE indicator, VBA macros: true
Source: doc2227740.xls	OLE indicator, VBA macros: true

Yara signature match

Source: doc2227740.xls, type: SAMPLE	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: doc2227740.xls, type: SAMPLE	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f

Source: classification engine

Classification label: mal52.evad.winXLS@1/13@1/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\Application Data\Microsoft\Forms			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\Application Data\Microsoft\Forms			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\CVRE9E1.tmp			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Temp\CVRE9E1.tmp			Jump to behavior

Source: doc2227740.xls	OLE indicator, Workbook stream: true
Source: doc2227740.xls	OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File read: C:\Users\desktop.ini			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File read: C:\Users\desktop.ini			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA			Jump to behavior

Source: doc2227740.xls	ReversingLabs: Detection: 20%
Source: doc2227740.xls	ReversingLabs: Detection: 20%

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Window found: window name: SysTabControl32			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Window found: window name: SysTabControl32			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Automated click: OK
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Automated click: OK
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Automated click: OK
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Automated click: OK

Source: Window Recorder	Window detected: More than 3 window changes detected
Source: Window Recorder	Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll			Jump to behavior

Source: doc2227740.xls	Initial sample: OLE document summary category = PmFbdwr0TuP
Source: doc2227740.xls	Initial sample: OLE document summary category = PmFbdwr0TuP

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Yara detected Xls With Macro 4.0

Source: Yara match

File source: doc2227740.xls, type: SAMPLE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.27.173.15	unknown	United States		13335	CLOUDFLARENETUS	false

Contacted Domains

Name	IP	Active
sherpa.rest	104.27.173.15	true

ID:	320290
Product:	CloudBasic
Start time:	08:39:53
Start date:	19.11.2020
Sample:	doc2227740.xls
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	b43d8b40f9ef15965d0ff901e30c2f32
SHA1:	3c0d89ac4b439b7cf60b6cc6e4195a8ce3514572
SHA256:	196588a7404c90ab92502926afa24fbb25bf67c0ad50dba4f7ff4f1937816dda
Filetype:	Microsoft Excel sheet (30009/1) 47.99%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD	data	A9B61ED0B8FF3555959ACA5EC1BBFBC6	E06D7B42CE25F326583F0B8C0420B5B8C29B7CEB	5FA33B89DDA4C07247D5485C346C59140EDCC868A089497335179CDD2B6406A1
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{F85E85D8-9902-430A-877E-35D1221BCC0D}.FSD	data	537D8D39EC19606699121491C7BBC30F	D812B3CFD45A37595012677015B45713ADBB491B	27795C711CA0A573A9C132B940CE12C29BC219B9A9460BF1720742ADE2800F20
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF	data	311D741FB8DADAA8776ED6B5E2798678	F6AB7EFC73F1FBB0A8A191FFE56883B349F732EA	9A0AD1ED9C6DD6C327F2405DC5BCB23583600234EA73B05482CB878157FDF5B5
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD	data	F6B6E12BBADC43D1C575B6CF792D4FF1	A93623DA1281ECF637C69C765FA33EF66DA1F95A	A0179A17F0A8417184D6CA684BC79C8F6B4741E80D2BF178A3F9165EFDA26F35
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{9F45F1FD-227F-4560-981A-03EE77AD8D6E}.FSD	data	5288C191787983E4A9873ACFA314AC33	F282592FF1E3A8EBE3A2C1283086EDD923C14AA9	F2EEFCD038500D7E36AAE3C95BF36E8E0729AB95636AF9138F63257D4DDD1275
C:\Users\user\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF	data	FC89710189E7C81130CAC40D0F180CCD	BE07D37034D0D6E2394B5C3AC47F28EB78767E9E	D87C78CFD7A26F6649FA650118F9E464D73DB9EF1CB975817534018A60174F61
C:\Users\user\AppData\Local\Temp\212F0000	data	AFD7B03C25F9C65F6470B21FEC9B9583	9C1BABAE806C2E04A1B0BD782087E331437B677A	FA9D14B316C82357764F99BDD15D69CFE5AAEA4AE2D4293100A315915CCCAFFB
C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd	data	6F4AAED698A1513669A959E29DC5C6F2	6A605C026EF516597E03EFE5FC9D397D7B91110F	D3059A80AFF09E691B3EEB371730DAFA842F171727C80BC3DCFF8CD1539D9631
C:\Users\user\AppData\Local\Temp\{C92AD829-6A2C-4701-99BD-E5B8BFC3D323}	data	6D4AB7FCCB2F8F79E152AF821B194F6D	49344E69BBA72212EE6FB40B48D2AE5D5833D328	EDAAF11F25B09EFAA274FF72F2670913C6D7281356EC46A3738386063AAB7A3C
C:\Users\user\AppData\Local\Temp\{CA81E5EB-CC18-46B5-BFF4-E6AC33BF56F6}	data	AD6ECCAAD220C6D4DF9762E3D64446AE	BC04303DF31488C8606C4095BAAC160F99F3B240	18335078078CB0AAFAA80FE2ADF5FEBA72A5F6F2D017C694A920F555DD2C859B
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Thu Nov 19 15:41:02 2020, atime=Thu Nov 19 15:41:02 2020, length=8192, window=hide	B43C9756F00C7F10CE17BA5CD8CE8E70	AF18D1CFBA491DF5D31E6C1A3FB9BEAAF9A020CB	BDC1084BE45505EDC00E0700CA42282F52E624A0824D5AE85DFD03B9507A17B2
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	CB81E25C045825270E2E97C347AE6E8F	2069CD47D19BCC5F24D31854972702CEC4C9E9A1	FEC9B386E88BFD7FEC4BA72FDC006A003ECC079E2C204947A57872BB4ED7340A
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\4MFCXH41.txt	ASCII text	62D6896587AF5C4E4AE819335D822CD0	63F004900567837EB5D2C8C6412A7F8FED960279	02421F20DFDF6D7331D1CA21FBBE6CB0D69B5998023AA9094C8963D66F0B9B88

Analysis Report doc2227740.xls

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

HIPS / PFW / Operating System Protection Evasion:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains