Loading ...

Play interactive tourEdit tour

Analysis Report Proforma Invoice.xls

Overview

General Information

Sample Name:Proforma Invoice.xls
Analysis ID:320373
MD5:55db711144ff4a35faf58d982e7cf727
SHA1:ea7b59dde9f0600915069dec66f8410f25cb66fd
SHA256:6e76bd502c91158631cadf485ce44caa4d6504864735593fc23d90477a794d17
Tags:netwirexls

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Bypasses PowerShell execution policy
Document contains an embedded VBA macro which may execute processes
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found obfuscated Excel 4.0 Macro
Obfuscated command line found
Sigma detected: Microsoft Office Product Spawning Windows Shell
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Enables debug privileges
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)

Classification