Loading ...

Play interactive tourEdit tour

Analysis Report sviluppo_economico_19__98.xls

Overview

General Information

Sample Name:sviluppo_economico_19__98.xls
Analysis ID:320589
MD5:f85cc34cca018369113e5ea6aff1eae4
SHA1:62cb04d273f22c440aca13dc344bd05ec7fb9b79
SHA256:f93a962db6a8cfaf0513c5d2a36cf61b863c52f32ca7ab856cfe0b024001c9f3

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected password protected xls with embedded macros
Unable to load, office file is protected or invalid

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2500 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
sviluppo_economico_19__98.xlsJoeSecurity_PasswordProtectedXlsWithEmbeddedMacrosYara detected password protected xls with embedded macrosJoe Security

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Multi AV Scanner detection for submitted fileShow sources
    Source: sviluppo_economico_19__98.xlsVirustotal: Detection: 8%Perma Link
    Source: sviluppo_economico_19__98.xlsReversingLabs: Detection: 10%
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEWindow title found: password
    Source: classification engineClassification label: mal52.expl.winXLS@1/0@0/0
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRD9DA.tmpJump to behavior
    Source: sviluppo_economico_19__98.xlsOLE indicator, Workbook stream: true
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: sviluppo_economico_19__98.xlsVirustotal: Detection: 8%
    Source: sviluppo_economico_19__98.xlsReversingLabs: Detection: 10%
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
    Source: sviluppo_economico_19__98.xlsInitial sample: OLE indicators vbamacros = False
    Source: sviluppo_economico_19__98.xlsInitial sample: OLE indicators encrypted = True
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior

    HIPS / PFW / Operating System Protection Evasion:

    barindex
    Yara detected password protected xls with embedded macrosShow sources
    Source: Yara matchFile source: sviluppo_economico_19__98.xls, type: SAMPLE

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential DumpingFile and Directory Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemorySystem Information Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    sviluppo_economico_19__98.xls8%VirustotalBrowse
    sviluppo_economico_19__98.xls10%ReversingLabs

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:31.0.0 Red Diamond
    Analysis ID:320589
    Start date:19.11.2020
    Start time:15:33:33
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 3m 44s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:sviluppo_economico_19__98.xls
    Cookbook file name:defaultwindowsofficecookbook.jbs
    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
    Number of analysed new started processes analysed:2
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal52.expl.winXLS@1/0@0/0
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .xls
    • Changed system and user locale, location and keyboard layout to Italian - Italy
    • Found Word or Excel or PowerPoint or XPS Viewer
    • Attach to Office via COM
    • Scroll down
    • Close Viewer
    Warnings:
    Show All
    • Exclude process from analysis (whitelisted): dllhost.exe

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: OXYWbyFNqEDTXZRqGxi, Last Saved By: administrator, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Nov 18 22:00:31 2020, Last Saved Time/Date: Wed Nov 18 22:26:33 2020, Security: 1
    Entropy (8bit):7.663256298038157
    TrID:
    • Microsoft Excel sheet (30009/1) 78.94%
    • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
    File name:sviluppo_economico_19__98.xls
    File size:423424
    MD5:f85cc34cca018369113e5ea6aff1eae4
    SHA1:62cb04d273f22c440aca13dc344bd05ec7fb9b79
    SHA256:f93a962db6a8cfaf0513c5d2a36cf61b863c52f32ca7ab856cfe0b024001c9f3
    SHA512:434a43f2b2870596c2384fe678b24d4e2335d0c2bfd9826c23eba04d552e3791db3fa83c7ca1a574d6209ec247e0063cbc354fa3ff68029d9456d23bbb26cd98
    SSDEEP:6144:s9CdPZDiqSz9tpBWL5A4hXF+vu7lTcDHEHUEDagk6xrGgvmHfoiNzaU5AU/cp/:fdhsz7p0L++F+vfDkxagkArGBHflNu/
    File Content Preview:........................>.......................9...........................2...3...4...5...6...7...8..........................................................................................................................................................

    File Icon

    Icon Hash:e4eea286a4b4bcb4

    Static OLE Info

    General

    Document Type:OLE
    Number of OLE Files:1

    OLE File "sviluppo_economico_19__98.xls"

    Indicators

    Has Summary Info:True
    Application Name:Microsoft Excel
    Encrypted Document:True
    Contains Word Document Stream:False
    Contains Workbook/Book Stream:True
    Contains PowerPoint Document Stream:False
    Contains Visio Document Stream:False
    Contains ObjectPool Stream:
    Flash Objects Count:
    Contains VBA Macros:False

    Summary

    Code Page:1252
    Author:OXYWbyFNqEDTXZRqGxi
    Last Saved By:administrator
    Create Time:2020-11-18 22:00:31
    Last Saved Time:2020-11-18 22:26:33
    Creating Application:Microsoft Excel
    Security:1

    Document Summary

    Document Code Page:1252
    Thumbnail Scaling Desired:False
    Company:
    Contains Dirty Links:False
    Shared Document:False
    Changed Hyperlinks:False
    Application Version:1048576

    Streams

    Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
    General
    Stream Path:\x5DocumentSummaryInformation
    File Type:data
    Stream Size:4096
    Entropy:0.64107045361
    Base64 Encoded:False
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F o g l i o 1 . . . . . F o g l i o 2 . . . . . F o g l i o 3 . . . . . F o g l i o 4 . . . . . X j z P k Y h F
    Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 b4 01 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 68 01 00 00
    Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
    General
    Stream Path:\x5SummaryInformation
    File Type:data
    Stream Size:4096
    Entropy:0.348694171161
    Base64 Encoded:False
    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . d . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O X Y W b y F N q E D T X Z R q G x i . . . . . . . . . a d m i n i s t r a t o r . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . c ; . . . . @ . . . . . i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 b4 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 64 00 00 00 12 00 00 00 7c 00 00 00 0c 00 00 00 94 00 00 00 0d 00 00 00 a0 00 00 00 13 00 00 00 ac 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 14 00 00 00
    Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 410329
    General
    Stream Path:Workbook
    File Type:Applesoft BASIC program data, first line number 16
    Stream Size:410329
    Entropy:7.75910354304
    Base64 Encoded:True
    Data ASCII:. . . . . . . . Z O . . . . . . . . . . / . . . . . . . . . . . . . ~ . . . . . . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . v . 1 . . . 0 . . . . . . . . . a ) _ . . . S . . . = . j . . . . X x . . + . ~ v ^ . p = . . . . . . . R . . $ R . . B M . . . _ . . . . . . . . . . . . . . . _ . . . . \\ . p . k . B d 9 . . E . . B K
    Data Raw:09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 2f 00 c8 00 01 00 04 00 02 00 0c 00 00 00 7e 00 00 00 0c 00 00 00 00 00 00 00 01 68 00 00 04 80 00 00 80 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    CPU Usage

    Click to jump to process

    Memory Usage

    Click to jump to process

    System Behavior

    General

    Start time:15:34:40
    Start date:19/11/2020
    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    Wow64 process (32bit):false
    Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Imagebase:0x13f9a0000
    File size:27641504 bytes
    MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Disassembly

    Reset < >