Analysis Report document-1387828094.xls

Overview

General Information

Sample Name:	document-1387828094.xls
Analysis ID:	324310
MD5:	57d6ae1173dbde7042f89a088de5edb7
SHA1:	2cdfca3712f53104813befb773da278cbe0ff191
SHA256:	4a1096abdae4eb29f96055f0a4b385c8b6edabda3b6b4bde20490730156bb0a4
Tags:	goziSilentBuilderursnifxls
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	21
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Yara detected hidden Macro 4.0 in Excel

Document contains embedded VBA macros

Yara signature match

Classification

Signatures

Source: document-1387828094.xls

String found in binary or memory: https://birdexim.com/ds/231120.gif

System Summary:

Document contains embedded VBA macros

Source: document-1387828094.xls

OLE indicator, VBA macros: true

Yara signature match

Source: document-1387828094.xls, type: SAMPLE

Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f

Source: classification engine

Classification label: sus21.expl.winXLS@1/0@0/0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRDAE3.tmp

Jump to behavior

Source: document-1387828094.xls

OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel

Source: Yara match

File source: document-1387828094.xls, type: SAMPLE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No contacted IP infos

ID:	324310
Product:	CloudBasic
Start time:	05:04:11
Start date:	29.11.2020
Sample:	document-1387828094.xls
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	57d6ae1173dbde7042f89a088de5edb7
SHA1:	2cdfca3712f53104813befb773da278cbe0ff191
SHA256:	4a1096abdae4eb29f96055f0a4b385c8b6edabda3b6b4bde20490730156bb0a4
Filetype:	Microsoft Excel sheet (30009/1) 78.94%

Analysis Report document-1387828094.xls

Overview

General Information

Detection

Signatures

Classification

Signatures

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

HIPS / PFW / Operating System Protection Evasion:

Screenshots

Behavior Graph

Network Map