Analysis Report document-1411385003.xls

ID:	324316
Product:	CloudBasic
Start time:	06:02:08
Start date:	29.11.2020
Sample:	document-1411385003.xls
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	0e578c836b3cc5b29771e51f3c4b0cf9
SHA1:	2fb23ab9b9439f7d447ec529415e1039143d33d1
SHA256:	e4b39e254df2f996274732baea7d3ead38ca845d404aac72e682f378b78531be
Filetype:	Microsoft Excel sheet (30009/1) 78.94%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\50EE0000	data	BD6FEE98DC956A97F2085054D09D055E	3907740BED9C539D453E2AF2CA569BDBA75F145C	96528633FE30A9C50F29386B3F8754C54FE33828575967CA2D76F78A2CDFA6DF
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Sun Nov 29 13:02:43 2020, atime=Sun Nov 29 13:02:43 2020, length=8192, window=hide	57EF378CB949CEA48A13D45D110F50ED	D8B9B60488F47736366B8A02F22683CDF4138AF0	E6ADCF0A4739586513F671566F410306792DA622C2B7298BCA7CDC3F21D92F08
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\document-1411385003.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Sun Nov 29 13:02:43 2020, atime=Sun Nov 29 13:02:43 2020, length=339968, window=hide	0E49CE990AC503E4E9CCF8F2DD0957CB	69A9A829E1ECC43D8A7BB7F51709A5FABC020D41	EA41B7D8D8E0D9AAAA7425A15CB5BD93215D18F0D848F986B77E04030ED01B3E
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	2533CD7B5053F7312DE40EFA72755FCC	49CF1CD8E42325C9560D5C956B0761F53230A916	B9B4D2DB01459583632D2ACCB47BDAC642FD3C52A64689DDEEB6378F5B4E8792
C:\Users\user\Desktop\E1EE0000	Applesoft BASIC program data, first line number 16	A00E5BE15A73ADA4F6FFF9DA7C7987E1	ACF64805C40D3D2DB9D40F7AAA3B38E49B79623A	B0EDC9153FD2C4E23DCD7E006D0D6B95B4AD1623FAA8D6BB3510359C56A7126E

AV Detection:

Multi AV Scanner detection for submitted file

Source: document-1411385003.xls

ReversingLabs: Detection: 48%

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\regsvr32.exe

Jump to behavior

Allocates a big amount of memory (probably used for heap spraying)

Source: excel.exe

Memory has grown: Private usage: 4MB later: 55MB

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: dtmh.gr

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 78.46.235.88:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 78.46.235.88:443

Networking:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 78.46.235.88 78.46.235.88

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: dtmh.gr

Urls found in memory or binary data

Source: regsvr32.exe, 00000003.00000002.2139185175.0000000001D80000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: document-1411385003.xls	String found in binary or memory: https://dtmh.gr/ds/231120.gif

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4

Screenshot OCR: Enable Content X I Al " "," jR " A B C D E F G H I J K L M N O P Q R S T : 1 2 3 4 5 6 7

Found Excel 4.0 Macro with suspicious formulas

Source: document-1411385003.xls	Initial sample: CALL
Source: document-1411385003.xls	Initial sample: CALL
Source: document-1411385003.xls	Initial sample: CALL
Source: document-1411385003.xls	Initial sample: CALL
Source: document-1411385003.xls	Initial sample: EXEC

Found obfuscated Excel 4.0 Macro

Source: document-1411385003.xls

Initial sample: High usage of CHAR() function: 18

Document contains embedded VBA macros

Source: document-1411385003.xls

OLE indicator, VBA macros: true

Yara signature match

Source: document-1411385003.xls, type: SAMPLE

Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f

Classification label

Source: classification engine

Classification label: mal80.expl.evad.winXLS@3/5@1/1

Creates files inside the user directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\E1EE0000

Jump to behavior

Creates temporary files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD900.tmp

Jump to behavior

Document contains an OLE Workbook stream indicating a Microsoft Excel file

Source: document-1411385003.xls

OLE indicator, Workbook stream: true

Reads ini files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Windows\System32\regsvr32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Source: document-1411385003.xls

ReversingLabs: Detection: 48%

Spawns processes

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s C:\giogti\mpomqr\fwpxeohi.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s C:\giogti\mpomqr\fwpxeohi.dll			Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation:

Registers a DLL

Source: unknown

Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s C:\giogti\mpomqr\fwpxeohi.dll

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel

Source: Yara match

File source: document-1411385003.xls, type: SAMPLE