Analysis Report Document_280325456.xlsm

Overview

General Information

Sample Name: Document_280325456.xlsm
Analysis ID: 336351
MD5: c1bf94e62e9006b88957ff148ea99a4a
SHA1: 96b65855460b4ef922a53527fb07a31c87f0743c
SHA256: 4f753f04450557e02847d44c31b1f498b41a7eb7cb4cd60cd8c8d60a3e38f3a6

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Found Excel 4.0 Macro with suspicious formulas
Excel documents contains an embedded macro which executes code when the document is opened

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: Document_280325456.xlsm Virustotal: Detection: 11% Perma Link

Software Vulnerabilities:

barindex
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: unknown origin: URLDownloadToFileA Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\37E9613F.png Jump to behavior

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing 1 11 12 1 from the yellow bar above 13 14 1 @Once You have Enable Editing, please
Source: Screenshot number: 4 Screenshot OCR: Enable Content 15 1 from the yellow bar above 16 CI 17 I " I WHY I CANNOTOPEN THIS DOCUMENT? 19
Source: Document image extraction number: 2 Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Content
Source: Document image extraction number: 2 Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Document image extraction number: 8 Screenshot OCR: Enable Editing from the yellow bar above @Once You have Enable Editing, please click Enable Conten
Source: Document image extraction number: 8 Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? wYou are using IDS or Andr
Found Excel 4.0 Macro with suspicious formulas
Source: Document_280325456.xlsm Initial sample: EXEC
Excel documents contains an embedded macro which executes code when the document is opened
Source: workbook.xml Binary string: " defaultThemeVersion="124226"/><bookViews><workbookView xWindow="240" yWindow="105" windowWidth="14805" windowHeight="8010"/></bookViews><sheets><sheet name="DocuSign" sheetId="7" r:id="rId1"/><sheet name="Sheet" sheetId="4" state="hidden" r:id="rId2"/><sheet name="Biola" sheetId="8" state="hidden" r:id="rId3"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">Sheet!$A$100</definedName></definedNames><calcPr calcId="144525"/></workbook>
Source: classification engine Classification label: mal64.expl.evad.winXLSM@1/9@0/0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Document_280325456.xlsm Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD95D.tmp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: Document_280325456.xlsm Virustotal: Detection: 11%
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Document_280325456.xlsm Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: Document_280325456.xlsm Initial sample: OLE zip file path = xl/media/image1.png
Source: Document_280325456.xlsm Initial sample: OLE zip file path = xl/media/image3.png
Source: Document_280325456.xlsm Initial sample: OLE zip file path = xl/media/image2.png
Source: Document_280325456.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: Document_280325456.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: Document_280325456.xlsm Initial sample: OLE zip file path = xl/calcChain.xml
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 336351 Sample: Document_280325456.xlsm Startdate: 05/01/2021 Architecture: WINDOWS Score: 64 11 Multi AV Scanner detection for submitted file 2->11 13 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->13 15 Found Excel 4.0 Macro with suspicious formulas 2->15 5 EXCEL.EXE 84 28 2->5         started        process3 file4 9 C:\Users\user\...\~$Document_280325456.xlsm, data 5->9 dropped 17 Document exploit detected (UrlDownloadToFile) 5->17 signatures5
No contacted IP infos