Analysis Report document-1900770373.xls

Overview

General Information

Sample Name:	document-1900770373.xls
Analysis ID:	355743
MD5:	139a10b28479f4f9e2e4465053e039f8
SHA1:	10251eb69e603ed7259265015b71b1160e3b4a06
SHA256:	ed17094f3e820674c9fa18192292108e8766d28eb0afcc0cf350a44b54196c1d
Tags:	xls
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malicious Excel 4.0 Macro

Multi AV Scanner detection for domain / URL

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Sigma detected: Microsoft Office Product Spawning Windows Shell

Yara detected hidden Macro 4.0 in Excel

Document contains embedded VBA macros

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Yara signature match

Classification

Signatures

AV Detection:

Antivirus detection for URL or domain

Source: https://kashful.softwarebd.biz/ds/1802.gif	Avira URL Cloud: Label: malware
Source: https://kashful.softwarebd.biz/ds/1802.Dc	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: kashful.softwarebd.biz	Virustotal: Detection: 6%			Perma Link
Source: https://kashful.softwarebd.biz/ds/1802.gif	Virustotal: Detection: 13%			Perma Link

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 185.151.30.170:443 -> 192.168.2.22:49165 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Jump to behavior

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: kashful.softwarebd.biz

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 185.151.30.170:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 185.151.30.170:443

Networking:

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: TWENTYIGB TWENTYIGB

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: rundll32.exe, 00000003.00000002.2089178138.0000000001BF0000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: kashful.softwarebd.biz

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: CD13771E5132C64BEEF257719A4363C40.0.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: CD13771E5132C64BEEF257719A4363C4.0.dr	String found in binary or memory: http://cert.int-x1.letsencrypt.org/
Source: CD13771E5132C64BEEF257719A4363C40.0.dr	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: CD13771E5132C64BEEF257719A4363C40.0.dr	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000003.00000002.2089178138.0000000001BF0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2089178138.0000000001BF0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: CD13771E5132C64BEEF257719A4363C40.0.dr	String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: rundll32.exe, 00000003.00000002.2089330403.0000000001DD7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2089330403.0000000001DD7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2089330403.0000000001DD7000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2089330403.0000000001DD7000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2089178138.0000000001BF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2089330403.0000000001DD7000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2089178138.0000000001BF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000003.00000002.2089178138.0000000001BF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: document-1900770373.xls	String found in binary or memory: https://kashful.softwarebd.biz/ds/1802.Dc
Source: document-1900770373.xls	String found in binary or memory: https://kashful.softwarebd.biz/ds/1802.gif

Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165

Source: unknown

HTTPS traffic detected: 185.151.30.170:443 -> 192.168.2.22:49165 version: TLS 1.2

System Summary:

Found malicious Excel 4.0 Macro

Source: document-1900770373.xls

Initial sample: urlmon

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable Editing" 11 from the yellow bar above 12 13 @Once You have Enable Editing, please click "I
Source: Document image extraction number: 1	Screenshot OCR: Enable Editing" from the yellow bar above Once You have Enable Editing, please click "Enable Conte
Source: Document image extraction number: 1	Screenshot OCR: Enable Content" from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? You are using iOS or A
Source: Document image extraction number: 6	Screenshot OCR: Enable Editing" from the yellow bar above @Once You have Enable Editing, please click "EnableConte

Found Excel 4.0 Macro with suspicious formulas

Source: document-1900770373.xls

Initial sample: EXEC

Found abnormal large hidden Excel 4.0 Macro sheet

Source: document-1900770373.xls

Initial sample: Sheet size: 4931

Document contains embedded VBA macros

Source: document-1900770373.xls

OLE indicator, VBA macros: true

Yara signature match

Source: document-1900770373.xls, type: SAMPLE	Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: document-1900770373.xls, type: SAMPLE	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f

Source: rundll32.exe, 00000003.00000002.2089178138.0000000001BF0000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal96.expl.evad.winXLS@3/13@3/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\CBBE0000

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRB4FC.tmp

Jump to behavior

Source: document-1900770373.xls

OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe rundll32 ..\idefje.ekfd,DllRegisterServer

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\idefje.ekfd,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\idefje.ekfd,DllRegisterServer	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel

Source: Yara match

File source: document-1900770373.xls, type: SAMPLE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.151.30.170	unknown	United Kingdom		48254	TWENTYIGB	true

Contacted Domains

Name	IP	Active
kashful.softwarebd.biz	185.151.30.170	true
cert.int-x1.letsencrypt.org	unknown	unknown

ID:	355743
Product:	CloudBasic
Start time:	16:54:13
Start date:	21.02.2021
Sample:	document-1900770373.xls
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	139a10b28479f4f9e2e4465053e039f8
SHA1:	10251eb69e603ed7259265015b71b1160e3b4a06
SHA256:	ed17094f3e820674c9fa18192292108e8766d28eb0afcc0cf350a44b54196c1d
Filetype:	Microsoft Excel sheet (30009/1) 78.94%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 59134 bytes, 1 file	E92176B0889CC1BB97114BEB2F3C1728	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CD13771E5132C64BEEF257719A4363C4	data	33E25CB51753B4C38817774E38BD2107	3EAE91937EC85D74483FF4B77B07B43E2AF36BF4	7FDCE3BF4103C2684B3ADBB5792884BD45C75094C217788863950346F79C90A3
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	D4AE187B4574036C2D76B6DF8A8C1A30	B06F409FA14BAB33CBAF4A37811B8740B624D9E5	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	EEAC39EA5331BA303E68BBDD882ADCA6	5F83BB30297D7995917BD67BFFA69D94FA6DCEE5	42E7CEFF41646464D6345C40BB70A027488339C3B1FD20CFFA8CA19DA22EFB30
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CD13771E5132C64BEEF257719A4363C4	data	717AB1416592925CC18663F80CDFE1C4	869238FE2FB612791255160C4DC56E67DEEE250C	228638ABAEA3EFFAF4E5C7788B805431E820E2CBE95B7A9FA9DA73FAD85A8020
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	889812E029148036DB54C56A370BF52A	5F50C6B33BC205351966658FB63CC2D44B8B7EC1	58A61FF80EE210E555AD05B86F7C8621F1D97DC5F54A823DCDC6C76FD76AEEC8
C:\Users\user\AppData\Local\Temp\2BBE0000	data	700CF16F61668BC891925220CB8C45D4	C4B8150813677A0D1A9AD745C5A194CD317A9AD5	9BCA582BD5E6437C93F5BEAC3C1C847782923021E60747D51337FDEBA87E3C33
C:\Users\user\AppData\Local\Temp\CabD03B.tmp	Microsoft Cabinet archive data, 59134 bytes, 1 file	E92176B0889CC1BB97114BEB2F3C1728	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
C:\Users\user\AppData\Local\Temp\TarD03C.tmp	data	64FEDADE4387A8B92C120B21EC61E394	15A2673209A41CCA2BC3ADE90537FE676010A962	BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Sun Feb 21 23:54:33 2021, atime=Sun Feb 21 23:54:33 2021, length=8192, window=hide	E12BEE9E20A696477746D5F44BB148D9	206C61524DCC3BFADF63CC72949D7099546E2D32	7CE1439063814D6F21A651A40E0EFF007FF110B0F7FBFB35249B3DC87EFD40D8
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\document-1900770373.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:11 2020, mtime=Sun Feb 21 23:54:33 2021, atime=Sun Feb 21 23:54:33 2021, length=90112, window=hide	AA7DA2F11BCCE0F1907562D8927A929E	C4EBE836AFF376566387ADAEFD89C6CA17A0BC60	908EBF9A4A447F1B2A6EA847D0C7D46C57E62E709D6B611CDFA2636AD4B8421A
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	272B1562977081250539767E3399438F	E87F8BFACFFDA4A3CE7996758C15638EAB13AEEC	1CC134C7A3B67DC666D5784FFCCB1829E009872CEE863DBED2F03B72065AF66B
C:\Users\user\Desktop\CBBE0000	Applesoft BASIC program data, first line number 16	8629CE00F391281A44C231AFE0CA74CB	3CAABA6FF240667682D4EC63A8C56306C7C32506	6321FB6481A8997198C3B2E23DF71C3CDBCD27CA39633B917DF84D3FE20A28B2

Analysis Report document-1900770373.xls

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

HIPS / PFW / Operating System Protection Evasion:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains