Analysis Report Document1094680387_02012021.xls

Overview

General Information

Sample Name: Document1094680387_02012021.xls
Analysis ID: 356299
MD5: 9423ee9775707d51960e0eac95b3f6cc
SHA1: debc0defc997fde77a2f0cee9b3b1fcbed54ea91
SHA256: 7034e21128da9ce58c2d5249d3fd73dd766cf90437fa52f79faa50098f359634

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Yara detected hidden Macro 4.0 in Excel
Internet Provider seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

AV Detection:

barindex
Multi AV Scanner detection for domain / URL
Source: healthymachinery.com Virustotal: Detection: 8% Perma Link
Source: http://healthymachinery.com/health/32-422-76.assp Virustotal: Detection: 8% Perma Link

Compliance:

barindex
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Software Vulnerabilities:

barindex
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA Jump to behavior
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe Jump to behavior
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: healthymachinery.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.149.197:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.149.197:80

Networking:

barindex
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /health/32-422-76.assp HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: healthymachinery.comConnection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ Jump to behavior
Source: global traffic HTTP traffic detected: GET /health/32-422-76.assp HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: healthymachinery.comConnection: Keep-Alive
Source: rundll32.exe, 00000003.00000002.2084485230.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: healthymachinery.com
Source: rundll32.exe, 00000003.00000002.2084485230.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2084485230.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2084703023.0000000001D97000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2084703023.0000000001D97000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2084703023.0000000001D97000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2084703023.0000000001D97000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2084485230.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2084703023.0000000001D97000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2084485230.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000003.00000002.2084485230.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: 32-422-76[1].htm.0.dr String found in binary or memory: https://www.cloudflare.com/5xx-error-landing

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing 1 11 12 1 from the yellow bar above 13 14 1 @Once You have Enable Editing, please
Source: Screenshot number: 4 Screenshot OCR: Enable Content 15 1 from the yellow bar above 16 CI 17 I " I WHY I CANNOTOPEN THIS DOCUMENT? 19
Source: Document image extraction number: 2 Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Content
Source: Document image extraction number: 2 Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Document image extraction number: 8 Screenshot OCR: Enable Editing from the yellow bar above @Once You have Enable Editing, please click Enable Conten
Source: Document image extraction number: 8 Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? wYou are using IDS or Andr
Found Excel 4.0 Macro with suspicious formulas
Source: Document1094680387_02012021.xls Initial sample: EXEC
Yara signature match
Source: Document1094680387_02012021.xls, type: SAMPLE Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: rundll32.exe, 00000003.00000002.2084485230.0000000001BB0000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal76.expl.evad.winXLS@3/8@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\76CE0000 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRBE9D.tmp Jump to behavior
Source: Document1094680387_02012021.xls OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32 ..\MORI.BAST,DllRegisterServer
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32 ..\MORI.BAST,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\MORI.BAST,DllRegisterServer Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Document1094680387_02012021.xls Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Yara detected hidden Macro 4.0 in Excel
Source: Yara match File source: Document1094680387_02012021.xls, type: SAMPLE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 356299 Sample: Document1094680387_02012021.xls Startdate: 22/02/2021 Architecture: WINDOWS Score: 76 14 Multi AV Scanner detection for domain / URL 2->14 16 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->16 18 Sigma detected: Microsoft Office Product Spawning Windows Shell 2->18 20 2 other signatures 2->20 6 EXCEL.EXE 83 42 2->6         started        process3 dnsIp4 12 healthymachinery.com 172.67.149.197, 49165, 80 CLOUDFLARENETUS United States 6->12 22 Document exploit detected (process start blacklist hit) 6->22 24 Document exploit detected (UrlDownloadToFile) 6->24 10 rundll32.exe 6->10         started        signatures5 process6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.67.149.197
 unknown United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
healthymachinery.com 172.67.149.197 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://healthymachinery.com/health/32-422-76.assp true
  • 8%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown