Analysis Report Complaint-1091191320-02182021.xls

Overview

General Information

Sample Name: Complaint-1091191320-02182021.xls
Analysis ID: 356327
MD5: da47abb08bf5ab8ccd6dde8b8395585d
SHA1: f4ffc845ceb85dee839ac85228ff410d9a01bd33
SHA256: 91b4e89cdfe2e0d0f29642b21d4035ee4201f99e24e5ec841d4c8bb73547cd78

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document contains embedded VBA macros
IP address seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

AV Detection:

barindex
Antivirus detection for URL or domain
Source: http://chandni.pk/cgi-sys/suspendedpage.cgi Avira URL Cloud: Label: malware
Source: http://batikentklinik.com/qtuofsxtov/44249951829861100000.dat Avira URL Cloud: Label: malware
Source: http://7ruzezendegi.com/samsgtlfwzt/44249951829861100000.dat Avira URL Cloud: Label: malware
Source: http://7ruzezendegi.com/cgi-sys/suspendedpage.cgi Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: Complaint-1091191320-02182021.xls Metadefender: Detection: 13% Perma Link
Source: Complaint-1091191320-02182021.xls ReversingLabs: Detection: 37%

Compliance:

barindex
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Software Vulnerabilities:

barindex
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA Jump to behavior
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe Jump to behavior
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: dindorf.com.ar
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 181.88.192.136:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 181.88.192.136:80

Networking:

barindex
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 192.185.16.95 192.185.16.95
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /ntpnttfypqs/44249951829861100000.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: dindorf.com.arConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /samsgtlfwzt/44249951829861100000.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 7ruzezendegi.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 7ruzezendegi.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /qtuofsxtov/44249951829861100000.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: batikentklinik.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ictrljsfuh/44249951829861100000.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: chandni.pkConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: chandni.pkConnection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 22 Feb 2021 21:51:12 GMTServer: nginx/1.19.5Content-Type: text/htmlContent-Length: 315Vary: Accept-EncodingContent-Encoding: gzipX-Server-Cache: falseData Raw: 1f 8b 08 00 00 00 00 00 00 03 65 91 d1 4f c2 30 10 c6 df fd 2b 6a 13 7d 1b 1d 8a 89 d1 76 26 0e 54 92 c9 88 cc 18 9f 4c 59 6f ac c9 b6 ce ee 26 f2 df cb 56 10 0d f7 f6 fb 72 f7 f5 eb 1d 3f 1d c7 61 f2 3e 9f 90 1c cb 82 cc 5f ef a3 69 48 a8 c7 d8 db 65 c8 d8 38 19 93 a7 e4 39 22 a3 81 3f 24 89 95 55 a3 51 9b 4a 16 8c 4d 66 34 38 e1 dd 58 70 42 5c f1 1c a4 fa a5 7d 71 d4 58 40 10 9a 0a 65 8a 64 d1 d6 b5 b1 c8 99 93 8f ba 4b 40 b9 4d 83 b5 07 9f ad fe 12 b4 1b 84 0a bd 64 53 03 25 a9 23 41 11 be 91 75 cf df 92 34 97 b6 01 14 2d 66 de 35 3d c4 61 ff f2 f0 a5 51 1b 52 4a bb d2 d5 5a 2b cc 05 f5 e9 8e 73 d0 ab 1c 7b a1 80 0c 9d d8 23 9a fa 40 c7 69 75 66 65 09 64 e7 37 f4 fd 33 4a f6 66 8e fa 86 a5 b1 0a 6c 6f b8 08 5f e2 28 9a ce 1e 05 95 2d 1a 7a 94 a8 b1 a9 a0 dd 02 6e 18 cb d6 aa 69 ea 41 6a 4a 76 a7 2a 61 21 03 0b f6 43 01 42 8a e7 b5 56 e2 6a 1e 47 a3 87 8b 78 44 03 ce 5c 9a 3f 0b e8 be bc bd 12 73 67 fa 01 31 ba ab ae ee 01 00 00 Data Ascii: eO0+j}v&TLYo&Vr?a>_iHe89"?$UQJMf48XpB\}qX@edK@MdS%#Au4-f5=aQRJZ+s{#@iufed73Jflo_(-zniAjJv*a!CBVjGxD\?sg1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ Jump to behavior
Source: global traffic HTTP traffic detected: GET /ntpnttfypqs/44249951829861100000.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: dindorf.com.arConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /samsgtlfwzt/44249951829861100000.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 7ruzezendegi.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 7ruzezendegi.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /qtuofsxtov/44249951829861100000.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: batikentklinik.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ictrljsfuh/44249951829861100000.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: chandni.pkConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: chandni.pkConnection: Keep-Alive
Source: rundll32.exe, 00000004.00000002.2170893256.0000000001AF0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2164131332.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2155760549.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2152472144.0000000001AA0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2146230091.0000000001C50000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: dindorf.com.ar
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://batikentklinik.com/wp-json/>; rel="https://api.w.org/"X-Litespeed-Cache-Control: public,max-age=3600X-Litespeed-Tag: 164_HTTP.404,164_404,164_URL.13aed0d0174f3be9038c17f54db51e93,164_Transfer-Encoding: chunkedDate: Mon, 22 Feb 2021 21:49:24 GMTServer: LiteSpeedConnection: Keep-AliveData Raw: 35 31 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 74 72 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 09 3c 74 69 74 6c 65 3e 53 61 79 66 61 20 62 75 6c 75 6e 61 6d 61 64 c4 b1 20 26 23 38 32 31 31 3b 20 4b 65 6e 74 20 4b 6c 69 6e 69 6b 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 73 2e 77 2e 6f 72 67 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4b 65 6e 74 20 4b 6c 69 6e 69 6b 20 26 72 61 71 75 6f 3b 20 62 65 73 6c 65 6d 65 73 69 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 62 61 74 69 6b 65 6e 74 6b 6c 69 6e 69 6b 2e 63 6f 6d 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4b 65 6e 74 20 4b 6c 69 6e 69 6b 20 26 72 61 71 75 6f 3b 20 79 6f 72 75 6d 20 62 65 73 6c 65 6d 65 73 69 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 62 61 74 69 6b 65 6e 74 6b 6c 69 6e 69 6b 2e 63 6f 6d 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 53 4b 59 50 45 5f 54 4f 4f 4c 42 41 52 22 20 63 6f 6e 74 65 6e 74 3d 22 53 4b 59 50 45 5f 54 4f 4f 4c 42 41 52 5f 50 41 52 53 45 52 5f 43 4f 4d 50 41 54 49 42 4c 45 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 66 35 66 35 66 35 22 3e 0a 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 53 61 79 66 61 20 62 75 6c 75 6e 61 6d 61 64 c4 b1 20 26 23 38 32 31 31 3b 20 4b 65 6e 74 20 4b 6c 69 6e 69 6b 22 3e 0a 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 3a 2f 2f 62 61 74 69 6b 65 6e 74 6b 6c 69 6e 69 6b 2e 63 6f 6d 2f 71 74 75 6f 66 73 78 74 6f 76 2f 34 34 32 34 39 39 35 3
Source: rundll32.exe, 00000004.00000002.2170893256.0000000001AF0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2164131332.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2155760549.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2152472144.0000000001AA0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2146230091.0000000001C50000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000004.00000002.2170893256.0000000001AF0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2164131332.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2155760549.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2152472144.0000000001AA0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2146230091.0000000001C50000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000004.00000002.2171015522.0000000001CD7000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2164266296.0000000001CA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2156318745.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2152670940.0000000001C87000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000004.00000002.2171015522.0000000001CD7000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2164266296.0000000001CA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2156318745.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2152670940.0000000001C87000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000004.00000002.2171015522.0000000001CD7000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2164266296.0000000001CA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2156318745.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2152670940.0000000001C87000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000004.00000002.2171015522.0000000001CD7000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2164266296.0000000001CA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2156318745.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2152670940.0000000001C87000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000004.00000002.2170893256.0000000001AF0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2164131332.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2155760549.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2152472144.0000000001AA0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2146230091.0000000001C50000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000004.00000002.2171015522.0000000001CD7000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2164266296.0000000001CA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2156318745.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2152670940.0000000001C87000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000004.00000002.2170893256.0000000001AF0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2164131332.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2155760549.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2152472144.0000000001AA0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2146230091.0000000001C50000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000008.00000002.2146230091.0000000001C50000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.

System Summary:

barindex
Found malicious Excel 4.0 Macro
Source: Complaint-1091191320-02182021.xls Initial sample: urlmon
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing, please click Enabk " 14 from the yellow bar above NuOll I XA I 15 R nn|| I f? I .
Source: Screenshot number: 8 Screenshot OCR: Enable Editing, please click Enable Content 14 from the yellow bar above 15 16 17 ,, WHY I CANN
Source: Screenshot number: 8 Screenshot OCR: Enable Content 14 from the yellow bar above 15 16 17 ,, WHY I CANNOTOPEN THIS DOCUMENT? 19 20
Source: Document image extraction number: 2 Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Content
Source: Document image extraction number: 2 Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Document image extraction number: 8 Screenshot OCR: Enable Editing from the yellow bar above @Once You have Enable Editing, please click Enable Conten
Source: Document image extraction number: 8 Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? m You are using IDS or And
Found Excel 4.0 Macro with suspicious formulas
Source: Complaint-1091191320-02182021.xls Initial sample: EXEC
Document contains embedded VBA macros
Source: Complaint-1091191320-02182021.xls OLE indicator, VBA macros: true
Yara signature match
Source: Complaint-1091191320-02182021.xls, type: SAMPLE Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: rundll32.exe, 00000004.00000002.2170893256.0000000001AF0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2164131332.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2155760549.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2152472144.0000000001AA0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2146230091.0000000001C50000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal88.expl.evad.winXLS@11/9@5/5
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\8DCE0000 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC689.tmp Jump to behavior
Source: Complaint-1091191320-02182021.xls OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr,DllRegisterServer
Source: Complaint-1091191320-02182021.xls Metadefender: Detection: 13%
Source: Complaint-1091191320-02182021.xls ReversingLabs: Detection: 37%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr,DllRegisterServer
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr1,DllRegisterServer
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr2,DllRegisterServer
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr3,DllRegisterServer
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr4,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr,DllRegisterServer Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr1,DllRegisterServer Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr2,DllRegisterServer Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr3,DllRegisterServer Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr4,DllRegisterServer Jump to behavior
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 356327 Sample: Complaint-1091191320-02182021.xls Startdate: 22/02/2021 Architecture: WINDOWS Score: 88 24 Antivirus detection for URL or domain 2->24 26 Multi AV Scanner detection for submitted file 2->26 28 Found malicious Excel 4.0 Macro 2->28 30 3 other signatures 2->30 6 EXCEL.EXE 84 44 2->6         started        process3 dnsIp4 18 chandni.pk 192.185.16.95, 49171, 80 UNIFIEDLAYER-AS-1US United States 6->18 20 dindorf.com.ar 181.88.192.136, 49167, 80 TelecomArgentinaSAAR Argentina 6->20 22 3 other IPs or domains 6->22 32 Document exploit detected (process start blacklist hit) 6->32 34 Document exploit detected (UrlDownloadToFile) 6->34 10 rundll32.exe 6->10         started        12 rundll32.exe 6->12         started        14 rundll32.exe 6->14         started        16 2 other processes 6->16 signatures5 process6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.159.153.72
unknown Iran (ISLAMIC Republic Of)
201999 SERVERPARSIR false
181.88.192.136
unknown Argentina
7303 TelecomArgentinaSAAR false
112.125.131.128
unknown China
37963 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd false
2.59.117.215
unknown Turkey
42926 RADORETR false
192.185.16.95
unknown United States
46606 UNIFIEDLAYER-AS-1US false

Contacted Domains

Name IP Active
dindorf.com.ar 181.88.192.136 true
batikentklinik.com 2.59.117.215 true
chandni.pk 192.185.16.95 true
miaovideo.com 112.125.131.128 true
7ruzezendegi.com 185.159.153.72 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://chandni.pk/cgi-sys/suspendedpage.cgi true
  • Avira URL Cloud: malware
unknown
http://batikentklinik.com/qtuofsxtov/44249951829861100000.dat true
  • Avira URL Cloud: malware
unknown
http://7ruzezendegi.com/samsgtlfwzt/44249951829861100000.dat true
  • Avira URL Cloud: malware
unknown
http://chandni.pk/ictrljsfuh/44249951829861100000.dat false
  • Avira URL Cloud: safe
unknown
http://dindorf.com.ar/ntpnttfypqs/44249951829861100000.dat false
  • Avira URL Cloud: safe
unknown
http://7ruzezendegi.com/cgi-sys/suspendedpage.cgi true
  • Avira URL Cloud: malware
unknown