
Analysis Report document-1370071295.xls

Overview

General Information

Sample Name: document-1370071295.xls
Analysis ID: 381642
MD5: 09d41d14738707c2ce1e28b2313e1e5c
SHA1: 5714bc70d7d24c3db8c939c89fcea4b1d62736df
SHA256: 4844dc6311611acbba6d5afd762bcee79e3b4a5cc0d3d89b0ddc9c486f7b8d5e
Tags: IcedID, xls

Detection

Hidden Macro 4.0 Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Ursnif
Yara detected Ursnif
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Found obfuscated Excel 4.0 Macro
Machine Learning detection for dropped file
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Writes registry values via WMI
Yara detected hidden Macro 4.0 in Excel
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Uses code obfuscation techniques (call, push, ret)
Yara detected Xls With Macro 4.0
Yara signature match

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2004 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • rundll32.exe (PID: 2292 cmdline: rundll32 ..\fikftkm.thj,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 2396 cmdline: rundll32 ..\fikftkm.thj1,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 2748 cmdline: rundll32 ..\fikftkm.thj2,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
      • rundll32.exe (PID: 2764 cmdline: rundll32 ..\fikftkm.thj2,DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)
    • rundll32.exe (PID: 2852 cmdline: rundll32 ..\fikftkm.thj3,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 2968 cmdline: rundll32 ..\fikftkm.thj4,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
  • iexplore.exe (PID: 2824 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 4EB098135821348270F27157F7A84E65)
    • iexplore.exe (PID: 2528 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2824 CREDAT:275457 /prefetch:2 MD5: 8A590F790A98F3D77399BE457E01386A)
  • iexplore.exe (PID: 3004 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 4EB098135821348270F27157F7A84E65)
    • iexplore.exe (PID: 3064 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3004 CREDAT:275457 /prefetch:2 MD5: 8A590F790A98F3D77399BE457E01386A)
  • cleanup

Malware Configuration

Threatname: Ursnif

[{"RSA Public Key": "Om1HeBhXBR6NHvmWFG5B2kyl5mdcRMsb8ux2uo9VgGW0O2LzHZKk3w9bxw9stgphU0ayytcOYkK6GCNJlKSeMTZJ5WPgZiX+MaXiUccStEUTXkW1ubp0gdr16sb5U4M+rzWWPvc3s7bj9o1yqSJtP7PmMVp7E+3llLULQ9/DZbAD7SXaft6wcY8wFjSkI+8D"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]

Yara Overview

Initial Sample

Source: document-1370071295.xls | Rule: SUSP_EnableContent_String_Gen | Description: Detects suspicious string that asks to enable active content in Office Doc | Author: Florian Roth
  • 0x1ed97:$e1: Enable Editing
  • 0x1edb6:$e2: Enable Content
Source: document-1370071295.xls | Rule: SUSP_Excel4Macro_AutoOpen | Description: Detects Excel4 macro use with auto open / close | Author: John Lambert @JohnLaTwC
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x2aaa2:$s1: Excel
  • 0x2bb0b:$s1: Excel
  • 0x3b3c:$Auto_Open1: 18 00 17 00 AA 03 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
Source: document-1370071295.xls | Rule: JoeSecurity_XlsWithMacro4 | Description: Yara detected Xls With Macro 4.0 | Author: Joe Security
Source: document-1370071295.xls | Rule: JoeSecurity_HiddenMacro | Description: Yara detected hidden Macro 4.0 in Excel | Author: Joe Security

Memory Dumps

Source: 00000006.00000003.2495224017.00000000030CD000.00000004.00000040.sdmp | Rule: JoeSecurity_Ursnif | Description: Yara detected Ursnif | Author: Joe Security
Source: 00000006.00000002.2504044164.0000000000170000.00000004.00000001.sdmp | Rule: JoeSecurity_Ursnif_1 | Description: Yara detected Ursnif | Author: Joe Security
Source: 00000006.00000003.2357108464.00000000031CB000.00000004.00000040.sdmp | Rule: JoeSecurity_Ursnif | Description: Yara detected Ursnif | Author: Joe Security
Source: Process Memory Space: rundll32.exe PID: 2764 | Rule: JoeSecurity_Ursnif | Description: Yara detected Ursnif | Author: Joe Security

Unpacked PEs

Source: 6.2.rundll32.exe.170000.0.raw.unpack | Rule: JoeSecurity_Ursnif_1 | Description: Yara detected Ursnif | Author: Joe Security
Source: 6.2.rundll32.exe.10000000.10.unpack | Rule: JoeSecurity_Ursnif_1 | Description: Yara detected Ursnif | Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: rundll32 ..\fikftkm.thj,DllRegisterServer, CommandLine: rundll32 ..\fikftkm.thj,DllRegisterServer, CommandLine|base64offset|contains: ], Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2004, ProcessCommandLine: rundll32 ..\fikftkm.thj,DllRegisterServer, ProcessId: 2292

Signature Overview

AV Detection:

Found malware configuration
Source: 6.2.rundll32.exe.2e39590.9.raw.unpack | Malware Configuration Extractor: Ursnif [{"RSA Public Key": "Om1HeBhXBR6NHvmWFG5B2kyl5mdcRMsb8ux2uo9VgGW0O2LzHZKk3w9bxw9stgphU0ayytcOYkK6GCNJlKSeMTZJ5WPgZiX+MaXiUccStEUTXkW1ubp0gdr16sb5U4M+rzWWPvc3s7bj9o1yqSJtP7PmMVp7E+3llLULQ9/DZbAD7SXaft6wcY8wFjSkI+8D"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]
Multi AV Scanner detection for domain / URL
Source: accesslinksgroup.com | Virustotal: Detection: 8%
Multi AV Scanner detection for submitted file
Source: document-1370071295.xls | Virustotal: Detection: 16%
Source: document-1370071295.xls | Metadefender: Detection: 18%
Source: document-1370071295.xls | ReversingLabs: Detection: 48%
Machine Learning detection for dropped file
Source: C:\Users\user\fikftkm.thj2 | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif | Joe Sandbox ML: detected
Source: 6.2.rundll32.exe.2a0000.2.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
Source: 6.2.rundll32.exe.10000000.10.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 207.174.213.126:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.241.62.4:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 192.185.129.4:443 -> 192.168.2.22:49172 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.100.155.169:443 -> 192.168.2.22:49173 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 198.50.218.68:443 -> 192.168.2.22:49174 version: TLS 1.2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_001C12D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: 0104[1].gif.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe
Source: Joe Sandbox View | IP Address: 207.174.213.126
Source: Joe Sandbox View | IP Address: 162.241.62.4
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ
Source: rundll32.exe, 00000003.00000002.2108057689.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102163408.0000000001D30000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504193532.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504502612.00000000020F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173123549.0000000001C10000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: vts.us.com
Source: rundll32.exe, 00000003.00000002.2108057689.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102163408.0000000001D30000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504193532.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504502612.00000000020F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173123549.0000000001C10000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2108057689.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102163408.0000000001D30000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504193532.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504502612.00000000020F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173123549.0000000001C10000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2108249236.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102325978.0000000001F17000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504417204.0000000001CA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504688386.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173362712.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2167173953.0000000001CC7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2108249236.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102325978.0000000001F17000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504417204.0000000001CA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504688386.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173362712.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2167173953.0000000001CC7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2108249236.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102325978.0000000001F17000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504417204.0000000001CA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504688386.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173362712.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2167173953.0000000001CC7000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000006.00000002.2504310287.00000000004CD000.00000004.00000020.sdmp | String found in binary or memory: http://under17.com
Source: rundll32.exe, 00000006.00000002.2504310287.00000000004CD000.00000004.00000020.sdmp | String found in binary or memory: http://under17.com/joomla/W8irzuIA03OC/DHBetYa3Vzl/hddQ_2FkuTZ0IV/Oq1yvMr7E_2Frfr6f90DE/Wv_2B_2Bqw4C
Source: rundll32.exe, 00000003.00000002.2108249236.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102325978.0000000001F17000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504417204.0000000001CA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504688386.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173362712.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2167173953.0000000001CC7000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2108057689.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102163408.0000000001D30000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504193532.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504502612.00000000020F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173123549.0000000001C10000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2108249236.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102325978.0000000001F17000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504417204.0000000001CA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504688386.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173362712.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2167173953.0000000001CC7000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2108057689.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102163408.0000000001D30000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504193532.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504502612.00000000020F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173123549.0000000001C10000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000009.00000002.2166965953.0000000001AE0000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown | Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown | HTTPS traffic detected: 207.174.213.126:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.241.62.4:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 192.185.129.4:443 -> 192.168.2.22:49172 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.100.155.169:443 -> 192.168.2.22:49173 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 198.50.218.68:443 -> 192.168.2.22:49174 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000006.00000002.2504044164.0000000000170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 6.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.10000000.10.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match | File source: 00000006.00000003.2495224017.00000000030CD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2357108464.00000000031CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 2764, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000006.00000002.2504044164.0000000000170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 6.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.10000000.10.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match | File source: 00000006.00000003.2495224017.00000000030CD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2357108464.00000000031CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 2764, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, please elk 14 Ru
Source: Screenshot number: 8 | Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, please clic 14 R
Source: Screenshot number: 12 | Screenshot OCR: Enable Editing, please click Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18
Source: Screenshot number: 12 | Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU
Source: Document image extraction number: 9 | Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Conten
Source: Document image extraction number: 9 | Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Document image extraction number: 15 | Screenshot OCR: Enable Editing from the yellow bar above CB Once You have Enable Editing, please click Enable Cont
Source: Document image extraction number: 15 | Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? W You are using IDS or And
Source: Screenshot number: 16 | Screenshot OCR: Enable Editing 11 1 from the yellow bar above 12 13 ' @ Once You have Enable Editing, please clic
Source: Screenshot number: 16 | Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU
Found Excel 4.0 Macro with suspicious formulas
Source: document-1370071295.xls | Initial sample: CALL
Source: document-1370071295.xls | Initial sample: EXEC
Found abnormal large hidden Excel 4.0 Macro sheet
Source: document-1370071295.xls | Initial sample: Sheet size: 4081
Source: document-1370071295.xls | Initial sample: Sheet size: 12790
Found obfuscated Excel 4.0 Macro
Source: document-1370071295.xls | Initial sample: High usage of CHAR() function: 40
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\fikftkm.thj2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif
Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_10001D9F NtMapViewOfSection
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_10001EB5 GetProcAddress,NtCreateSection,memset
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_10002375 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_001C83B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_001CB341 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_002A348F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_002A6424
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_002A1000
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_002A1918
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_002A3314
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_002A596E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_002A237B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_002A247B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_002A5C76
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_002A1374
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_002A554B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_002A4859
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_002A3FA8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_002A3A85
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_002A1B95
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_002A28EB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_002A20EE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_002A52EC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_002A5AF6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_002A3BDB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_10002154
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_001C4094
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_001CB11C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_001C97F2
Source: document-1370071295.xls | OLE indicator, VBA macros: true
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif A05711289E9F8DBA5F0CE5FE3B3096F8C181F537D169997E2DB30F83036052D3
Source: Joe Sandbox View | Dropped File: C:\Users\user\fikftkm.thj2 A05711289E9F8DBA5F0CE5FE3B3096F8C181F537D169997E2DB30F83036052D3
Source: document-1370071295.xls, type: SAMPLE | Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: document-1370071295.xls, type: SAMPLE | Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: rundll32.exe, 00000003.00000002.2108057689.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102163408.0000000001D30000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504193532.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504502612.00000000020F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173123549.0000000001C10000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal100.troj.expl.evad.winXLS@19/59@7/6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_001C757F CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_001C7B5D SetWaitableTimer,CoCreateInstance,CoSetProxyBlanket
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\19CE0000
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRC1D8.tmp
Source: document-1370071295.xls | OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj,DllRegisterServer
Source: document-1370071295.xls | Virustotal: Detection: 16%
Source: document-1370071295.xls | Metadefender: Detection: 18%
Source: document-1370071295.xls | ReversingLabs: Detection: 48%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj2,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fikftkm.thj2,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj3,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj4,DllRegisterServer
Source: unknown | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2824 CREDAT:275457 /prefetch:2
Source: unknown | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3004 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj2,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj3,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj4,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fikftkm.thj2,DllRegisterServer
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2824 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3004 CREDAT:275457 /prefetch:2
                  Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
                  Source: C:\Windows\System32\rundll32.exeAutomated click: OK
                  Source: C:\Windows\System32\rundll32.exeAutomated click: OK
                  Source: C:\Windows\System32\rundll32.exeAutomated click: OK
                  Source: C:\Windows\System32\rundll32.exeAutomated click: OK
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10001745 LoadLibraryA,GetProcAddress,6_2_10001745
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A348F push dword ptr [ebp-10h]; mov dword ptr [esp], ecx6_2_002A34A1
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A348F push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx6_2_002A3632
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A348F push 00000000h; mov dword ptr [esp], edx6_2_002A37FE
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A348F push edx; mov dword ptr [esp], 00000002h6_2_002A384A
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A348F push 00000000h; mov dword ptr [esp], ecx6_2_002A38D7
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A6194 push eax; mov dword ptr [esp], 00000004h6_2_002A61AF
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A6194 push esi; mov dword ptr [esp], 00001000h6_2_002A61B7
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A6194 push 00000000h; mov dword ptr [esp], ebp6_2_002A6267
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A6424 push dword ptr [ebp-08h]; mov dword ptr [esp], esp6_2_002A644D
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A6424 push 00000000h; mov dword ptr [esp], edi6_2_002A64EC
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A6424 push 00000000h; mov dword ptr [esp], ecx6_2_002A657A
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A6424 push 00000000h; mov dword ptr [esp], ebp6_2_002A65D2
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A6424 push dword ptr [ebp-08h]; mov dword ptr [esp], eax6_2_002A66E2
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A6424 push dword ptr [ebp-04h]; mov dword ptr [esp], ecx6_2_002A6736
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A463F push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax6_2_002A4648
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A463F push ebp; mov dword ptr [esp], 00000003h6_2_002A46A2
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A463F push ebx; mov dword ptr [esp], 00F00000h6_2_002A46AB
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A6633 push dword ptr [ebp-08h]; mov dword ptr [esp], eax6_2_002A66E2
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A6633 push dword ptr [ebp-04h]; mov dword ptr [esp], ecx6_2_002A6736
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A1000 push 00000000h; mov dword ptr [esp], ebp6_2_002A110A
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A1000 push 00000000h; mov dword ptr [esp], ebx6_2_002A1146
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A1000 push 00000000h; mov dword ptr [esp], ebp6_2_002A118E
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A1000 push ebp; mov dword ptr [esp], 00000002h6_2_002A1270
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A1000 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx6_2_002A12E7
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A1918 push dword ptr [ebp-24h]; mov dword ptr [esp], ebx6_2_002A1927
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A1918 push 00000000h; mov dword ptr [esp], ecx6_2_002A1B10
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A1918 push 00000000h; mov dword ptr [esp], esi6_2_002A1CD4
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A1918 push 00000000h; mov dword ptr [esp], esi6_2_002A1D37
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A1918 push dword ptr [ebp-20h]; mov dword ptr [esp], esi6_2_002A1DC0
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A1918 push 00000000h; mov dword ptr [esp], ebp6_2_002A1E4C
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_002A1918 push dword ptr [ebp-20h]; mov dword ptr [esp], ecx6_2_002A1F23
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\fikftkm.thj2Jump to dropped file
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gifJump to dropped file
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\fikftkm.thj2Jump to dropped file
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gifJump to dropped file
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\fikftkm.thj2Jump to dropped file

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\fikftkm.thj2

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000006.00000002.2504044164.0000000000170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 6.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.10000000.10.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match | File source: 00000006.00000003.2495224017.00000000030CD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2357108464.00000000031CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 2764, type: MEMORY
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_001C12D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 6_2_001C12D4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_10001745 LoadLibraryA,GetProcAddress, 6_2_10001745
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_002A2DF5 or edx, dword ptr fs:[00000030h] 6_2_002A2DF5

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel
Source: Yara match | File source: document-1370071295.xls, type: SAMPLE
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fikftkm.thj2,DllRegisterServer
Source: Yara match | File source: document-1370071295.xls, type: SAMPLE
Source: rundll32.exe, 00000005.00000002.2504123727.00000000006C0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504465351.0000000000CF0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: rundll32.exe, 00000005.00000002.2504123727.00000000006C0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504465351.0000000000CF0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000005.00000002.2504123727.00000000006C0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504465351.0000000000CF0000.00000002.00000001.sdmp | Binary or memory string: !Progman