Analysis Report Documents_1605962083_895739149.xlsm

Overview

General Information

Sample Name:	Documents_1605962083_895739149.xlsm
Analysis ID:	382679
MD5:	77941203a3ef209ec6b53d47f0b6d5c0
SHA1:	a2c4f211a8007a6c1def18ab10722edd235a5a70
SHA256:	05ec137601fe0cb3bb5605a55df59e9e03cff966b43e545910cd12030bfca456
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Found Excel 4.0 Macro with suspicious formulas

Excel documents contains an embedded macro which executes code when the document is opened

IP address seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Classification

Signatures

AV Detection:

Antivirus detection for URL or domain

Source: http://sankhyasol.com/field.php

Avira URL Cloud: Label: malware

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: sankhyasol.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 148.66.138.148:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 148.66.138.148:80

Networking:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 148.66.138.148 148.66.138.148

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /field.php HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: sankhyasol.comConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6F6F568D.png

Jump to behavior

Source: global traffic

Source: unknown

DNS traffic detected: queries for: sankhyasol.com

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable Editing U the decryption of the document. U SecurityWarning Macros have been disabled. E
Source: Screenshot number: 4	Screenshot OCR: Enable content" to oerform M"crosoft Off"ce Decrvot"on Core to start V Q R S m' ^ Enable Editing
Source: Document image extraction number: 2	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internet. Protected View This fi
Source: Document image extraction number: 2	Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Source: Document image extraction number: 3	Screenshot OCR: Enable Content
Source: Document image extraction number: 4	Screenshot OCR: Enable Editing
Source: Document image extraction number: 13	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. Protected View This fi
Source: Document image extraction number: 13	Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document

Found Excel 4.0 Macro with suspicious formulas

Source: Documents_1605962083_895739149.xlsm	Initial sample: CALL
Source: Documents_1605962083_895739149.xlsm	Initial sample: CALL

Excel documents contains an embedded macro which executes code when the document is opened

Source: workbook.xml

Binary string: " sheetId="1" r:id="rId1"/><sheet name="Docs1" sheetId="2" r:id="rId2"/><sheet name="Docs2" sheetId="3" r:id="rId3"/><sheet name="Docs3" sheetId="4" r:id="rId4"/><sheet name="Docs4" sheetId="5" r:id="rId5"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">Docs2!$BA$11</definedName></definedNames><calcPr calcId="0"/></workbook>

Source: classification engine

Classification label: mal64.expl.evad.winXLSM@1/13@1/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Documents_1605962083_895739149.xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRCC43.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Documents_1605962083_895739149.xlsm	Initial sample: OLE zip file path = xl/media/image5.png
Source: Documents_1605962083_895739149.xlsm	Initial sample: OLE zip file path = xl/media/image6.png
Source: Documents_1605962083_895739149.xlsm	Initial sample: OLE zip file path = xl/media/image4.png
Source: Documents_1605962083_895739149.xlsm	Initial sample: OLE zip file path = xl/media/image2.png
Source: Documents_1605962083_895739149.xlsm	Initial sample: OLE zip file path = xl/media/image3.png
Source: Documents_1605962083_895739149.xlsm	Initial sample: OLE zip file path = xl/media/image1.png

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
148.66.138.148	sankhyasol.com	Singapore		26496	AS-26496-GO-DADDY-COM-LLCUS	false

Contacted Domains

Name	IP	Active
sankhyasol.com	148.66.138.148	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://sankhyasol.com/field.php	true	Avira URL Cloud: malware	unknown

ID:	382679
Product:	CloudBasic
Start time:	13:49:51
Start date:	06.04.2021
Sample:	Documents_1605962083_895739149.xlsm
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	77941203a3ef209ec6b53d47f0b6d5c0
SHA1:	a2c4f211a8007a6c1def18ab10722edd235a5a70
SHA256:	05ec137601fe0cb3bb5605a55df59e9e03cff966b43e545910cd12030bfca456
Filetype:	Excel Microsoft Office Open XML Format document (40004/1) 83.33%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\27FB0E16.png	PNG image data, 30 x 29, 8-bit/color RGB, non-interlaced	745E9775F9F61C9BFC2D13AA3AB16A2A	E9EB42E8723A4112722AFAD0A889FA9468168C78	E31538CF9239944E7C174D50FB6C75CC042D13594A79F69DF2DA97874241D7EA
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2D8C3523.png	PNG image data, 264 x 113, 8-bit/color RGB, non-interlaced	B34FB4F2F0F9E70B72BA3AFD028CD97C	C6868336F78DEA1E718965DF3341039581DB5B5A	189D420D344A694FD1928ABACBEC94D9F0EF52BE036CEB8144A9D9A6DD14EAEB
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\39690E29.png	PNG image data, 30 x 30, 8-bit/color RGB, non-interlaced	FC475BA24ED6FFB08766AA076689DB6B	CED2C4B64F54E11D79190714331C52B5157B1429	B0E239E6DD08FCB88CB5475DCAB60AD4EF32D16287C5734E93852162D82C405B
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5DB5A4C8.png	PNG image data, 178 x 76, 8-bit/color RGB, non-interlaced	9AD30E24270C495AE68EAF3A1EEECBFB	8642D256E7FFBEF5804A2D2220A1FE475A99DC36	6D3EAD431ABD110369EFABC6F2E474DC24FA3D7EEC28DE43456407C5BACD6D20
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6F6F568D.png	PNG image data, 288 x 77, 8-bit/color RGB, non-interlaced	839795652A8FE78F26F4D86D757ABDE8	979E5B90C72EA3E5E9D9B506AFDC981BFCA61B60	1A9EF0E2F66682B532D15457635920067C4F29EF762D2E8A3E0363B4CF39C13E
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6F827B1F.emf	Windows Enhanced Metafile (EMF) image data version 0x10000	0D94E1177F230340FF5F1363B68ADA08	67ABCEE0528F44BA1B6EB50EC4ADA8F5E6C7E1FC	AB58818AE1864807B22F8A58A75F7FA8703ECB19A2352BDB47469F366B868E59
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\78E8932A.png	PNG image data, 168 x 72, 8-bit/color RGB, non-interlaced	C7ED6FC355D8632DB1464BE3D56BF5CC	615484A338922DDF00B903CFA48060AD60D70207	26000244FBB0C6B2D76F80166CE85700BC96141C6CD80F8B399CA6F15FE3515C
C:\Users\user\AppData\Local\Temp\D8DE0000	data	FF71B72DC713F5B0302778515EF12EF1	180666F55365875BCD729461742051D2F898DB21	68E03DFAD51D5314D9A1CB4A65865C3DC9D5D3114E7A4B4A45A86B904C20145F
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue Apr 6 19:50:40 2021, atime=Tue Apr 6 19:50:40 2021, length=8192, window=hide	4C87C222CEAE1F744F247D527A5D617C	F00D194359C9DE32B1ECBC31405B3B4C18CB3DCC	E788E7B7301914EF6D3F68CA761C77F8AF0AAC30B5DC5348F62F14DEBA65F62E
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Documents_1605962083_895739149.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Tue Apr 6 19:50:40 2021, atime=Tue Apr 6 19:50:40 2021, length=80447, window=hide	0965ADECBC8EAF693F71384E42E1E091	D2895F0CAEC9D6D8FEC337584023C0727D5EA0C9	FAC1A574B888EECFB50BB0DBC6BCA1402D198B95CFC484948CE8CAD6D3F7EC4F
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	C2C383724036C4A4C7928281EA1739D6	65BE5AD41863C36977E4038CC88852B6537421AD	1CC389A2A63C14B73001DC431D2E4E196E1CFBD3ACC685915EAC9B92D74A3684
C:\Users\user\Desktop\89DE0000	data	FF71B72DC713F5B0302778515EF12EF1	180666F55365875BCD729461742051D2F898DB21	68E03DFAD51D5314D9A1CB4A65865C3DC9D5D3114E7A4B4A45A86B904C20145F
C:\Users\user\Desktop\~$Documents_1605962083_895739149.xlsm	data	96114D75E30EBD26B572C1FC83D1D02E	A44EEBDA5EB09862AC46346227F06F8CFAF19407	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523

Analysis Report Documents_1605962083_895739149.xlsm

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs