Analysis Report Documents (252).xlsm

Overview

General Information

Sample Name:	Documents (252).xlsm
Analysis ID:	382991
MD5:	966c13f10fa0b3bfe75da87bca817396
SHA1:	1769db2ec1d019b526e63637a413ceab10d00ff3
SHA256:	963963dd218deb7e041b5a2ccf85a48c12d62bd2bdc248d6636b332f234cba14
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: Wmic Launch regsvr32

Contains functionality to create processes via WMI

Creates processes via WMI

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Office document connecting to suspicious TLD

Outdated Microsoft Office dropper detected

Performs DNS queries to domains with low reputation

Potential document exploit detected (performs DNS queries with low reputation score)

Excel documents contains an embedded macro which executes code when the document is opened

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

Signatures

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\wbem\WMIC.exe

Potential document exploit detected (performs DNS queries with low reputation score)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DNS query: name: xherzog24pv.xyz

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: xherzog24pv.xyz

Networking:

Office document connecting to suspicious TLD

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DNS traffic detected: xherzog24pv.xyz

Outdated Microsoft Office dropper detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DNS query: xherzog24pv.xyz is down

Performs DNS queries to domains with low reputation

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DNS query: xherzog24pv.xyz

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Source: unknown

DNS traffic detected: query: xherzog24pv.xyz replaycode: Name error (3)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F763B4BE.png

Jump to behavior

Source: unknown

DNS traffic detected: queries for: xherzog24pv.xyz

Source: WMIC.exe, 00000003.00000002.2083197234.0000000001BD0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2083045967.0000000001CC0000.00000002.00000001.sdmp

String found in binary or memory: http://servername/isapibackend.dll

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable Editing" 11 from the yellow bar above 12 13 @ Once You have Enable Editing, please click "
Source: Screenshot number: 4	Screenshot OCR: Enable Content" 14 from the yellow bar above 15 16 17 18 WHY I CANNOT OPEN THIS DOCUMENT? 19
Source: Screenshot number: 8	Screenshot OCR: Enable Editing" 11 from the yellow bar above 12 13 @ Once You have Enable Editing, please click "
Source: Screenshot number: 8	Screenshot OCR: Enable Content X R12 - "- jR V \ A B C D E F G H I J K L M N O P Q R S : 1 2 ' Ga,, THIS DO
Source: Screenshot number: 12	Screenshot OCR: Enable Editing" from the yellow bar above @ Once You have Enable Editing, please click "Enable Con
Source: Screenshot number: 12	Screenshot OCR: Enable Content Al " " Clickfor more details A B C D E F G H I J K L M N O P Q R S 1 2 3 4 5
Source: Screenshot number: 16	Screenshot OCR: enable content only if you trust the contents of the file. Trust Center Settings Learn more about
Source: Screenshot number: 16	Screenshot OCR: Enable Macros Content " You should enable content only if you trust the contents of the file. Tru

Contains functionality to create processes via WMI

Source: WMIC.exe, 00000003.00000002.2083116468.00000000001E0000.00000004.00000020.sdmp

Binary or memory string: C:\Users\user\Documents\C:\Windows\System32\Wbem;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\System32\Wbem\wmic.exewmic.exe process call create 'regsvr32 -s C:/Users/Public/dbhfr.xref'C:\Windows\System32\Wbem\wmic.exeWinSta0\Default

Found Excel 4.0 Macro with suspicious formulas

Source: Documents (252).xlsm

Initial sample: EXEC

Found abnormal large hidden Excel 4.0 Macro sheet

Source: Documents (252).xlsm

Initial sample: Sheet size: 88698

Excel documents contains an embedded macro which executes code when the document is opened

Source: workbook.xml

Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15 xr xr6 xr10 xr2" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xmlns:xr10="http://schemas.microsoft.com/office/spreadsheetml/2016/revision10" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2"><fileVersion appName="xl" lastEdited="7" lowestEdited="7" rupBuild="23127"/><workbookPr defaultThemeVersion="124226"/><mc:AlternateContent xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"><mc:Choice Requires="x15"><x15ac:absPath url="C:\Users\Janadark\3D Objects\corp\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent><xr:revisionPtr revIDLastSave="0" documentId="8_{29DC8E7E-AE72-4A96-8469-EA40E9BC458E}" xr6:coauthVersionLast="45" xr6:coauthVersionMax="45" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/><bookViews><workbookView xWindow="-120" yWindow="-120" windowWidth="29040" windowHeight="15840" firstSheet="1" activeTab="1" xr2:uid="{00000000-000D-0000-FFFF-FFFF00000000}"/></bookViews><sheets><sheet name="dbapi "=sd" sheetId="4" state="hidden" r:id="rId1"/><sheet name="FrameSecure" sheetId="5" r:id="rId2"/></sheets><definedNames><definedName name="dontdoit" function="1" xlm="1">-676986879</definedName><definedName name="okwell" function="1" xlm="1">124715010</definedName><definedName name="plzno" function="1" xlm="1">-709623808</definedName><definedName name="_xlnm.Auto_Open">'dbapi "=sd'!$AA$6</definedName></definedNames><calcPr calcId="144525"/></workbook>

Source: classification engine

Classification label: mal96.troj.expl.evad.winXLSM@4/12@1/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Documents (252).xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRBBEE.tmp

Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe process call create 'regsvr32 -s C:/Users/Public/dbhfr.xref'
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s C:/Users/Public/dbhfr.xref
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe process call create 'regsvr32 -s C:/Users/Public/dbhfr.xref'	Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Documents (252).xlsm	Initial sample: OLE zip file path = xl/media/image1.png
Source: Documents (252).xlsm	Initial sample: OLE zip file path = xl/media/image2.png
Source: Documents (252).xlsm	Initial sample: OLE zip file path = xl/media/image3.png

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Persistence and Installation Behavior:

Creates processes via WMI

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\wbem\WMIC.exe TID: 2796

Thread sleep time: -180000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.255

Contacted Domains

Name	IP	Active
xherzog24pv.xyz	unknown	unknown

ID:	382991
Product:	CloudBasic
Start time:	02:09:00
Start date:	07.04.2021
Sample:	Documents (252).xlsm
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	966c13f10fa0b3bfe75da87bca817396
SHA1:	1769db2ec1d019b526e63637a413ceab10d00ff3
SHA256:	963963dd218deb7e041b5a2ccf85a48c12d62bd2bdc248d6636b332f234cba14
Filetype:	Excel Microsoft Office Open XML Format document (40004/1) 83.32%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\842F6688.png	PNG image data, 30 x 30, 8-bit/color RGB, non-interlaced	600F503BC1066BEB5FB5DD494AA1CD74	A504D5E687B98F9E0FD2896DFC8492DE0F974BE6	B06BA2FAAAF371AE2F92D9047FFDAAF1933E03CFBC1E999E8B7CF378E33499C3
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9C8A64E9.png	PNG image data, 287 x 78, 8-bit/color RGBA, non-interlaced	29A9EE6FB5591751FC60ECD0FDB9478D	D8A58D27A5D77416E1B882FDE001FE827EB0C1F5	F2E6BD48ACC89A7DF730F5FE7FD0A19112FEF2C59BFEDF607996B1062337FC8F
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ABD84DE3.png	PNG image data, 30 x 30, 8-bit/color RGB, non-interlaced	55E8A29B221E51BE421B7D4F5F5F7E52	117E73181FC9CDAA0904C6372D68EE48CEDC14E4	B54D8571DB2F8FC570144F24EF7A42CE93FAB269AF166BF1234DBD2F96D86EB8
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C16FFF7C.png	PNG image data, 287 x 78, 8-bit/color RGBA, non-interlaced	29A9EE6FB5591751FC60ECD0FDB9478D	D8A58D27A5D77416E1B882FDE001FE827EB0C1F5	F2E6BD48ACC89A7DF730F5FE7FD0A19112FEF2C59BFEDF607996B1062337FC8F
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F0A1E1A7.png	PNG image data, 30 x 30, 8-bit/color RGB, non-interlaced	600F503BC1066BEB5FB5DD494AA1CD74	A504D5E687B98F9E0FD2896DFC8492DE0F974BE6	B06BA2FAAAF371AE2F92D9047FFDAAF1933E03CFBC1E999E8B7CF378E33499C3
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F763B4BE.png	PNG image data, 30 x 30, 8-bit/color RGB, non-interlaced	55E8A29B221E51BE421B7D4F5F5F7E52	117E73181FC9CDAA0904C6372D68EE48CEDC14E4	B54D8571DB2F8FC570144F24EF7A42CE93FAB269AF166BF1234DBD2F96D86EB8
C:\Users\user\AppData\Local\Temp\D2CE0000	data	BD358272AF7DAB33151195FF12D6217E	CCC193B27AA91319B42770E4B668FAF7A7929DB6	08463109BCBBC2A7F8683207172DA2DE3A8473E8D4CBE39AB1744CE83D8E6012
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed Apr 7 08:09:35 2021, atime=Wed Apr 7 08:09:35 2021, length=8192, window=hide	835340709C9BFF9A87235BAEB59683B1	0754C627E8564659FE9FB5373FDC2F130EE5CB5E	0368C23B6D83D9BCEC16378A4E104A8CC2AFD0DA0CF5CFC78751943FC89C133D
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Documents (252).LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Wed Apr 7 08:09:35 2021, atime=Wed Apr 7 08:09:35 2021, length=279279, window=hide	B2ACE93FE976A321BFC3FD8E59A2B6A6	93F2EB6AC0E1675C80834266AEB0FE694415CB66	22FEDE4E594CE2465437BAA9E7604556671CE3F8C4AC95C1B9272072A9543952
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	EBF0A100F3CDA68735AABF46F42CEFEF	48CA8B0E2DD6FE5737EFA9DAA2F9BB055B72F9E0	F86272101EB9CA0D4BB98DE814ADAAB3FF2891930B18A20BDDD8CDE3B55AF55B
C:\Users\user\Desktop\A3CE0000	data	BD358272AF7DAB33151195FF12D6217E	CCC193B27AA91319B42770E4B668FAF7A7929DB6	08463109BCBBC2A7F8683207172DA2DE3A8473E8D4CBE39AB1744CE83D8E6012
C:\Users\user\Desktop\~$Documents (252).xlsm	data	98D7F9B901C91608CD7EA5509662BBCA	F166635CE572B615A1D80076A1AE8DE9220473CF	F07A8B18E5B50003C42020241E82DDCCFBE254236AF2678C3CEFA4709100F4FE

Analysis Report Documents (252).xlsm

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Language, Device and Operating System Detection:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains