Analysis Report upload_dreport_1364433.xls

ID:	384202
Product:	CloudBasic
Start time:	18:30:20
Start date:	08.04.2021
Sample:	upload_dreport_1364433.xls
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	754118ba489515384b9607af8afb0818
SHA1:	a16a7be15f0d55a3a1e8aa771752d2740cd7b0a6
SHA256:	9a8354e138e9a773581bb74e52e6e1a7dffb3fb0f6ec1859b4a4d7dc62421c97
Filetype:	Microsoft Excel sheet (30009/1) 78.94%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\A8DE0000	data	551325FC9F0EF79919C4A8BD0786DBA2	C84B11DDA1E4CA2AB035C45AD1233BB131ED26A4	EEB25E96C5A5908E5E9904C6320009E2DD73DBDEDCCF4734A5C92A9F84E1AE12
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Fri Apr 9 00:30:40 2021, atime=Fri Apr 9 00:30:40 2021, length=12288, window=hide	0C1E0638A30653B168BF8AC4CC2E88F0	9D036BAE04E40BE1FD2D88911D93214F6875C761	29B581BE59FF27F53C7A94C934567DE5D2E6F331CEADF08073D141D49FD95AD6
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	5BCEAE4B11BAD38798C24B8CFF42C07D	CDDDD3F63123E108951D9F3134E4BC6C842319AB	1FBB4753F83F300753566EF8AA2A0BD7F11B6351DB6CA28FEA3A108D5CD142AF
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\upload_dreport_1364433.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Fri Apr 9 00:30:40 2021, atime=Fri Apr 9 00:30:41 2021, length=104960, window=hide	E78545EC3C3C9F12D4BE705E4E13B0C1	27067EA319F261A7E793E399928081C1C7FF66F0	BCE3E4A56B85D2BEA1879279E75E0F38264B56623CB227925772CB5E85D0057D
C:\Users\user\Desktop\79DE0000	Applesoft BASIC program data, first line number 16	C2D040D8A5936A7ED8EE93496334ADF0	9E8779B14995606BE83A7628D4B8CB54D74B28AC	A71369313985D81851B4DBCD15E50A9F2E05934C98D1F6E1BE34848EF5843360

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: www.algostore.in

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 103.212.121.53:80

Networking:

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 103.212.121.53:80

Downloads files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7CD8CA3A.emf

Jump to behavior

Found strings which match to known social media urls

Source: rundll32.exe, 00000003.00000002.2139654977.0000000001BC0000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: www.algostore.in

URLs found in memory or binary data

Source: rundll32.exe, 00000003.00000002.2139654977.0000000001BC0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2139654977.0000000001BC0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2139808790.0000000001DA7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2139808790.0000000001DA7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2139808790.0000000001DA7000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2139808790.0000000001DA7000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: upload_dreport_1364433.xls, 79DE0000.0.dr	String found in binary or memory: http://www.algostore.in/algostoreold/printme.php
Source: rundll32.exe, 00000003.00000002.2139654977.0000000001BC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2139808790.0000000001DA7000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2139654977.0000000001BC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000003.00000002.2139654977.0000000001BC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 14 Protected View
Source: Screenshot number: 4	Screenshot OCR: Enable content" to oerform Microsoft Office Decrvotion Core to start U the decryption of the docum
Source: Document image extraction number: 2	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internet. Protected View This fi
Source: Document image extraction number: 2	Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Source: Document image extraction number: 3	Screenshot OCR: Enable Content
Source: Document image extraction number: 4	Screenshot OCR: Enable Editing
Source: Document image extraction number: 13	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. Protected View This fi
Source: Document image extraction number: 13	Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Source: Screenshot number: 8	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 14 ) Protected Vi
Source: Screenshot number: 8	Screenshot OCR: Enable content" to perform Microsoft officd Decryption Core to start 18 ['the decryption of the doc

Found Excel 4.0 Macro with suspicious formulas

Source: upload_dreport_1364433.xls	Initial sample: CALL
Source: upload_dreport_1364433.xls	Initial sample: EXEC

Document contains embedded VBA macros

Source: upload_dreport_1364433.xls

OLE indicator, VBA macros: true

Yara signature match

Source: upload_dreport_1364433.xls, type: SAMPLE

Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research

Binary contains paths to development resources

Source: rundll32.exe, 00000003.00000002.2139654977.0000000001BC0000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Classification label

Source: classification engine

Classification label: mal60.expl.evad.winXLS@3/5@1/1

Creates files inside the user directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT

Jump to behavior

Creates temporary files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRCBC7.tmp

Jump to behavior

Document contains an OLE Workbook stream indicating a Microsoft Excel file

Source: upload_dreport_1364433.xls

OLE indicator, Workbook stream: true

Reads ini files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Runs a DLL by calling functions

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe rundll32 ..\hdoanal.sbl,StartW

Spawns processes

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\hdoanal.sbl,StartW
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\hdoanal.sbl,StartW			Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior