Analysis Report invoice_661434949_67552437.xlsm

Overview

General Information

Sample Name:	invoice_661434949_67552437.xlsm
Analysis ID:	385000
MD5:	64f33ccbc7976306417b2b2528daa5fe
SHA1:	d71433580e83ab455556a88c483d1887e9641be6
SHA256:	03a7d4fc0e9d75fb98ca2aba43729acb93803959b1421d8878548643c12e3d73
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Excel documents contains an embedded macro which executes code when the document is opened

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Classification

Signatures

AV Detection:

Antivirus detection for URL or domain

Source: http://indianoci.co.uk/ufriends/support.php

Avira URL Cloud: Label: phishing

Multi AV Scanner detection for domain / URL

Source: http://indianoci.co.uk/ufriends/support.php

Virustotal: Detection: 11%

Perma Link

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: indianoci.co.uk

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 104.21.43.238:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 104.21.43.238:80

Networking:

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /ufriends/support.php HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: indianoci.co.ukConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\28466324.png

Jump to behavior

Source: global traffic

Source: rundll32.exe, 00000003.00000002.2082025759.0000000001B20000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: indianoci.co.uk

Source: rundll32.exe, 00000003.00000002.2082025759.0000000001B20000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2082025759.0000000001B20000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2082257180.0000000001D07000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2082257180.0000000001D07000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2082257180.0000000001D07000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2082257180.0000000001D07000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2082025759.0000000001B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2082257180.0000000001D07000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2082025759.0000000001B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000003.00000002.2082025759.0000000001B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: support[1].htm.0.dr	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable editing button from the yellow bar above 12 " Once you have enabled edding, please click Ena
Source: Screenshot number: 4	Screenshot OCR: Enable Content bytton from the yellow bar above 13 14 15 16 17 18 19 20 21 22 23 24 25
Source: Document image extraction number: 1	Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing. please click Enabl
Source: Document image extraction number: 1	Screenshot OCR: Enable Content bytton from the yellow bar above
Source: Screenshot number: 8	Screenshot OCR: Enable editing button from the yellm bar above 12 " Once you have enabled edding, please c\|ltfnab\|e

Found Excel 4.0 Macro with suspicious formulas

Source: invoice_661434949_67552437.xlsm

Initial sample: EXEC

Found abnormal large hidden Excel 4.0 Macro sheet

Source: invoice_661434949_67552437.xlsm

Initial sample: Sheet size: 33810

Excel documents contains an embedded macro which executes code when the document is opened

Source: workbook.xml

Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15 xr xr6 xr10 xr2" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xmlns:xr10="http://schemas.microsoft.com/office/spreadsheetml/2016/revision10" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2"><fileVersion appName="xl" lastEdited="7" lowestEdited="7" rupBuild="22730"/><workbookPr defaultThemeVersion="166925"/><mc:AlternateContent xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"><mc:Choice Requires="x15"><x15ac:absPath url="E:\Nowiy\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent><xr:revisionPtr revIDLastSave="0" documentId="13_ncr:1_{05BDDAB3-C450-4DCC-9410-E7A97B5B20DA}" xr6:coauthVersionLast="45" xr6:coauthVersionMax="45" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/><bookViews><workbookView xWindow="-108" yWindow="-108" windowWidth="20376" windowHeight="12360" xr2:uid="{00000000-000D-0000-FFFF-FFFF00000000}"/></bookViews><sheets><sheet name="Doc" sheetId="1" r:id="rId1"/><sheet name="Doc1" sheetId="2" r:id="rId2"/><sheet name="Doc2" sheetId="3" state="hidden" r:id="rId3"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">'Doc1'!$CL$5</definedName></definedNames><calcPr calcId="0"/></workbook>

Source: rundll32.exe, 00000003.00000002.2082025759.0000000001B20000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal80.expl.evad.winXLSM@3/10@1/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$invoice_661434949_67552437.xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRBBCF.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe rundll32 ..\GVer.iks,StartW

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\GVer.iks,StartW
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\GVer.iks,StartW	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: invoice_661434949_67552437.xlsm	Initial sample: OLE zip file path = xl/media/image1.png
Source: invoice_661434949_67552437.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.43.238	indianoci.co.uk	United States		13335	CLOUDFLARENETUS	false

Contacted Domains

Name	IP	Active
indianoci.co.uk	104.21.43.238	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://indianoci.co.uk/ufriends/support.php	true	12%, Virustotal, Browse Avira URL Cloud: phishing	unknown

ID:	385000
Product:	CloudBasic
Start time:	00:10:56
Start date:	11.04.2021
Sample:	invoice_661434949_67552437.xlsm
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	64f33ccbc7976306417b2b2528daa5fe
SHA1:	d71433580e83ab455556a88c483d1887e9641be6
SHA256:	03a7d4fc0e9d75fb98ca2aba43729acb93803959b1421d8878548643c12e3d73
Filetype:	Excel Microsoft Office Open XML Format document (40004/1) 83.33%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\support[1].htm	HTML document, ASCII text	10E7CF5F758D041A498D76EA11F368BE	3C05C54B7E39AFCE95E60A2A7410194E5AE63CB7	422424BA14F529B2193794441E7D7EA69E1598D00956375481D83699544B6735
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\28466324.png	PNG image data, 756 x 756, 8-bit/color RGB, non-interlaced	2A06BF86C977F9A29739FD65CE53B5BE	33C88641A06413C919903497577EEA54ED03FAA0	4C18B1BFA7CD6C6048A5637FF7F753B78435E70FAB6BA74125EC7D633F7A3F9F
C:\Users\user\AppData\Local\Temp\72CE0000	data	A5BF33A3C05F7D7C3CFA963B69299E5A	C60AC1F23B57458BFA14EC2350D5AC6481FAE008	7CFD1262A350CBA2D2A46D563F8A296EAF7CD151D6B14E0319003AD5A4D3BCB2
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Sun Apr 11 06:11:35 2021, atime=Sun Apr 11 06:11:35 2021, length=8192, window=hide	02C3D67E8B5892845174D590F43538FD	FC497AEBDD50C17B637780750F85649E615065A1	2B645F70EA210272EC0B84A998C9C79BA5A3B382375B7E7DC182397967FF1412
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	72BF292971159E1F67067B783778231A	FAB451945E815CF506AC41935E3F8AF1B46C4D22	1751B59DDF72E20449AFEAF5EE7ED65962FCAEA8C35E089E2745CFE8A6C26B6D
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\invoice_661434949_67552437.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:12 2020, mtime=Sun Apr 11 06:11:35 2021, atime=Sun Apr 11 06:11:35 2021, length=184279, window=hide	687051452BC2F77D72B22F577901886B	2415855383CCE43DF59225BB87EA542AC47A6DC5	569E30D1479F86CD319B1A0C8B13E60FE62637A0E17B9A585AF4CD9371BEFA92
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Y5D8BEZV.txt	ASCII text	0955DECC24CF4729D752A9B53C933A4D	EBDD0FEAA58E425364A68C558DFA56786E57341F	C8EEFEF799A43E339F93F6F644595C2648CCB467DE30AA301456BA20111D16C2
C:\Users\user\Desktop\03CE0000	data	A5BF33A3C05F7D7C3CFA963B69299E5A	C60AC1F23B57458BFA14EC2350D5AC6481FAE008	7CFD1262A350CBA2D2A46D563F8A296EAF7CD151D6B14E0319003AD5A4D3BCB2
C:\Users\user\Desktop\~$invoice_661434949_67552437.xlsm	data	96114D75E30EBD26B572C1FC83D1D02E	A44EEBDA5EB09862AC46346227F06F8CFAF19407	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
C:\Users\user\GVer.iks	HTML document, ASCII text	10E7CF5F758D041A498D76EA11F368BE	3C05C54B7E39AFCE95E60A2A7410194E5AE63CB7	422424BA14F529B2193794441E7D7EA69E1598D00956375481D83699544B6735

Analysis Report invoice_661434949_67552437.xlsm

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs