Loading ...

Play interactive tourEdit tour

Analysis Report Complaint_1713723004_04122021.xlsm

Overview

General Information

Sample Name:Complaint_1713723004_04122021.xlsm
Analysis ID:386500
MD5:a4c21b67f5b8a52b143697fad19fadba
SHA1:bdb665fe0760a6d568a269e0c792bf6a2284568b
SHA256:254e090511681f16592a5afc242f0ded71c03a4a15292117f06a24aaad59fc19
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malicious Excel 4.0 Macro
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Found Excel 4.0 Macro with suspicious formulas
Allocates a big amount of memory (probably used for heap spraying)
Potential document exploit detected (unknown TCP traffic)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2384 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior

Software Vulnerabilities:

barindex
Document exploit detected (UrlDownloadToFile)Show sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXESection loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileAJump to behavior
Source: excel.exeMemory has grown: Private usage: 4MB later: 32MB
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 37.46.133.194:80
Source: global trafficTCP traffic: 192.168.2.22:49167 -> 37.46.133.194:80
Source: global trafficTCP traffic: 192.168.2.22:49169 -> 185.212.129.66:80
Source: unknownTCP traffic detected without corresponding DNS query: 37.46.133.194
Source: unknownTCP traffic detected without corresponding DNS query: 37.46.133.194
Source: unknownTCP traffic detected without corresponding DNS query: 37.46.133.194
Source: unknownTCP traffic detected without corresponding DNS query: 37.46.133.194
Source: unknownTCP traffic detected without corresponding DNS query: 37.46.133.194
Source: unknownTCP traffic detected without corresponding DNS query: 37.46.133.194
Source: unknownTCP traffic detected without corresponding DNS query: 185.212.129.66
Source: unknownTCP traffic detected without corresponding DNS query: 185.212.129.66
Source: unknownTCP traffic detected without corresponding DNS query: 185.212.129.66
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\62042346.gifJump to behavior

System Summary:

barindex
Found malicious Excel 4.0 MacroShow sources
Source: Complaint_1713723004_04122021.xlsmInitial sample: urlmon
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
Source: Screenshot number: 4Screenshot OCR: Enable editing button from the yellow bar above 15 0 Once you have enabled editing, please click En
Source: Screenshot number: 4Screenshot OCR: Enable Content button from the yellow bar above 16 17 18 19 20 21 22 ' 23 24 25 26 27 2
Source: Document image extraction number: 0Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
Source: Document image extraction number: 0Screenshot OCR: Enable Content button from the yellow bar above
Source: Document image extraction number: 1Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
Source: Document image extraction number: 1Screenshot OCR: Enable Content button from the yellow bar above
Found Excel 4.0 Macro with suspicious formulasShow sources
Source: Complaint_1713723004_04122021.xlsmInitial sample: EXEC
Source: Complaint_1713723004_04122021.xlsmInitial sample: EXEC
Source: Complaint_1713723004_04122021.xlsmInitial sample: EXEC
Source: classification engineClassification label: mal64.expl.evad.winXLSM@1/7@0/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$Complaint_1713723004_04122021.xlsmJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRD393.tmpJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: Complaint_1713723004_04122021.xlsmInitial sample: OLE zip file path = xl/media/image1.gif
Source: Complaint_1713723004_04122021.xlsmInitial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsScripting2Path InterceptionExtra Window Memory Injection1Masquerading1OS Credential DumpingFile and Directory Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumIngress Tool Transfer1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsExploitation for Client Execution11Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemorySystem Information Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Scripting2Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Extra Window Memory Injection1NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.