Analysis Report 9177284661-04302021.xlsm

Overview

General Information

Sample Name: 9177284661-04302021.xlsm
Analysis ID: 403443
MD5: a8b4e37766d35b543884d8882147eaa2
SHA1: 4356c14118ea9098dabb6d9af620003b7929058a
SHA256: 533c8713c4e10c223a9f8139f9d408ca326aee14a1d88382c91f2ff18cf0f93c
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malicious Excel 4.0 Macro
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Found Excel 4.0 Macro with suspicious formulas
Yara detected MalDoc1
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication

Classification

AV Detection:

barindex
Multi AV Scanner detection for domain / URL
Source: http://185.45.193.80/44313,6048108796.dat Virustotal: Detection: 6% Perma Link
Source: http://45.144.31.232/44313,6048108796.dat Virustotal: Detection: 8% Perma Link
Multi AV Scanner detection for submitted file
Source: 9177284661-04302021.xlsm Virustotal: Detection: 38% Perma Link
Source: 9177284661-04302021.xlsm ReversingLabs: Detection: 31%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Software Vulnerabilities:

barindex
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA Jump to behavior
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 185.45.193.80:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 185.45.193.80:80

Networking:

barindex
Yara detected MalDoc1
Source: Yara match File source: sheet3.xml, type: SAMPLE
Source: Yara match File source: sharedStrings.xml, type: SAMPLE
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.45.193.80Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 45.144.31.232Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 185.45.193.80
Source: unknown TCP traffic detected without corresponding DNS query: 185.45.193.80
Source: unknown TCP traffic detected without corresponding DNS query: 185.45.193.80
Source: unknown TCP traffic detected without corresponding DNS query: 185.45.193.80
Source: unknown TCP traffic detected without corresponding DNS query: 82.118.21.70
Source: unknown TCP traffic detected without corresponding DNS query: 82.118.21.70
Source: unknown TCP traffic detected without corresponding DNS query: 82.118.21.70
Source: unknown TCP traffic detected without corresponding DNS query: 82.118.21.70
Source: unknown TCP traffic detected without corresponding DNS query: 82.118.21.70
Source: unknown TCP traffic detected without corresponding DNS query: 82.118.21.70
Source: unknown TCP traffic detected without corresponding DNS query: 45.144.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.144.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.144.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.144.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 185.45.193.80
Source: unknown TCP traffic detected without corresponding DNS query: 45.144.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.144.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 185.45.193.80
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\307513F9.jpg Jump to behavior
Source: global traffic HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.45.193.80Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 45.144.31.232Connection: Keep-Alive

System Summary:

barindex
Found malicious Excel 4.0 Macro
Source: 9177284661-04302021.xlsm Initial sample: urlmon
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing button from the yellow bar above 22 0 Once you have enabled editing please click Ena
Source: Screenshot number: 4 Screenshot OCR: Enable Content button from the yellow bar above 23 24 25 26 27 28 29 30 31 32 33 34 35
Found Excel 4.0 Macro with suspicious formulas
Source: 9177284661-04302021.xlsm Initial sample: EXEC
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: 9177284661-04302021.xlsm OLE, VBA macro line: Public Function Auto_Open()
Document contains embedded VBA macros
Source: 9177284661-04302021.xlsm OLE indicator, VBA macros: true
Source: classification engine Classification label: mal84.troj.expl.evad.winXLSM@1/7@0/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$9177284661-04302021.xlsm Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVREBA5.tmp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: 9177284661-04302021.xlsm Virustotal: Detection: 38%
Source: 9177284661-04302021.xlsm ReversingLabs: Detection: 31%
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 9177284661-04302021.xlsm Initial sample: OLE zip file path = xl/media/image1.jpg
Source: 9177284661-04302021.xlsm Initial sample: OLE zip file path = xl/drawings/drawing2.xml
Source: 9177284661-04302021.xlsm Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: 9177284661-04302021.xlsm Initial sample: OLE zip file path = xl/drawings/_rels/drawing2.xml.rels
Source: 9177284661-04302021.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 403443 Sample: 9177284661-04302021.xlsm Startdate: 04/05/2021 Architecture: WINDOWS Score: 84 18 Multi AV Scanner detection for domain / URL 2->18 20 Multi AV Scanner detection for submitted file 2->20 22 Found malicious Excel 4.0 Macro 2->22 24 3 other signatures 2->24 5 EXCEL.EXE 61 35 2->5         started        process3 dnsIp4 12 185.45.193.80, 49167, 80 HSAE United Arab Emirates 5->12 14 45.144.31.232, 49170, 80 HQservCommunicationSolutionsIL United Kingdom 5->14 16 82.118.21.70, 80 GREENFLOID-ASUA Ukraine 5->16 10 C:\Users\user\...\~$9177284661-04302021.xlsm, data 5->10 dropped 26 Document exploit detected (UrlDownloadToFile) 5->26 file5 signatures6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
82.118.21.70
 unknown Ukraine
204957 GREENFLOID-ASUA false
45.144.31.232
 unknown United Kingdom
42994 HQservCommunicationSolutionsIL false
185.45.193.80
 unknown United Arab Emirates
60117 HSAE false

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.45.193.80/44313,6048108796.dat true
  • 7%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
http://45.144.31.232/44313,6048108796.dat true
  • 8%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown