Analysis Report Outstanding-Debt-1840996632-05042021.xlsm

Overview

General Information

Sample Name: Outstanding-Debt-1840996632-05042021.xlsm
Analysis ID: 404162
MD5: 0276be45120eeb640587451db55759cb
SHA1: 51424cff72ecb039f78d5005a03ec2882a96d7dd
SHA256: 06c9a8f5da75ebc77f7528ceb2797050ba17cc2c7e36467b0d259d4f48dbbcbf
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malicious Excel 4.0 Macro
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document contains an embedded VBA macro which may execute processes
Document exploit detected (UrlDownloadToFile)
Found Excel 4.0 Macro with suspicious formulas
Allocates a big amount of memory (probably used for heap spraying)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication

Classification

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Software Vulnerabilities:

barindex
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA Jump to behavior
Allocates a big amount of memory (probably used for heap spraying)
Source: excel.exe Memory has grown: Private usage: 4MB later: 35MB
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 185.183.99.115:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 185.183.99.115:80

Networking:

barindex
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.183.99.115Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 51.89.73.159Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 190.14.37.38Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 185.183.99.115
Source: unknown TCP traffic detected without corresponding DNS query: 185.183.99.115
Source: unknown TCP traffic detected without corresponding DNS query: 185.183.99.115
Source: unknown TCP traffic detected without corresponding DNS query: 185.183.99.115
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.73.159
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.73.159
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.73.159
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.73.159
Source: unknown TCP traffic detected without corresponding DNS query: 190.14.37.38
Source: unknown TCP traffic detected without corresponding DNS query: 190.14.37.38
Source: unknown TCP traffic detected without corresponding DNS query: 190.14.37.38
Source: unknown TCP traffic detected without corresponding DNS query: 190.14.37.38
Source: unknown TCP traffic detected without corresponding DNS query: 185.183.99.115
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.73.159
Source: unknown TCP traffic detected without corresponding DNS query: 190.14.37.38
Source: unknown TCP traffic detected without corresponding DNS query: 190.14.37.38
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.73.159
Source: unknown TCP traffic detected without corresponding DNS query: 185.183.99.115
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\672DA330.jpg Jump to behavior
Source: global traffic HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.183.99.115Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 51.89.73.159Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 190.14.37.38Connection: Keep-Alive

System Summary:

barindex
Found malicious Excel 4.0 Macro
Source: Outstanding-Debt-1840996632-05042021.xlsm Initial sample: urlmon
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing button from the yellow bar above 22 0 Once you have enabled editing please click Ena
Source: Screenshot number: 4 Screenshot OCR: Enable Content button from the yellow bar above 23 24 25 26 27 28 29 30 31 32 33 34 35
Document contains an embedded VBA macro which may execute processes
Source: VBA code instrumentation OLE, VBA macro: Module Blasr, Function Auto_Open, API Microsoft Excel:Application.Run(:Range) Name: Auto_Open
Found Excel 4.0 Macro with suspicious formulas
Source: Outstanding-Debt-1840996632-05042021.xlsm Initial sample: EXEC
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: Outstanding-Debt-1840996632-05042021.xlsm OLE, VBA macro line: Private Sub Auto_Open()
Source: VBA code instrumentation OLE, VBA macro: Module Blasr, Function Auto_Open Name: Auto_Open
Document contains embedded VBA macros
Source: Outstanding-Debt-1840996632-05042021.xlsm OLE indicator, VBA macros: true
Source: classification engine Classification label: mal68.expl.evad.winXLSM@1/8@0/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Outstanding-Debt-1840996632-05042021.xlsm Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD345.tmp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Window found: window name: SysTabControl32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Outstanding-Debt-1840996632-05042021.xlsm Initial sample: OLE zip file path = xl/media/image1.jpg
Source: Outstanding-Debt-1840996632-05042021.xlsm Initial sample: OLE zip file path = xl/drawings/drawing2.xml
Source: Outstanding-Debt-1840996632-05042021.xlsm Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: Outstanding-Debt-1840996632-05042021.xlsm Initial sample: OLE zip file path = xl/drawings/_rels/drawing2.xml.rels
Source: Outstanding-Debt-1840996632-05042021.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 404162 Sample: Outstanding-Debt-1840996632... Startdate: 04/05/2021 Architecture: WINDOWS Score: 68 18 Found malicious Excel 4.0 Macro 2->18 20 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->20 22 Document contains an embedded VBA macro which may execute processes 2->22 24 Found Excel 4.0 Macro with suspicious formulas 2->24 5 EXCEL.EXE 197 44 2->5         started        process3 dnsIp4 12 190.14.37.38, 49169, 80 OffshoreRacksSAPA Panama 5->12 14 51.89.73.159, 49168, 80 OVHFR France 5->14 16 185.183.99.115, 49167, 80 HSAE Netherlands 5->16 10 ~$Outstanding-Debt...96632-05042021.xlsm, data 5->10 dropped 26 Document exploit detected (UrlDownloadToFile) 5->26 file5 signatures6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.183.99.115
unknown Netherlands
60117 HSAE false
51.89.73.159
unknown France
16276 OVHFR false
190.14.37.38
unknown Panama
52469 OffshoreRacksSAPA false

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://51.89.73.159/44313,6048108796.dat false
  • Avira URL Cloud: safe
unknown
http://185.183.99.115/44313,6048108796.dat false
  • Avira URL Cloud: safe
unknown
http://190.14.37.38/44313,6048108796.dat false
  • Avira URL Cloud: safe
unknown