Analysis Report Complaint-1475671703-05062021.xlsm

Overview

General Information

Sample Name:	Complaint-1475671703-05062021.xlsm
Analysis ID:	406019
MD5:	75d80453bff04143f8b2b45a5dd2f5c4
SHA1:	f50e0dc18fdb80b952763230c950ea3a63598683
SHA256:	7114322bcc159096d52ce16ab33d58126822f3f72a7b81e79eaceb06ae2e8c3a
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malicious Excel 4.0 Macro

Document contains an embedded VBA macro which may execute processes

Document exploit detected (UrlDownloadToFile)

Found Excel 4.0 Macro with suspicious formulas

Allocates a big amount of memory (probably used for heap spraying)

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Classification

Signatures

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Allocates a big amount of memory (probably used for heap spraying)

Source: excel.exe

Memory has grown: Private usage: 4MB later: 30MB

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 91.211.91.83:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 91.211.91.83:80

Networking:

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.211.91.83Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 190.14.37.46Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.244.149.204Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 91.211.91.83
Source: unknown	TCP traffic detected without corresponding DNS query: 91.211.91.83
Source: unknown	TCP traffic detected without corresponding DNS query: 91.211.91.83
Source: unknown	TCP traffic detected without corresponding DNS query: 91.211.91.83
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.46
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.46
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.46
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.46
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.149.204
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.149.204
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.149.204
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.149.204
Source: unknown	TCP traffic detected without corresponding DNS query: 91.211.91.83
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.46
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.149.204
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.149.204
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.46
Source: unknown	TCP traffic detected without corresponding DNS query: 91.211.91.83

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\991269CE.jpg

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.211.91.83Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 190.14.37.46Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.244.149.204Connection: Keep-Alive

System Summary:

Found malicious Excel 4.0 Macro

Source: Complaint-1475671703-05062021.xlsm

Initial sample: urlmon

Document contains an embedded VBA macro which may execute processes

Source: VBA code instrumentation

OLE, VBA macro: Module Module1, Function Auto_Open, API Microsoft Excel:Application.Run(:Range)

Name: Auto_Open

Found Excel 4.0 Macro with suspicious formulas

Source: Complaint-1475671703-05062021.xlsm

Initial sample: EXEC

Document contains an embedded VBA macro which executes code when the document is opened / closed

Source: Complaint-1475671703-05062021.xlsm	OLE, VBA macro line: Function Auto_Open()
Source: VBA code instrumentation	OLE, VBA macro: Module Module1, Function Auto_Open			Name: Auto_Open

Document contains embedded VBA macros

Source: Complaint-1475671703-05062021.xlsm

OLE indicator, VBA macros: true

Source: classification engine

Classification label: mal60.expl.evad.winXLSM@1/7@0/3

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Complaint-1475671703-05062021.xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD1DF.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Complaint-1475671703-05062021.xlsm	Initial sample: OLE zip file path = xl/media/image1.jpg
Source: Complaint-1475671703-05062021.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: Complaint-1475671703-05062021.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
190.14.37.46	unknown	Panama	52469	OffshoreRacksSAPA	false
91.211.91.83	unknown	Ukraine	206638	HOSTFORYUA	false
185.244.149.204	unknown	Netherlands	60117	HSAE	false

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://190.14.37.46/44313,6048108796.dat	false	Avira URL Cloud: safe	unknown
http://185.244.149.204/44313,6048108796.dat	false	Avira URL Cloud: safe	unknown
http://91.211.91.83/44313,6048108796.dat	false	Avira URL Cloud: safe	unknown

ID:	406019
Product:	CloudBasic
Start time:	16:33:03
Start date:	06.05.2021
Sample:	Complaint-1475671703-05062021.xlsm
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	75d80453bff04143f8b2b45a5dd2f5c4
SHA1:	f50e0dc18fdb80b952763230c950ea3a63598683
SHA256:	7114322bcc159096d52ce16ab33d58126822f3f72a7b81e79eaceb06ae2e8c3a
Filetype:	Excel Microsoft Office Open XML Format document with Macro (57504/1) 54.50%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\991269CE.jpg	[TIFF image data, big-endian, direntries=5], baseline, precision 8, 1080x1080, frames 3	4A425E6A5A885C0D0E2589506FD2244B	E23482422480A4720E22F311B42BD65E2F3556F8	76E685FC2035D8CF19945C6686D82054B64D0A9612853D8F428C4B4FE351C160
C:\Users\user\AppData\Local\Temp\AADE0000	data	1BBE181AE4CC3432EC27C142FF965CB0	012D07FD230846652209A3CFD8E56003BD8FB75D	D1E6B90B280D7EEDD7A35B1DBF8359222AF8D1FE639EEACEC89819A84DCE8747
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Complaint-1475671703-05062021.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Thu May 6 22:33:41 2021, atime=Thu May 6 22:33:41 2021, length=116417, window=hide	9B407D33B8AC1BB21818ACE513074177	B818EC16EA7BAAB626B5F31713B98E3A7401D9B5	A1588DA2514D1E7D62943F1320D387E6F9F4E8733A8BC0E53D96A15E9BAAC9BE
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Thu May 6 22:33:41 2021, atime=Thu May 6 22:33:41 2021, length=8192, window=hide	F36A1FA07CEB709D30A5E07ACB2BDF43	5BC373B351D25D379ACFC80FA97EDDC3D479C098	9EBB7E6DE76D9CDEA6F0861FF020EA93B72D84B53FB189FFEC008D7052F243FE
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	F1E67BDDEB32B22B3A89BE194AE38536	45B5B6D575D6A2E51BFD8650B0A6CAB8806FC4D1	6D603A974D3F636183296F55AB27E2F0D6C249590305F39862845210A165B193
C:\Users\user\Desktop\6BDE0000	data	0AA95C8B93481F127F3D80D7753BA022	9E319D866CEDACAF82F0F12B23C3A44CE53DA8ED	9D06BA556F8B0B217456D0E85D23F6197B19488684D2D4C591DA2685FD1BF5F5
C:\Users\user\Desktop\~$Complaint-1475671703-05062021.xlsm	data	96114D75E30EBD26B572C1FC83D1D02E	A44EEBDA5EB09862AC46346227F06F8CFAF19407	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523

Analysis Report Complaint-1475671703-05062021.xlsm

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs