Analysis Report IovwfUybUJ.xlsx

Overview

General Information

Sample Name: IovwfUybUJ.xlsx
Analysis ID: 411582
MD5: bcb5f8c6da6103a5bbd4891095f807af
SHA1: fccc0e19a042d3da003bc4184b32c784ca5dfd14
SHA256: 9872498872843b5aae813d390df3e46ae02a4cc994ade723e4f5ba2973043fb7
Tags: Dridex

Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Office document connecting to suspicious TLD
Outdated Microsoft Office dropper detected
Performs DNS queries to domains with low reputation
Potential document exploit detected (performs DNS queries with low reputation score)
Sigma detected: Microsoft Office Product Spawning Windows Shell
Excel document contains an embedded macro which executes code when the document is opened
Potential document exploit detected (performs DNS queries)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

AV Detection:

Multi AV Scanner detection for domain / URL
Source: qvqy23thdsed03xjeqtf.xyz Virustotal: Detection: 12%
Multi AV Scanner detection for submitted file
Source: IovwfUybUJ.xlsx Virustotal: Detection: 40%
Source: IovwfUybUJ.xlsx ReversingLabs: Detection: 25%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe
Potential document exploit detected (performs DNS queries with low reputation score)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE DNS query: name: qvqy23thdsed03xjeqtf.xyz
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: qvqy23thdsed03xjeqtf.xyz

Networking:

Office document connecting to suspicious TLD
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE DNS traffic detected: qvqy23thdsed03xjeqtf.xyz
Outdated Microsoft Office dropper detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE DNS query: qvqy23thdsed03xjeqtf.xyz is down
Performs DNS queries to domains with low reputation
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE DNS query: qvqy23thdsed03xjeqtf.xyz
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: qvqy23thdsed03xjeqtf.xyz replaycode: Name error (3)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\47B18D72.png
Source: rundll32.exe, 00000003.00000002.2099010236.0000000001AB0000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: qvqy23thdsed03xjeqtf.xyz
Source: rundll32.exe, 00000003.00000002.2099010236.0000000001AB0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2099010236.0000000001AB0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2099200495.0000000001C97000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2099200495.0000000001C97000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2099200495.0000000001C97000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2099200495.0000000001C97000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2099010236.0000000001AB0000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2099200495.0000000001C97000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2099010236.0000000001AB0000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000003.00000002.2099010236.0000000001AB0000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, please click Enab
Source: Screenshot number: 4 Screenshot OCR: Enable Content 14 from the yellow bar above 15 16 17 18 WHY I CANNOTOPEN THIS DOCUMENT? 19 2
Source: Document image extraction number: 9 Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Conten
Source: Document image extraction number: 9 Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Document image extraction number: 15 Screenshot OCR: Enable Editing from the yellow bar above CB Once You have Enable Editing, please click Enable Cont
Source: Document image extraction number: 15 Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? W You are using IDS or And
Found Excel 4.0 Macro with suspicious formulas
Source: IovwfUybUJ.xlsx Initial sample: CALL
Source: IovwfUybUJ.xlsx Initial sample: EXEC
Found abnormal large hidden Excel 4.0 Macro sheet
Source: IovwfUybUJ.xlsx Initial sample: Sheet size: 16417
Source: IovwfUybUJ.xlsx Initial sample: Sheet size: 5574
Excel document contains an embedded macro which executes code when the document is opened
Source: workbook.xml Binary string: " sheetId="1" r:id="rId1"/><sheet name="Doc1" sheetId="2" r:id="rId2"/><sheet name="Doc2" sheetId="3" r:id="rId3"/><sheet name="Doc3" sheetId="4" r:id="rId4"/><sheet name="Doc4" sheetId="5" r:id="rId5"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">'Doc3'!$AU$11</definedName></definedNames><calcPr calcId="145621"/></workbook>
Source: rundll32.exe, 00000003.00000002.2099010236.0000000001AB0000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSX@3/11@1/0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$IovwfUybUJ.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD596.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iuhdvcl.ckd,DllRegisterServer
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: Window Recorder Window detected: More than 3 window changes detected
Source: IovwfUybUJ.xlsx Initial sample: OLE zip file path = xl/media/image3.png
Source: IovwfUybUJ.xlsx Initial sample: OLE zip file path = xl/media/image4.png
Source: IovwfUybUJ.xlsx Initial sample: OLE zip file path = xl/media/image1.png
Source: IovwfUybUJ.xlsx Initial sample: OLE zip file path = xl/media/image2.png
Source: IovwfUybUJ.xlsx Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: IovwfUybUJ.xlsx Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Behavior Graph (ID: 411582, Sample: IovwfUybUJ.xlsx, Startdate: 12/05/2021, Architecture: WINDOWS, Score: 100): EXCEL.EXE is started, queries qvqy23thdsed03xjeqtf.xyz, drops C:\Users\user\Desktop\~$IovwfUybUJ.xlsx (data), triggers "Document exploit detected (UrlDownloadToFile)" and starts rundll32.exe.
No contacted IP infos

Contacted Domains

Name IP Active
qvqy23thdsed03xjeqtf.xyz unknown unknown