Analysis Report catalog-1908475637.xls

ID:	412000
Product:	CloudBasic
Start time:	10:28:26
Start date:	12.05.2021
Sample:	catalog-1908475637.xls
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	1de5671f987904abf6caa9aacb029d88
SHA1:	42fdd77f2c2ae74a92c9ba9bd3ddcd2855b1ea06
SHA256:	ae321f6cf2fff1dee8da9df91a49b43d4d24850362861929031b45d7d5399c6a
Filetype:	Microsoft Excel sheet (30009/1) 78.94%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 59863 bytes, 1 file	15775D95513782F99CDFB17E65DFCEB1	6C11F8BEE799B093F9FF4841E31041B081B23388	477A9559194EDF48848FCE59E05105168745A46BDC0871EA742A2588CA9FBE00
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	D4AE187B4574036C2D76B6DF8A8C1A30	B06F409FA14BAB33CBAF4A37811B8740B624D9E5	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	EA98D3F127C3CABE8CD05B5857D3E7AE	F430374BF30B7E67E9479EEC494098B9F8459E6F	2455F8CF07720DEB7D5AEA9475669DF3CD28AA99B604F9B1DA2CD8556945AAE3
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	4C8156F5DFDB4C283C66BEBE23B14372	8DB1B2CB20E1FB9726E5300AB25CE996AC3F1785	B110EEE4542F146EB1D69899295BF970DAD1BA620ADEE3A386E31DE68A6EA473
C:\Users\user\AppData\Local\Temp\CabEEC3.tmp	Microsoft Cabinet archive data, 59863 bytes, 1 file	15775D95513782F99CDFB17E65DFCEB1	6C11F8BEE799B093F9FF4841E31041B081B23388	477A9559194EDF48848FCE59E05105168745A46BDC0871EA742A2588CA9FBE00
C:\Users\user\AppData\Local\Temp\D3EE0000	data	A14ED619156D8222250A988FEF1BAD6F	9793D9BC72BF2A91A014AA5F68372E51F6D030A0	532142248DA28E7A49DA313DA5A2BEAE27560F0F55EAB70DDA433B921CDA8CCB
C:\Users\user\AppData\Local\Temp\TarEEC4.tmp	data	78CABD9F1AFFF17BB91A105CF4702188	52FA8144D1FC5F92DEB45E53F076BCC69F5D8CC7	C7B6743B228E40B19443E471081A51041974801D325DB4ED8FD73A1A24CBD066
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed May 12 16:29:43 2021, atime=Wed May 12 16:29:43 2021, length=8192, window=hide	ECB8FA45F62B7D1E95F493B242F982B5	544277E75E8186E5C03980DB1C9DC3FFD612D77F	E62015D22528CED919EC03AD15B583D6BBAFA6FED394435630AC6E6C184A886A
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\catalog-1908475637.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:17 2020, mtime=Wed May 12 16:29:43 2021, atime=Wed May 12 16:29:43 2021, length=179200, window=hide	2D22D98B0C3DE0097A620EA7D773F322	243BC5414C42D669B625B0D97EB975B64931D49B	86869EAF6DF3C1D014579B94D6C808D524D9FC730270AF5938B94C2253104FD6
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	B3B278B32E27F861DCE26F203B5389CE	72C194F58B7E4F2E2D551BA0B7CE02412FF5290E	5394C095E79C2AB8490B91D0A0851B476569258F339604B07E2CFE4872FF96CC
C:\Users\user\Desktop\A4EE0000	Applesoft BASIC program data, first line number 16	BCC2F50043814CDFBE67ED0F834146AD	256D88A677B5FB27F4BBCDDAB621CD2C174CFA20	6571AE6819E29003D7EA3CEE4B767940C2CE0933EEE0D4B69934C42D2F1D9860

AV Detection:

Multi AV Scanner detection for submitted file

Source: catalog-1908475637.xls	Virustotal: Detection: 19%			Perma Link
Source: catalog-1908475637.xls	ReversingLabs: Detection: 14%

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 108.167.180.164:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.79.62.12:443 -> 192.168.2.22:49170 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: iamihaveican.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 108.167.180.164:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 108.167.180.164:443

Networking:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 199.79.62.12 199.79.62.12

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Downloads files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ

Jump to behavior

Found strings which match to known social media urls

Source: rundll32.exe, 00000003.00000002.2116746958.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2109992950.0000000001C10000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: iamihaveican.com

URLs found in memory or binary data

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000003.00000002.2116746958.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2109992950.0000000001C10000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2116746958.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2109992950.0000000001C10000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2116998078.0000000001E17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2110131274.0000000001DF7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2116998078.0000000001E17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2110131274.0000000001DF7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2116998078.0000000001E17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2110131274.0000000001DF7000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2116998078.0000000001E17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2110131274.0000000001DF7000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2116746958.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2109992950.0000000001C10000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2116998078.0000000001E17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2110131274.0000000001DF7000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2116746958.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2109992950.0000000001C10000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.2109992950.0000000001C10000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 108.167.180.164:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.79.62.12:443 -> 192.168.2.22:49170 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, pleas ' RunDLL
Source: Screenshot number: 8	Screenshot OCR: Enable Editing 11 1 from the yellow bar above 12 13 2 Once You have Enable Editing, please click
Source: Screenshot number: 8	Screenshot OCR: Enable Content 14 , from the yellow bar above 15 D e 16 17 I 18 I WHY I CANNOT OPEN THIS DOCUME
Source: Document image extraction number: 5	Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Content
Source: Document image extraction number: 5	Screenshot OCR: Enable Content from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? You are using iOS or An
Source: Document image extraction number: 14	Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Conte
Source: Document image extraction number: 14	Screenshot OCR: Enable Content from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? w You are using IDS or

Found Excel 4.0 Macro with suspicious formulas

Source: catalog-1908475637.xls	Initial sample: CALL
Source: catalog-1908475637.xls	Initial sample: CALL
Source: catalog-1908475637.xls	Initial sample: EXEC

Found abnormal large hidden Excel 4.0 Macro sheet

Source: catalog-1908475637.xls

Initial sample: Sheet size: 14919

Document contains embedded VBA macros

Source: catalog-1908475637.xls

OLE indicator, VBA macros: true

Binary contains paths to development resources

Source: rundll32.exe, 00000003.00000002.2116746958.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2109992950.0000000001C10000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Classification label

Source: classification engine

Classification label: mal76.expl.evad.winXLS@5/11@2/2

Creates files inside the user directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\A4EE0000

Jump to behavior

Creates temporary files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD9AB.tmp

Jump to behavior

Document contains an OLE Workbook stream indicating a Microsoft Excel file

Source: catalog-1908475637.xls

OLE indicator, Workbook stream: true

Reads ini files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Runs a DLL by calling functions

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ikjcvesdv.ref,DllRegisterServer

Sample is known by Antivirus

Source: catalog-1908475637.xls	Virustotal: Detection: 19%
Source: catalog-1908475637.xls	ReversingLabs: Detection: 14%

Spawns processes

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ikjcvesdv.ref,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ikjcvesdv.ref1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ikjcvesdv.ref,DllRegisterServer			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ikjcvesdv.ref1,DllRegisterServer			Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior