Analysis Report Copy-1986428143-05102021.xlsm

Overview

General Information

Sample Name:	Copy-1986428143-05102021.xlsm
Analysis ID:	412105
MD5:	1b3705bf5dfab6d67846af3828726e8d
SHA1:	22c0e00c0797282d2735cdfab442003b7718fb01
SHA256:	43ab199f616e24562101637463dda6b9f58610dfbcd2cf1db13d0ad699d791a4
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malicious Excel 4.0 Macro

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected Obfuscated Macro In XLSM

Found Excel 4.0 Macro with suspicious formulas

Found malicious URLs in unpacked macro 4.0 sheet

Classification

Signatures

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Networking:

Found malicious URLs in unpacked macro 4.0 sheet

Source: before.4.91.29.sheet.csv_unpack

Macro 4.0 Deobfuscator: http://185.14.31.59/

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D27E1BE7.jpg

Jump to behavior

Source: before.4.91.29.sheet.csv_unpack

String found in binary or memory: http://185.14.31.59/

System Summary:

Found malicious Excel 4.0 Macro

Source: Copy-1986428143-05102021.xlsm	Initial sample: urlmon
Source: Copy-1986428143-05102021.xlsm	Initial sample: urlmon

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Document image extraction number: 0	Screenshot OCR: Enable editing button from the yellow bar above 0 Once you have enabled editing. please click Enabl
Source: Document image extraction number: 0	Screenshot OCR: Enable Content button from the yellow bar above
Source: Screenshot number: 4	Screenshot OCR: Enable editing button from the yellow bar above 25 0 Once you have enabled editing. please click En
Source: Screenshot number: 4	Screenshot OCR: Enable Content button from the yellow bar above 26 27 28 29 I 30 31 32 33 34 35 36 37 3

Found Excel 4.0 Macro with suspicious formulas

Source: Copy-1986428143-05102021.xlsm

Initial sample: EXEC

Source: classification engine

Classification label: mal72.evad.winXLSM@1/7@0/0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Copy-1986428143-05102021.xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD23C.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Copy-1986428143-05102021.xlsm	Initial sample: OLE zip file path = xl/media/image1.jpg
Source: Copy-1986428143-05102021.xlsm	Initial sample: OLE zip file path = xl/drawings/drawing2.xml
Source: Copy-1986428143-05102021.xlsm	Initial sample: OLE zip file path = xl/drawings/drawing3.xml
Source: Copy-1986428143-05102021.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: Copy-1986428143-05102021.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet3.xml.rels
Source: Copy-1986428143-05102021.xlsm	Initial sample: OLE zip file path = xl/drawings/_rels/drawing2.xml.rels
Source: Copy-1986428143-05102021.xlsm	Initial sample: OLE zip file path = xl/drawings/_rels/drawing3.xml.rels
Source: Copy-1986428143-05102021.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation:

Yara detected Obfuscated Macro In XLSM

Source: Yara match

File source: sheet2.xml, type: SAMPLE

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No contacted IP infos

ID:	412105
Product:	CloudBasic
Start time:	12:09:05
Start date:	12.05.2021
Sample:	Copy-1986428143-05102021.xlsm
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	1b3705bf5dfab6d67846af3828726e8d
SHA1:	22c0e00c0797282d2735cdfab442003b7718fb01
SHA256:	43ab199f616e24562101637463dda6b9f58610dfbcd2cf1db13d0ad699d791a4
Filetype:	Excel Microsoft Office Open XML Format document (40004/1) 83.33%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D27E1BE7.jpg	[TIFF image data, big-endian, direntries=5], baseline, precision 8, 1080x1080, frames 3	4A425E6A5A885C0D0E2589506FD2244B	E23482422480A4720E22F311B42BD65E2F3556F8	76E685FC2035D8CF19945C6686D82054B64D0A9612853D8F428C4B4FE351C160
C:\Users\user\AppData\Local\Temp\0BDE0000	data	D49F88AEAACDFF481E03EFC122127935	C9C48C5604C50A10A1E56BF7FBC5893CFE10605B	F7DDE80E968BF9E918E8BB942BBE52B1F56FDBBC9BE8FB5AC980A6109CDCC146
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Copy-1986428143-05102021.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed May 12 18:09:41 2021, atime=Wed May 12 18:09:41 2021, length=110649, window=hide	AA2ED8458B9D332F099FA791BA97B66E	FBDB1B1C175256CC2E9A47D43C96F2FB66834E7C	D8A6D3E527CDE6B3844EDB8AE5047D223922168CC9849C0F65A20C6355E1D853
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed May 12 18:09:41 2021, atime=Wed May 12 18:09:41 2021, length=8192, window=hide	4FC739F08AF5475F1999FD33DBDBAFF3	596AADC55288BEF1F3EA7F6615D099DE677E44CA	1C82560F31EA9E8449CF0F6DED094916DBBD5FC5E5890792386684DE4D16BBEE
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	046F246D72BF157B46114FABE2BA41DD	24E24C3EB2B639EB84D8486D14196DEB28BB5B94	DF25FF89ED3B9688144CC190B29B028927139DCBEFD8113982C832B7F02ED593
C:\Users\user\Desktop\CBDE0000	data	D49F88AEAACDFF481E03EFC122127935	C9C48C5604C50A10A1E56BF7FBC5893CFE10605B	F7DDE80E968BF9E918E8BB942BBE52B1F56FDBBC9BE8FB5AC980A6109CDCC146
C:\Users\user\Desktop\~$Copy-1986428143-05102021.xlsm	data	96114D75E30EBD26B572C1FC83D1D02E	A44EEBDA5EB09862AC46346227F06F8CFAF19407	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523

Analysis Report Copy-1986428143-05102021.xlsm

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Screenshots

Behavior Graph

Network Map