Analysis Report Copy-384955799-05102021.xlsm

Overview

General Information

Sample Name:	Copy-384955799-05102021.xlsm
Analysis ID:	412131
MD5:	3a3aae5975bd4a5512cfea2a4a5991a6
SHA1:	4ff9eafa51cdd8d979ef68dc8d0aa9ebb6168e20
SHA256:	bba463e9f1b1044f7d3b09fe0d696ebb57b1668a1fc025363731c6aefac112bd
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malicious Excel 4.0 Macro

Multi AV Scanner detection for submitted file

Yara detected Obfuscated Macro In XLSM

Document exploit detected (UrlDownloadToFile)

Found Excel 4.0 Macro with suspicious formulas

Found malicious URLs in unpacked macro 4.0 sheet

Allocates a big amount of memory (probably used for heap spraying)

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

IP address seen in connection with other malware

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: Copy-384955799-05102021.xlsm

ReversingLabs: Detection: 29%

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Allocates a big amount of memory (probably used for heap spraying)

Source: excel.exe

Memory has grown: Private usage: 4MB later: 35MB

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 185.14.31.59:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 185.14.31.59:80

Networking:

Found malicious URLs in unpacked macro 4.0 sheet

Source: before.4.91.29.sheet.csv_unpack

Macro 4.0 Deobfuscator: http://185.14.31.59/

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 45.138.157.63 45.138.157.63
Source: Joe Sandbox View	IP Address: 185.14.31.59 185.14.31.59
Source: Joe Sandbox View	IP Address: 167.114.48.59 167.114.48.59

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.14.31.59Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 45.138.157.63Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 167.114.48.59Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 185.14.31.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.14.31.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.14.31.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.14.31.59
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.157.63
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.157.63
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.157.63
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.157.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.48.59
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.48.59
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.48.59
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.48.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.14.31.59
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.157.63
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.48.59
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.48.59
Source: unknown	TCP traffic detected without corresponding DNS query: 45.138.157.63
Source: unknown	TCP traffic detected without corresponding DNS query: 185.14.31.59

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\54C4058B.jpg

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.14.31.59Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 45.138.157.63Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 167.114.48.59Connection: Keep-Alive

Source: before.4.91.29.sheet.csv_unpack

String found in binary or memory: http://185.14.31.59/

System Summary:

Found malicious Excel 4.0 Macro

Source: Copy-384955799-05102021.xlsm	Initial sample: urlmon
Source: Copy-384955799-05102021.xlsm	Initial sample: urlmon

Found Excel 4.0 Macro with suspicious formulas

Source: Copy-384955799-05102021.xlsm

Initial sample: EXEC

Document contains an embedded VBA macro which executes code when the document is opened / closed

Source: Copy-384955799-05102021.xlsm

OLE, VBA macro line: Private Sub Auto_Open()

Document contains embedded VBA macros

Source: Copy-384955799-05102021.xlsm

OLE indicator, VBA macros: true

Source: classification engine

Classification label: mal76.expl.evad.winXLSM@1/7@0/3

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Copy-384955799-05102021.xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD45E.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Copy-384955799-05102021.xlsm

ReversingLabs: Detection: 29%

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Copy-384955799-05102021.xlsm	Initial sample: OLE zip file path = xl/media/image1.jpg
Source: Copy-384955799-05102021.xlsm	Initial sample: OLE zip file path = xl/drawings/drawing2.xml
Source: Copy-384955799-05102021.xlsm	Initial sample: OLE zip file path = xl/drawings/drawing3.xml
Source: Copy-384955799-05102021.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: Copy-384955799-05102021.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet3.xml.rels
Source: Copy-384955799-05102021.xlsm	Initial sample: OLE zip file path = xl/drawings/_rels/drawing2.xml.rels
Source: Copy-384955799-05102021.xlsm	Initial sample: OLE zip file path = xl/drawings/_rels/drawing3.xml.rels
Source: Copy-384955799-05102021.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation:

Yara detected Obfuscated Macro In XLSM

Source: Yara match

File source: sheet2.xml, type: SAMPLE

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
45.138.157.63	unknown	Russian Federation	44094	WEBHOST1-ASRU	false
185.14.31.59	unknown	Ukraine	21100	ITLDC-NLUA	false
167.114.48.59	unknown	Canada	16276	OVHFR	false

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://45.138.157.63/44313,6048108796.dat	false	Avira URL Cloud: safe	unknown
http://167.114.48.59/44313,6048108796.dat	false	Avira URL Cloud: safe	unknown
http://185.14.31.59/44313,6048108796.dat	true	Avira URL Cloud: safe	unknown

ID:	412131
Product:	CloudBasic
Start time:	12:42:51
Start date:	12.05.2021
Sample:	Copy-384955799-05102021.xlsm
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	3a3aae5975bd4a5512cfea2a4a5991a6
SHA1:	4ff9eafa51cdd8d979ef68dc8d0aa9ebb6168e20
SHA256:	bba463e9f1b1044f7d3b09fe0d696ebb57b1668a1fc025363731c6aefac112bd
Filetype:	Excel Microsoft Office Open XML Format document with Macro (57504/1) 54.50%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\54C4058B.jpg	[TIFF image data, big-endian, direntries=5], baseline, precision 8, 1080x1080, frames 3	4A425E6A5A885C0D0E2589506FD2244B	E23482422480A4720E22F311B42BD65E2F3556F8	76E685FC2035D8CF19945C6686D82054B64D0A9612853D8F428C4B4FE351C160
C:\Users\user\AppData\Local\Temp\8DDE0000	data	AD5A6CB1FA13079B73BB4A84671FEA42	B8318B929DA96A263F31C3F164E265789B84290F	4E623CD2BB8D30076ADF036CED9D9859A8F4FFBE309C680611B528DFBEBB807E
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Copy-384955799-05102021.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed May 12 18:45:42 2021, atime=Wed May 12 18:45:42 2021, length=118890, window=hide	C6DB1C0F39FCFB99DD32AD58E8643821	380C2D2D52CDF9EC896BEB65DBFC496290A9F34A	25791614389FC120D9D7962C08A8CF267F529DD8C546025FC743883DFA65A16F
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed May 12 18:45:42 2021, atime=Wed May 12 18:45:42 2021, length=8192, window=hide	6A2FAE1BEE6B1AA81289E4CDD3AA31BB	17A56D0FD49AA1EA03157C2D94EDA8389A6B6C0E	6BE5963E82D011259515D7DDEE538E302E6513DA8C96A2667B6C9929ED9EFAB0
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	438B9CB10BCA95DD0FEF5F9FB33DBE7F	A4F06BC314BDFB4B654D357BA215346E14DAD351	2E405053595AE39D699D09BFB5752DDC1E1531D930D812E9C4455A552579E3BF
C:\Users\user\Desktop\7EDE0000	data	7A2EB52E11A0B4D4B1F7F2BD015660ED	229AE31810B52AC5729A5198211F330DAD91BB84	30382D567139C142CCD257D904C5304706F50DF1547E38689B9FA19C5F346FFC
C:\Users\user\Desktop\~$Copy-384955799-05102021.xlsm	data	96114D75E30EBD26B572C1FC83D1D02E	A44EEBDA5EB09862AC46346227F06F8CFAF19407	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523

Analysis Report Copy-384955799-05102021.xlsm

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs