Analysis Report 4468873941_759979693.xlsm

Overview

General Information

Sample Name: 4468873941_759979693.xlsm
Analysis ID: 412575
MD5: b5021bc6cc8e2fc2231978d6c9118f2a
SHA1: c11430e1206f25bf768f1643f51bed8a4a1eec9d
SHA256: 5600e318bd25cb62a710d880649b11c4d85ae6f8ee5c2084a9d819a16abcd3b2
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Found Excel 4.0 Macro with suspicious formulas
Office process drops PE file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected MalDoc1
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Excel documents contains an embedded macro which executes code when the document is opened
Found dropped PE file which has not been started or loaded
PE file contains strange resources
Unable to load, office file is protected or invalid

Classification

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: k:\MSSniffer\Release\Sniffer.pdb source: B5D11EA.bmp.0.dr

Software Vulnerabilities:

barindex
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: B5D11EA.bmp.0.dr Jump to dropped file

Networking:

barindex
Yara detected MalDoc1
Source: Yara match File source: sharedStrings.xml, type: SAMPLE
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\96A6E04D.jpeg Jump to behavior

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing button from the yellow bar above 17 Once you have enabled editing, please click En
Source: Screenshot number: 4 Screenshot OCR: Enable Content button from the yellow bar above 18 :: 21 22 23 24 25 26 27 28 29 30 31
Source: Document image extraction number: 0 Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
Source: Document image extraction number: 0 Screenshot OCR: Enable Content button from the yellow bar above
Source: Document image extraction number: 1 Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
Source: Document image extraction number: 1 Screenshot OCR: Enable Content button from the yellow bar above
Found Excel 4.0 Macro with suspicious formulas
Source: 4468873941_759979693.xlsm Initial sample: EXEC
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B5D11EA.bmp Jump to dropped file
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B5D11EA.bmp D1FD867DD79BB803974E18598BDC97CBB8F51ACFFEB8739CE2F01DFF29985803
Excel documents contains an embedded macro which executes code when the document is opened
Source: workbook.xml Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15 xr xr6 xr10 xr2" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xmlns:xr10="http://schemas.microsoft.com/office/spreadsheetml/2016/revision10" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2"><fileVersion appName="xl" lastEdited="7" lowestEdited="7" rupBuild="22730"/><workbookPr defaultThemeVersion="166925"/><mc:AlternateContent xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"><mc:Choice Requires="x15"><x15ac:absPath url="E:\Nowiy\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent><xr:revisionPtr revIDLastSave="0" documentId="13_ncr:1_{121D364D-A553-4376-9A63-D54AB3450050}" xr6:coauthVersionLast="45" xr6:coauthVersionMax="45" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/><bookViews><workbookView xWindow="-120" yWindow="-120" windowWidth="29040" windowHeight="15990" xr2:uid="{00000000-000D-0000-FFFF-FFFF00000000}"/></bookViews><sheets><sheet name="Sheet" sheetId="1" r:id="rId1"/><sheet name="Sheet1" sheetId="3" state="hidden" r:id="rId2"/><sheet name="Nolaert" sheetId="2" state="hidden" r:id="rId3"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">Nolaert!$AK$7</definedName></definedNames><calcPr calcId="191029"/><extLst><ext uri="{B58B0392-4F1F-4190-BB64-5DF3571DCE5F}" xmlns:xcalcf="http://schemas.microsoft.com/office/spreadsheetml/2018/calcfeatures"><xcalcf:calcFeatures><xcalcf:feature name="microsoft.com:RD"/><xcalcf:feature name="microsoft.com:FV"/></xcalcf:calcFeatures></ext></extLst></workbook>
PE file contains strange resources
Source: B5D11EA.bmp.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: B5D11EA.bmp.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: B5D11EA.bmp.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: B5D11EA.bmp.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: B5D11EA.bmp.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: B5D11EA.bmp.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: B5D11EA.bmp.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: B5D11EA.bmp.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Unable to load, office file is protected or invalid
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Window title found: microsoft excel okcannot run 'tar.exe'. the program or one of its components is damaged or missing.
Source: classification engine Classification label: mal72.troj.expl.evad.winXLSM@1/9@0/0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$4468873941_759979693.xlsm Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRCF11.tmp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 4468873941_759979693.xlsm Initial sample: OLE zip file path = xl/drawings/drawing2.xml
Source: 4468873941_759979693.xlsm Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: 4468873941_759979693.xlsm Initial sample: OLE zip file path = xl/drawings/_rels/drawing2.xml.rels
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: k:\MSSniffer\Release\Sniffer.pdb source: B5D11EA.bmp.0.dr

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B5D11EA.bmp Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B5D11EA.bmp Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: B5D11EA.bmp.0.dr Binary or memory string: ORIGINALFILENAMESNIFFER.EXEJ
Source: B5D11EA.bmp.0.dr Binary or memory string: INTERNALNAMESNIFFER.EXE
Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B5D11EA.bmp Jump to dropped file
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 412575 Sample: 4468873941_759979693.xlsm Startdate: 12/05/2021 Architecture: WINDOWS Score: 72 12 Document exploit detected (drops PE files) 2->12 14 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->14 16 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->16 18 3 other signatures 2->18 5 EXCEL.EXE 84 32 2->5         started        process3 file4 8 C:\Users\user\AppData\Local\...\B5D11EA.bmp, PE32 5->8 dropped 10 C:\Users\user\...\~$4468873941_759979693.xlsm, data 5->10 dropped
No contacted IP infos