Analysis Report diagram-419065597.xls

Overview

General Information

Sample Name: diagram-419065597.xls
Analysis ID: 412973
MD5: ec968745c407ee67d80d18c25abaa8d2
SHA1: 922818d6a781b3780541837975c54baa4e7a3349
SHA256: 431c2a2e6969ba3aa239af68c3150d86837b3e58bc80b2690b91cf39d459ac55
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document contains embedded VBA macros
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: diagram-419065597.xls ReversingLabs: Detection: 14%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: unknown HTTPS traffic detected: 108.167.180.130:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown HTTPS traffic detected: 208.91.198.131:443 -> 192.168.2.22:49170 version: TLS 1.2

Software Vulnerabilities:

barindex
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA Jump to behavior
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: stateoftheartacademy.com.br
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 108.167.180.130:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 108.167.180.130:443

Networking:

barindex
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ Jump to behavior
Source: rundll32.exe, 00000003.00000002.2120674840.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113337794.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: stateoftheartacademy.com.br
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000003.00000002.2120674840.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113337794.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2120674840.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113337794.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2121014308.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113474322.0000000001D97000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2121014308.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113474322.0000000001D97000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2121014308.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113474322.0000000001D97000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2121014308.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113474322.0000000001D97000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2120674840.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113337794.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2121014308.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113474322.0000000001D97000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2120674840.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113337794.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.2113337794.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown HTTPS traffic detected: 108.167.180.130:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown HTTPS traffic detected: 208.91.198.131:443 -> 192.168.2.22:49170 version: TLS 1.2

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, pleas' " ' "
Source: Screenshot number: 8 Screenshot OCR: Enable Editing 11 1 from the yellow bar above 12 13 2 Once You have Enable Editing, please click
Source: Screenshot number: 8 Screenshot OCR: Enable Content 14 , from the yellow bar above 15 D e 16 17 I 18 I WHY I CANNOT OPEN THIS DOCUME
Source: Document image extraction number: 5 Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Content
Source: Document image extraction number: 5 Screenshot OCR: Enable Content from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? You are using iOS or An
Source: Document image extraction number: 14 Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Conte
Source: Document image extraction number: 14 Screenshot OCR: Enable Content from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? w You are using IDS or
Found Excel 4.0 Macro with suspicious formulas
Source: diagram-419065597.xls Initial sample: CALL
Source: diagram-419065597.xls Initial sample: CALL
Source: diagram-419065597.xls Initial sample: EXEC
Found abnormal large hidden Excel 4.0 Macro sheet
Source: diagram-419065597.xls Initial sample: Sheet size: 14900
Document contains embedded VBA macros
Source: diagram-419065597.xls OLE indicator, VBA macros: true
Source: rundll32.exe, 00000003.00000002.2120674840.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2113337794.0000000001BB0000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal76.expl.evad.winXLS@5/11@2/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\89EE0000 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRDF27.tmp Jump to behavior
Source: diagram-419065597.xls OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm,DllRegisterServer
Source: diagram-419065597.xls ReversingLabs: Detection: 14%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm,DllRegisterServer Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm1,DllRegisterServer Jump to behavior
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 412973 Sample: diagram-419065597.xls Startdate: 13/05/2021 Architecture: WINDOWS Score: 76 18 Multi AV Scanner detection for submitted file 2->18 20 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->20 22 Sigma detected: Microsoft Office Product Spawning Windows Shell 2->22 24 3 other signatures 2->24 6 EXCEL.EXE 89 47 2->6         started        process3 dnsIp4 14 stateoftheartacademy.com.br 108.167.180.130, 443, 49167 UNIFIEDLAYER-AS-1US United States 6->14 16 dsafarm.com 208.91.198.131, 443, 49170 PUBLIC-DOMAIN-REGISTRYUS United States 6->16 26 Document exploit detected (UrlDownloadToFile) 6->26 10 rundll32.exe 6->10         started        12 rundll32.exe 6->12         started        signatures5 process6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
108.167.180.130
 stateoftheartacademy.com.br United States
46606 UNIFIEDLAYER-AS-1US false
208.91.198.131
 dsafarm.com United States
394695 PUBLIC-DOMAIN-REGISTRYUS false

Contacted Domains

Name IP Active
stateoftheartacademy.com.br 108.167.180.130 true
dsafarm.com 208.91.198.131 true