Analysis Report audit-367497006.xlsb

Overview

General Information

Sample Name:	audit-367497006.xlsb
Analysis ID:	431855
MD5:	6a44858ca2fe28f5e2c4eed2c5a360e4
SHA1:	e793cbf64ad364c93e3a673a090977a3434cb6d9
SHA256:	49558300c4315c8c53216a8c17e32ff87ca4be34547ab064de7d872d429bb3f3
Tags:	xlsx
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Sigma detected: Microsoft Office Product Spawning Windows Shell

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Registers a DLL

Tries to load missing DLLs

Yara detected Xls With Macro 4.0

Classification

Signatures

AV Detection:

Multi AV Scanner detection for domain / URL

Source: forfacks.com

Virustotal: Detection: 5%

Perma Link

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 192.185.48.167:443 -> 192.168.2.4:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.113.120:443 -> 192.168.2.4:49727 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: \KnownDlls32\WININET.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: forfacks.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.4:49725 -> 192.185.48.167:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.4:49725 -> 192.185.48.167:443

Networking:

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS traffic detected: queries for: forfacks.com

Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725

Source: unknown	HTTPS traffic detected: 192.185.48.167:443 -> 192.168.2.4:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.113.120:443 -> 192.168.2.4:49727 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4

Screenshot OCR: Enable Content ' ' 14 15 / , 16 " 17 18 WHY I CANNOT OPEN THIS DOCUMENT ? 19 20 21 W You

Found Excel 4.0 Macro with suspicious formulas

Source: audit-367497006.xlsb

Initial sample: EXEC

Found abnormal large hidden Excel 4.0 Macro sheet

Source: audit-367497006.xlsb	Initial sample: Sheet size: 8595
Source: audit-367497006.xlsb	Initial sample: Sheet size: 7538

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll			Jump to behavior

Source: classification engine

Classification label: mal76.expl.evad.winXLSB@5/9@2/2

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\Desktop\~$audit-367497006.xlsb

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{CA4A0570-2497-4229-BD1C-B788DE92E1D9} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\werty1.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\werty2.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\werty1.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\werty2.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: audit-367497006.xlsb	Initial sample: OLE zip file path = xl/media/image1.png
Source: audit-367497006.xlsb	Initial sample: OLE zip file path = xl/media/image2.png
Source: audit-367497006.xlsb	Initial sample: OLE zip file path = xl/media/image3.png
Source: audit-367497006.xlsb	Initial sample: OLE zip file path = xl/media/image4.png
Source: audit-367497006.xlsb	Initial sample: OLE zip file path = xl/media/image5.png
Source: audit-367497006.xlsb	Initial sample: OLE zip file path = xl/media/image6.png

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Data Obfuscation:

Registers a DLL

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\werty1.dll

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: regsvr32.exe, 00000001.00000002.659802132.0000000003400000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.661248559.0000000004640000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: regsvr32.exe, 00000001.00000002.659802132.0000000003400000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.661248559.0000000004640000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: regsvr32.exe, 00000001.00000002.659802132.0000000003400000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.661248559.0000000004640000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: regsvr32.exe, 00000001.00000002.659802132.0000000003400000.00000002.00000001.sdmp, regsvr32.exe, 00000002.00000002.661248559.0000000004640000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

Yara detected Xls With Macro 4.0

Source: Yara match

File source: app.xml, type: SAMPLE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.185.48.167	forfacks.com	United States		46606	UNIFIEDLAYER-AS-1US	true
192.185.113.120	dreamhimalayan.com	United States		46606	UNIFIEDLAYER-AS-1US	false

Contacted Domains

Name	IP	Active
dreamhimalayan.com	192.185.113.120	true
forfacks.com	192.185.48.167	true

ID:	431855
Product:	CloudBasic
Start time:	13:16:15
Start date:	09.06.2021
Sample:	audit-367497006.xlsb
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	6a44858ca2fe28f5e2c4eed2c5a360e4
SHA1:	e793cbf64ad364c93e3a673a090977a3434cb6d9
SHA256:	49558300c4315c8c53216a8c17e32ff87ca4be34547ab064de7d872d429bb3f3
Filetype:	Excel Microsoft Office Binary workbook document (47504/1) 49.74%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2A108F49.png	PNG image data, 246 x 108, 8-bit/color RGB, non-interlaced	9C4F09E387EA7B36C8149EA7C5F8876E	FF83384288EB89964C3872367E43F25FAFF007CC	A51C1D65092272DAEB2541D64A10539F0D04BC2F51B281C7A3296500CFCA56DE
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5C50E7CA.png	PNG image data, 521 x 246, 8-bit/color RGB, non-interlaced	4E69B72B0CE87CC7EE30AA1A062147FE	09B0AA5414E08756E0AE53E1BE5C70DB4DEAF2E8	77A1F749389CBF771D5197FF0FF17113FCA1D91989ADCADF2852876A6CC14988
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8F304143.png	PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced	A516B6CB784827C6BDE58BC9D341C1BD	9D602E7248E06FF639E6437A0A16EA7A4F9E6C73	EF8F7EDB6BA0B5ACEC64543A0AF1B133539FFD439F8324634C3F970112997074
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\9F7E393F.png	PNG image data, 490 x 30, 8-bit/color RGB, non-interlaced	ED31C7053D581EDC4C98D222CE02EDEF	6BA7A49CC6FF8FE00E9C5BC75F48AB7E679536DD	0FCF61397154DF01CFAECA362BD643D88AAD5FEDD07B52DC8A921CC0D7236534
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BA0F5CB6.png	PNG image data, 934 x 29, 8-bit/color RGB, non-interlaced	B1F262A694930ADB699FA94E3394887F	9C9B66D3A3F09AECA45DB94304CDD6FB3C5BD4C9	9C99EC61392B9022A38C1354124360147E8185065095BD2EC92B1416CF9F4B68
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\DEFF0268.png	PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced	02DB1068B56D3FD907241C2F3240F849	58EC338C879DDBDF02265CBEFA9A2FB08C569D20	D58FF94F5BB5D49236C138DC109CE83E82879D0D44BE387B0EA3773D908DD25F
C:\Users\user\AppData\Local\Temp\05A40000	data	1F2A5A98E12F173129B088345FFF61F3	C817375FF59A4588B3E061EB1D977B6ACA6761A0	80C5336B8456DE56D4346B3E990CF7108C3F7B4C8FA0E5C19B106EEA740EBBEF
C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC	Little-endian UTF-16 Unicode text, with CR line terminators	7962B839183642D3CDC2F9CEBDBF85CE	2BE8F6F309962ED367866F6E70668508BC814C2D	5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
C:\Users\user\Desktop\~$audit-367497006.xlsb	data	7AB76C81182111AC93ACF915CA8331D5	68B94B5D4C83A6FB415C8026AF61F3F8745E2559	6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF

Analysis Report audit-367497006.xlsb

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains