Windows Analysis Report 00620 - 2011 Dept Expense Detail.xls

Overview

General Information

Sample Name: 00620 - 2011 Dept Expense Detail.xls
Analysis ID: 467210
MD5: 57bcdf4ddd4c73eb7b1579edf9e10d62
SHA1: fb7ee5e7a2ef599bcbf982ff6823387792a90335
SHA256: 5c0e2dc5c3e763417c7fb8f02f8d12a64e9aad4f7fa4cf0e7a09e31bfe20e4fd

Detection

Hidden Macro 4.0
Score: 20
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Yara detected hidden Macro 4.0 in Excel
Document contains embedded VBA macros

Classification

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: 00620 - 2011 Dept Expense Detail.xls String found in binary or memory: https://peoplesoft.dealercentral.net/psp/SCMPRD_newwin/EMPLOYEE/ERP/c/REPORT_BOOKS.IC_RUN_DRILLDOWN.

System Summary:

Document contains embedded VBA macros
Source: 00620 - 2011 Dept Expense Detail.xls OLE indicator, VBA macros: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC65A.tmp
Source: 00620 - 2011 Dept Expense Detail.xls OLE indicator, Workbook stream: true
Source: classification engine Classification label: sus20.expl.winXLS@1/1@0/0
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel
Source: Yara match File source: 00620 - 2011 Dept Expense Detail.xls, type: SAMPLE
No contacted IP infos