Play interactive tour
Edit tourWindows Analysis Report COVID.XLSM
Overview
General Information
| Sample Name: | COVID.XLSM |
| Analysis ID: | 471900 |
| MD5: | c123363068a4651c9c0c6b4e01b35142 |
| SHA1: | 8de437d8df29c53e9ebb03a797fdbf805c10429a |
| SHA256: | e5e65b70b5497f146609db5c086e997a4b0ab2352b534c9e25d8a10407801d78 |
| Tags: | xlsx |
| Infos: | |
Most interesting Screenshot:  | |
Detection
| Score: | 76 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Very long command line found
Creates processes via WMI
Machine Learning detection for sample
Queries the volume information (name, serial number etc) of a device
Potential document exploit detected (unknown TCP traffic)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)
Contains long sleeps (>= 3 min)
Enables debug privileges
Classification
Process Tree |
|---|
|
