Play interactive tourEdit tour
Windows Analysis Report COVID.XLSM
Overview
General Information
Detection
Score: | 84 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Multi AV Scanner detection for domain / URL
Document contains an embedded VBA macro which may execute processes
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Very long command line found
Creates processes via WMI
Machine Learning detection for sample
Document contains an embedded VBA macro with suspicious strings
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Potential document exploit detected (performs DNS queries)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
Document contains embedded VBA macros
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)
Classification
Process Tree |
---|
|