Windows Analysis Report Compensation_Reject-958463727-09292021.xls


General Information

Sample Name: Compensation_Reject-958463727-09292021.xls
Analysis ID: 494138
MD5: 771470585379f22a6c76e4ff08728512
SHA1: 996717d117629fb99f697129c98dab92eac0eca2
SHA256: 310121955d11b8c4ecb14a5373f2dda35ddaac230db890b6e306302e22b11ffe
Tags: xls

Most interesting Screenshot:


Hidden Macro 4.0 Qbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%


Found malware configuration
Yara detected Qbot
Document exploit detected (drops PE files)
Sigma detected: Schedule system process
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Office process drops PE file
Writes to foreign memory regions
Uses cmd line tools excessively to alter registry or file data
Sigma detected: Microsoft Office Product Spawning Windows Shell
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Regsvr32 Command Line Without DLL
Drops PE files to the user root directory
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Downloads executable code via HTTP
Abnormal high CPU Usage
Drops files with a non-matching file extension (content does not match file extension)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Uses reg.exe to modify the Windows registry
Document contains embedded VBA macros
Drops PE files to the user directory
PE file overlay found
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)


AV Detection: