Windows Analysis Report 1701667874-10042021.xls

Overview

General Information

Sample Name: 1701667874-10042021.xls
Analysis ID: 499734
MD5: 1dc3a1c0972a9e32d88e85d1cf8f2c65
SHA1: 808311a07522956f55bf842749083e199b0f04c6
SHA256: 9828f899790d150360e0a3f78f3eb3b758417644bc16896aeb411e2af9e8ea4b
Tags: xls
Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Sigma detected: Regsvr32 Command Line Without DLL
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Potential document exploit detected (unknown TCP traffic)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Classification


Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 190.14.37.165:80

Networking:

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 190.14.37.165:80
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 5.196.247.11:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 188.119.113.3:80
Source: unknown TCP traffic detected without corresponding DNS query: 190.14.37.165
Source: unknown TCP traffic detected without corresponding DNS query: 190.14.37.165
Source: unknown TCP traffic detected without corresponding DNS query: 190.14.37.165
Source: unknown TCP traffic detected without corresponding DNS query: 190.14.37.165
Source: unknown TCP traffic detected without corresponding DNS query: 190.14.37.165
Source: unknown TCP traffic detected without corresponding DNS query: 190.14.37.165
Source: unknown TCP traffic detected without corresponding DNS query: 5.196.247.11
Source: unknown TCP traffic detected without corresponding DNS query: 5.196.247.11
Source: unknown TCP traffic detected without corresponding DNS query: 5.196.247.11
Source: unknown TCP traffic detected without corresponding DNS query: 5.196.247.11
Source: unknown TCP traffic detected without corresponding DNS query: 5.196.247.11
Source: unknown TCP traffic detected without corresponding DNS query: 5.196.247.11
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.113.3
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.113.3
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.113.3
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.113.3
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.113.3
Source: unknown TCP traffic detected without corresponding DNS query: 188.119.113.3
Source: 1701667874-10042021.xls String found in binary or memory: http://188.119.113.3/
Source: 1701667874-10042021.xls String found in binary or memory: http://190.14.37.165/
Source: 1701667874-10042021.xls String found in binary or memory: http://5.196.247.11/
Source: regsvr32.exe, 00000005.00000002.679858071.0000000001D50000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.680607370.0000000001C80000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.681304870.0000000001CE0000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Document image extraction number: 0 Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 PROTECTEDWARNING This file o
Source: Document image extraction number: 0 Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
Source: Document image extraction number: 0 Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
Source: Document image extraction number: 1 Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 pRoTEcTmwARNNG Thisfileorigi
Source: Document image extraction number: 1 Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
Source: Document image extraction number: 1 Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: 1701667874-10042021.xls OLE, VBA macro line: Sub auto_close()
Source: 1701667874-10042021.xls OLE, VBA macro line: Sub auto_open()
Source: 1701667874-10042021.xls OLE, VBA macro line: Private Sub saWorkbook_Opensa()
Document contains embedded VBA macros
Source: 1701667874-10042021.xls OLE indicator, VBA macros: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRDAD3.tmp
Source: C:\Windows\System32\regsvr32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1701667874-10042021.xls OLE indicator, Workbook stream: true
Source: classification engine Classification label: mal68.expl.winXLS@7/2@0/3
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Celod.wac
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Celod.wac1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Celod.wac2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Window found: window name: SysTabControl32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel
Source: Yara match File source: 1701667874-10042021.xls, type: SAMPLE