Windows Analysis Report art-1881052385.xls

Overview

General Information

Sample Name: art-1881052385.xls
Analysis ID: 501787
MD5: d8b24f156013e7722bfbba988da25e07
SHA1: bf3de63943d78a14a07604c90bb6e523c8bf717b
SHA256: 0361b3ee64c579db66c932ff110836fd4ade16f68eb6a18cabc9c60c96d86b59
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Antivirus detection for URL or domain
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Yara signature match
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
May sleep (evasive loops) to hinder dynamic analysis
Document contains embedded VBA macros
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
IP address seen in connection with other malware

Classification

AV Detection:

barindex
Antivirus detection for URL or domain
Source: https://recapitol.com/pl92fIeHE11X/filht.html Avira URL Cloud: Label: malware
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: unknown HTTPS traffic detected: 101.0.113.93:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.179.232.85:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown HTTPS traffic detected: 103.28.121.60:443 -> 192.168.2.22:49169 version: TLS 1.2

Software Vulnerabilities:

barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA Jump to behavior
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 101.0.113.93:443
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: boogieproductions.com.au
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 101.0.113.93:443

Networking:

barindex
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /jJNW2LDF/filkfht.html HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: boogieproductions.com.auConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /pl92fIeHE11X/filht.html HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: recapitol.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /QpPq5lm6Xy/fikfh.html HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: iu.ac.bdConnection: Keep-Alive
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 103.28.121.60 103.28.121.60
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: regsvr32.exe, 00000004.00000002.475725799.0000000004880000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.468810119.0000000004840000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.457781066.00000000049E0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: regsvr32.exe, 00000004.00000002.475725799.0000000004880000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.468810119.0000000004840000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.457781066.00000000049E0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: regsvr32.exe, 00000004.00000002.475725799.0000000004880000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.468810119.0000000004840000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.457781066.00000000049E0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: regsvr32.exe, 00000004.00000002.475915213.0000000004A67000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.469059710.0000000004A27000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.457975521.0000000004BC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: regsvr32.exe, 00000004.00000002.475915213.0000000004A67000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.469059710.0000000004A27000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.457975521.0000000004BC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: regsvr32.exe, 00000004.00000002.475166896.0000000003A80000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.468111615.0000000003A70000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000004.00000002.474684792.0000000001C80000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.467583178.0000000001DA0000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000004.00000002.475915213.0000000004A67000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.469059710.0000000004A27000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.457975521.0000000004BC7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: regsvr32.exe, 00000004.00000002.475915213.0000000004A67000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.469059710.0000000004A27000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.457975521.0000000004BC7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: regsvr32.exe, 00000004.00000002.475166896.0000000003A80000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.468111615.0000000003A70000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: regsvr32.exe, 00000004.00000002.475725799.0000000004880000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.468810119.0000000004840000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.457781066.00000000049E0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: regsvr32.exe, 00000004.00000002.475915213.0000000004A67000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.469059710.0000000004A27000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.457975521.0000000004BC7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: regsvr32.exe, 00000004.00000002.475725799.0000000004880000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.468810119.0000000004840000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.457781066.00000000049E0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: regsvr32.exe, 00000006.00000002.457781066.00000000049E0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\filkfht[1].htm Jump to behavior
Source: unknown DNS traffic detected: queries for: boogieproductions.com.au
Source: global traffic HTTP traffic detected: GET /jJNW2LDF/filkfht.html HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: boogieproductions.com.auConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /pl92fIeHE11X/filht.html HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: recapitol.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /QpPq5lm6Xy/fikfh.html HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: iu.ac.bdConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 101.0.113.93:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.179.232.85:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown HTTPS traffic detected: 103.28.121.60:443 -> 192.168.2.22:49169 version: TLS 1.2

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing 18 19 OK 20 (D PROTECTED VIEW Be careful- files from the 1nterne -cted View. Ena
Source: Screenshot number: 4 Screenshot OCR: Enable Content 25 26 (i) SECURITY WARNING Macros have been disabled. Enable Content 27 28 29 3
Source: Screenshot number: 8 Screenshot OCR: Enable Editing 18 '9 41' I 20 (D PROTECTED VIEW Be careful- files from the 1nterne :cted View.
Source: Screenshot number: 8 Screenshot OCR: Enable Content 25 26 (i) SECURITY WARNING Macros have been disabled. Enable Content 27 28 29 3
Source: Document image extraction number: 0 Screenshot OCR: Enable Editing 0 PROTECTED VIEW Be careful - files from the Internet can contain viruses. Unless yo
Source: Document image extraction number: 0 Screenshot OCR: Enable Content OSECURITY WARNING Macros have been disabled. Enable Content om If you are using a m
Source: Document image extraction number: 1 Screenshot OCR: Enable Editing (D PROTECTED VIEW Be careful - files from the Internet can contain viruses. Unless y
Source: Document image extraction number: 1 Screenshot OCR: Enable Content OSECURITY WARNING Macros have been disabled. Enable Content om If you are using a m
Source: Screenshot number: 12 Screenshot OCR: Enable Editing 19 20 (D PROTECTED VIEW Be careful - files from the Internet can contain viruses. U
Source: Screenshot number: 12 Screenshot OCR: Enable Content 25 26 (i) SECURITY WARNING Macros have been disabled. Enable Content 27 28 29 3
Yara signature match
Source: art-1881052385.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Document contains embedded VBA macros
Source: art-1881052385.xls OLE indicator, VBA macros: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: art-1881052385.xls OLE indicator, Workbook stream: true
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Datop\test.test
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Datop\test1.test
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Datop\test2.test
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Datop\test.test Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Datop\test1.test Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Datop\test2.test Jump to behavior
Source: regsvr32.exe, 00000004.00000002.475725799.0000000004880000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.468810119.0000000004840000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.457781066.00000000049E0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVREFE9.tmp Jump to behavior
Source: classification engine Classification label: mal76.expl.winXLS@7/0@3/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\regsvr32.exe TID: 2080 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 2084 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 2728 Thread sleep count: 43 > 30 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 2144 Thread sleep time: -60000s >= -30000s Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Yara detected hidden Macro 4.0 in Excel
Source: Yara match File source: art-1881052385.xls, type: SAMPLE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 501787 Sample: art-1881052385.xls Startdate: 13/10/2021 Architecture: WINDOWS Score: 76 22 Antivirus detection for URL or domain 2->22 24 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->24 26 Sigma detected: Microsoft Office Product Spawning Windows Shell 2->26 28 3 other signatures 2->28 6 EXCEL.EXE 57 25 2->6         started        process3 dnsIp4 16 recapitol.com 108.179.232.85, 443, 49168 UNIFIEDLAYER-AS-1US United States 6->16 18 boogieproductions.com.au 101.0.113.93, 443, 49167 DIGITALPACIFIC-AUDigitalPacificPtyLtdAustraliaAU Australia 6->18 20 iu.ac.bd 103.28.121.60, 443, 49169 BDREN-UGC-AS-APBangladeshResearchandEducationNetworkB Bangladesh 6->20 30 Document exploit detected (UrlDownloadToFile) 6->30 10 regsvr32.exe 6->10         started        12 regsvr32.exe 6->12         started        14 regsvr32.exe 6->14         started        signatures5 process6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
101.0.113.93
 boogieproductions.com.au Australia
55803 DIGITALPACIFIC-AUDigitalPacificPtyLtdAustraliaAU false
103.28.121.60
 iu.ac.bd Bangladesh
63961 BDREN-UGC-AS-APBangladeshResearchandEducationNetworkB false
108.179.232.85
 recapitol.com United States
46606 UNIFIEDLAYER-AS-1US false

Contacted Domains

Name IP Active
iu.ac.bd 103.28.121.60 true
boogieproductions.com.au 101.0.113.93 true
recapitol.com 108.179.232.85 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://recapitol.com/pl92fIeHE11X/filht.html true
  • Avira URL Cloud: malware
 unknown
https://iu.ac.bd/QpPq5lm6Xy/fikfh.html false
  • Avira URL Cloud: safe
 unknown
https://boogieproductions.com.au/jJNW2LDF/filkfht.html false
  • Avira URL Cloud: safe
 unknown