Windows Analysis Report BookingXConfirm-11401.xlsb

Overview

General Information

Sample Name: BookingXConfirm-11401.xlsb
Analysis ID: 528391
MD5: 6b7bad3cea00c7bc8af7e7d0143c5928
SHA1: 8c8c8bfe0d0f61dec2a2083488ff709555b79f0a
SHA256: 2131544f0cfa54af9bdd61cd990af05f1a4483df67d6e6d76ece14cb9cc550f6
Tags: xlsx

Most interesting Screenshot:

Detection

Hidden Macro 4.0 Dridex Downloader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Dridex Downloader
Found malicious Excel 4.0 Macro
Multi AV Scanner detection for domain / URL
Sigma detected: Microsoft Office Product Spawning Windows Shell
Creates processes via WMI
Creates and opens a fake document (probably a fake document to hide exploiting)
Found Excel 4.0 Macro with suspicious formulas
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Found protected and hidden Excel 4.0 Macro sheet
Contains functionality to create processes via WMI
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: Suspicious WMI Execution
Internet Provider seen in connection with other malware
IP address seen in connection with other malware
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication
Yara detected Xls With Macro 4.0
Detected TCP or UDP traffic on non-standard ports
Creates a window with clipboard capturing capabilities
Potential document exploit detected (performs HTTP gets)

Classification