
Windows Analysis Report 474556085436219490680.xlsb

Overview

General Information

Sample Name: 474556085436219490680.xlsb
Analysis ID: 528398
MD5: 75c325deec0cae07e089f47028c4e444
SHA1: ff3d0672ff1a95212063a42779538c1896d3b77c
SHA256: f4e3013be0615f60a3a6f6d3d3b26aa5239fe270e404dd465e1b99c2b594b4f8
Tags: xlsb, xlsx

Most interesting Screenshot:

Detection

Hidden Macro 4.0 Dridex Downloader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex Downloader
Creates and opens a fake document (probably a fake document to hide exploiting)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Creates processes via WMI
Document exploit detected (UrlDownloadToFile)
Found protected and hidden Excel 4.0 Macro sheet
Contains functionality to create processes via WMI
Found obfuscated Excel 4.0 Macro
Queries the volume information (name, serial number etc) of a device
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication
May sleep (evasive loops) to hinder dynamic analysis
Yara detected Xls With Macro 4.0
Detected TCP or UDP traffic on non-standard ports
Sigma detected: Suspicious WMI Execution
Creates a window with clipboard capturing capabilities
Potential document exploit detected (performs HTTP gets)
IP address seen in connection with other malware

Classification