Windows Analysis Report sample2.xls.vir

Overview

General Information

Sample Name: sample2.xls.vir (renamed file extension from vir to xls)
Analysis ID: 528761
MD5: 75c10281f9cae799f72d6b949199fd91
SHA1: 7bd8c6de6d714ff5e0b8f450203d24c8dd30495d
SHA256: 53a57594efe3312565fd5415ad3d7066799f831bb6854737ffaf87fe0119af01
Tags: virxlsx
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Multi AV Scanner detection for submitted file
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Performs DNS queries to domains with low reputation
Office document connecting to suspicious TLD
Potential document exploit detected (performs DNS queries with low reputation score)
Yara signature match
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
May sleep (evasive loops) to hinder dynamic analysis
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Yara detected Xls With Macro 4.0
Internet Provider seen in connection with other malware
Document contains embedded VBA macros
Potential document exploit detected (performs DNS queries)
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: sample2.xls.xls Virustotal: Detection: 37% Perma Link
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Software Vulnerabilities:

barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA Jump to behavior
Potential document exploit detected (performs DNS queries with low reputation score)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE DNS query: name: gupta-foods.xyz
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 51.15.56.22:80
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: gupta-foods.xyz

Networking:

barindex
Performs DNS queries to domains with low reputation
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE DNS query: gupta-foods.xyz
Office document connecting to suspicious TLD
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE DNS traffic detected: gupta-foods.xyz
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 51.15.56.22:80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OnlineSASFR OnlineSASFR
Source: regsvr32.exe, 00000005.00000002.577525725.0000000004A00000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.556615262.0000000004A90000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.573740679.0000000004800000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: regsvr32.exe, 00000005.00000002.577525725.0000000004A00000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.556615262.0000000004A90000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.573740679.0000000004800000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: regsvr32.exe, 00000005.00000002.577525725.0000000004A00000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.556615262.0000000004A90000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.573740679.0000000004800000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: regsvr32.exe, 00000005.00000002.577764523.0000000004BE7000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.556792501.0000000004C77000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: regsvr32.exe, 00000005.00000002.577764523.0000000004BE7000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.556792501.0000000004C77000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: regsvr32.exe, 00000005.00000002.576925311.0000000003AA0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.556186811.0000000003B00000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.573207626.0000000003A00000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000005.00000002.576341085.0000000001CC0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.555674088.0000000001CF0000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.572632835.0000000001CB0000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000005.00000002.577764523.0000000004BE7000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.556792501.0000000004C77000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: regsvr32.exe, 00000005.00000002.577764523.0000000004BE7000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.556792501.0000000004C77000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: regsvr32.exe, 00000005.00000002.576925311.0000000003AA0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.556186811.0000000003B00000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.573207626.0000000003A00000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: regsvr32.exe, 00000005.00000002.577525725.0000000004A00000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.556615262.0000000004A90000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.573740679.0000000004800000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: regsvr32.exe, 00000005.00000002.577764523.0000000004BE7000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.556792501.0000000004C77000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: regsvr32.exe, 00000005.00000002.577525725.0000000004A00000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.556615262.0000000004A90000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.573740679.0000000004800000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: regsvr32.exe, 00000007.00000002.573740679.0000000004800000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: unknown DNS traffic detected: queries for: gupta-foods.xyz

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 8 Screenshot OCR: Enable Editing 18 19 20 (D PROTECTED VIEW Be careful - files from the Internet can contF viruses.
Source: Screenshot number: 8 Screenshot OCR: Enable Content 25 26 CD SECURITY WARNING Macros have been disabled. Enable Content 27 28 29 30
Source: Document image extraction number: 0 Screenshot OCR: Enable Editing CD PROTECTED VIEW Be careful - files from the Internet can contain viruses. Unless y
Source: Document image extraction number: 0 Screenshot OCR: Enable Content CD SECURITY WARNING Macros have been disabled. Enable Content cm If you are using
Source: Document image extraction number: 1 Screenshot OCR: Enable Editing CD PROTECTE D VIEW Be careful - files from the Internet mn contain viruses. UrUe$$ y
Source: Document image extraction number: 1 Screenshot OCR: Enable Content (D SECURITY WARNING Macros have been disabled. Enable Content 0">Gj If you are usin
Source: Screenshot number: 12 Screenshot OCR: Enable Editing (D PROTECTED VIEW Be careful - files from the Internet can contain viruses. Unless y
Source: Screenshot number: 12 Screenshot OCR: Enable Content CD SECURITY WARNING Macros have been disabled. Enable Content cm If you are using
Yara signature match
Source: sample2.xls.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\sample2.xls.xls, type: DROPPED Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Found a hidden Excel 4.0 Macro sheet
Source: sample2.xls.xls Macro extractor: Sheet name: Beff2
Source: sample2.xls.xls Macro extractor: Sheet name: Beff4
Source: sample2.xls.xls Macro extractor: Sheet name: Beff7
Source: sample2.xls.xls Macro extractor: Sheet name: Beff5
Source: sample2.xls.xls Macro extractor: Sheet name: Beff1
Source: sample2.xls.xls Macro extractor: Sheet name: Beff8
Source: sample2.xls.xls Macro extractor: Sheet name: Beff3
Source: sample2.xls.xls Macro extractor: Sheet name: Beff6
Document contains embedded VBA macros
Source: sample2.xls.xls OLE indicator, VBA macros: true
Source: sample2.xls.xls.0.dr OLE indicator, VBA macros: true
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: 7D1C.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: sample2.xls.xls Virustotal: Detection: 37%
Source: C:\Windows\System32\regsvr32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: sample2.xls.xls OLE indicator, Workbook stream: true
Source: sample2.xls.xls.0.dr OLE indicator, Workbook stream: true
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\test.test
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\test1.test
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\test2.test
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\test.test Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\test1.test Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\test2.test Jump to behavior
Source: regsvr32.exe, 00000005.00000002.577525725.0000000004A00000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.556615262.0000000004A90000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.573740679.0000000004800000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRDD72.tmp Jump to behavior
Source: classification engine Classification label: mal88.troj.expl.winXLS@7/4@3/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Automated click: OK
Source: C:\Windows\System32\regsvr32.exe Automated click: OK
Source: C:\Windows\System32\regsvr32.exe Automated click: OK
Source: C:\Windows\System32\regsvr32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: sample2.xls.xls Initial sample: OLE indicator appname = Microsoft Macintosh Excel
Source: sample2.xls.xls Initial sample: OLE summary creatingapplication = Microsoft Macintosh Excel
Source: sample2.xls.xls.0.dr Initial sample: OLE indicator appname = Microsoft Macintosh Excel
Source: sample2.xls.xls.0.dr Initial sample: OLE summary creatingapplication = Microsoft Macintosh Excel
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: 7D1C.tmp.0.dr Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\regsvr32.exe TID: 200 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 2532 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 2944 Thread sleep time: -60000s >= -30000s Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Yara detected hidden Macro 4.0 in Excel
Source: Yara match File source: sample2.xls.xls, type: SAMPLE
Source: Yara match File source: C:\Users\user\Desktop\sample2.xls.xls, type: DROPPED
Yara detected Xls With Macro 4.0
Source: Yara match File source: sample2.xls.xls, type: SAMPLE
Source: Yara match File source: C:\Users\user\Desktop\sample2.xls.xls, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 528761 Sample: sample2.xls.vir Startdate: 25/11/2021 Architecture: WINDOWS Score: 88 25 Multi AV Scanner detection for submitted file 2->25 27 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->27 29 Performs DNS queries to domains with low reputation 2->29 31 6 other signatures 2->31 6 EXCEL.EXE 54 22 2->6         started        process3 dnsIp4 19 gupta-technologies.sbs 51.15.56.22, 80 OnlineSASFR France 6->19 21 gupta-foods.xyz 6->21 23 gupta-airways.icu 6->23 17 C:\Users\user\Desktop\sample2.xls.xls, Composite 6->17 dropped 33 Document exploit detected (UrlDownloadToFile) 6->33 11 regsvr32.exe 6->11         started        13 regsvr32.exe 6->13         started        15 regsvr32.exe 6->15         started        file5 signatures6 process7
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
51.15.56.22
 gupta-foods.xyz France
12876 OnlineSASFR true

Contacted Domains

Name IP Active
gupta-foods.xyz 51.15.56.22 true
gupta-airways.icu 51.15.56.22 true
gupta-technologies.sbs 51.15.56.22 true