Windows Analysis Report Invoice.xlsm

Overview

General Information

Sample Name:	Invoice.xlsm
Analysis ID:	532378
MD5:	41b25400c2b31b922dd090e1251b37b8
SHA1:	b543cbb86a4e50506fb9be2ac455e4e606948d65
SHA256:	734577b2ffb53ddf37d71db650178c94c017f8749a9f9497d2f76abd876418a6
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Multi AV Scanner detection for submitted file

Antivirus detection for URL or domain

Sigma detected: Microsoft Office Product Spawning Windows Shell

Document exploit detected (process start blacklist hit)

Document exploit detected (UrlDownloadToFile)

Found a hidden Excel 4.0 Macro sheet

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Yara detected Xls With Macro 4.0

Detected potential crypto function

Excel documents contains an embedded macro which executes code when the document is opened

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality for execution timing, often used to detect debuggers

Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: Invoice.xlsm	Virustotal: Detection: 22%			Perma Link
Source: Invoice.xlsm	ReversingLabs: Detection: 20%

Antivirus detection for URL or domain

Source: http://crackedshop.org/9/q080U0ARYYL/	Avira URL Cloud: Label: malware
Source: https://ascarya.digital/wp-content/ZH4rirU	Avira URL Cloud: Label: malware
Source: https://ascarya.digital/wp-content/ZH4rirU/	Avira URL Cloud: Label: malware

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\SysWOW64\rundll32.exe

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 67.207.81.73:443

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: ascarya.digital

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 67.207.81.73:443

Networking:

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /9/q080U0ARYYL/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: crackedshop.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: crackedshop.orgConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443

Source: EXCEL.EXE, 00000000.00000003.1023489983.0000000005A45000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.1225541144.0000000005A08000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.1021276243.0000000005A42000.00000004.00000001.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.comse equals www.linkedin.com (Linkedin)
Source: rundll32.exe, 00000004.00000002.963320714.0000000000950000.00000002.00020000.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: EXCEL.EXE, 00000000.00000003.1023489983.0000000005A45000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.1225541144.0000000005A08000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.1021276243.0000000005A42000.00000004.00000001.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: EXCEL.EXE, 00000000.00000003.1023489983.0000000005A45000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.1225541144.0000000005A08000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.1021276243.0000000005A42000.00000004.00000001.sdmp	String found in binary or memory: http://crackedshop.org/cgi-sys/suspendedpage.cgi
Source: EXCEL.EXE, 00000000.00000003.1023489983.0000000005A45000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.1225541144.0000000005A08000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.1021276243.0000000005A42000.00000004.00000001.sdmp	String found in binary or memory: http://crackedshop.org/cgi-sys/suspendedpage.cgi5
Source: rundll32.exe, 00000004.00000002.963320714.0000000000950000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000004.00000002.963320714.0000000000950000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: EXCEL.EXE, 00000000.00000002.1225027533.0000000005257000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.963514761.0000000000B37000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: EXCEL.EXE, 00000000.00000002.1225027533.0000000005257000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.963514761.0000000000B37000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: EXCEL.EXE, 00000000.00000002.1225541144.0000000005A08000.00000004.00000001.sdmp	String found in binary or memory: http://purl.or
Source: EXCEL.EXE, 00000000.00000002.1225495153.00000000058A6000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.open
Source: EXCEL.EXE, 00000000.00000002.1225495153.00000000058A6000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.openformatrg/package/2006/r
Source: EXCEL.EXE, 00000000.00000002.1225027533.0000000005257000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.963514761.0000000000B37000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: EXCEL.EXE, 00000000.00000002.1225027533.0000000005257000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.963514761.0000000000B37000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000004.00000002.963320714.0000000000950000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: EXCEL.EXE, 00000000.00000002.1225027533.0000000005257000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.963514761.0000000000B37000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000004.00000002.963320714.0000000000950000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.963320714.0000000000950000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp	String found in binary or memory: https://ascarya.dig
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp	String found in binary or memory: https://ascarya.digit
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp	String found in binary or memory: https://ascarya.digital
Source: EXCEL.EXE, 00000000.00000002.1225583101.0000000005A7F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.1023508307.0000000005A7F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.1021291549.0000000005A7F000.00000004.00000001.sdmp	String found in binary or memory: https://ascarya.digital/
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp	String found in binary or memory: https://ascarya.digital/w
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp	String found in binary or memory: https://ascarya.digital/wp-c
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp	String found in binary or memory: https://ascarya.digital/wp-con
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp	String found in binary or memory: https://ascarya.digital/wp-conte
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp	String found in binary or memory: https://ascarya.digital/wp-content%https://ascarya.digital/wp-content/ZH&https://ascarya.digital/wp-
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp	String found in binary or memory: https://ascarya.digital/wp-content/ZH4rirU
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp	String found in binary or memory: https://ascarya.digital/wp-content/ZH4rirU/

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5EEDDA76.png

Jump to behavior

Source: unknown

DNS traffic detected: queries for: ascarya.digital

Source: global traffic	HTTP traffic detected: GET /9/q080U0ARYYL/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: crackedshop.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: crackedshop.orgConnection: Keep-Alive

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING" FROM YELLOW BAR ABOVE 5 Once you have enabled editing. please click "Enable Content
Source: Screenshot number: 4	Screenshot OCR: protected documents. 3 4 CLICK "ENABLE EDITING" FROM YELLOW BAR ABOVE 5 Once you have enabled edi
Source: Screenshot number: 4	Screenshot OCR: Enable Content" button 6 7 8 9 10 11 12 13 14 15 16 17 18 ^
Source: Screenshot number: 8	Screenshot OCR: ENABLE EDITING" FROM YELLOW BAR ABOVE 5 Once you have enabled editing. please click "Enable Content
Source: Screenshot number: 8	Screenshot OCR: protected documents. 3 4 CLICK "ENABLE EDITING" FROM YELLOW BAR ABOVE 5 Once you have enabled edi
Source: Screenshot number: 8	Screenshot OCR: Enable Content" button 6 7 8 9 10 11 12 13 14 15 16 17 18 ^
Source: Document image extraction number: 0	Screenshot OCR: ENABLE EDITING" FROM YELLOW BAR ABOVE Once you have enabled editing, please click "Enable Content"
Source: Document image extraction number: 0	Screenshot OCR: protected documents. CLICK "ENABLE EDITING" FROM YELLOW BAR ABOVE Once you have enabled editing, p
Source: Document image extraction number: 0	Screenshot OCR: Enable Content" button
Source: Document image extraction number: 1	Screenshot OCR: ENABLE EDITING" FROM YELLOW BAR ABOVE Once you have enabled editing, please click "Enable Content"
Source: Document image extraction number: 1	Screenshot OCR: protected documents. CLICK "ENABLE EDITING" FROM YELLOW BAR ABOVE Once you have enabled editing, p
Source: Document image extraction number: 1	Screenshot OCR: Enable Content" button

Found a hidden Excel 4.0 Macro sheet

Source: Invoice.xlsm	Macro extractor: Sheet name: Buk2
Source: Invoice.xlsm	Macro extractor: Sheet name: Buk5
Source: Invoice.xlsm	Macro extractor: Sheet name: Buk1
Source: Invoice.xlsm	Macro extractor: Sheet name: Buk7
Source: Invoice.xlsm	Macro extractor: Sheet name: EFEWF
Source: Invoice.xlsm	Macro extractor: Sheet name: Buk3
Source: Invoice.xlsm	Macro extractor: Sheet name: Buk4
Source: Invoice.xlsm	Macro extractor: Sheet name: Buk6

Detected potential crypto function

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Code function: 0_2_024E6743	0_2_024E6743
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Code function: 0_2_024E6340	0_2_024E6340
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Code function: 0_2_024E6753	0_2_024E6753
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Code function: 0_2_024E66E8	0_2_024E66E8
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Code function: 0_2_024E66F3	0_2_024E66F3

Excel documents contains an embedded macro which executes code when the document is opened

Source: workbook.xml

Binary string: \Desktop\Fil\1d\Cir\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent><xr:revisionPtr revIDLastSave="0" documentId="13_ncr:1_{1D31CE62-AFF1-46C8-8AB3-51A0A09BC8BF}" xr6:coauthVersionLast="45" xr6:coauthVersionMax="45" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/><bookViews><workbookView xWindow="-120" yWindow="-120" windowWidth="20730" windowHeight="11160" xr2:uid="{00000000-000D-0000-FFFF-FFFF00000000}"/></bookViews><sheets><sheet name="Sheet" sheetId="1" r:id="rId1"/><sheet name="Ss1" sheetId="2" state="hidden" r:id="rId2"/><sheet name="Ss1br2" sheetId="3" state="hidden" r:id="rId3"/><sheet name="Ssbr3" sheetId="4" state="hidden" r:id="rId4"/><sheet name="EFEWF" sheetId="5" state="hidden" r:id="rId5"/><sheet name="Buk1" sheetId="6" state="hidden" r:id="rId6"/><sheet name="Buk2" sheetId="7" state="hidden" r:id="rId7"/><sheet name="Buk3" sheetId="8" state="hidden" r:id="rId8"/><sheet name="Buk4" sheetId="9" state="hidden" r:id="rId9"/><sheet name="Buk5" sheetId="10" state="hidden" r:id="rId10"/><sheet name="Buk6" sheetId="11" state="hidden" r:id="rId11"/><sheet name="Buk7" sheetId="12" state="hidden" r:id="rId12"/></sheets><definedNames><definedName name="LKLW">EFEWF!$D$3</definedName><definedName name="SASA">EFEWF!$D$17</definedName><definedName name="SASA1">EFEWF!$D$19</definedName><definedName name="SASA2">EFEWF!$D$21</definedName><definedName name="_xlnm.Auto_Open">EFEWF!$D$1</definedName></definedNames><calcPr calcId="191029"/><extLst><ext uri="{B58B0392-4F1F-4190-BB64-5DF3571DCE5F}" xmlns:xcalcf="http://schemas.microsoft.com/office/spreadsheetml/2018/calcfeatures"><xcalcf:calcFeatures><xcalcf:feature name="microsoft.com:RD"/><xcalcf:feature name="microsoft.com:FV"/></xcalcf:calcFeatures></ext></extLst></workbook>

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: 3F61.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: Invoice.xlsm	Virustotal: Detection: 22%
Source: Invoice.xlsm	ReversingLabs: Detection: 20%

Source: C:\Windows\SysWOW64\rundll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.2932256944

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.2932256944
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.2932256944	Jump to behavior

Source: rundll32.exe, 00000004.00000002.963320714.0000000000950000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Invoice.xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC80F.tmp

Jump to behavior

Source: classification engine

Classification label: mal76.expl.winXLSM@3/6@2/2

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Invoice.xlsm	Initial sample: OLE zip file path = xl/worksheets/sheet4.xml
Source: Invoice.xlsm	Initial sample: OLE zip file path = xl/media/image1.png
Source: Invoice.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: Invoice.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet3.xml.rels
Source: Invoice.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: Invoice.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: Invoice.xlsm	Initial sample: OLE zip file path = xl/calcChain.xml

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: 3F61.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Code function: 0_2_024E6743 rdtsc

0_2_024E6743

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Code function: 0_2_024E6743 rdtsc

0_2_024E6743

HIPS / PFW / Operating System Protection Evasion:

Yara detected Xls With Macro 4.0

Source: Yara match

File source: app.xml, type: SAMPLE

Source: EXCEL.EXE, 00000000.00000002.1221808694.0000000000820000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: EXCEL.EXE, 00000000.00000002.1221808694.0000000000820000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: EXCEL.EXE, 00000000.00000002.1221808694.0000000000820000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.102.59.39	crackedshop.org	Netherlands		202425	INT-NETWORKSC	false
67.207.81.73	ascarya.digital	United States		14061	DIGITALOCEAN-ASNUS	false

Contacted Domains

Name	IP	Active
crackedshop.org	94.102.59.39	true
ascarya.digital	67.207.81.73	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://crackedshop.org/cgi-sys/suspendedpage.cgi	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crackedshop.org/9/q080U0ARYYL/	true	4%, Virustotal, Browse Avira URL Cloud: malware	unknown

AV Detection:

Multi AV Scanner detection for submitted file

Source: Invoice.xlsm	Virustotal: Detection: 22%			Perma Link
Source: Invoice.xlsm	ReversingLabs: Detection: 20%

Antivirus detection for URL or domain

Source: http://crackedshop.org/9/q080U0ARYYL/	Avira URL Cloud: Label: malware
Source: https://ascarya.digital/wp-content/ZH4rirU	Avira URL Cloud: Label: malware
Source: https://ascarya.digital/wp-content/ZH4rirU/	Avira URL Cloud: Label: malware

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\SysWOW64\rundll32.exe

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 67.207.81.73:443

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: ascarya.digital

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 67.207.81.73:443

Networking:

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /9/q080U0ARYYL/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: crackedshop.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: crackedshop.orgConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443

Source: EXCEL.EXE, 00000000.00000003.1023489983.0000000005A45000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.1225541144.0000000005A08000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.1021276243.0000000005A42000.00000004.00000001.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.comse equals www.linkedin.com (Linkedin)
Source: rundll32.exe, 00000004.00000002.963320714.0000000000950000.00000002.00020000.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: EXCEL.EXE, 00000000.00000003.1023489983.0000000005A45000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.1225541144.0000000005A08000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.1021276243.0000000005A42000.00000004.00000001.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: EXCEL.EXE, 00000000.00000003.1023489983.0000000005A45000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.1225541144.0000000005A08000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.1021276243.0000000005A42000.00000004.00000001.sdmp	String found in binary or memory: http://crackedshop.org/cgi-sys/suspendedpage.cgi
Source: EXCEL.EXE, 00000000.00000003.1023489983.0000000005A45000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.1225541144.0000000005A08000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.1021276243.0000000005A42000.00000004.00000001.sdmp	String found in binary or memory: http://crackedshop.org/cgi-sys/suspendedpage.cgi5
Source: rundll32.exe, 00000004.00000002.963320714.0000000000950000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000004.00000002.963320714.0000000000950000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: EXCEL.EXE, 00000000.00000002.1225027533.0000000005257000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.963514761.0000000000B37000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: EXCEL.EXE, 00000000.00000002.1225027533.0000000005257000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.963514761.0000000000B37000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: EXCEL.EXE, 00000000.00000002.1225541144.0000000005A08000.00000004.00000001.sdmp	String found in binary or memory: http://purl.or
Source: EXCEL.EXE, 00000000.00000002.1225495153.00000000058A6000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.open
Source: EXCEL.EXE, 00000000.00000002.1225495153.00000000058A6000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.openformatrg/package/2006/r
Source: EXCEL.EXE, 00000000.00000002.1225027533.0000000005257000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.963514761.0000000000B37000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: EXCEL.EXE, 00000000.00000002.1225027533.0000000005257000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.963514761.0000000000B37000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000004.00000002.963320714.0000000000950000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: EXCEL.EXE, 00000000.00000002.1225027533.0000000005257000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.963514761.0000000000B37000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000004.00000002.963320714.0000000000950000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.963320714.0000000000950000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp	String found in binary or memory: https://ascarya.dig
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp	String found in binary or memory: https://ascarya.digit
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp	String found in binary or memory: https://ascarya.digital
Source: EXCEL.EXE, 00000000.00000002.1225583101.0000000005A7F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.1023508307.0000000005A7F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.1021291549.0000000005A7F000.00000004.00000001.sdmp	String found in binary or memory: https://ascarya.digital/
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp	String found in binary or memory: https://ascarya.digital/w
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp	String found in binary or memory: https://ascarya.digital/wp-c
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp	String found in binary or memory: https://ascarya.digital/wp-con
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp	String found in binary or memory: https://ascarya.digital/wp-conte
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp	String found in binary or memory: https://ascarya.digital/wp-content%https://ascarya.digital/wp-content/ZH&https://ascarya.digital/wp-
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp	String found in binary or memory: https://ascarya.digital/wp-content/ZH4rirU
Source: EXCEL.EXE, 00000000.00000002.1225438699.000000000584A000.00000004.00000001.sdmp	String found in binary or memory: https://ascarya.digital/wp-content/ZH4rirU/

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5EEDDA76.png

Jump to behavior

Source: unknown

DNS traffic detected: queries for: ascarya.digital

Source: global traffic	HTTP traffic detected: GET /9/q080U0ARYYL/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: crackedshop.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: crackedshop.orgConnection: Keep-Alive

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING" FROM YELLOW BAR ABOVE 5 Once you have enabled editing. please click "Enable Content
Source: Screenshot number: 4	Screenshot OCR: protected documents. 3 4 CLICK "ENABLE EDITING" FROM YELLOW BAR ABOVE 5 Once you have enabled edi
Source: Screenshot number: 4	Screenshot OCR: Enable Content" button 6 7 8 9 10 11 12 13 14 15 16 17 18 ^
Source: Screenshot number: 8	Screenshot OCR: ENABLE EDITING" FROM YELLOW BAR ABOVE 5 Once you have enabled editing. please click "Enable Content
Source: Screenshot number: 8	Screenshot OCR: protected documents. 3 4 CLICK "ENABLE EDITING" FROM YELLOW BAR ABOVE 5 Once you have enabled edi
Source: Screenshot number: 8	Screenshot OCR: Enable Content" button 6 7 8 9 10 11 12 13 14 15 16 17 18 ^
Source: Document image extraction number: 0	Screenshot OCR: ENABLE EDITING" FROM YELLOW BAR ABOVE Once you have enabled editing, please click "Enable Content"
Source: Document image extraction number: 0	Screenshot OCR: protected documents. CLICK "ENABLE EDITING" FROM YELLOW BAR ABOVE Once you have enabled editing, p
Source: Document image extraction number: 0	Screenshot OCR: Enable Content" button
Source: Document image extraction number: 1	Screenshot OCR: ENABLE EDITING" FROM YELLOW BAR ABOVE Once you have enabled editing, please click "Enable Content"
Source: Document image extraction number: 1	Screenshot OCR: protected documents. CLICK "ENABLE EDITING" FROM YELLOW BAR ABOVE Once you have enabled editing, p
Source: Document image extraction number: 1	Screenshot OCR: Enable Content" button

Found a hidden Excel 4.0 Macro sheet

Source: Invoice.xlsm	Macro extractor: Sheet name: Buk2
Source: Invoice.xlsm	Macro extractor: Sheet name: Buk5
Source: Invoice.xlsm	Macro extractor: Sheet name: Buk1
Source: Invoice.xlsm	Macro extractor: Sheet name: Buk7
Source: Invoice.xlsm	Macro extractor: Sheet name: EFEWF
Source: Invoice.xlsm	Macro extractor: Sheet name: Buk3
Source: Invoice.xlsm	Macro extractor: Sheet name: Buk4
Source: Invoice.xlsm	Macro extractor: Sheet name: Buk6

Detected potential crypto function

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Code function: 0_2_024E6743	0_2_024E6743
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Code function: 0_2_024E6340	0_2_024E6340
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Code function: 0_2_024E6753	0_2_024E6753
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Code function: 0_2_024E66E8	0_2_024E66E8
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Code function: 0_2_024E66F3	0_2_024E66F3

Excel documents contains an embedded macro which executes code when the document is opened

Source: workbook.xml

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write			Jump to behavior

Document misses a certain OLE stream usually present in this Microsoft Office document type

Source: 3F61.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: Invoice.xlsm	Virustotal: Detection: 22%
Source: Invoice.xlsm	ReversingLabs: Detection: 20%

Source: C:\Windows\SysWOW64\rundll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.2932256944

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.2932256944
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.2932256944	Jump to behavior

Source: rundll32.exe, 00000004.00000002.963320714.0000000000950000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Invoice.xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC80F.tmp

Jump to behavior

Source: classification engine

Classification label: mal76.expl.winXLSM@3/6@2/2

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Invoice.xlsm	Initial sample: OLE zip file path = xl/worksheets/sheet4.xml
Source: Invoice.xlsm	Initial sample: OLE zip file path = xl/media/image1.png
Source: Invoice.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: Invoice.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet3.xml.rels
Source: Invoice.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: Invoice.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: Invoice.xlsm	Initial sample: OLE zip file path = xl/calcChain.xml

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: 3F61.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Code function: 0_2_024E6743 rdtsc

0_2_024E6743

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Code function: 0_2_024E6743 rdtsc

0_2_024E6743

HIPS / PFW / Operating System Protection Evasion:

Yara detected Xls With Macro 4.0

Source: Yara match

File source: app.xml, type: SAMPLE

Source: EXCEL.EXE, 00000000.00000002.1221808694.0000000000820000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: EXCEL.EXE, 00000000.00000002.1221808694.0000000000820000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: EXCEL.EXE, 00000000.00000002.1221808694.0000000000820000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

ID:	532378
Product:	CloudBasic
Start time:	07:00:37
Start date:	02.12.2021
Sample:	Invoice.xlsm
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	41b25400c2b31b922dd090e1251b37b8
SHA1:	b543cbb86a4e50506fb9be2ac455e4e606948d65
SHA256:	734577b2ffb53ddf37d71db650178c94c017f8749a9f9497d2f76abd876418a6
Filetype:	Excel Microsoft Office Open XML Format document with Macro (51004/1) 51.52%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\suspendedpage[1].htm	HTML document, ASCII text, with very long lines	EB2F7C463E3BEFAD0174E89C10451BCD	80C6604E30655B9BA949210122CCFAF9C7D67766	5E6DEB3C5AD4E6AB599A3B1A86FCAF25F721C32ED65E83128E9EC0F7ACB1CA0E
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5EEDDA76.png	PNG image data, 1714 x 241, 8-bit colormap, non-interlaced	4FE798EE522800691796BC9446918C90	1E01CDE49D0B1B5E2F0DFBAD568DC2ECFBEDEAD3	EC0BC049D3D30C29567806EB2D555589CD2E1B6B30E9145F77B73A32EC1C1087
C:\Users\user\AppData\Local\Temp\3F61.tmp	Composite Document File V2 Document, Cannot read section info	72F5C05B7EA8DD6059BF59F50B22DF33	D5AF52E129E15E3A34772806F6C5FBF132E7408E	1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
C:\Users\user\AppData\Local\Temp\~DFF5ECB97273E842F1.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\user\Desktop\~$Invoice.xlsm	data	797869BB881CFBCDAC2064F92B26E46F	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
C:\Users\user\besta.ocx	HTML document, ASCII text, with very long lines	EB2F7C463E3BEFAD0174E89C10451BCD	80C6604E30655B9BA949210122CCFAF9C7D67766	5E6DEB3C5AD4E6AB599A3B1A86FCAF25F721C32ED65E83128E9EC0F7ACB1CA0E

Windows Analysis Report Invoice.xlsm

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs