Windows Analysis Report
zJ2b57acTF.xlsx

Overview

General Information

Sample Name: zJ2b57acTF.xlsx
Analysis ID: 659479
MD5: b8a6fb2af1f22213fc469b3fc7d65382
SHA1: bc2d6b81ef00a56dc2fd13fc9a4c90a08d1a5068
SHA256: 6d4e5e60b4f6cbc8a6e14343b59c406fe5c7f948aded16d23a0f6ed6984907c2
Tags: CVE-2022-30190, Follina, xlsx

Detection

Follina CVE-2022-30190
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Yara signature match

Classification

AV Detection

Source: zJ2b57acTF.xlsx Metadefender: Detection: 22%
Source: zJ2b57acTF.xlsx ReversingLabs: Detection: 41%

Exploits

Source: Yara match File source: .rels, type: SAMPLE
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: .rels, type: SAMPLE Matched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-06-20
Source: .rels, type: SAMPLE Matched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR623B.tmp
Source: classification engine Classification label: mal56.expl.winXLSX@1/1@0/0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$zJ2b57acTF.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
No contacted IP infos