Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
zJ2b57acTF.xlsx

Overview

General Information

Sample Name:zJ2b57acTF.xlsx
Analysis ID:659479
MD5:b8a6fb2af1f22213fc469b3fc7d65382
SHA1:bc2d6b81ef00a56dc2fd13fc9a4c90a08d1a5068
SHA256:6d4e5e60b4f6cbc8a6e14343b59c406fe5c7f948aded16d23a0f6ed6984907c2
Tags:CVE-2022-30190Follinaxlsx
Infos:

Detection

Follina CVE-2022-30190
Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Yara signature match

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 1292 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
.relsSUSP_PS1_Msdt_Execution_May22Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitationNasreddine Bencherchali, Christian Burkard
  • 0x1ae4:$a: PCWDiagnostic
  • 0x1ad8:$sa3: ms-msdt
  • 0x1b57:$sb3: IT_BrowseForFile=
.relsEXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitationTobias Michalski, Christian Burkard
  • 0x1ac7:$re1: location.href = "ms-msdt:
.relsJoeSecurity_FollinaYara detected Microsoft Office Exploit Follina / CVE-2022-30190Joe Security
    No Sigma rule has matched
    No Snort rule has matched

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Source: zJ2b57acTF.xlsxMetadefender: Detection: 22%Perma Link
    Source: zJ2b57acTF.xlsxReversingLabs: Detection: 41%

    Exploits

    barindex
    Source: Yara matchFile source: .rels, type: SAMPLE
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
    Source: .rels, type: SAMPLEMatched rule: SUSP_PS1_Msdt_Execution_May22 date = 2022-05-31, author = Nasreddine Bencherchali, Christian Burkard, description = Detects suspicious calls of msdt.exe as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-06-20
    Source: .rels, type: SAMPLEMatched rule: EXPL_Follina_CVE_2022_30190_Msdt_MSProtocolURI_May22 date = 2022-05-30, author = Tobias Michalski, Christian Burkard, description = Detects the malicious usage of the ms-msdt URI as seen in CVE-2022-30190 / Follina exploitation, score = , reference = https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, modified = 2022-05-31, hash = 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: zJ2b57acTF.xlsxMetadefender: Detection: 22%
    Source: zJ2b57acTF.xlsxReversingLabs: Detection: 41%
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR623B.tmpJump to behavior
    Source: classification engineClassification label: mal56.expl.winXLSX@1/1@0/0
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$zJ2b57acTF.xlsxJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
    Masquerading
    OS Credential Dumping1
    File and Directory Discovery
    Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS Memory1
    System Information Discovery
    Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand
    SourceDetectionScannerLabelLink
    zJ2b57acTF.xlsx23%MetadefenderBrowse
    zJ2b57acTF.xlsx41%ReversingLabsScript-JS.Exploit.CVE-2022-30190
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    No contacted domains info
    No contacted IP infos
    Joe Sandbox Version:35.0.0 Citrine
    Analysis ID:659479
    Start date and time: 08/07/202208:34:092022-07-08 08:34:09 +02:00
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 3m 53s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:zJ2b57acTF.xlsx
    Cookbook file name:defaultwindowsofficecookbook.jbs
    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
    Number of analysed new started processes analysed:2
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal56.expl.winXLSX@1/1@0/0
    EGA Information:Failed
    HDC Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .xlsx
    • Adjust boot time
    • Enable AMSI
    • Found Word or Excel or PowerPoint or XPS Viewer
    • Attach to Office via COM
    • Scroll down
    • Close Viewer
    • Exclude process from analysis (whitelisted): dllhost.exe
    • VT rate limit hit for: zJ2b57acTF.xlsx
    No simulations
    No context
    No context
    No context
    No context
    No context
    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    File Type:data
    Category:dropped
    Size (bytes):165
    Entropy (8bit):1.4377382811115937
    Encrypted:false
    SSDEEP:3:vZ/FFDJw2fV:vBFFGS
    MD5:797869BB881CFBCDAC2064F92B26E46F
    SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
    SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
    SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
    Malicious:true
    Reputation:high, very likely benign file
    Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    File type:Microsoft OOXML
    Entropy (8bit):7.2242451103796474
    TrID:
    • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
    • ZIP compressed archive (8000/1) 16.67%
    File name:zJ2b57acTF.xlsx
    File size:13955
    MD5:b8a6fb2af1f22213fc469b3fc7d65382
    SHA1:bc2d6b81ef00a56dc2fd13fc9a4c90a08d1a5068
    SHA256:6d4e5e60b4f6cbc8a6e14343b59c406fe5c7f948aded16d23a0f6ed6984907c2
    SHA512:3830c5a98c28dae095bd2f44bfa29e27a856f92d3fb5d71bc2170f9d2995d9eb011cea50f84c6487e63f574ae872dd49d6ef0d8b13200c08029b5604393d4c04
    SSDEEP:192:44wboitZCnzIb3UuwVemtGa4cV2s7SlUcwNClk0UNaO8Ibwiu4W8+j4sjt/siAe:44p3zI38jV2s7SluQoPKGW8q4sjFsiAe
    TLSH:39528E1AC127A03DF273807AC20929E6DD9D22079135A40FB0A0B6CD68D2BDB579F75F
    File Content Preview:PK........e..T..7HL...5......._rels/.rels.._k.0.........}..6...n.....Z....."..Zd.H7K..w.......OC...............'.h...^...8..qE..F../.E.NK...|......wx.V"..KSGF..s^"..BDUB%c.kp.3...H.P.Z..,@...~..%...0...y..}.F..6a...(8.jV..5G.X 8..W.z?..Hx....k.nh9.Y....X.
    Icon Hash:e4e2aa8aa4b4bcb4
    No network behavior found

    Click to jump to process

    Click to jump to process

    Target ID:0
    Start time:08:35:15
    Start date:08/07/2022
    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    Wow64 process (32bit):false
    Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    Imagebase:0x13fbc0000
    File size:28253536 bytes
    MD5 hash:D53B85E21886D2AF9815C377537BCAC3
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    No disassembly