Windows Analysis Report
Microsoft_Excel_97-2003_Worksheet.xls

Overview

General Information

Sample Name: Microsoft_Excel_97-2003_Worksheet.xls
Analysis ID: 702680
MD5: 7e04083a71022be0e2c08985cb8a406d
SHA1: a621721090e7edb8db20a8a4e18f1d0538f7f6b9
SHA256: bd2eaf9a11cf7f181239bca96ab37eaf4bb077d6200f5b386fde4cab5e7d9373
Tags: xls
Infos:

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Schedule script from internet via mshta
Multi AV Scanner detection for submitted file
Sigma detected: rundll32 run dll from internet
Sigma detected: Schedule system process
Antivirus detection for URL or domain
Document contains OLE streams with names of living off the land binaries
Document exploit detected (process start blacklist hit)
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Stores large binary data to the registry
Document contains an embedded VBA macro which executes code when the document is opened / closed
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Uses a known web browser user agent for HTTP communication
Installs a global mouse hook
Creates a window with clipboard capturing capabilities
Uses taskkill to terminate processes
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)

Classification