Windows
Analysis Report
Microsoft_Excel_97-2003_Worksheet.xls
Overview
General Information
Detection
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Sigma detected: Schedule script from internet via mshta
Multi AV Scanner detection for submitted file
Sigma detected: rundll32 run dll from internet
Sigma detected: Schedule system process
Antivirus detection for URL or domain
Document contains OLE streams with names of living off the land binaries
Document exploit detected (process start blacklist hit)
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Stores large binary data to the registry
Document contains an embedded VBA macro which executes code when the document is opened / closed
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Uses a known web browser user agent for HTTP communication
Installs a global mouse hook
Creates a window with clipboard capturing capabilities
Uses taskkill to terminate processes
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)