Windows Analysis Report
xls.xls

Overview

General Information

Sample Name: xls.xls
Analysis ID: 736957
MD5: 109d15a7d33e671ded911d97bc4a15ab
SHA1: c6660d40673400505c70af85dfddc735fa50a39f
SHA256: 822d2e533e0537f92fa3ddcbd8cb2a0d7c33ba2ada626e1cae4ecf466ac61e9b
Tags: xls

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Machine Learning detection for sample
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains embedded VBA macros
Potential document exploit detected (unknown TCP traffic)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)

Classification

AV Detection

Source: xls.xls ReversingLabs: Detection: 17%
Source: xls.xls Virustotal: Detection: 39%
Source: xls.xls Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 91.213.50.111:443
Source: global traffic TCP traffic: 91.213.50.111:443 -> 192.168.2.22:49171
Source: global traffic DNS query: name: dooxil.com
Source: unknown DNS traffic detected: queries for: dooxil.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown Network traffic detected: HTTP traffic on port 49172 -> 443

System Summary

Source: xls.xls Stream path '_VBA_PROJECT_CUR/VBA/Foglio1' : found possibly 'ADODB.Stream' functions open, read, write
Source: xls.xls OLE, VBA macro line: riporti = trattasse(scoperte, Shell(riporti))
Source: xls.xls OLE, VBA macro line: scoperte = aspetteremo(Left(Environ(ammiratrice("A7Uc6oP5mAs31p0Ee0c1", 3)), 20) & ammiratrice("S5r1Yu3n11dIIl7lM87", 1) & "32" & ammiratrice("K60.3EHeNN7x56eO", 4))
Source: VBA code instrumentation OLE, VBA macro: Module Foglio1, Function dimostrargli, String environ: scoperte = aspetteremo(Left(Environ(ammiratrice("A7Uc6oP5mAs31p0Ee0c1", 3)), 20) & ammiratrice("S5r1Yu3n11dIIl7lM87", 1) & "32" & ammiratrice("K60.3EHeNN7x56eO", 4)) Name: dimostrargli
Source: xls.xls Stream path '_VBA_PROJECT_CUR/VBA/Foglio1' : found possibly 'XMLHttpRequest' functions response, responsetext, open, send
Source: VBA code instrumentation OLE, VBA macro: Module Foglio1, Function stupidaggine, found possibly 'XMLHttpRequest' functions response, responsetext, open, send Name: stupidaggine
Source: xls.xls OLE indicator, VBA macros: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR622B.tmp
Source: xls.xls OLE indicator, Workbook stream: true
Source: classification engine Classification label: mal68.expl.winXLS@1/0@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX