Analysis Report
samradapps_datepicker_221114.xlam
Overview
General Information
Detection
Score: 56 (range 0 - 100) | Whitelisted: false | Confidence: 100%
Signatures
Document contains an embedded VBA macro which may check the desktop resolution (possible anti-VM)
Document contains an embedded VBA macro which may execute shellcode
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA macro which executes code when the document is opened / closed
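The five signatures above are static heuristics over the macro source: an auto-execution entry point, ADO stream file I/O, a display-metrics API call, memory/thread APIs associated with shellcode loaders, and a string watch-list. They fire on legitimate add-ins as readily as on droppers (a UI add-in has good reasons to query screen metrics and to save settings through a stream), which is why the report pairs a score of 56 with 0% antivirus detections. The scanner below is an added example, not Joe Sandbox's signature code or the add-in's VBA; it assumes the macro text has already been extracted (for instance with oletools' olevba), strips comments first so commented-out API names cannot trigger a rule, and applies an assumed escalation policy: auto-exec plus a write/execute/shell capability goes to manual review, anything else is a note. Both macros in it are constructed for the demo.

```python
import re
from typing import Dict, List

# Heuristic rules approximating the five report signatures. A rule fires when
# any of its patterns matches the comment-stripped macro source.
AUTOEXEC = "executes code when the document is opened / closed"
RULES: Dict[str, List[str]] = {
    AUTOEXEC: [
        r"\bSub\s+(Auto_Open|Auto_Close|Workbook_Open|Workbook_BeforeClose|"
        r"Workbook_Activate|Document_Open|Document_Close)\b",
    ],
    "ADO stream file operations": [
        r"\bADODB\.Stream\b", r"\.SaveToFile\b", r"\.LoadFromFile\b",
    ],
    "checks the desktop resolution (possible anti-VM)": [
        r"\bGetSystemMetrics\b", r"\bGetDeviceCaps\b", r"\bEnumDisplaySettings\w*\b",
    ],
    "may execute shellcode": [
        r"\bVirtualAlloc(Ex)?\b", r"\bRtlMoveMemory\b", r"\bCreateThread\b",
        r"\bWriteProcessMemory\b", r"\bCallWindowProc\w*\b",
    ],
    "suspicious strings": [
        r"CreateObject\s*\(\s*\"(WScript\.Shell|Shell\.Application|MSXML2\.\w+)\"",
        r"\bShell\s*\(", r"\bpowershell\b",
    ],
}
# Rules that, combined with auto-execution, justify pulling the file for manual review
# (assumed triage policy for this example, not the sandbox's scoring).
PAYLOAD_RULES = {"ADO stream file operations", "may execute shellcode", "suspicious strings"}


def strip_vba_comments(src: str) -> str:
    """Drop ' comments (outside string literals) and Rem lines so that
    commented-out text cannot trigger a rule."""
    cleaned = []
    for line in src.splitlines():
        if re.match(r"\s*Rem\b", line, re.IGNORECASE):
            continue
        in_string, cut = False, len(line)
        for i, ch in enumerate(line):
            if ch == '"':
                in_string = not in_string   # a doubled "" inside a literal toggles twice
            elif ch == "'" and not in_string:
                cut = i
                break
        cleaned.append(line[:cut])
    return "\n".join(cleaned)


def scan_vba(src: str) -> Dict[str, List[str]]:
    """Return {rule name: sorted unique matched text} for every rule that fires."""
    code = strip_vba_comments(src)
    hits: Dict[str, List[str]] = {}
    for name, patterns in RULES.items():
        found = {m.group(0) for p in patterns for m in re.finditer(p, code, re.IGNORECASE)}
        if found:
            hits[name] = sorted(found)
    return hits


def needs_manual_review(hits: Dict[str, List[str]]) -> bool:
    """Escalate only when code runs without user action AND can write, execute or shell out."""
    return AUTOEXEC in hits and bool(PAYLOAD_RULES & set(hits))


# Constructed macro text (not the add-in's real code) that trips the same rule
# combination as the report: auto-exec + resolution query + ADO stream write.
SAMPLE_MACRO = r'''
Option Explicit
Private Declare PtrSafe Function GetSystemMetrics Lib "user32" (ByVal nIndex As Long) As Long

Private Sub Workbook_Open()
    SaveSettings "C:\Users\Public\dp.ini", GetSystemMetrics(0) ' SM_CXSCREEN
End Sub

Private Sub SaveSettings(path As String, width As Long)
    Dim stm As Object
    Set stm = CreateObject("ADODB.Stream")
    stm.Open
    stm.WriteText "width=" & width
    stm.SaveToFile path, 2
    stm.Close
End Sub
'''

# Constructed counterpart: user-invoked, and the loader API name appears only in a comment.
BENIGN_MACRO = r'''
Sub ShowPicker()
    ' VirtualAlloc is mentioned here only in a comment
    Dim cx As Long
    cx = GetSystemMetrics(0)
End Sub
'''

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        h = scan_vba(src)
        print(label, "-> manual review" if needs_manual_review(h) else "-> note only")
        for rule, matches in h.items():
            print("   ", rule, matches)
```

The output of a scanner like this is a list of things to read, not a verdict: the constructed sample lands in "manual review" because an open-event handler writes a file, and whether that is a settings file or a dropped payload is decided by reading `SaveSettings`, not by the rule name.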
Classification
- System is w7x64
- EXCEL.EXE (PID: 1980, cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde, MD5: D53B85E21886D2AF9815C377537BCAC3)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Snort rule has matched
System Summary (the detail columns of these signature rows did not survive extraction; only the event types are listed): file opened; OLE VBA macro lines flagged (stream path 'VBA/dp_core'); classification label; file created (2); file read; registry key value queried; window found; window detected; registry key opened; file opened.
Hooking and other Techniques for Hiding and Protection: 16 "Process information set" events.
MITRE ATT&CK matrix, matched techniques only (signature count in parentheses; the unnumbered cells of the extracted table are the empty template):
- Execution: Command and Scripting Interpreter (1)
- Defense Evasion: Masquerading (1)
- Discovery: Security Software Discovery (1), File and Directory Discovery (1), System Information Discovery (1)
- Scripting (41): appears twice in the extracted row with the tactic columns shifted, so its tactic is not recoverable from the page
Source | Detection | Scanner
---|---|---
samradapps_datepicker_221114.xlam | 0% | ReversingLabs
samradapps_datepicker_221114.xlam | 0% | Virustotal
⊘No Antivirus matches
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1430908 |
Start date and time: | 2024-04-24 10:57:14 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 2s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of analysed new started processes analysed: | 3 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | samradapps_datepicker_221114.xlam |
Detection: | MAL |
Classification: | mal56.expl.evad.winXLAM@1/7@0/0 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtSetInformationFile calls found.
⊘No simulations
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 147284 |
Entropy (8bit): | 4.421539330315812 |
Encrypted: | false |
SSDEEP: | 1536:C8XL3FNSc8SetKB96vQVCBumVMOej6mXmYarrJQcd1FaLcmB:CsJNSc83tKBAvQVCgOtmXmLpLmB |
MD5: | 37BAB984A277E953DE1F115C5CF32DCA |
SHA1: | 16413DE72C233BAB57B1C47DB1514465803F9666 |
SHA-256: | EE2BF52F68E9CA60935D90172CD59A5710D8B88A04986F75C70997A34E83D6F7 |
SHA-512: | BFCC5C097A9F59067704C480BD0DE03FB71F4EA64A281F5CC2574B957EC16D18C5C615C762FE64ADB56A781A7D91E2F22A3A6F67E31A62BF676EE2B75A1FEE2E |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 824 |
Entropy (8bit): | 2.7940329720325057 |
Encrypted: | false |
SSDEEP: | 12:Kf2Cl33333333333333GJwv73XJW33333333333333O:K+CdR |
MD5: | 8311B1A70DD383E091F3B6858C562D27 |
SHA1: | 6655A7D90D83515D9CE075A1E876AC9807264891 |
SHA-256: | 394612941273ED5AE00E051BAC56F887331F3072504D7E354FC85F7FE72E200D |
SHA-512: | 1B366316433A05FE4B9F3A09A0EF3E0E02BE3AC1F53407AC0EB7D43ABBC2DFCCA1B7F6CE76DFA41A9582CC29E4AD5FEAFB468D222EE6AE07F896406F86D6A49A |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 344064 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:: |
MD5: | E265B60A4AF7915C7064C2B7AEC8E1D2 |
SHA1: | 5F2F9AB2D2C5B3FA09D05CB71A936FAA64630BB6 |
SHA-256: | 0CC5F11E4D6807ACFFD5F9167D709D2BF1E91700460CDC33161486CE3CCC22D9 |
SHA-512: | 30EECE5519E9B53D40AB66318367E94F3AC669184B6BC6084EF684014224AAB17EF5ED41542F020DE879C4EBD36E5DBC34DCC2F864C168FB4D6217BD94D55A61 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 16384 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:: |
MD5: | CE338FE6899778AACFC28414F2D9498B |
SHA1: | 897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1 |
SHA-256: | 4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE |
SHA-512: | 6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF |
Malicious: | false |
Reputation: | high, very likely benign file |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 512 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:: |
MD5: | BF619EAC0CDF3F68D496EA9344137E8B |
SHA1: | 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5 |
SHA-256: | 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560 |
SHA-512: | DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE |
Malicious: | false |
Reputation: | high, very likely benign file |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 512 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:: |
MD5: | BF619EAC0CDF3F68D496EA9344137E8B |
SHA1: | 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5 |
SHA-256: | 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560 |
SHA-512: | DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE |
Malicious: | false |
Reputation: | high, very likely benign file |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 165 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fV:vBFFGS |
MD5: | 797869BB881CFBCDAC2064F92B26E46F |
SHA1: | 61C1B8FBF505956A77E9A79CE74EF5E281B01F4B |
SHA-256: | D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185 |
SHA-512: | 1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D |
Malicious: | false |
File type: | |
Entropy (8bit): | 7.635864263284178 |
TrID: |
|
File name: | samradapps_datepicker_221114.xlam |
File size: | 135'418 bytes |
MD5: | 9a3a270b12e8549a99df3577010ef12b |
SHA1: | a639b29041bd72091b0df31da8bb4a660b0c2cd2 |
SHA256: | 66bdc42fa9dff673e23701b27b401171559d1b3acf8e0e4f67404464e8848a84 |
SHA512: | b06b73acf270684c9423f319ff4748dfca53d262a16b676e7705638ce5cab11f7f80af0d2ac9362ffeda916e40b5a9a283fe0c6a756c1fa468c1bbb001adf630 |
SSDEEP: | 3072:dFAhbR1mxqrxsFDBUO1goARJ3uA/dEmqXe8AJfKKz:dF41mw+eRJ3n/umqXenfKKz |
TLSH: | A4D30231BC0AF829D51891B9F40504857D049BCB891AFDB736CEB58A0F027EF4D69BE9 |
File Content Preview: | PK..........!.gz#.............[Content_Types].xml ...(......................................................................................................................................................................................................... |
Icon Hash: | e4b37949677fff4b |
Document Type: | OpenXML |
Number of OLE Files: | 1 |
Has Summary Info: | |
Application Name: | |
Encrypted Document: | False |
Contains Word Document Stream: | False |
Contains Workbook/Book Stream: | False |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | False |
Flash Objects Count: | 0 |
Contains VBA Macros: | True |
Author: | |
Last Saved By: | |
Create Time: | 2009-10-23T16:03:25Z |
Last Saved Time: | 2022-11-14T22:55:16Z |
Creating Application: | |
Security: | 0 |
Thumbnail Scaling Desired: | false |
Contains Dirty Links: | false |
Shared Document: | false |
Changed Hyperlinks: | false |
Application Version: | 16.0300 |
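The entropy column in the tables above is the part of the static data that is easiest to misread. Four of the seven dropped files show entropy 0.0 and SSDEEP `3::`, which is what every byte being identical looks like (Excel's zero-filled temporary and lock files); the sample itself shows 7.64 with `Encrypted: False` and a `PK..` preview, because an .xlam is a DEFLATE-compressed ZIP container and high entropy is the normal state of one. The code below is an added example, not part of the report or of the add-in: it computes the same 8-bit Shannon entropy, checks the ZIP magic, and applies assumed triage bands so that a compressed container is not reported as "packed/encrypted". The .xlam stand-in it builds is constructed in memory from a seeded pseudo-random payload.

```python
import io
import math
import random
import zipfile
from collections import Counter
from typing import Tuple


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the quantity behind the report's
    'Entropy (8bit)' field: 0.0 when every byte is identical, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_zip_container(data: bytes) -> bool:
    """OpenXML files (.xlam/.xlsm/.docm) are ZIP archives and start with the
    local-file-header magic PK\\x03\\x04, the 'PK..' of the report's preview."""
    return data[:4] == b"PK\x03\x04"


def classify(data: bytes) -> Tuple[float, str]:
    """Assumed triage bands for this example (not Joe Sandbox's), chosen to read
    the dropped-file and sample tables above without false alarms."""
    h = shannon_entropy(data)
    if h == 0.0:
        return h, "constant bytes (placeholder/lock file): nothing to analyse"
    if h < 3.0:
        return h, "mostly repeated bytes: small text or structured file"
    if h >= 7.2 and is_zip_container(data):
        return h, "DEFLATE-compressed container: high entropy is expected, not evidence of packing"
    if h >= 7.2:
        return h, "compressed, packed or encrypted blob: unpack before judging it"
    return h, "mixed content: ordinary binary or document data"


def build_sample_xlam() -> bytes:
    """Constructed stand-in for an OpenXML add-in: a ZIP with a content-types part
    and a pseudo-random 'vbaProject.bin' (seeded so the bytes are reproducible)."""
    rng = random.Random(7)
    payload = bytes(rng.getrandbits(8) for _ in range(32768))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/vbaProject.bin", payload)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "zero-filled temp file (512 bytes)": b"\x00" * 512,
        "short ini-like text (constructed)": b"[dp]\r\nwidth=1024\r\nheight=768\r\n",
        "constructed .xlam": build_sample_xlam(),
    }
    for name, blob in samples.items():
        h, verdict = classify(blob)
        print(f"{name}: entropy={h:.3f} -> {verdict}")
```

The practical consequence for a report like this one: the entropy of the container says nothing about its VBA; the number that matters is the entropy of the extracted `vbaProject.bin` streams (here `VBA/DatePickerManager` and `VBA/dp_core`), and of anything the macro writes to disk at run time.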
General | |
Stream Path: | VBA/DatePickerManager |
VBA File Name: | DatePickerManager |
Stream Size: | 12111 |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . ' . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . H . . . . . o L . s P ! . * = h . 8 . . + 3 q . . . . . . . . . . . . . . . . . . . . . [ M . D P . . . . . . . . . . . . . . . . . . . . . . . x . . . . . [ M . D P . . . o L . s P ! . . . . . M E . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . S . . . . . S . . . . . S . . . . ` F . . . . . 8 . 8 . . . . . 0 . . . . . 0 . . . . . . > " . . . . . . . . . . L . . . . . P |
Data Raw: | 01 16 01 00 06 00 01 00 00 9c 15 00 00 e4 00 00 00 88 02 00 00 a8 16 00 00 c2 16 00 00 ce 27 00 00 05 00 00 00 01 00 00 00 db f2 07 38 00 00 ff ff 03 00 00 00 80 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 48 00 ff ff 00 00 c4 80 f3 04 6f d8 c7 4c b4 d5 8f 73 af 50 21 00 2a 3d fb fc fa a0 68 10 a7 38 08 00 2b 33 71 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 |