Windows Analysis Report
LHER000698175.xls

Overview

General Information

Sample name: LHER000698175.xls
Analysis ID: 1446721
MD5: 4816c91c7315f48b5fbb776d90316a0f
SHA1: 1e743a1cfe0d2ec9234f90551274759d59ded6bf
SHA256: bff53c74bf4fb85ebe5ad269a1c8ecf2e0f03b026faa29c34683d21f13c1011e
Tags: xls

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Excel sheet contains many unusual embedded objects
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
IP address seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Uses a known web browser user agent for HTTP communication

Classification

AV Detection

Source: LHER000698175.xls ReversingLabs: Detection: 15%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: global traffic DNS query: name: qr-in.com
Source: global traffic TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:80
Source: global traffic TCP traffic: 192.168.2.22:49164 -> 188.114.96.3:80
Source: global traffic TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49163
Source: global traffic TCP traffic: 188.114.96.3:80 -> 192.168.2.22:49164
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: global traffic HTTP traffic detected: GET /JeYCrvM HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: qr-in.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /JeYCrvM HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: qr-in.com
  Connection: Keep-Alive
  Cookie: PHPSESSID=0c77kn3a08eub67r90e059mkpe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CBFB6FE9.emf
Source: global traffic DNS traffic detected: DNS query: qr-in.com
Source: LHER000698175.xls, 65130000.0.dr String found in binary or memory: http://qr-in.com/JeYCrvM
Source: LHER000698175.xls, D18F1661.emf.0.dr, ~DFA4A9D609ACFEE7BB.TMP.0.dr, ~DF4899799A00A7B9A1.TMP.0.dr, 65130000.0.dr, 781C84D6.png.0.dr String found in binary or memory: http://www.day.com/dam/1.0

System Summary

Source: LHER000698175.xls OLE: Microsoft Excel 2007+
Source: ~DF4899799A00A7B9A1.TMP.0.dr OLE: Microsoft Excel 2007+
Source: 65130000.0.dr OLE: Microsoft Excel 2007+
Source: LHER000698175.xls OLE indicator, VBA macros: true
Source: ~DF4899799A00A7B9A1.TMP.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: classification engine Classification label: mal52.winXLS@1/10@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\65130000
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR7445.tmp
Source: LHER000698175.xls OLE indicator, Workbook stream: true
Source: 65130000.0.dr OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: LHER000698175.xls ReversingLabs: Detection: 15%
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: ~DF4899799A00A7B9A1.TMP.0.dr Initial sample: OLE indicators vbamacros = False
Source: LHER000698175.xls Initial sample: OLE indicators encrypted = True
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: LHER000698175.xls Stream path 'MBD000E5130/Package' entropy: 7.95029125714 (max. 8.0)
Source: LHER000698175.xls Stream path 'Workbook' entropy: 7.990006136 (max. 8.0)
Source: ~DF4899799A00A7B9A1.TMP.0.dr Stream path 'Package' entropy: 7.94164766249 (max. 8.0)
Source: 65130000.0.dr Stream path 'MBD000E5130/Package' entropy: 7.94164766249 (max. 8.0)
Source: 65130000.0.dr Stream path 'Workbook' entropy: 7.99694987933 (max. 8.0)