Windows Analysis Report
PO-008847332.xlam.xlsx

Overview

General Information

Sample name: PO-008847332.xlam.xlsx
Analysis ID: 1540837
MD5: 1ceb0704ce7180d31e51d1b19577f8fd
SHA1: 2b36a1718e467f7c651b0f6988c2c00bb2cf510d
SHA256: 87c11e91ae0ec1d31aba83c2e3f3a70a8bccfc731be2be1fe4aaa91681825acd
Tags: xlam, xlsx, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Creates HTML files with .exe extension (expired dropper behavior)
Document exploit detected (process start blacklist hit)
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Shellcode detected
Sigma detected: Equation Editor Network Connection
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Document misses a certain OLE stream usually present in this Microsoft Office document type
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: PO-008847332.xlam.xlsx Avira: detected
Source: PO-008847332.xlam.xlsx ReversingLabs: Detection: 65%

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 104.21.53.112 Port: 80
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: unknown
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_035706E9 WinExec,ExitProcess, 2_2_035706E9
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0357069E URLDownloadToFileW, 2_2_0357069E
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03570605 LoadLibraryW,URLDownloadToFileW, 2_2_03570605
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0357055A ExitProcess, 2_2_0357055A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03570573 URLDownloadToFileW, 2_2_03570573
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0357061F URLDownloadToFileW, 2_2_0357061F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0357058F URLDownloadToFileW, 2_2_0357058F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03570709 ExitProcess, 2_2_03570709
Source: global traffic DNS query: name: eficienciaeningenieria.com.mx
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.21.53.112:80
Source: global traffic TCP traffic: 104.21.53.112:80 -> 192.168.2.22:49161

Networking

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: xyjhromj.exe.2.dr
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Network traffic Suricata IDS: 2022550 - Severity 1 - ET MALWARE Possible Malicious Macro DL EXE Feb 2016 : 192.168.2.22:49161 -> 104.21.53.112:80
Source: global traffic HTTP traffic detected: GET /kdeplu/ngoct2.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: eficienciaeningenieria.com.mx
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: eficienciaeningenieria.com.mx
  Connection: Keep-Alive
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0357069E URLDownloadToFileW, 2_2_0357069E
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\suspendedpage[1].htm
Source: global traffic DNS traffic detected: DNS query: eficienciaeningenieria.com.mx
Source: EQNEDT32.EXE, 00000002.00000002.467960216.0000000000677000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://eficienciaeningenieria.com.mx/cgi-sys/suspendedpage.cgiB
Source: EQNEDT32.EXE, 00000002.00000002.467960216.0000000000677000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://eficienciaeningenieria.com.mx/cgi-sys/suspendedpage.cgis
Source: EQNEDT32.EXE, 00000002.00000002.467960216.000000000063E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://eficienciaeningenieria.com.mx/kdeplu/ngoct2.exe
Source: EQNEDT32.EXE, 00000002.00000002.468085162.0000000003570000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://eficienciaeningenieria.com.mx/kdeplu/ngoct2.exej

System Summary

Source: sheet1.xml, type: SAMPLE Matched rule: detects AutoLoad documents using LegacyDrawing Author: ditekSHen
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write
Source: PO-008847332.xlam.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: sheet1.xml, type: SAMPLE Matched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document author = ditekSHen, description = detects AutoLoad documents using LegacyDrawing
Source: classification engine Classification label: mal100.expl.winXLSX@3/4@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$PO-008847332.xlam.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR8A35.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: PO-008847332.xlam.xlsx ReversingLabs: Detection: 65%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: version.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: secur32.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winhttp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: webio.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: iphlpapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winnsi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dnsapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: nlaapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rasadhlp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: ntvdm64.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: PO-008847332.xlam.xlsx Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0357004E push dx; retf 2_2_03570054
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03570439 push cs; ret 2_2_0357043A
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3596 Thread sleep time: -240000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_03570710 mov edx, dword ptr fs:[00000030h] 2_2_03570710
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid