Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

MissingInvoices.xls

CDFV2 Microsoft Excel

initial sample

Details

Filetype:	CDFV2 Microsoft Excel
Entropy:	3.604322627505621
Filename:	MissingInvoices.xls
Filesize:	13824
MD5:	9756ba64da784ff1e1fa8844c89d72c0
SHA1:	d5a0e6dd911e37c9f5c0eeca310e9850fb8f1e0c
SHA256:	6ea5375726cf3ecf59dddf9e3b2a83384158adb17fb9550c67af8e2bddb8330d
SHA512:	ef128a6a363c25d2aff8a8fb7971cd9897c03172e0d44cb3467c64b80344744c88347fdb6e1398bc951af97e4b92520848c37717d11cf08de007d810879d3e74
SSDEEP:	192:rlSUb43AgdLSUXwnNsSqJOJFHSpw+6z4sAMlAFqSUIBF9j:RSw0kJF3PSNBH
Preview:	........................>......................................................................................................................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
Document misses a certain OLE stream usually present in this Microsoft Office document type	System Summary
Document has a 'vbamacros' value indicative of goodware	System Summary

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

data

dropped

Details

File:	C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Category:	dropped
Dump:	57C8EDB95DF3F0AD4EE2DC2B8CFD4157.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Type:	data
Entropy:	3.445929325402039
Encrypted:	false
Size:	338
Whitelisted:	false

C:\Users\user\AppData\Local\Microsoft\Office\Features\1-7FeatureCache.txt (copy)

data

dropped

C:\Users\user\AppData\Local\Temp\BB9395ED.tmp

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\BB9395ED.tmp
Category:	dropped
Dump:	BB9395ED.tmp.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Type:	data
Entropy:	2.7137153092998956
Encrypted:	false
Size:	860
Whitelisted:	false

C:\Users\user\AppData\Local\Temp\~DFCC0187D67FCC573A.TMP

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\~DFCC0187D67FCC573A.TMP
Category:	dropped
Dump:	~DFCC0187D67FCC573A.TMP.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Type:	data
Entropy:	2.055870471456177
Encrypted:	false
Size:	24576
Whitelisted:	false

C:\Users\user\Desktop\MissingInvoices.xls

CDFV2 Microsoft Excel

dropped

Details

File:	C:\Users\user\Desktop\MissingInvoices.xls
Category:	dropped
Dump:	MissingInvoices.xls.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Type:	CDFV2 Microsoft Excel
Entropy:	3.6097549185006668
Encrypted:	false
Size:	13824
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Document misses a certain OLE stream usually present in this Microsoft Office document type	System Summary
Spawns processes	System Summary	Process Injection
Document has a 'vbamacros' value indicative of goodware	System Summary

Domains

Name

Malicious

s-part-0017.t-0009.fb-t-msedge.net

13.107.253.45

Details

Name:	s-part-0017.t-0009.fb-t-msedge.net
IP:	13.107.253.45
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Excel Network Connections	System Summary
Sigma detected: Suspicious Office Outbound Connections	System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

52.113.194.132

unknown

United States

52.109.68.129

unknown

United States

93.184.221.240

unknown

European Union

13.89.179.13

unknown

United States

52.109.28.46

unknown

United States

13.107.253.45

s-part-0017.t-0009.fb-t-msedge.net

United States

Details

IP:	13.107.253.45
TargetID:	0
Current Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Country:	United States
Countrycode:	USA
ASN number:	8068
ASN name:	MICROSOFT-CORP-MSN-AS-BLOCKUS
Private:	false
Domain:	s-part-0017.t-0009.fb-t-msedge.net

Signature Hits	Behavior Group	Mitre Attack
Potential document exploit detected (performs HTTP gets)	Software Vulnerabilities	Exploitation for Client Execution
Potential document exploit detected (unknown TCP traffic)	Software Vulnerabilities	Exploitation for Client Execution
Sigma detected: Excel Network Connections	System Summary
Sigma detected: Suspicious Office Outbound Connections	System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking

184.28.90.27

unknown

United States

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
MissingInvoices.xls

Files

Domains

IPs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportMissingInvoices.xls

Files

Domains

IPs

IOC Report
MissingInvoices.xls