Windows Analysis Report
1_13904442253.xla.xlsx

Overview

General Information

Sample name:	1_13904442253.xla.xlsx
Analysis ID:	1523148
MD5:	6054b5d65c7124cb7a2c43de68776e32
SHA1:	8c386a9bec4fd0a2638e98a3c1a838133456e773
SHA256:	72b0b09f6114190a5cc8e628a2bc581081d83489b02ad2e7c7e5cf6fbce7d2b2
Tags:	xlaxlsxuser-abuse_ch
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document contains VBA stomped code (only p-code) potentially bypassing AV detection

Document contains an embedded VBA with many string operations indicating source code obfuscation

Document contains embedded VBA macros

Document embeds suspicious OLE2 link

Classification

Signatures

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: 1_13904442253.xla.xls.0.dr	String found in binary or memory: http://sakhteman.wordpress.co
Source: 96730000.0.dr	String found in binary or memory: http://sakhteman.wordpress.com
Source: 1_13904442253.xla.xlsx	String found in binary or memory: http://sakhteman.wordpress.comb
Source: 96730000.0.dr	String found in binary or memory: http://sakhteman.wordpress.cxom

Document contains embedded VBA macros

Source: 1_13904442253.xla.xlsx	OLE indicator, VBA macros: true
Source: 1_13904442253.xla.xls.0.dr	OLE indicator, VBA macros: true
Source: 96730000.0.dr	OLE indicator, VBA macros: true

Document embeds suspicious OLE2 link

Source: 1_13904442253.xla.xlsx

Stream path '_VBA_PROJECT_CUR/VBA/__SRP_0' : http://sakhteman.wordpress.comhError! for help visit http://sakhteman.wordpress.comb

Source: classification engine

Classification label: mal48.evad.winXLSX@1/8@0/0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$1_13904442253.xla.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR7C9E.tmp

Jump to behavior

Source: 1_13904442253.xla.xlsx	OLE indicator, Workbook stream: true
Source: 1_13904442253.xla.xls.0.dr	OLE indicator, Workbook stream: true
Source: 96730000.0.dr	OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation

Document contains an embedded VBA with many string operations indicating source code obfuscation

Source: 1_13904442253.xla.xlsx	Stream path '_VBA_PROJECT_CUR/VBA/Module1' : High number of string operations
Source: 1_13904442253.xla.xlsx	Stream path '_VBA_PROJECT_CUR/VBA/Module2' : High number of string operations
Source: VBA code instrumentation	OLE, VBA macro, High number of string operations: Module Module1	Name: Module1
Source: VBA code instrumentation	OLE, VBA macro, High number of string operations: Module Module2	Name: Module2
Source: 1_13904442253.xla.xls.0.dr	Stream path '_VBA_PROJECT_CUR/VBA/Module1' : High number of string operations
Source: 1_13904442253.xla.xls.0.dr	Stream path '_VBA_PROJECT_CUR/VBA/Module2' : High number of string operations
Source: 96730000.0.dr	Stream path '_VBA_PROJECT_CUR/VBA/Module1' : High number of string operations
Source: 96730000.0.dr	Stream path '_VBA_PROJECT_CUR/VBA/Module2' : High number of string operations

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Document contains VBA stomped code (only p-code) potentially bypassing AV detection

Source: 1_13904442253.xla.xls.0.dr

OLE indicator, VBA stomping: true

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

ID:	1523148
Product:	CloudBasic
Start time:	07:39:57
Start date:	01.10.2024
Sample:	1_13904442253.xla.xlsx
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	6054b5d65c7124cb7a2c43de68776e32
SHA1:	8c386a9bec4fd0a2638e98a3c1a838133456e773
SHA256:	72b0b09f6114190a5cc8e628a2bc581081d83489b02ad2e7c7e5cf6fbce7d2b2
Filetype:	Microsoft Excel sheet (30009/1) 47.99%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\~DF4E6106C13B7F04D6.TMP	data	01492E12E4B635D1FA0F6D8C076F74CC	DD11B84874C8D36A787B97EECFE8A4D105190D1D	54EEBDACDE08789D995A9E4EE656E064E0E8D05A383D26B1B8708295058DAF2C
C:\Users\user\AppData\Local\Temp\~DFAB23D18ACD7A39C8.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\user\AppData\Local\Temp\~DFC6228DFBF7598270.TMP	data	FCD6BCB56C1689FCEF28B57C22475BAD	1ADC95BEBE9EEA8C112D40CD04AB7A8D75C4F961	DE2F256064A0AF797747C2B97505DC0B9F3DF0DE4F489EAC731C23AE9CA9CC31
C:\Users\user\Desktop\1_13904442253.xla.xls	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1252, Author: a.asghari, Last Saved By: ali, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Sep 14 13:30:26 2004, Last Saved Time/Date: Tue Sep 9 18:31:55 2008, Security: 0	032398D809582FE0884563B2F54B475A	78E3DEA1C4639928CB2BE745296C72C69603F108	49CBCF538A865E3428D0A94C898764417CBB04EDCC34BA59D500AF1ACA922B6D
C:\Users\user\Desktop\5EEB3888.tmp (copy)	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1252, Author: a.asghari, Last Saved By: ali, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Sep 14 13:30:26 2004, Last Saved Time/Date: Tue Sep 9 18:31:55 2008, Security: 0	032398D809582FE0884563B2F54B475A	78E3DEA1C4639928CB2BE745296C72C69603F108	49CBCF538A865E3428D0A94C898764417CBB04EDCC34BA59D500AF1ACA922B6D
C:\Users\user\Desktop\96730000	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: a.asghari, Last Saved By: user, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Sep 14 13:30:26 2004, Last Saved Time/Date: Tue Oct 1 06:41:51 2024, Security: 0	CD83F5FA8B3EE27745E55F6C0515897B	9840E5EB4E44B2F5A28397B2977C2BBDB5E4FB6D	C7BF2B2D9ACF02FD1DD7339D35068E465549BD8C1F26F8C0FF1EE07BEECE0D27
C:\Users\user\Desktop\96730000:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\Desktop\~$1_13904442253.xla.xlsx	data	797869BB881CFBCDAC2064F92B26E46F	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185

Windows Analysis Report
1_13904442253.xla.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

HIPS / PFW / Operating System Protection Evasion

Screenshots

Behavior Graph

Network Map

Windows Analysis Report 1_13904442253.xla.xlsx

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

HIPS / PFW / Operating System Protection Evasion

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
1_13904442253.xla.xlsx