Analysis Report
1_13904442253.xla.xlsx
Overview
General Information
Detection
Score: 48 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
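Two of the static findings above can be reproduced outside the sandbox: the VBA stomping verdict (a module stream whose compiled p-code is kept while the compressed source behind it is removed, which is what "only p-code" means) and the extension mismatch of a file named `.xlsx` whose Document Type is OLE (the "Masquerading" cell in the ATT&CK matrix further down). The following is an added example and not Joe Sandbox's detection logic or code from the sample: a standard-library decoder for the MS-OVBA 2.4.1 compressed container, a literal-only encoder used only to build fixtures, a stomping heuristic, and a magic-byte check. Every module stream, p-code blob and source text here is constructed; `source_offset` stands in for the MODULEOFFSET field of the `dir` stream, which the example does not parse.

```python
"""Static checks for VBA stomping and extension/container mismatch.
Added example, not Joe Sandbox code; standard library only. All module
streams and p-code bytes are constructed fixtures, not bytes of the sample."""
import re


def decompress(data: bytes) -> bytes:
    """Decode an MS-OVBA CompressedContainer: 0x01 signature, then chunks."""
    if not data or data[0] != 0x01:
        raise ValueError("missing CompressedContainer signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos < len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        pos += 2
        chunk_size = (header & 0x0FFF) + 3          # includes the 2-byte header
        chunk_end = pos + chunk_size - 2
        chunk_start = len(out)
        if not header & 0x8000:                     # raw chunk: 4096 bytes verbatim
            out += data[pos:pos + 4096]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = data[pos]
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:          # LiteralToken: one byte as-is
                    out.append(data[pos])
                    pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], "little")
                pos += 2
                # CopyToken: offset/length bit split grows with the amount of
                # this chunk already produced (minimum 4 offset bits).
                produced = len(out) - chunk_start
                bit_count = max(4, (produced - 1).bit_length())
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):             # byte-wise copy, overlap allowed
                    out.append(out[-offset])
    return bytes(out)


def compress_literals(src: bytes) -> bytes:
    """Literal-token-only encoder (valid per spec, used here for fixtures;
    Office emits real LZ77 copy tokens, which decompress() also handles)."""
    out = bytearray(b"\x01")
    step = 3640                                     # 3640 literals + 455 flag bytes fit one chunk
    for i in range(0, len(src), step):
        piece = src[i:i + step]
        body = bytearray()
        for j in range(0, len(piece), 8):
            body.append(0x00)                       # flag byte: eight literals follow
            body += piece[j:j + 8]
        header = 0xB000 | (len(body) + 2 - 3)       # compressed flag + signature 0b011
        out += header.to_bytes(2, "little") + body
    return bytes(out)


PROCEDURE_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+|Friend\s+)?(?:Sub|Function|Property)\s+\w", re.I)


def build_module_stream(pcode: bytes, source: bytes) -> bytes:
    """Module stream = PerformanceCache (p-code) || CompressedSourceCode."""
    return pcode + compress_literals(source)


def analyze_module_stream(stream: bytes, source_offset: int, codepage: str = "cp1252") -> dict:
    """source_offset stands in for MODULEOFFSET from the 'dir' stream (assumed,
    not parsed here). Flags a module whose cached p-code has no source behind it."""
    pcode = stream[:source_offset]
    tail = stream[source_offset:]
    source = decompress(tail).decode(codepage, errors="replace") if tail else ""
    lines = [l for l in source.splitlines() if l.strip() and not l.startswith("Attribute VB_")]
    has_procedures = any(PROCEDURE_RE.match(l) for l in lines)
    return {
        "pcode_bytes": len(pcode),
        "source_lines": len(lines),
        "has_procedures": has_procedures,
        "stomped": len(pcode) > 0 and not has_procedures,   # "only p-code"
    }


OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
LEGACY_EXTS = {".xls", ".xla", ".xlt", ".doc", ".dot", ".ppt", ".pot"}
OOXML_EXTS = {".xlsx", ".xlsm", ".xlam", ".docx", ".docm", ".pptx", ".pptm"}


def container_mismatch(filename: str, head: bytes) -> bool:
    """True when the extension promises one container and the magic bytes show
    the other; Excel sniffs content, so such a file still opens as a workbook."""
    ext = "." + filename.lower().rsplit(".", 1)[-1]
    if head.startswith(OLE2_MAGIC):
        return ext in OOXML_EXTS
    if head.startswith(ZIP_MAGIC):
        return ext in LEGACY_EXTS
    return False
```

`analyze_module_stream(build_module_stream(pcode, b'Attribute VB_Name = "Module1"\r\n'), len(pcode))` returns `stomped: True` for any non-empty `pcode`, and passing a stream with no compressed source at all gives the same verdict. The heuristic is a triage signal, not proof: a module that legitimately contains only declarations also fires, and the authoritative check is to disassemble the p-code and compare it with the decompressed source. For the sample above, `container_mismatch("1_13904442253.xla.xlsx", header)` is true because the header is OLE2 while the name ends in `.xlsx`.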
Classification
- System is w7x64
- EXCEL.EXE (PID: 3344, cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, MD5: D53B85E21886D2AF9815C377537BCAC3)
- cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched
Signature details by source (the per-hit paths, strings and registry keys were not preserved in this copy of the report; only the indicator types and stream names survive):

(group heading not preserved)
- File opened (2), File created (2), File read (1), Key opened (1): behaviour events attributed to EXCEL.EXE
- String found in binary or memory: 4 hits
- OLE indicator, VBA macros: 3 hits
- Stream path '_VBA_PROJECT_CUR/VBA/__SRP_0'
- Classification label
- OLE indicator, Workbook stream: 3 hits

Data Obfuscation
- Stream path '_VBA_PROJECT_CUR/VBA/Module1' and '_VBA_PROJECT_CUR/VBA/Module2' (each listed three times, once per matching signature)
- OLE, VBA macro, High number of string operations: Name: Module1
- OLE, VBA macro, High number of string operations: Name: Module2

(group heading not preserved)
- Process information set: 8 hits

HIPS / PFW / Operating System Protection Evasion
- OLE indicator, VBA stomping
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | 11 Scripting | Valid Accounts | Windows Management Instrumentation | 11 Scripting | Path Interception | 1 Masquerading | OS Credential Dumping | 1 File and Directory Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Obfuscated Files or Information | Boot or Logon Initialization Scripts | 1 Obfuscated Files or Information | LSASS Memory | 1 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Antivirus and reputation

Source | Detection | Scanner | Label
---|---|---|---
(source not preserved) | 0% | Virustotal |
(source not preserved) | 0% | ReversingLabs |

No Antivirus matches (three further scan tables are empty).

Source | Detection | Scanner | Label
---|---|---|---
(source not preserved) | 0% | Virustotal |

No contacted domains info.

Name | Source | Malicious | Antivirus Detection | Reputation
---|---|---|---|---
(name not preserved) | | false | | unknown
(name not preserved) | | false | | unknown
(name not preserved) | | false | | unknown
(name not preserved) | | false | | unknown

No contacted IP infos.
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1523148 |
Start date and time: | 2024-10-01 07:39:57 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 45s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 4 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 1_13904442253.xla.xlsx |
Detection: | MAL |
Classification: | mal48.evad.winXLSX@1/8@0/0 |
EGA Information: | Failed |
HCA Information: |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
- Report size getting too big, too many NtQueryValueKey calls found.
No simulations
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 16384 |
Entropy (8bit): | 1.1296879193468892 |
Encrypted: | false |
SSDEEP: | 96:1nU43AgdLSUX2dINN7RMx7tJgiHQc/0c/Wc/:1nU43AgdLSUXbQ5/1/r/ |
MD5: | 01492E12E4B635D1FA0F6D8C076F74CC |
SHA1: | DD11B84874C8D36A787B97EECFE8A4D105190D1D |
SHA-256: | 54EEBDACDE08789D995A9E4EE656E064E0E8D05A383D26B1B8708295058DAF2C |
SHA-512: | 251D787D50F7D8273D52D18DA5E77A22F7BD325B52EF42B709929246501A034FE709FA1D0ED73EE883D59A151886DA60E7C98D2CC11895028BFAB50BF1E6FCFB |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 512 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:: |
MD5: | BF619EAC0CDF3F68D496EA9344137E8B |
SHA1: | 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5 |
SHA-256: | 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560 |
SHA-512: | DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:: |
MD5: | FCD6BCB56C1689FCEF28B57C22475BAD |
SHA1: | 1ADC95BEBE9EEA8C112D40CD04AB7A8D75C4F961 |
SHA-256: | DE2F256064A0AF797747C2B97505DC0B9F3DF0DE4F489EAC731C23AE9CA9CC31 |
SHA-512: | 73E4153936DAB198397B74EE9EFC26093DDA721EAAB2F8D92786891153B45B04265A161B169C988EDB0DB2C53124607B6EAAA816559C5CE54F3DBC9FA6A7A4B2 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 71168 |
Entropy (8bit): | 4.079784123714033 |
Encrypted: | false |
SSDEEP: | 384:EbQ5tjJtLfm2wm1nLsc9M3Qo7Iud+a9L0Dt4gE1gbdXz8xa+J7eptbMtMYuYqEAH:Estjx1sc8a21gRD80+JvWPRyZ3ANdJ |
MD5: | 032398D809582FE0884563B2F54B475A |
SHA1: | 78E3DEA1C4639928CB2BE745296C72C69603F108 |
SHA-256: | 49CBCF538A865E3428D0A94C898764417CBB04EDCC34BA59D500AF1ACA922B6D |
SHA-512: | 64E6D9D92EC1AC9F0E33A970D6DD5043062C6729FD1974FBBEBED684387A769EBE63611AB486544CC7B2758CD468FEF6415FBB4AE21BAD887338BF1012AEBFB1 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 71168 |
Entropy (8bit): | 4.079784123714033 |
Encrypted: | false |
SSDEEP: | 384:EbQ5tjJtLfm2wm1nLsc9M3Qo7Iud+a9L0Dt4gE1gbdXz8xa+J7eptbMtMYuYqEAH:Estjx1sc8a21gRD80+JvWPRyZ3ANdJ |
MD5: | 032398D809582FE0884563B2F54B475A |
SHA1: | 78E3DEA1C4639928CB2BE745296C72C69603F108 |
SHA-256: | 49CBCF538A865E3428D0A94C898764417CBB04EDCC34BA59D500AF1ACA922B6D |
SHA-512: | 64E6D9D92EC1AC9F0E33A970D6DD5043062C6729FD1974FBBEBED684387A769EBE63611AB486544CC7B2758CD468FEF6415FBB4AE21BAD887338BF1012AEBFB1 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 83968 |
Entropy (8bit): | 4.564453149253163 |
Encrypted: | false |
SSDEEP: | 1536:unxEtjPOtioVjDGUU1qfDlaGGx+cL2QnzVCGeYaYLXIlaw+78SUlKqCDUFy:unxEtjPOtioVjDGUU1qfDlaGGx+cL2Qn |
MD5: | CD83F5FA8B3EE27745E55F6C0515897B |
SHA1: | 9840E5EB4E44B2F5A28397B2977C2BBDB5E4FB6D |
SHA-256: | C7BF2B2D9ACF02FD1DD7339D35068E465549BD8C1F26F8C0FF1EE07BEECE0D27 |
SHA-512: | DC024C1338DF9C86B2D7494015CB6DE7FBF23190B3511B8CB29025315923E6BE60F5BB155D031EC2B5017A970BE0C2F507258E566084AC2551392F8195043771 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | modified |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 165 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fV:vBFFGS |
MD5: | 797869BB881CFBCDAC2064F92B26E46F |
SHA1: | 61C1B8FBF505956A77E9A79CE74EF5E281B01F4B |
SHA-256: | D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185 |
SHA-512: | 1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D |
Malicious: | true |
Preview: |
File type: | |
Entropy (8bit): | 4.8296063912625975 |
TrID: |
|
File name: | 1_13904442253.xla.xlsx |
File size: | 68'096 bytes |
MD5: | 6054b5d65c7124cb7a2c43de68776e32 |
SHA1: | 8c386a9bec4fd0a2638e98a3c1a838133456e773 |
SHA256: | 72b0b09f6114190a5cc8e628a2bc581081d83489b02ad2e7c7e5cf6fbce7d2b2 |
SHA512: | cc61296d6715244cb6de109163eed43cbd2402b472fb6e9a8d3463a9d0f2cf0050d4c51080895e04964c57c98090d2e13f14eeb0788cf065d79e264b9e504f28 |
SSDEEP: | 768:IstjD1b+scl1ENa6A80+b/tpvOGbXbJyrPK3ANY:p1bpclK3/bvxbXw7MAN |
TLSH: | 046384027245C63BE76A1D330ECBEBFA27B67C85DE6452C77144BB2E7EB66108522740 |
File Content Preview: | ........................>...................................................................................................................................................................................................................................... |
Icon Hash: | 2562ab89a7b7bfbf |
Document Type: | OLE |
Number of OLE Files: | 1 |
Has Summary Info: | |
Application Name: | Microsoft Excel |
Encrypted Document: | False |
Contains Word Document Stream: | False |
Contains Workbook/Book Stream: | True |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | False |
Flash Objects Count: | 0 |
Contains VBA Macros: | True |
Code Page: | 1252 |
Author: | |
Last Saved By: | |
Create Time: | 2004-09-14 12:30:26 |
Last Saved Time: | 2008-09-09 17:31:55 |
Creating Application: | |
Security: | 0 |
Document Code Page: | 1252 |
Thumbnail Scaling Desired: | False |
Company: | |
Contains Dirty Links: | False |
Shared Document: | False |
Changed Hyperlinks: | False |
Application Version: | 727464 |
General
Stream Path: | _VBA_PROJECT_CUR/VBA/Module1 |
VBA File Name: | Module1.bas |
Stream Size: | 18705 |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . . . . C " B . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . 6 . . . . . . < . . . . . < . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . + |
Data Raw: | 01 16 01 00 03 f0 00 00 00 dc 1a 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 0a 1b 00 00 02 3d 00 00 04 00 00 00 01 00 00 00 2e 43 22 42 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 04 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |