Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

1_13904442253.xla.xlsx

Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1252, Author: a.asghari, Last Saved By: ali, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Sep 14 13:30:26 2004, Last Saved Time/Date: Tue Sep 9 18:31:55 2008, Security: 0

initial sample

Details

Filetype:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1252, Author: a.asghari, Last Saved By: ali, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Sep 14 13:30:26 2004, Last Saved Time/Date: Tue Sep 9 18:31:55 2008, Security: 0
Entropy:	4.8296063912625975
Filename:	1_13904442253.xla.xlsx
Filesize:	68096
MD5:	6054b5d65c7124cb7a2c43de68776e32
SHA1:	8c386a9bec4fd0a2638e98a3c1a838133456e773
SHA256:	72b0b09f6114190a5cc8e628a2bc581081d83489b02ad2e7c7e5cf6fbce7d2b2
SHA512:	cc61296d6715244cb6de109163eed43cbd2402b472fb6e9a8d3463a9d0f2cf0050d4c51080895e04964c57c98090d2e13f14eeb0788cf065d79e264b9e504f28
SSDEEP:	768:IstjD1b+scl1ENa6A80+b/tpvOGbXbJyrPK3ANY:p1bpclK3/bvxbXw7MAN
Preview:	........................>......................................................................................................................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
Document contains an embedded VBA with many string operations indicating source code obfuscation	Data Obfuscation	Scripting Obfuscated Files or Information
Document contains embedded VBA macros	System Summary
Document embeds suspicious OLE2 link	System Summary
Document contains an OLE Workbook stream indicating a Microsoft Excel file	System Summary

C:\Users\user\Desktop\~$1_13904442253.xla.xlsx

data

dropped

Details

File:	C:\Users\user\Desktop\~$1_13904442253.xla.xlsx
Category:	dropped
Dump:	~$1_13904442253.xla.xlsx.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	data
Entropy:	1.4377382811115937
Encrypted:	false
Ssdeep:	3:vZ/FFDJw2fV:vBFFGS
Size:	165
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Document contains an embedded VBA with many string operations indicating source code obfuscation	Data Obfuscation	Scripting Obfuscated Files or Information
Document contains embedded VBA macros	System Summary	Scripting
Document embeds suspicious OLE2 link	System Summary
Creates files inside the user directory	System Summary	Masquerading
Document contains an OLE Workbook stream indicating a Microsoft Excel file	System Summary
URLs found in memory or binary data	Networking

C:\Users\user\AppData\Local\Temp\~DF4E6106C13B7F04D6.TMP

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\~DF4E6106C13B7F04D6.TMP
Category:	dropped
Dump:	~DF4E6106C13B7F04D6.TMP.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	data
Entropy:	1.1296879193468892
Encrypted:	false
Ssdeep:	96:1nU43AgdLSUX2dINN7RMx7tJgiHQc/0c/Wc/:1nU43AgdLSUXbQ5/1/r/
Size:	16384
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\~DFAB23D18ACD7A39C8.TMP

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\~DFAB23D18ACD7A39C8.TMP
Category:	dropped
Dump:	~DFAB23D18ACD7A39C8.TMP.0.dr
ID:	dr_5
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	data
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	512
Whitelisted:	true
Reputation:	high

C:\Users\user\AppData\Local\Temp\~DFC6228DFBF7598270.TMP

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\~DFC6228DFBF7598270.TMP
Category:	dropped
Dump:	~DFC6228DFBF7598270.TMP.0.dr
ID:	dr_6
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	data
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	65536
Whitelisted:	true
Reputation:	moderate

C:\Users\user\Desktop\1_13904442253.xla.xls

dropped

Details

File:	C:\Users\user\Desktop\1_13904442253.xla.xls
Category:	dropped
Dump:	1_13904442253.xla.xls.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1252, Author: a.asghari, Last Saved By: ali, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Sep 14 13:30:26 2004, Last Saved Time/Date: Tue Sep 9 18:31:55 2008, Security: 0
Entropy:	4.079784123714033
Encrypted:	false
Ssdeep:	384:EbQ5tjJtLfm2wm1nLsc9M3Qo7Iud+a9L0Dt4gE1gbdXz8xa+J7eptbMtMYuYqEAH:Estjx1sc8a21gRD80+JvWPRyZ3ANdJ
Size:	71168
Whitelisted:	false
Reputation:	low

C:\Users\user\Desktop\5EEB3888.tmp (copy)

dropped

Details

File:	C:\Users\user\Desktop\5EEB3888.tmp (copy)
Category:	dropped
Dump:	1_13904442253.xla.xls.0.dr
ID:	dr_7
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 1252, Author: a.asghari, Last Saved By: ali, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Sep 14 13:30:26 2004, Last Saved Time/Date: Tue Sep 9 18:31:55 2008, Security: 0
Entropy:	4.079784123714033
Encrypted:	false
Ssdeep:	384:EbQ5tjJtLfm2wm1nLsc9M3Qo7Iud+a9L0Dt4gE1gbdXz8xa+J7eptbMtMYuYqEAH:Estjx1sc8a21gRD80+JvWPRyZ3ANdJ
Size:	71168
Whitelisted:	false
Reputation:	low

C:\Users\user\Desktop\96730000

Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: a.asghari, Last Saved By: user, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Sep 14 13:30:26 2004, Last Saved Time/Date: Tue Oct 1 06:41:51 2024, Security: 0

dropped

Details

File:	C:\Users\user\Desktop\96730000
Category:	dropped
Dump:	96730000.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: a.asghari, Last Saved By: user, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Sep 14 13:30:26 2004, Last Saved Time/Date: Tue Oct 1 06:41:51 2024, Security: 0
Entropy:	4.564453149253163
Encrypted:	false
Ssdeep:	1536:unxEtjPOtioVjDGUU1qfDlaGGx+cL2QnzVCGeYaYLXIlaw+78SUlKqCDUFy:unxEtjPOtioVjDGUU1qfDlaGGx+cL2Qn
Size:	83968
Whitelisted:	false
Reputation:	low

C:\Users\user\Desktop\96730000:Zone.Identifier

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Users\user\Desktop\96730000:Zone.Identifier
Category:	modified
Dump:	96730000_Zone.Identifier.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	3344
Target ID:	0
Parent PID:	564
Name:	EXCEL.EXE
Class:	excel
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Size:	28253536
MD5:	D53B85E21886D2AF9815C377537BCAC3
Time:	01:40:47
Date:	01/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x13f770000
Modulesize:	28282880
Wow64:	false

URLs

Name

Malicious

http://sakhteman.wordpress.cxom

unknown

http://sakhteman.wordpress.co

unknown

Details

Name:	http://sakhteman.wordpress.co
TargetID:	0
From Memory:	true
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Source:	1_13904442253.xla.xls.0.dr

Signature Hits	Behavior Group	Mitre Attack
Document embeds suspicious OLE2 link	System Summary
URLs found in memory or binary data	Networking

http://sakhteman.wordpress.comb

unknown

http://sakhteman.wordpress.com

unknown

Details

Name:	http://sakhteman.wordpress.com
TargetID:	0
From Memory:	true
Current Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Source:	96730000.0.dr

Signature Hits	Behavior Group	Mitre Attack
Document embeds suspicious OLE2 link	System Summary
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

>0/

HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Outlook\Journaling\Microsoft Excel

Enabled

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel

MTTT

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle

ReviewToken

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

l5/

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Place MRU

Max Display