Windows Analysis Report
3dYJn1GHk6

Overview

General Information

Sample Name: 3dYJn1GHk6 (renamed file extension from none to xls)
Analysis ID: 600290
MD5: 9cca0af8d3f66ccd4d88542eecdde898
SHA1: 4d9742039d3222ec7e76229acb22626f3ea156c8
SHA256: e7b337819ffbfd0cc64e0da0de7696a062cb134bb00e24dd761e4ce25acc958f
Tags: excel, SilentBuilder, xlsx

Detection

Hidden Macro 4.0
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Multi AV Scanner detection for submitted file
Found malicious Excel 4.0 Macro
Found Excel 4.0 Macro with suspicious formulas
Document exploit detected (UrlDownloadToFile)
Yara signature match
Found a hidden Excel 4.0 Macro sheet
Sigma detected: Excel Network Connections
Potential document exploit detected (performs DNS queries)

Classification

AV Detection

Source: 3dYJn1GHk6.xls Virustotal: Detection: 28%
Source: 3dYJn1GHk6.xls ReversingLabs: Detection: 26%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Source: global traffic DNS query: name: www.gessersh.com
Source: unknown DNS traffic detected: queries for: www.gessersh.com

System Summary

Source: Screenshot number: 4 Screenshot OCR: Enable Editing and click Enable Content. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
Source: Screenshot number: 4 Screenshot OCR: Enable Content. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
Source: 3dYJn1GHk6.xls Macro extractor: Sheet: EGVEB contains: urlmon
Source: 3dYJn1GHk6.xls Initial sample: EXEC
Source: 3dYJn1GHk6.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\3dYJn1GHk6.xls, type: DROPPED Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: 3dYJn1GHk6.xls Macro extractor: Sheet name: EGVEB
Source: 3dYJn1GHk6.xls Macro extractor: Sheet name: P1
Source: 3dYJn1GHk6.xls Virustotal: Detection: 28%
Source: 3dYJn1GHk6.xls ReversingLabs: Detection: 26%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR338D.tmp
Source: 3dYJn1GHk6.xls OLE indicator, Workbook stream: true
Source: 3dYJn1GHk6.xls.0.dr OLE indicator, Workbook stream: true
Source: classification engine Classification label: mal72.expl.evad.winXLS@1/2@5/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: 3dYJn1GHk6.xls Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX