Analysis
-
max time kernel
117s -
max time network
122s -
platform
windows7_x64 -
resource
win7 -
submitted
10-07-2020 21:38
Static task
static1
Behavioral task
behavioral1
Sample
PO# AO-20051.xlsx
Resource
win7
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
PO# AO-20051.xlsx
Resource
win10v200430
0 signatures
0 seconds
General
-
Target
PO# AO-20051.xlsx
-
Size
74KB
-
MD5
8d3f38c8eddc5e47becce659102ceb3b
-
SHA1
439fda53355724dba2cd713e49334a6a928f1026
-
SHA256
2456c984a012053956c889e4bcbc484916cb4933484306f04b7e924d911b0fcb
-
SHA512
62caf3d2b53fc278b1b71771780398b68d8d4cd37434d3f848ed50b9146e1d9cbf20ada3b10e37921e299f621a43f405adeffb5d07780c592798b4dae70ae057
Score
8/10
Malware Config
Signatures
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1492 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
EXCEL.EXEpid process 1492 EXCEL.EXE 1492 EXCEL.EXE 1492 EXCEL.EXE -
Blacklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 5 336 EQNEDT32.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Processes
-
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\PO# AO-20051.xlsx"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blacklisted process makes network request
- Launches Equation Editor