Managed XDR

declver-2025-v1.0.1.xls — malware analysis report

File info

Filename: declver-2025-v1.0.1.xls
File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: Dclaration Signaltique et de Versements, Author: Manuel Cardoso, Last Saved By: EMMANUEL LICANDRO, Name of Creating Application: Microsoft Excel, Last Printed: Wed Aug 12 13:36:18 2015, Create Time/Date: Thu Oct 30 15:21:21 2008, Last Saved Time/Date: Tue Feb 18 13:04:20 2025, Security: 0
File size: 5.1 MB
First seen: 2025-03-14 11:53
Last seen: 2025-03-14 11:53

Environment

w10/x86 en

Hashes

SHA1: d7bd7922409ef74e0497f94ad258168f7489bbad
SHA256: c1a386a12c9ef8b722d19f285b405e0e9d9b53647e05c666111c4e5756e6a4e6
MD5: a15913dabb67d52824b5ef2fe2bb0826

Signatures

Execution

T1203 office_exploit_http: The document exhibits suspicious behaviour (performs HTTP requests)

T1064 office_macros_suspicious: Document contains suspicious macro

T1204 office_mshtml_load: Microsoft Office loads MSHTML DLL files (indicator of ActiveX usage)

T1204.002 office_vb_load: Microsoft Office is loading VB DLL files (macros usage indicator)

T1204.002 office_com_load: Microsoft Office loads COM DLL files (indicator of COM usage in macros)

T1059.001 url_cmdline: Cmdline of process contains URL

T1059.003 url_cmdline: Cmdline of process contains URL

T1064 office_macros: The document contains macroses (total: 12)

T1064 office_macros_strings: Feature lines found in document macro

T1064 office_macros_autoexec: The document contains an auto-start macro

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1064 office_macros_suspicious: Document contains suspicious macro

T1564 office_vba_stomping: VBA Stomping was detected in the document (the VBA source code and P-code are different)

T1064 office_macros: The document contains macroses (total: 12)

T1064 office_macros_strings: Feature lines found in document macro

T1064 office_macros_autoexec: The document contains an auto-start macro

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents

T1027 office_macros_entropy: The document contains a macro with high entropy (a possible sign of obfuscation)

Discovery

T1518 locates_browser: Attempts to identify where browsers are installed

T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents

T1083 checks_recent_files: Attempt to check recently opened files through registry

Command and Control

T1071.001 office_exploit_http: The document exhibits suspicious behaviour (performs HTTP requests)

T1071.004 office_exploit_dns: The document exhibits suspicious behaviour (performs DNS requests)

T1102.003 cloud_amazonaws: Connects to cloud services of Amazon AWS (potentially for malicious payload delivery)

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Other

multiple_useragents: Uses more than one unique User-Agent

office_summary: The document contains suspicious metadata

creates_suspended_process: Creates suspended process

message_box: Displays a message

test_check_service: Starts services

suricata_alert: Malicious traffic detected

yara_rules: Static rules