Managed XDR

avtogenerator-id-5.3.1.xlsm — malware analysis report

File info

Filename
avtogenerator-id-5.3.1.xlsm
File type
Microsoft Excel 2007+
File size
895.2 KB
First seen
Last seen

Environment

w10/x86 en

Hashes

SHA1
36328c21e547df9996ca3a00c6ebbc766593d218
SHA256
ce5659bb4faaf7f75e78ae165f0a387de530aa2cc4f1f36feca45965c4d44e1a
MD5
da0234507a9c5e2e384e1aafcf6e7667

Signatures

Initial Access

T1192 html_urls: HTML-document downloads a file

Execution

T1203 office_exploit_http: The document exhibits suspicious behaviour (performs HTTP requests)
T1204.002 office_wmi_load: Microsoft Office loads WMI DLL files (WMI usage indicator in macros)
T1064 office_macros_suspicious: Document contains suspicious macro
T1106 susp_callbacks: Suspicious usage of some WinAPI with callbacks
T1204 office_dotnet_load: Microsoft Office loads .NET assembly or DLL files (indicator of suspicious MS Office activity)
T1204 office_mshtml_load: Microsoft Office loads MSHTML DLL files (indicator of ActiveX usage)
T1204.002 office_vb_load: Microsoft Office is loading VB DLL files (macros usage indicator)
T1204.002 office_com_load: Microsoft Office loads COM DLL files (indicator of COM usage in macros)
T1064 office_macros: The document contains macroses (total: 55)
T1064 office_macros_strings: Feature lines found in document macro
T1064 office_macros_autoexec: The document contains an auto-start macro

Defense Evasion

T1064 office_macros_suspicious: Document contains suspicious macro
T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
T1064 office_macros: The document contains macroses (total: 55)
T1064 office_macros_strings: Feature lines found in document macro
T1064 office_macros_autoexec: The document contains an auto-start macro

Discovery

T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
T1083 checks_recent_files: Attempt to check recently opened files through registry

Command and Control

T1071.001 office_exploit_http: The document exhibits suspicious behaviour (performs HTTP requests)
T1071.004 office_exploit_dns: The document exhibits suspicious behaviour (performs DNS requests)
T1071.001 network_http: Performs HTTP requests
T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp
T1102.003 references_google: Contains links to cloud services of Google (potentially for malicious payload delivery)

Other

dead_host: Connects to IP addresses that do not respond to requests
creates_in_programdata: Creates files in the ProgramData directory
test_check_service: Starts services
office_links: Office file contains external links