RTF drops file to XLSTART | VTI
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Trojan, Spyware

83b0d7926fb2c5bc0708d9201043107e8709d77f2cd2fb5cb7693b2d930378d2 (SHA256)

Invitation CBS 2018 .doc.rtf

RTF Document

Created at 2018-08-05 19:04:00

...
Severity Category Operation Classification
5/5
Persistence Adds file to open the next time Excel is launched -
  • Adds "c:\users\nd9e1fyi\appdata\roaming\microsoft\excel\xlstart\addin.xlam" to a default Excel XLStart folder
    ...
5/5
YARA YARA match Spyware
  • Rule "Retefe" from ruleset "Malware" has matched for "C:\Users\Nd9E1FYi\Desktop\Invitation CBS 2018 .doc.rtf"
    ...
  • Rule "VBA_Create_File" from ruleset "Generic" has matched for "C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Excel\XLSTART\AddIn.XLAM"
    ...
  • Rule "VBA_Execution_Commands" from ruleset "Generic" has matched for "C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Excel\XLSTART\AddIn.XLAM"
    ...
4/5
File System Known malicious file Trojan
  • File "C:\Users\Nd9E1FYi\Desktop\Invitation CBS 2018 .doc.rtf" is a known malicious file.
    ...
2/5
File System Known suspicious file Trojan
  • File "C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Excel\XLSTART\AddIn.XLAM" is a known suspicious file.
    ...
  • File "323a14e53a1ed31e60620aae7f940a47aab2c31c21f83b7f7d8458abbcdf201a" is a known suspicious file.
    ...
2/5
VBA Macro Executes macro on specific worksheet event -
  • Executes macro automatically on target "workbook" and event "open".
    ...
  • Executes macro on target "workbook" and event "beforesave".
    ...
2/5
VBA Macro Creates suspicious COM object -
1/5
Static Unparsable sections in file -
  • Static analyzer was unable to completely parse the analyzed file: C:\Users\Nd9E1FYi\AppData\Roaming\Microsoft\Excel\XLSTART\AddIn.XLAM.
    ...
1/5
VBA Macro Contains Office macro -
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image