MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 314fe41c4de11eb7270e04a04b40a267109da6b1ba469e4604a0e883b0d87fb3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 10
Maldoc score: 9

SHA256 hash: 314fe41c4de11eb7270e04a04b40a267109da6b1ba469e4604a0e883b0d87fb3
SHA3-384 hash: c246b2087f2a59a98b2a9f1a213e78f75c2af8985bf1b3e1bf9ffebd1addf191e8a7693ae01f27ddc27c5bcc24c758c7
SHA1 hash: bab4c3907f1a86135b4cfbe456dc3dba630d7d63
MD5 hash: 3290c3c5ec33256c5bd6b89f51d7b1f5
humanhash: march-fifteen-sad-johnny
File name: MEXACARE Orders 122001-2213.docx
File size: 175'777 bytes
First seen: 2022-06-22 15:01:56 UTC
Last seen: Never
File type: Word file doc
MIME type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
ssdeep: 3072:QHg4fwzQ6JyYYkbyWSQz+iNbhw2iNbhw1iNbhwaiNbhwfiNbhwu:N4fwXJy5s+SllSlASljSlmSll
TLSH: T14504F211CAF3E159C38D7776959BCA1CDE67D4C2B00533E60D5EE1A90D93E8183A8ECA
TrID: 51.0% (.DOCX) Word Microsoft Office Open XML Format document (23500/1/4)
      38.0% (.ZIP) Open Packaging Conventions container (17500/1/4)
      8.6% (.ZIP) ZIP compressed archive (4000/1)
      2.1% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: abuse_ch
Tags: doc docx

Office OLE Information


This malware sample appears to be an Office document. The following table provides more information about this document, produced with oletools and oledump.

OLE id
Maldoc score: 9
OLE dump

MalwareBazaar was able to identify 85 sections in this file using oledump:

Section ID  Section size  Section name
A1          107 bytes     CompObj
A2          252 bytes     DocumentSummaryInformation
A3          216 bytes     SummaryInformation
A4          16418 bytes   Workbook
A5          528 bytes     _VBA_PROJECT_CUR/PROJECT
A6          107 bytes     _VBA_PROJECT_CUR/PROJECTwm
A7          993 bytes     _VBA_PROJECT_CUR/VBA/Module1
A8          991 bytes     _VBA_PROJECT_CUR/VBA/Sheet1
A9          991 bytes     _VBA_PROJECT_CUR/VBA/Sheet2
A10         1634 bytes    _VBA_PROJECT_CUR/VBA/ThisWorkbook
A11         2732 bytes    _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
A12         1553 bytes    _VBA_PROJECT_CUR/VBA/__SRP_0
A13         138 bytes     _VBA_PROJECT_CUR/VBA/__SRP_1
A14         169 bytes     _VBA_PROJECT_CUR/VBA/__SRP_2
A15         156 bytes     _VBA_PROJECT_CUR/VBA/__SRP_3
A16         585 bytes     _VBA_PROJECT_CUR/VBA/dir
B1          107 bytes     CompObj
B2          252 bytes     DocumentSummaryInformation
B3          216 bytes     SummaryInformation
B4          16418 bytes   Workbook
B5          528 bytes     _VBA_PROJECT_CUR/PROJECT
B6          107 bytes     _VBA_PROJECT_CUR/PROJECTwm
B7          993 bytes     _VBA_PROJECT_CUR/VBA/Module1
B8          991 bytes     _VBA_PROJECT_CUR/VBA/Sheet1
B9          991 bytes     _VBA_PROJECT_CUR/VBA/Sheet2
B10         1634 bytes    _VBA_PROJECT_CUR/VBA/ThisWorkbook
B11         2732 bytes    _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
B12         1553 bytes    _VBA_PROJECT_CUR/VBA/__SRP_0
B13         138 bytes     _VBA_PROJECT_CUR/VBA/__SRP_1
B14         169 bytes     _VBA_PROJECT_CUR/VBA/__SRP_2
B15         156 bytes     _VBA_PROJECT_CUR/VBA/__SRP_3
B16         585 bytes     _VBA_PROJECT_CUR/VBA/dir
C1          107 bytes     CompObj
C2          252 bytes     DocumentSummaryInformation
C3          216 bytes     SummaryInformation
C4          16418 bytes   Workbook
C5          528 bytes     _VBA_PROJECT_CUR/PROJECT
C6          107 bytes     _VBA_PROJECT_CUR/PROJECTwm
C7          993 bytes     _VBA_PROJECT_CUR/VBA/Module1
C8          991 bytes     _VBA_PROJECT_CUR/VBA/Sheet1
C9          991 bytes     _VBA_PROJECT_CUR/VBA/Sheet2
C10         1634 bytes    _VBA_PROJECT_CUR/VBA/ThisWorkbook
C11         2732 bytes    _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
C12         1553 bytes    _VBA_PROJECT_CUR/VBA/__SRP_0
C13         138 bytes     _VBA_PROJECT_CUR/VBA/__SRP_1
C14         169 bytes     _VBA_PROJECT_CUR/VBA/__SRP_2
C15         156 bytes     _VBA_PROJECT_CUR/VBA/__SRP_3
C16         585 bytes     _VBA_PROJECT_CUR/VBA/dir
D1          107 bytes     CompObj
D2          252 bytes     DocumentSummaryInformation
D3          216 bytes     SummaryInformation
D4          16418 bytes   Workbook
D5          528 bytes     _VBA_PROJECT_CUR/PROJECT
D6          107 bytes     _VBA_PROJECT_CUR/PROJECTwm
D7          993 bytes     _VBA_PROJECT_CUR/VBA/Module1
D8          991 bytes     _VBA_PROJECT_CUR/VBA/Sheet1
D9          991 bytes     _VBA_PROJECT_CUR/VBA/Sheet2
D10         1634 bytes    _VBA_PROJECT_CUR/VBA/ThisWorkbook
D11         2732 bytes    _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
D12         1553 bytes    _VBA_PROJECT_CUR/VBA/__SRP_0
D13         138 bytes     _VBA_PROJECT_CUR/VBA/__SRP_1
D14         169 bytes     _VBA_PROJECT_CUR/VBA/__SRP_2
D15         156 bytes     _VBA_PROJECT_CUR/VBA/__SRP_3
D16         585 bytes     _VBA_PROJECT_CUR/VBA/dir
E1          107 bytes     CompObj
E2          252 bytes     DocumentSummaryInformation
E3          216 bytes     SummaryInformation
E4          16418 bytes   Workbook
E5          528 bytes     _VBA_PROJECT_CUR/PROJECT
E6          107 bytes     _VBA_PROJECT_CUR/PROJECTwm
E7          993 bytes     _VBA_PROJECT_CUR/VBA/Module1
E8          991 bytes     _VBA_PROJECT_CUR/VBA/Sheet1
E9          991 bytes     _VBA_PROJECT_CUR/VBA/Sheet2
E10         1634 bytes    _VBA_PROJECT_CUR/VBA/ThisWorkbook
E11         2732 bytes    _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
E12         1553 bytes    _VBA_PROJECT_CUR/VBA/__SRP_0
E13         138 bytes     _VBA_PROJECT_CUR/VBA/__SRP_1
E14         169 bytes     _VBA_PROJECT_CUR/VBA/__SRP_2
E15         156 bytes     _VBA_PROJECT_CUR/VBA/__SRP_3
E16         585 bytes     _VBA_PROJECT_CUR/VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) from OLE objects embedded in this file using olevba, and found the following:

Type        Keyword               Description
AutoExec    Workbook_BeforeClose  Runs when the Excel Workbook is closed
Suspicious  Shell                 May run an executable file or a system command
Suspicious  vbNormalFocus         May run an executable file or a system command
Suspicious  Hex Strings           Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
Suspicious  Base64 Strings        Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads: 1
# of downloads: 250
Origin country: n/a

Vendor Threat Intelligence
Verdict: Malicious
File type: application/msword
Has a screenshot: False
Contains macros: True

Result
Verdict: Malware
Maliciousness:
Behaviour:
- Searching for the window
- Creating synchronization primitives
- Creating a window
- Searching for synchronization primitives
- Launching a process
- Launching the default Windows debugger (dwwin.exe)
- Launching a process by exploiting the app vulnerability

Result
Verdict: Malicious
File Type: OOXML Word File with Embedding Objects

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: macros macros-on-close rundll32

Label: Malicious
Suspicious Score: 7.5/10
Score Malicious: 76%
Score Benign: 24%

Result
Verdict: MALICIOUS
Details:
- Macro with Startup Hook: Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
- Macro Contains Suspicious String: Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc.

Result
Threat name: Unknown
Detection: malicious
Classification: expl.evad.troj
Score: 100 / 100
Signature:
- Antivirus detection for URL or domain
- Connects to many ports of the same IP (likely port scanning)
- Document exploit detected (process start blacklist hit)
- Drops PE files with a suspicious file extension
- Multi AV Scanner detection for domain / URL
- Multi AV Scanner detection for submitted file
- Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
- Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
- Snort IDS alert for network traffic
- Uses schtasks.exe or at.exe to add and modify task schedules
- Yara detected AntiVM3
- Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (the rendered graph is not reproduced; the node and edge labels recovered from it are listed below):
Behavior Graph ID: 650592
Sample: MEXACARE Orders 122001-2213.docx
Startdate: 22/06/2022
Architecture: WINDOWS
Score: 100
Graph-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 5 other signatures
Contacted by the sample itself: 42502d2a-e7ed-4a16-9f11-33ffe6c54021.usrfiles.com; media-router.wixstatic.com; 2 other IPs or domains

Process tree and per-process network / file activity, as labelled in the graph:
- EXCEL.EXE
  - rundll32.exe
    - mshta.exe (dropped C:\ProgramData\pooli.com, PE32; contacted bitbucket.org 104.192.141.1 port 443, AMAZON-02US United States; signatures: Drops PE files with a suspicious file extension; Uses schtasks.exe or at.exe to add and modify task schedules)
      - powershell.exe (contacted bitbucket.org)
        - conhost.exe (signatures: Queries sensitive network adapter information via WMI, Win32_NetworkAdapter; Queries sensitive BIOS Information via WMI, Win32_Bios & Win32_BaseBoard)
        - csc.exe (dropped C:\Users\user\AppData\Local\...\dy4if43b.dll, PE32)
          - cvtres.exe
      - taskkill.exe
        - powershell.exe, powershell.exe, schtasks.exe, 5 other processes (each starting conhost.exe)
      - taskkill.exe
        - conhost.exe
      - 2 other processes
        - conhost.exe, conhost.exe
- mshta.exe (contacted www.coalminners.shop; ghs.google.com 142.250.203.115 ports 49762, 49791, 80, GOOGLEUS United States; 3 other IPs or domains)
  - powershell.exe (contacted 42502d2a-e7ed-4a16-9f11-33ffe6c54021.usrfiles.com; gcp.media-router.wixstatic.com 34.102.176.152 ports 443, 49783, 49809, GOOGLEUS United States; media-router.wixstatic.com)
    - conhost.exe
  - powershell.exe (contacted bitbucket.org)
    - conhost.exe
  - schtasks.exe
    - conhost.exe
  - 13 other processes
    - conhost.exe, conhost.exe, 9 other processes
- pooli.com (contacted www.coalminners.shop; 2 other IPs or domains)
- 2 other processes (contacted blogspot.l.googleusercontent.com 216.58.215.225 ports 443, 49785, 49790, GOOGLEUS United States; 2 other IPs or domains)
  - powershell.exe (contacted bitbucket.org)
    - conhost.exe
  - schtasks.exe
    - conhost.exe
  - splwow64.exe
  - conhost.exe
Threat name: Document-Office.Trojan.Valyria
Status: Malicious
First seen: 2022-06-21 22:43:56 UTC
File Type: Document
Extracted files: 144
AV detection: 12 of 41 (29.27%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour:
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Program crash
- Process spawned unexpected child process

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Word file doc 314fe41c4de11eb7270e04a04b40a267109da6b1ba469e4604a0e883b0d87fb3 (this sample)
Delivery method: Distributed via e-mail attachment

Comments