MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 4b467537059ef742a71a20ac4ccf65fc68ba223a760915cac95cc23dde1b8486. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Threat unknown
Vendor detections: 9
| Field | Value |
|---|---|
| SHA256 hash | 4b467537059ef742a71a20ac4ccf65fc68ba223a760915cac95cc23dde1b8486 |
| SHA3-384 hash | b2db2fb497342198d10dc473f508c0b43454843833b3b0e3a843a3d3e308a8b967f7d9095a7c03b81a72bb5541a2fc8b |
| SHA1 hash | 6fa120f7590eaf51a92379c4fbabcb0028a1db00 |
| MD5 hash | 849ca119321706df998263be7803700d |
| humanhash | idaho-comet-jig-pasta |
| File name | 744_22022021.doc |
| Signature | n/a |
| File size | 233'719 bytes |
| First seen | 2021-02-23 06:41:16 UTC |
| Last seen | Never |
| File type | |
| MIME type | text/rtf |
| ssdeep | 6144:IfnHVKS3j8PtOPzOc/aQE8qRQAXFRVNzus:L |
| TLSH | F334472EE74B09199F51A777034B4E490ABCB22DF38540B179AC87743BE9C3E466297C |
| Reporter | @abuse_ch |
| Tags | doc |

@abuse_ch
Malspam distributing unidentified malware:
HELO: vrout10.yaziba.net
Sending IP: 185.56.204.34
From: INORéA <contact@inorea.com>
Subject: Pharma Job Order
Attachment: 744_22022021.doc
Intelligence
File Origin
# of uploads: 1
# of downloads: 39
Origin country:

Mail intelligence
Geo location: Global
Volume: Low

Vendor Threat Intelligence
Verdict: Malicious
File type: application/msword
Has a screenshot: False
Contains macros: False
Result
Verdict: Malware
Maliciousness:
Behaviour:
- Launching a process
- Creating a window
- DNS request
- Sending an HTTP GET request to an infection source by exploiting the app vulnerability

Result
Verdict: Malicious
File Type: Fake RTF File
Alert level: 10.0%

Result
Verdict: MALICIOUS
Link:

Result
Threat name: Unknown
Detection: malicious
Classification: expl
Score: 68 / 100
Signature:
- Antivirus / Scanner detection for submitted sample
- Multi AV Scanner detection for submitted file
- Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
- Sigma detected: EQNEDT32.EXE connecting to internet

Threat name: Document-RTF.Exploit.CVE-2017-11882
Status: Malicious
First seen: 2021-02-23 06:42:09 UTC
AV detection: 26 of 48 (54.17%)
Threat level: 5/5
Detection(s): Suspicious file

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
- Checks processor information in registry
- Enumerates system info in registry
- Launches Equation Editor
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Office loads VBA resources, possible macro or embedded object present
- Drops file in Windows directory
- Blocklisted process makes network request

Threat name: Malicious File
Score: 1.00
Yara Signatures
| Field | Value |
|---|---|
| Rule name | INDICATOR_RTF_MalVer_Objects |
| Author | ditekSHen |
| Description | Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
| Field | Value |
|---|---|
| Malspam | doc 4b467537059ef742a71a20ac4ccf65fc68ba223a760915cac95cc23dde1b8486 (this sample) |
| Delivery method | Distributed via e-mail attachment |