MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b4bcdcc293f734c7504ef54fbc90c4399210a0617a8f25e5c660d5735b1d7dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Maldoc score: 23


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b4bcdcc293f734c7504ef54fbc90c4399210a0617a8f25e5c660d5735b1d7dd
SHA3-384 hash: 3171b8961f11387073ec117912f04f55366e03e3f182b5eb18cdc8d7dc03808b30f4605ec9a03a8911797eeeb5bc9fa0
SHA1 hash: ad538c08df7228628f680302f548eecf6c5a2fa1
MD5 hash: b21053de4824f2d8197cf3deebbcb96f
humanhash: cola-quiet-oregon-video
File name:b21053de4824f2d8197cf3deebbcb96f
Download: download sample
File size:542'720 bytes
First seen:2022-03-09 15:00:40 UTC
Last seen:Never
File type:Excel file xlsx
MIME type:application/vnd.ms-excel
ssdeep 6144:JK1Tgbyw3sz25o16yN9rjXjIKs2ATlFeIgiEoiTSPN0TMTMxr8b4S0Wu3IjxXp1:wIlgSFPM58br0Wu3c
TLSH T10DB403AABDF79F7AD61291330BE910E66325C8411F354BC3196C793C39EEEA4394904E
Reporter zbetcheckin
Tags:excel xlsx

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 23
OLE dump

MalwareBazaar was able to identify 11 sections in this file using oledump:

Section IDSection sizeSection name
1109 bytesCompObj
2240 bytesDocumentSummaryInformation
3208 bytesSummaryInformation
4517153 bytesWorkbook
5476 bytes_VBA_PROJECT_CUR/PROJECT
6110 bytes_VBA_PROJECT_CUR/PROJECTwm
71007 bytes_VBA_PROJECT_CUR/VBA/EstaPasta_de_trabalho
89595 bytes_VBA_PROJECT_CUR/VBA/Mdulo1
9990 bytes_VBA_PROJECT_CUR/VBA/Plan1
103342 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
11700 bytes_VBA_PROJECT_CUR/VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecAuto_OpenRuns when the Excel Workbook is opened
IOCunzip.batExecutable file name
IOCavaliacao.batExecutable file name
IOCOneDriveStart.vbsExecutable file name
IOCDynamicDrivers.vbsExecutable file name
IOCOneDrive.htaExecutable file name
SuspiciousExpandEnvironmentStrMay read system environment variables
SuspiciousCreateTextFileMay create a text file
SuspiciousShellMay run an executable file or a system command
SuspiciousWScript.ShellMay run an executable file or a system command
SuspiciousRunMay run an executable file or a system command
SuspiciousCreateMay execute file or a system command through WMI
SuspiciousCreateObjectMay create an OLE object
SuspiciousWindowsMay enumerate application windows (if combined with Shell.Application object)
SuspiciousLibMay run code from a DLL
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
SuspiciousBase64 StringsBase64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
1
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Malicious
File type:
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Has a screenshot:
False
Contains macros:
True
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/248720/
Detection(s):
SecuriteInfo.com.Office.Macro-16.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Office.Macro-13.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXRSTRGOOD.POWERSHELL.211012.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file
Moving a recently created file
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching a process by exploiting the app vulnerability
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Link:
https://app.docguard.net/4b4bcdcc293f734c7504ef54fbc90c4399210a0617a8f25e5c660d5735b1d7dd/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
macros macros-on-open schtasks.exe update.exe virus
Link:
https://www.filescan.io/uploads/6228c133b94fb38cb4486766/reports/2f7da9d4-8fb2-4ea3-8086-bda828616b77/overview
Label:
Benign
Suspicious Score:
2.4/10
Score Malicious:
24%
Score Benign:
76%
Link:
https://www.malware.ai/gui/files/?id=3ffffbc5-9d2c-4d0b-a41a-4c8b9f044546
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/4b4bcdcc293f734c7504ef54fbc90c4399210a0617a8f25e5c660d5735b1d7dd
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro with File System Write
Detected macro logic that can write data to the file system.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
EXE String Concatenation
Macro contains a possibly obfuscated reference to an executable.
InQuest Machine Learning
An InQuest machine-learning model classified this macro as potentially malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/953787
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Document contains an embedded macro with GUI obfuscation
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document contains OLE streams with names of living off the land binaries
Document exploit detected (process start blacklist hit)
Multi AV Scanner detection for submitted file
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Ryuk Ransomware
Sigma detected: Suspicious Remote Thread Created
Sigma detected: Suspicius Schtasks From Env Var Folder
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Uses shutdown.exe to shutdown or reboot the system
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 586265 Sample: Ic8Lg5zNpb Startdate: 09/03/2022 Architecture: WINDOWS Score: 100 68 srv1.aztronic.com.br 2->68 70 proxy.aztronic.com.br 2->70 72 Antivirus detection for URL or domain 2->72 74 Antivirus / Scanner detection for submitted sample 2->74 76 Multi AV Scanner detection for submitted file 2->76 78 12 other signatures 2->78 9 cmd.exe 2->9         started        12 EXCEL.EXE 7 12 2->12         started        15 taskeng.exe 1 2->15         started        17 2 other processes 2->17 signatures3 process4 file5 80 Uses cmd line tools excessively to alter registry or file data 9->80 82 Bypasses PowerShell execution policy 9->82 84 Uses schtasks.exe or at.exe to add and modify task schedules 9->84 19 cmd.exe 9->19         started        62 C:\Users\user\Desktop\Ic8Lg5zNpb.xls, Composite 12->62 dropped 64 C:\Users\Public\Downloads\unzip.txt, ASCII 12->64 dropped 66 C:\Users\Public\Downloads\avaliacao.txt, ASCII 12->66 dropped 21 reg.exe 1 12->21         started        23 cmd.exe 15->23         started        25 bitsadmin.exe 15->25         started        27 cmd.exe 17->27         started        29 bitsadmin.exe 17->29         started        signatures6 process7 process8 31 cmd.exe 19->31         started        34 bitsadmin.exe 19->34         started        36 cmd.exe 19->36         started        46 9 other processes 19->46 38 cmd.exe 23->38         started        40 bitsadmin.exe 27->40         started        42 bitsadmin.exe 27->42         started        44 bitsadmin.exe 27->44         started        48 4 other processes 27->48 signatures9 86 Uses cmd line tools excessively to alter registry or file data 31->86 50 reg.exe 31->50         started        88 Uses shutdown.exe to shutdown or reboot the system 34->88 52 powershell.exe 6 38->52         started        54 cmd.exe 38->54         started        56 cmd.exe 38->56         started        60 7 other processes 38->60 58 shutdown.exe 40->58         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b4bcdcc293f734c7504ef54fbc90c4399210a0617a8f25e5c660d5735b1d7dd/
Threat name:
Script-Macro.Trojan.Maldokn
Create hunting rule
Status:
Malicious
First seen:
2022-02-26 01:21:17 UTC
File Type:
Document
Extracted files:
15
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
macro macro_on_action persistence
Link:
https://tria.ge/reports/220309-sdwlsshfc8/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Adds Run key to start application
Process spawned unexpected child process
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4b4bcdcc293f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/4b4bcdcc293f734c7504ef54fbc90c4399210a0617a8f25e5c660d5735b1d7dd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Excel file xlsx 4b4bcdcc293f734c7504ef54fbc90c4399210a0617a8f25e5c660d5735b1d7dd

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2086088/
Cape
Cape
https://www.capesandbox.com/analysis/248720/

Comments


Avatar
zbet commented on 2022-03-09 15:00:43 UTC

url : hxxp://securelogonweb.com/excel/Carteira-Investidores-Clientes-Quentes_001.xls