MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67348aa265e2504aa1a048466a767b016b3369dc0203f48eae80342102af54eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 2



SHA256 hash: 67348aa265e2504aa1a048466a767b016b3369dc0203f48eae80342102af54eb
SHA3-384 hash: 268d609e179617f5be87057aa952c09eba295682da251e3924d87891cd7c97de444971bad468379c7346639577921566
SHA1 hash: f671a9d4aa444bef17a7f1b0856c65a26b7b5876
MD5 hash: 1776eb6862cc5a4bd8e8321117cb3a0a
humanhash: undress-jersey-music-cold
File name: PO.doc
File size: 572'795 bytes
First seen: 2020-05-21 05:33:29 UTC
Last seen: 2020-05-22 06:46:11 UTC
File type: Word file doc
MIME type: text/rtf
ssdeep 3072:BLLLLLLLLLLLLLLLLLLLLLLLLe+AJiYC8wnWq5Q7MvogMFyiYC8nPcTE7d:tmXqG9gM1mETyd
TLSH 6AC4BEE81745AA96D35762A55F29F188763FFE3864F0149830DFE2B873BF249F116802
Reporter: cocaman
Tags: doc


cocaman
Malicious email
From: Mr Michael Williams <efcc@onethaifoods.com>
Received: from slot0.cherters.net (slot0.cherters.net [45.95.168.241])
Date: 21 May 2020 15:46:01 -0700
Subject: URGENT FROM EFCC TO HELP YOU GET BACK YOUR FUND FROM SCAMMERS.
Attachment: PO.doc

Intelligence


File Origin
# of uploads: 2
# of downloads: 89
Origin country: n/a
Vendor Threat Intelligence
Gathering data
Threat name: Document-Word.Exploit.CVE-2017-11882
Status: Malicious
First seen: 2020-05-21 11:23:36 UTC
File Type: Document
Extracted files: 25
AV detection: 15 of 31 (48.39%)
Threat level: 2/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Launches Equation Editor
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Office loads VBA resources, possible macro or embedded object present
Drops file in Windows directory
Blacklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Word file doc 67348aa265e2504aa1a048466a767b016b3369dc0203f48eae80342102af54eb

(this sample)

  
Delivery method: Distributed via e-mail attachment
