MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73bccef5c926cefd41f82a329a8ba732bf59195f19c67498ccf162caa6410de1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 9



SHA256 hash: 73bccef5c926cefd41f82a329a8ba732bf59195f19c67498ccf162caa6410de1
SHA3-384 hash: 222ae46bb1b387c146087b6f729a0821916216eb908ff00e103eb8b966cef1e17ae441c57880a7c642202e8cd60a22ef
SHA1 hash: fe3b1e8337728c74600eab9cb5c9f073e7c04ced
MD5 hash: eda54697e6ab436600b8b74102833d7e
humanhash: cola-charlie-moon-north
File name: 855_28042020.doc
Signature: n/a
File size: 233'718 bytes
First seen: 2021-02-23 06:39:25 UTC
Last seen: Never
File type: Word file doc
MIME type: text/rtf
ssdeep: 6144:xLnHVKS3j8PtOPzOptaQE8qRQAX7NRNpo7s:Z
TLSH: 6C34472EE74B09199F11A777030B4E490ABCB22DF38544B179AC87743BE9D3E466297C
Reporter: @abuse_ch
Tags: doc


Twitter
@abuse_ch
Malspam distributing unidentified malware:

HELO: mailout.easymail.ca
Sending IP: 64.68.200.34
From: Raymond Matthew <info@bonafzar.com>
Subject: Re: Our new order
Attachment: 855_28042020.doc

Intelligence

File Origin
# of uploads: 1
# of downloads: 38
Origin country: FR

Mail intelligence
Geo location: Global
Volume: Low

Vendor Threat Intelligence

Verdict: Malicious
File type: application/msword
Has a screenshot: False
Contains macros: False

Result
Verdict: Malware
Maliciousness:
Behaviour
Launching a process
Creating a window
DNS request
Sending an HTTP GET request to an infection source by exploiting the app vulnerability

Result
Verdict: Malicious
File Type: Fake RTF File
Alert level: 10.0%

Result
Threat name: Unknown
Detection: malicious
Classification: expl
Score: 60 / 100
Signature
Antivirus / Scanner detection for submitted sample
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sigma detected: EQNEDT32.EXE connecting to internet
Behaviour
Behavior Graph:
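The two signature lines "Office equation editor starts processes" and "Sigma detected: EQNEDT32.EXE connecting to internet" describe the behavioural tell of CVE-2017-11882 / CVE-2018-0802 exploitation: Equation Editor is an out-of-process OLE server that only renders equations, so it has no legitimate reason to spawn a child process or open a network connection. The Python below is an added example (not MalwareBazaar's code, not the vendor's, and not a Sigma rule) that applies those checks to constructed Sysmon-style events; the event shape, file paths and TEST-NET addresses are assumptions made for the example.

```python
import ntpath
from typing import Dict, Iterable, List

# Constructed Sysmon-style telemetry (not real data from the page's sample).
# EventID 1 = process creation, EventID 3 = network connection.
EQNEDT_PATH = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\855_28042020.doc"'},
    # Equation Editor is started by DCOM (svchost -k DcomLaunch), so its parent
    # is svchost.exe, not WINWORD.EXE: a parent/child rule on Word misses it.
    {"EventID": 1, "Image": EQNEDT_PATH,
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": '"' + EQNEDT_PATH + '" -Embedding'},
    {"EventID": 3, "Image": EQNEDT_PATH,
     "DestinationIp": "192.0.2.10", "DestinationPort": 80},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": EQNEDT_PATH,
     "CommandLine": r'cmd /c "%TEMP%\svchost.exe"'},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "192.0.2.20", "DestinationPort": 443},
]

EQNEDT = "eqnedt32.exe"


def basename(path: str) -> str:
    # ntpath handles backslash paths on any host, so this also runs on Linux.
    return ntpath.basename(path).lower()


def detect_eqnedt_abuse(events: Iterable[Dict]) -> List[Dict]:
    """Return one alert per event that matches an Equation Editor abuse pattern."""
    alerts = []
    for ev in events:
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        if ev.get("EventID") == 1 and image == EQNEDT:
            # Informational: Equation Editor running at all. On Office builds
            # patched since 2018 the binary is gone, so any start is notable.
            alerts.append({"rule": "equation_editor_launched",
                           "severity": "medium", "event": ev})
        if ev.get("EventID") == 1 and parent == EQNEDT:
            # High fidelity: EQNEDT32.EXE never needs to create processes.
            alerts.append({"rule": "equation_editor_spawns_process",
                           "severity": "high", "event": ev})
        if ev.get("EventID") == 3 and image == EQNEDT:
            # High fidelity: EQNEDT32.EXE never needs the network.
            alerts.append({"rule": "equation_editor_network_connection",
                           "severity": "high", "event": ev})
    return alerts


def rule_names(events: Iterable[Dict]) -> List[str]:
    return [a["rule"] for a in detect_eqnedt_abuse(events)]


if __name__ == "__main__":
    for alert in detect_eqnedt_abuse(SAMPLE_EVENTS):
        print(alert["severity"], alert["rule"], basename(alert["event"]["Image"]))
```

The "launched" rule will also fire when a user genuinely edits an old equation in a document, so treat it as context; the spawn and network rules are the ones worth paging on, which is why the vendor's Sigma hit above is on the network connection rather than on the process start.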
Threat name: Document-RTF.Exploit.CVE-2017-11882
Status: Malicious
First seen: 2021-02-23 06:40:09 UTC
AV detection: 26 of 47 (55.32%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Checks processor information in registry
Enumerates system info in registry
Launches Equation Editor
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Office loads VBA resources, possible macro or embedded object present
Drops file in Windows directory
Blocklisted process makes network request

Threat name: Malicious File
Score: 1.00

Yara Signatures


Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: INDICATOR_RTF_MalVer_Objects
Author: ditekSHen
Description: Detects RTF documents with a non-standard version and embedding one of the objects mostly observed in exploit documents.

Rule name: IPPort_combo_mem
Author: James_inthe_box
Description: IP and port combo

Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo

Rule name: SharedStrings
Author: Katie Kleemola
Description: Internal names found in LURK0/CCTV0 samples

Rule name: UAC_bypass_bin_mem
Author: James_inthe_box
Description: UAC bypass in files like avemaria
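The entry above combines three static tells: a .doc file name carried over text/rtf content (the "Fake RTF File" verdict), the INDICATOR_RTF_MalVer_Objects rule's non-standard RTF version header, and an embedded OLE object of the Equation Editor class that CVE-2017-11882 targets. The Python below is an added example (not MalwareBazaar's code, not any vendor's, and not the YARA author's rule) that checks those three properties without opening the file in Office. The RTF bytes are constructed for the example and are not the page's sample; the OLE1 header layout it parses (version, format id, class-name length, NUL-terminated class name) is the documented objdata layout, and everything else is an assumption of the example.

```python
import re
from typing import Dict

# Constructed stand-in for the page's sample (NOT the real file): a minimal RTF
# body with an embedded OLE object whose class is Equation.3, the Equation
# Editor object abused by CVE-2017-11882 / CVE-2018-0802.
SAMPLE_RTF = (
    rb"{\rtf1\ansi\ansicpg1252\deff0{\fonttbl{\f0\fnil Calibri;}}"
    rb"\pard\f0\fs22 Re: Our new order\par"
    rb"{\object\objemb\objw1\objh1{\*\objclass Equation.3}"
    # OLE1 header: version 0x0501, format id 2, class-name length 11, "Equation.3\0"
    rb"{\*\objdata 01050000020000000b0000004571756174696f6e2e33000000}}"
    rb"}"
)

# Word only requires the header to begin "{\rt"; whatever follows is ignored,
# which exploit builders use to defeat naive "{\rtf1" checks.
RTF_HEADER = re.compile(rb"^\s*\{\\rt(f?)(\d*)")
OBJCLASS = re.compile(rb"\\objclass\s*([A-Za-z0-9_.]+)")
OBJDATA = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
EQUATION_CLASSES = (b"equation.3", b"equation.2")
WORD_BINARY_EXTENSIONS = (".doc", ".docx", ".dot")


def triage_rtf(data: bytes, file_name: str) -> Dict:
    """Static triage of a suspected RTF. Parses only; never renders or executes."""
    m = RTF_HEADER.match(data)
    result = {
        "is_rtf": m is not None,
        "nonstandard_header": False,
        "extension_mismatch": False,
        "objclasses": [],
        "ole_classnames": [],
        "equation_editor_object": False,
        "flags": [],
    }
    if not m:
        return result
    # The only standard header is "{\rtf1"; "{\rt", "{\rtf" or "{\rtf1234" are not.
    result["nonstandard_header"] = not (m.group(1) == b"f" and m.group(2) == b"1")
    # RTF content behind a .doc/.docx name is the page's "Fake RTF File" case.
    result["extension_mismatch"] = file_name.lower().endswith(WORD_BINARY_EXTENSIONS)
    result["objclasses"] = [c.decode("ascii", "replace") for c in OBJCLASS.findall(data)]
    for hexblob in OBJDATA.findall(data):
        try:
            blob = bytes.fromhex(re.sub(rb"\s+", b"", hexblob).decode("ascii"))
        except ValueError:
            continue  # malformed hex; skip rather than crash on hostile input
        # OLE1 object header: 4-byte version, 4-byte format id, 4-byte class-name
        # length, then the NUL-terminated class name. The \objclass keyword can
        # lie, so the name inside objdata is the one that counts.
        if len(blob) >= 12:
            namelen = int.from_bytes(blob[8:12], "little")
            name = blob[12:12 + namelen].split(b"\0", 1)[0]
            if name:
                result["ole_classnames"].append(name.decode("ascii", "replace"))
    names = [n.lower().encode() for n in result["objclasses"] + result["ole_classnames"]]
    result["equation_editor_object"] = any(n in EQUATION_CLASSES for n in names)

    if result["extension_mismatch"]:
        result["flags"].append("rtf-content-with-word-extension")
    if result["nonstandard_header"]:
        result["flags"].append("nonstandard-rtf-header")
    if result["equation_editor_object"]:
        result["flags"].append("equation-editor-ole-object")
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(triage_rtf(SAMPLE_RTF, "855_28042020.doc"), indent=2))
```

Run against the constructed sample with the page's file name, the triage reports the extension mismatch and the Equation.3 object but a standard "{\rtf1" header; a real exploit document may obfuscate the objdata (split across groups, padded with junk control words), so treat a clean parse here as a floor, not a clearance.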

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Word file doc 73bccef5c926cefd41f82a329a8ba732bf59195f19c67498ccf162caa6410de1 (this sample)
Delivery method
Distributed via e-mail attachment

Comments