MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 73bccef5c926cefd41f82a329a8ba732bf59195f19c67498ccf162caa6410de1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Threat unknown
Vendor detections: 9
| Field | Value |
|---|---|
| SHA256 hash: | 73bccef5c926cefd41f82a329a8ba732bf59195f19c67498ccf162caa6410de1 |
| SHA3-384 hash: | 222ae46bb1b387c146087b6f729a0821916216eb908ff00e103eb8b966cef1e17ae441c57880a7c642202e8cd60a22ef |
| SHA1 hash: | fe3b1e8337728c74600eab9cb5c9f073e7c04ced |
| MD5 hash: | eda54697e6ab436600b8b74102833d7e |
| humanhash: | cola-charlie-moon-north |
| File name: | 855_28042020.doc |
| Download: | download sample |
| Signature: | n/a |
| File size: | 233'718 bytes |
| First seen: | 2021-02-23 06:39:25 UTC |
| Last seen: | Never |
| File type: | doc |
| MIME type: | text/rtf |
| ssdeep: | 6144:xLnHVKS3j8PtOPzOptaQE8qRQAX7NRNpo7s:Z |
| TLSH: | 6C34472EE74B09199F11A777030B4E490ABCB22DF38544B179AC87743BE9D3E466297C |
| Reporter: | @abuse_ch |
| Tags: | doc |

@abuse_ch
Malspam distributing unidentified malware:
HELO: mailout.easymail.ca
Sending IP: 64.68.200.34
From: Raymond Matthew <info@bonafzar.com>
Subject: Re: Our new order
Attachment: 855_28042020.doc
Intelligence
File Origin
# of uploads: 1
# of downloads: 38
Origin country:
Mail intelligence
Geo location: Global
Volume: Low
Vendor Threat Intelligence
Verdict: Malicious
File type: application/msword
Has a screenshot: False
Contains macros: False
Result
Verdict: Malware
Maliciousness:
Behaviour:
- Launching a process
- Creating a window
- DNS request
- Sending an HTTP GET request to an infection source by exploiting the app vulnerability
Result
Verdict: Malicious
File Type: Fake RTF File
Alert level: 10.0%
Result
Verdict: MALICIOUS
Link:
Result
Threat name: Unknown
Detection: malicious
Classification: expl
Score: 60 / 100
Signature:
- Antivirus / Scanner detection for submitted sample
- Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
- Sigma detected: EQNEDT32.EXE connecting to internet
Behaviour
Behavior Graph:
Threat name: Document-RTF.Exploit.CVE-2017-11882
Status: Malicious
First seen: 2021-02-23 06:40:09 UTC
AV detection: 26 of 47 (55.32%)
Threat level: 5/5
Detection(s): Suspicious file
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
- Checks processor information in registry
- Enumerates system info in registry
- Launches Equation Editor
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Office loads VBA resources, possible macro or embedded object present
- Drops file in Windows directory
- Blocklisted process makes network request
Threat name: Malicious File
Score: 1.00
Yara Signatures
| Rule name | Author | Description |
|---|---|---|
| Email_stealer_bin_mem | James_inthe_box | Email in files like avemaria |
| INDICATOR_RTF_MalVer_Objects | ditekSHen | Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. |
| IPPort_combo_mem | James_inthe_box | IP and port combo |
| Select_from_enumeration | James_inthe_box | IP and port combo |
| SharedStrings | Katie Kleemola | Internal names found in LURK0/CCTV0 samples |
| UAC_bypass_bin_mem | James_inthe_box | UAC bypass in files like avemaria |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
| Malspam | doc 73bccef5c926cefd41f82a329a8ba732bf59195f19c67498ccf162caa6410de1 (this sample) |
|---|---|
| Delivery method | Distributed via e-mail attachment |