MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c71bd3833fbb10cd2f845c83a6ed957f3243990de48a74b4d5cf1602303f4bb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SilentBuilder


Vendor detections: 9


Maldoc score: 3


Intelligence 9 File information Yara 12 Comments

SHA256 hash: c71bd3833fbb10cd2f845c83a6ed957f3243990de48a74b4d5cf1602303f4bb1
SHA3-384 hash: 3c7d5f07e2ab4df703df5215a389e275c837cca598164430809c7c66723d54fdd2a66dcfb5755336b3ba1ea68af8d775
SHA1 hash: b3ec9fbcc5e96c45e74d503210a51a7ee5ce8132
MD5 hash: 5a75c6184001a6b8785206f1e2121290
humanhash: stream-stream-football-xray
File name:SecuriteInfo.com.Heur.15528.14839
Download: download sample
Signature SilentBuilder
File size:93'696 bytes
First seen:2021-02-22 18:14:01 UTC
Last seen:2021-02-22 18:56:55 UTC
File type:Excel file xlsx
MIME type:application/vnd.ms-excel
ssdeep 1536:ca7uDphYHceXVhca+fMHLtyeGxcl8O9pTI4XUXmRgb05SXw1OTsRKvoNGrEJcQ:ca7uDphYHceXVhca+fMHLtyeGxcl8O9v
TLSH 999369D6A3B4E8B9E718E6F44BD921291B16ED320E4E07D3334CB225FFB127009626D5
Reporter @SecuriteInfoCom
Tags:SilentBuilder

Office OLE Information


This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 3
Application name is Microsoft Excel
Office document is in OLE format
OLE dump
Sections: 3

The following OLE sections have been found using oledump:

Section IDSection sizeSection name
14096 bytesDocumentSummaryInformation
24096 bytesSummaryInformation
383229 bytesWorkbook
OLE vba
TypeKeywordDescription
AutoExecAuto_OpenRuns when the Excel Workbook is opened
SuspiciousEXECMay run an executable file or a system

Intelligence


File Origin
# of uploads :
2
# of downloads :
97
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Verdict:
Legit
File type:
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Has a screenshot:
False
Contains macros:
True
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Creating a process with a hidden window
Sending a custom TCP request by exploiting the app vulnerability
Launching a process by exploiting the app vulnerability
Result
Verdict:
Malicious
File Type:
Legacy Office File
Alert level:
13.0%
Payload URLs
URL
File name
https://pg.happyslot88.cc/ds/2202.gif
WorkBook
Result
Verdict:
MALICIOUS
Details
Autostarting Excel Macro Sheet
Excel contains Macrosheet logic that will trigger automatically upon document open.
Result
Threat name:
Hidden Macro 4.0
Detection:
malicious
Classification:
expl.evad
Score:
76 / 100
Signature
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Found Excel 4.0 Macro with suspicious formulas
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Microsoft Office Product Spawning Windows Shell
Yara detected hidden Macro 4.0 in Excel
Behaviour
Behavior Graph:
Threat name:
Document-Excel.Trojan.Heuristic
Status:
Malicious
First seen:
2021-02-22 18:14:07 UTC
AV detection:
2 of 47 (4.26%)
Threat level
  2/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
macro xlm
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Process spawned unexpected child process
Malware Config
Dropper Extraction:
Threat name:
Malicious File
Score:
1.00

Yara Signatures


Rule name:Email_stealer_bin_mem
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_DOC_PhishingPatterns
Author:ditekSHen
Description:Detects OLE, RTF, PDF and OOXML (decompressed) documents with common phishing strings
Rule name:IPPort_combo_mem
Author:James_inthe_box
Description:IP and port combo
Rule name:multiple_concats_in_excel4_enjoy_the_silence
Author:Will Metcalf
Description:Behold The Great And Powerful Match Iterator. Multiple Concats with register Function SILENT BUILDER EDITION
Reference:https://www.youtube.com/watch?v=2sd7MQVofYc
Rule name:multiple_concats_in_excel4_exec_enjoy_the_silence
Author:Will Metcalf
Description:Behold The Great And Powerful Match Iterator. Multiple Concats with register Function SILENT BUILDER EDITION
Reference:https://blog.reversinglabs.com/blog/excel-4.0-macros
Rule name:multiple_concats_in_excel4_formula_call
Author:Will Metcalf
Description:Behold The Great And Powerful Match Iterator. Multiple Concats Inside of call Function
Reference:https://blog.reversinglabs.com/blog/excel-4.0-macros
Rule name:multiple_concats_in_excel4_formula_exec_1
Author:Will Metcalf
Description:Behold The Great And Powerful Match Iterator. Multiple Concats Inside of exec Function
Reference:https://blog.reversinglabs.com/blog/excel-4.0-macros
Rule name:Select_from_enumeration
Author:James_inthe_box
Description:IP and port combo
Rule name:SharedStrings
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:SUSP_EnableContent_String_Gen
Author:Florian Roth
Description:Detects suspicious string that asks to enable active content in Office Doc
Reference:Internal Research
Rule name:SUSP_Excel4Macro_AutoOpen
Author:John Lambert @JohnLaTwC
Description:Detects Excel4 macro use with auto open / close
Rule name:UAC_bypass_bin_mem
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments