MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e472b9de49871cbf3a381b560312a55163a196213329fdae34f4bbae6dd9d20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TrickBot


Vendor detections: 7


Maldoc score: 14


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e472b9de49871cbf3a381b560312a55163a196213329fdae34f4bbae6dd9d20
SHA3-384 hash: 1e6f4ff9d94c918c619186e2b3a20943725e22da2b712d61545da91f541afd112818347ab182f3ec254ad9a01757c126
SHA1 hash: 96c0e80d1f801b294cfac4038df584f83b637fe2
MD5 hash: 3b293561854d9ad8d99f8cf2f37ec521
humanhash: cold-florida-diet-tennessee
File name:Track1Z16301.doc
Download: download sample
Signature TrickBot
Create hunting rule
File size:156'160 bytes
First seen:2021-04-07 14:24:12 UTC
Last seen:2021-04-07 14:57:45 UTC
File type:Word file doc
MIME type:application/msword
ssdeep 3072:sBFS6igp+dDroFMky3zbcNXg+UiGMr3KKJ+:sBY6igpCiUzbctGVMrKKJ
TLSH 6BE3AD03B688DF22E12952FA0E87CEF8365A7F459E41C2A731983B5F7E745600986B5C
Reporter abuse_ch
Tags:doc Rackspace rob45 TrickBot


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: smtp73.ord1d.emailsrvr.com
Sending IP: 184.106.54.73
From: Ryan Rangel <lance.elpidama@bigfrog.com>
Reply-To: Ryan Rangel <ryan@fwscreen.com>
Subject: 94733253533 LRMS PO# LRMS
Attachment: Track1Z16301.doc

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 14
Application name is Microsoft Office Word
Office document is in OLE format
Office document contains VBA Macros
OLE dump

MalwareBazaar was able to identify 18 sections in this file using oledump:

Section IDSection sizeSection name
1114 bytesCompObj
24096 bytesDocumentSummaryInformation
34096 bytesSummaryInformation
48737 bytes1Table
585841 bytesData
697 bytesMacros/Animated/CompObj
7374 bytesMacros/Animated/VBFrame
8727 bytesMacros/Animated/f
96652 bytesMacros/Animated/o
10533 bytesMacros/PROJECT
11294 bytesMacros/PROJECTlk
1295 bytesMacros/PROJECTwm
134355 bytesMacros/VBA/Animated
141060 bytesMacros/VBA/ThisDocument
158800 bytesMacros/VBA/_VBA_PROJECT
164651 bytesMacros/VBA/autoopen
171706 bytesMacros/VBA/dir
1815412 bytesWordDocument
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecautoopenRuns when the Word document is opened
AutoExecUserForm_ResizeRuns when the file is opened and ActiveX objects trigger events
IOCe.dllExecutable file name
SuspiciousOpenMay open a file
SuspiciousOutputMay write to a file (if combined with Open)
SuspiciousLibMay run code from a DLL
SuspiciousChrWMay attempt to obfuscate specific strings (use option --deobf to deobfuscate)
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
SuspiciousBase64 StringsBase64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'148
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Track1Z16301.doc
Verdict:
No threats detected
Analysis date:
2021-04-07 15:40:54 UTC
Tags:
macros macros-on-open generated-doc
Link:
https://app.any.run/tasks/9a67e7d4-8245-493a-8d5f-62bcdb10321a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/msword
Has a screenshot:
False
Contains macros:
True
Detection(s):
TwinWave.EvilDoc.SpaceYourFace.20210405.UNOFFICIAL
Create hunting rule

Sanesecurity.Badmacro.Doc.blankautoopen.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file
Delayed writing of the file
Result
Verdict:
Malicious
File Type:
Legacy Word File with Macro
Link:
https://app.docguard.net/1e472b9de49871cbf3a381b560312a55163a196213329fdae34f4bbae6dd9d20/results/dashboard
Payload URLs
URL
File name
Project.autoopen.Main
1Table
Document image
Image:
Download PNG
Document image
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/1e472b9de49871cbf3a381b560312a55163a196213329fdae34f4bbae6dd9d20
Details
Suspicious Document Variables
Detected a macro that references a suspicious number of tersely named variables.
Document With Few Pages
Document contains between one and three pages of content. Most malicious documents are sparse in page count.
Macro with File System Write
Detected macro logic that can write data to the file system.
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl.troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/668798
Signature
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (creates forbidden files)
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses ping.exe to check the status of other devices and networks
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 383341 Sample: Track1Z16301.doc Startdate: 07/04/2021 Architecture: WINDOWS Score: 84 45 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->45 47 Machine Learning detection for sample 2->47 49 Document contains an embedded VBA macro with suspicious strings 2->49 51 2 other signatures 2->51 7 WINWORD.EXE 233 42 2->7         started        process3 file4 33 C:\Users\user\...\Track1Z16301.doc.LNK, MS 7->33 dropped 53 Document exploit detected (creates forbidden files) 7->53 11 cmd.exe 2 7->11         started        14 cmd.exe 2 7->14         started        signatures5 process6 signatures7 55 Suspicious powershell command line found 11->55 57 Tries to download and execute files (via powershell) 11->57 59 Uses ping.exe to check the status of other devices and networks 11->59 16 powershell.exe 21 11->16         started        19 PING.EXE 1 11->19         started        21 PING.EXE 1 11->21         started        29 2 other processes 11->29 23 powershell.exe 15 19 14->23         started        25 PING.EXE 1 14->25         started        27 PING.EXE 1 14->27         started        31 2 other processes 14->31 process8 dnsIp9 35 hinative.com 52.72.110.150 AMAZON-AESUS United States 19->35 37 192.168.2.1 unknown unknown 19->37 39 masharie.online 54.36.160.185, 49712, 49713, 80 OVHFR France 23->39 41 34.194.41.48 AMAZON-AESUS United States 25->41 43 3.211.253.137 AMAZON-AESUS United States 27->43
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1e472b9de49871cbf3a381b560312a55163a196213329fdae34f4bbae6dd9d20/
Threat name:
Script-Macro.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-04-07 14:25:07 UTC
AV detection:
6 of 47 (12.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dzdsxhpetby4x45dqg2wamjkkulduglccmzj7wxdj5f3vzw5tuqa._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
macro
Link:
https://tria.ge/reports/210407-e48vdq5qa6/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Program crash
Drops file in Windows directory
Blocklisted process makes network request
Process spawned unexpected child process
Malware Config
Dropper Extraction:
http://masharie.online/images/point.php
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1e472b9de49871cbf3a381b560312a55163a196213329fdae34f4bbae6dd9d20

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

TrickBot

Word file doc 1e472b9de49871cbf3a381b560312a55163a196213329fdae34f4bbae6dd9d20

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments