MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43fd4f99f4121ae1c321154612d720660bac3407252c6b0ee2e269519a64b203. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43fd4f99f4121ae1c321154612d720660bac3407252c6b0ee2e269519a64b203
SHA3-384 hash: 03c92bfd732381a63da91df20d03c9a372197e8ad1d9e9257075e62e19b4abab53fe1faefd38abeca51c38f565088f8c
SHA1 hash: b39fd9a64df62b97b91227966a0cf0a72d2d5c72
MD5 hash: af451f49111d54cab74320ab65bc4783
humanhash: lake-delta-wisconsin-lemon
File name:AWB# 6290868304.docx
Download: download sample
Signature Formbook
Create hunting rule
File size:183'778 bytes
First seen:2024-08-08 12:55:47 UTC
Last seen:Never
File type:Word file doc
MIME type:application/vnd.openxmlformats-officedocument.wordprocessingml.document
ssdeep 3072:ciY5rj1ATug+mhTZMxjcFQ9csn4qAzYjDp/shKuikycBSRjR/Vx7XU4Tto:m5r/g+qZMpcFSQzYHut4d1Bo
TLSH T1DB040230284384BACF63D435F452B02F738FB9236A361D6526D9ABA573488B79123F59
TrID 52.2% (.DOCX) Word Microsoft Office Open XML Format document (23500/1/4)
38.8% (.ZIP) Open Packaging Conventions container (17500/1/4)
8.8% (.ZIP) ZIP compressed archive (4000/1)
Reporter ngokoptmp
Tags:cve-2017-0199 doc docx FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
2'795
Origin country :
ID ID
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AWB# 6290868304.docx
Verdict:
No threats detected
Analysis date:
2024-08-08 12:58:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/271e7087-fca6-4ba0-a395-d67243d23321

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/msword
Has a screenshot:
False
Contains macros:
False
Detection(s):
TwinWave.EvilDoc.OkayLureDefenderWord.20220418.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.30525.XmlHeur.UNOFFICIAL
Create hunting rule

Doc.Downloader.Loda-7570590-0
Create hunting rule

TwinWave.EvilDoc.RemoteTemplateCallBadDDomainShowdown.20200304.UNOFFICIAL
Create hunting rule

MiscreantPunch.Suspicious.RemoteTemplateCall.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66b4c064aa5b40be0a9fdd03
Tags:
Exploit Generic Infostealer Network Office Agent
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
DNS request
Creating a window
Creating a file
Connection attempt
Sending a custom TCP request
Connection attempt by exploiting the app vulnerability
Launching a process by exploiting the app vulnerability
Sending a custom TCP request by exploiting the app vulnerability
Result
Verdict:
Malicious
File Type:
OOXML Word File
Link:
https://app.docguard.net/43fd4f99f4121ae1c321154612d720660bac3407252c6b0ee2e269519a64b203/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
language-af masquerade
Link:
https://www.filescan.io/uploads/66b4c0669d37dfa04d260c1e/reports/6561e0c6-6b9d-4f59-a5ef-8d8673c0e03b/overview
Verdict:
Malicious
Labled as:
CVE-2017-0199
Link:
https://www.hybrid-analysis.com/sample/43fd4f99f4121ae1c321154612d720660bac3407252c6b0ee2e269519a64b203
Label:
Benign
Suspicious Score:
4.3/10
Score Malicious:
43%
Score Benign:
57%
Link:
https://www.malware.ai/gui/files/?id=ebd954f3-397c-4e03-902d-9f3cee987aee
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/43fd4f99f4121ae1c321154612d720660bac3407252c6b0ee2e269519a64b203
Details
External Relationship Element
Document contains an externally hosted relationship, which fetches further content.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1489979
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Contains an external reference to another file
Document exploit detected (process start blacklist hit)
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
Microsoft Office launches external ms-search protocol handler (WebDAV)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office drops RTF file
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Office viewer loads remote template
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Equation Editor Network Connection
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1489979 Sample: AWB# 6290868304.docx.doc Startdate: 08/08/2024 Architecture: WINDOWS Score: 100 62 ftvproclad.top 2->62 72 Multi AV Scanner detection for domain / URL 2->72 74 Malicious sample detected (through community Yara rule) 2->74 76 Antivirus detection for dropped file 2->76 78 17 other signatures 2->78 12 WINWORD.EXE 303 54 2->12         started        signatures3 process4 dnsIp5 70 ftvproclad.top 172.67.185.159, 443, 49161, 49162 CLOUDFLARENETUS United States 12->70 50 C:\Users\user\...\wyfRlocEnjsHiix.doc.url, MS 12->50 dropped 52 C:\Users\user\AppData\...\ftvproclad.top.url, MS 12->52 dropped 54 ~WRF{0C387EDD-9AAB...C-6582EF360EAB}.tmp, Composite 12->54 dropped 108 Microsoft Office launches external ms-search protocol handler (WebDAV) 12->108 110 Office viewer loads remote template 12->110 112 Microsoft Office drops suspicious files 12->112 17 EQNEDT32.EXE 11 12->17         started        file6 signatures7 process8 dnsIp9 56 104.21.19.74, 443, 49164 CLOUDFLARENETUS United States 17->56 58 ftvproclad.top 17->58 44 C:\Users\user\...\yhndfreshkl89221.exe, PE32 17->44 dropped 46 C:\Users\user\...\wyfRlocEnjsHiix[1].exe, PE32 17->46 dropped 80 Office equation editor establishes network connection 17->80 82 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 17->82 22 yhndfreshkl89221.exe 3 17->22         started        file10 signatures11 process12 signatures13 92 Multi AV Scanner detection for dropped file 22->92 94 Machine Learning detection for dropped file 22->94 96 Adds a directory exclusion to Windows Defender 22->96 98 Injects a PE file into a foreign processes 22->98 25 yhndfreshkl89221.exe 22->25         started        28 powershell.exe 4 22->28         started        process14 signatures15 104 Maps a DLL or memory area into another process 25->104 30 TzeNYNPFbqkOC.exe 25->30 injected 106 Installs new ROOT certificates 28->106 process16 signatures17 114 Maps a DLL or memory area into another process 30->114 116 Found direct / indirect Syscall (likely to bypass EDR) 30->116 33 dfrgui.exe 1 21 30->33         started        process18 dnsIp19 60 www.sqlite.org 45.33.6.223, 49166, 49167, 80 LINODE-APLinodeLLCUS United States 33->60 48 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 33->48 dropped 84 Tries to steal Mail credentials (via file / registry access) 33->84 86 Tries to harvest and steal browser information (history, passwords, etc) 33->86 88 Maps a DLL or memory area into another process 33->88 90 Queues an APC in another process (thread injection) 33->90 38 TzeNYNPFbqkOC.exe 33->38 injected 42 firefox.exe 33->42         started        file20 signatures21 process22 dnsIp23 64 www.jucicty.xyz 38->64 66 www.jucicty.xyz 203.161.46.205, 49176, 49177, 49178 VNPT-AS-VNVNPTCorpVN Malaysia 38->66 68 4 other IPs or domains 38->68 100 Found direct / indirect Syscall (likely to bypass EDR) 38->100 signatures24 102 Performs DNS queries to domains with low reputation 64->102
Score:
99%
Verdict:
Malware
File Type:
OFFICE
Link:
https://malprob.io/report/43fd4f99f4121ae1c321154612d720660bac3407252c6b0ee2e269519a64b203
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/43fd4f99f4121ae1c321154612d720660bac3407252c6b0ee2e269519a64b203/
Threat name:
Document-Office.Exploit.CVE-2017-0199
Create hunting rule
Status:
Malicious
First seen:
2024-08-07 19:05:26 UTC
File Type:
Document
Extracted files:
12
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ip6u7gpucinodqzbcvdbfvzamyf2ynaheuwgwdxc4juvdgtewibq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/240809-k41pfasfmg/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
System Location Discovery: System Language Discovery
Drops file in Windows directory
Abuses OpenXML format to download file from external location
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f9630f6d-54d3-4e2f-a9d0-3c4ed77729f4
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/43fd4f99f412/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/43fd4f99f4121ae1c321154612d720660bac3407252c6b0ee2e269519a64b203

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Word file doc 43fd4f99f4121ae1c321154612d720660bac3407252c6b0ee2e269519a64b203

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments