MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ee98ae0d927e1471de002517a1d09e8065064e83a87616762a988e47505b0fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Maldoc score: 29


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ee98ae0d927e1471de002517a1d09e8065064e83a87616762a988e47505b0fa
SHA3-384 hash: b056cc9e1b97628dff8aa696c86d28edf8e43fda1a828e18dbac482a2e2786ef7c377deb229eec85e7b7ababe11894c8
SHA1 hash: 1349a6e825171f68f4967d2696c10493770e47bc
MD5 hash: 921590862be12ee9b8b67dd4a14652e0
humanhash: maryland-cola-idaho-nitrogen
File name:diagram-595.doc
Download: download sample
File size:229'380 bytes
First seen:2021-09-13 21:48:46 UTC
Last seen:Never
File type:Word file doc
MIME type:application/msword
ssdeep 3072:s1Ew9u9qLF0EYouFCoOVaLyUqDDhllsFLkmkt9Qdkmkt9QZRh9Gvkmkt9QB:s1EJoEouGLXhlGFg/kRh9GMS
TLSH T148245B037A58C752D48566765E93CEA867367E588E8323EB712C3B4F3F74B104C1A26E
Reporter Anonymous
Tags:doc

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 29
Application name is Microsoft Office Word
Office document is in OLE format
Office document contains VBA Macros
OLE dump

MalwareBazaar was able to identify 40 sections in this file using oledump:

Section IDSection sizeSection name
1114 bytesCompObj
24096 bytesDocumentSummaryInformation
34096 bytesSummaryInformation
411874 bytes1Table
563871 bytesData
6644 bytesMacros/PROJECT
7170 bytesMacros/PROJECTwm
897 bytesMacros/UserForm1/CompObj
9266 bytesMacros/UserForm1/VBFrame
1024953 bytesMacros/UserForm1/f
110 bytesMacros/UserForm1/o
129368 bytesMacros/VBA/Module1
139368 bytesMacros/VBA/Module2
145669 bytesMacros/VBA/Module3
153815 bytesMacros/VBA/ThisDocument
161167 bytesMacros/VBA/UserForm1
176650 bytesMacros/VBA/_VBA_PROJECT
184162 bytesMacros/VBA/__SRP_0
19365 bytesMacros/VBA/__SRP_1
201644 bytesMacros/VBA/__SRP_4
21186 bytesMacros/VBA/__SRP_5
221652 bytesMacros/VBA/__SRP_6
23103 bytesMacros/VBA/__SRP_7
241700 bytesMacros/VBA/deutsche
251300 bytesMacros/VBA/dir
2697 bytesMacros/deutsche/CompObj
27292 bytesMacros/deutsche/VBFrame
2825453 bytesMacros/deutsche/f
29115 bytesMacros/deutsche/i08/CompObj
30176 bytesMacros/deutsche/i08/f
31110 bytesMacros/deutsche/i08/i10/CompObj
3256 bytesMacros/deutsche/i08/i10/f
330 bytesMacros/deutsche/i08/i10/o
34110 bytesMacros/deutsche/i08/i11/CompObj
3540 bytesMacros/deutsche/i08/i11/f
360 bytesMacros/deutsche/i08/i11/o
37148 bytesMacros/deutsche/i08/o
3848 bytesMacros/deutsche/i08/x
3927655 bytesMacros/deutsche/o
404096 bytesWordDocument
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecAutoOpenRuns when the Word document is opened
AutoExecDocument_OpenRuns when the Word or Publisher document is opened
AutoExecUserForm_ClickRuns when the file is opened and ActiveX objects trigger events
IOCwww.ps1Executable file name
IOCcscript.exeExecutable file name
IOCwww1.dllExecutable file name
IOCwww2.dllExecutable file name
IOCwww3.dllExecutable file name
IOCwww4.dllExecutable file name
IOCwww5.dllExecutable file name
IOCrundll32.exeExecutable file name
SuspiciousEnvironMay read system environment variables
SuspiciousOpenMay open a file
SuspiciousOutputMay write to a file (if combined with Open)
SuspiciousMoveFileMay move a file
SuspiciousShellMay run an executable file or a system command
SuspiciousWScript.ShellMay run an executable file or a system command
SuspiciousRunMay run an executable file or a system command
SuspiciousPowershellMay run PowerShell commands
SuspiciousExecutionPolicyMay run PowerShell commands
SuspiciousCreateObjectMay create an OLE object
SuspiciousChrMay attempt to obfuscate specific strings (use option --deobf to deobfuscate)
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
SuspiciousBase64 StringsBase64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
1
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
diagram-595.doc
Verdict:
Malicious activity
Analysis date:
2021-09-13 21:46:37 UTC
Tags:
macros macros-on-open generated-doc
Link:
https://app.any.run/tasks/4bf5b47e-edef-42a4-96e0-af04171d4a1a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/msword
Has a screenshot:
False
Contains macros:
True
Detection(s):
SecuriteInfo.com.Office.Macro-13.UNOFFICIAL
Create hunting rule

Sanesecurity.Badmacro.doc_shellao.UNOFFICIAL
Create hunting rule

Sanesecurity.Badmacro.Wsc.exe.UNOFFICIAL
Create hunting rule

Sanesecurity.Badmacro.BadDoc.Fmt.Shell.UNOFFICIAL
Create hunting rule

MiscreantPunch.EvilMacro.AOPSH.UNOFFICIAL
Create hunting rule

MiscreantPunch.SuspiciousDoc.CrackedVersion.2.UNOFFICIAL
Create hunting rule

MiscreantPunch.PiratedOfficeVersionWithMacros.UNOFFICIAL
Create hunting rule

MiscreantPunch.Macro.PiratedOffice.171002.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
Legacy Word File with Macro
Link:
https://app.docguard.net/5ee98ae0d927e1471de002517a1d09e8065064e83a87616762a988e47505b0fa/results/dashboard
Document image
Image:
Download PNG
Document image
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
macros macros-on-open powershell
Link:
https://www.filescan.io/uploads/617506049a5a1e91c5d1fdd3/reports/3ae3c692-2faf-4d73-8669-8ebab6325517/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/5ee98ae0d927e1471de002517a1d09e8065064e83a87616762a988e47505b0fa
Details
Time Delay Loop
Detected a macro with a suspicious time-wait loop, potentially to evade sandboxes.
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Document With Few Pages
Document contains between one and three pages of content. Most malicious documents are sparse in page count.
Macro with File System Write
Detected macro logic that can write data to the file system.
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/850189
Signature
Document contains an embedded macro with GUI obfuscation
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document exploit detected (process start blacklist hit)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Powershell drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Office product drops script at suspicious location
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 482620 Sample: diagram-595.doc Startdate: 13/09/2021 Architecture: WINDOWS Score: 100 85 Multi AV Scanner detection for dropped file 2->85 87 Sigma detected: Office product drops script at suspicious location 2->87 89 Document contains an embedded macro with GUI obfuscation 2->89 91 7 other signatures 2->91 9 WINWORD.EXE 436 34 2->9         started        process3 file4 61 C:\Users\user\AppData\Roaming\www.txt, ASCII 9->61 dropped 63 C:\Users\user\AppData\Roaming\www.ps1, ASCII 9->63 dropped 12 cscript.exe 1 9->12         started        14 cscript.exe 1 9->14         started        process5 process6 16 powershell.exe 16 11 12->16         started        21 cmd.exe 12->21         started        23 cmd.exe 12->23         started        31 3 other processes 12->31 25 cmd.exe 14->25         started        27 powershell.exe 14->27         started        29 cmd.exe 14->29         started        33 3 other processes 14->33 dnsIp7 65 tailorind.com.pk 108.167.172.176, 443, 49168, 49169 UNIFIEDLAYER-AS-1US United States 16->65 67 aartieeabhjeet.com 116.206.105.115, 443, 49171, 49172 PUBLIC-DOMAIN-REGISTRYUS Seychelles 16->67 71 3 other IPs or domains 16->71 59 C:\ProgramData\www1.dll, MS-DOS 16->59 dropped 93 Powershell drops PE file 16->93 35 rundll32.exe 21->35         started        37 rundll32.exe 23->37         started        39 rundll32.exe 25->39         started        69 stuffiknow.in 27->69 41 rundll32.exe 29->41         started        43 rundll32.exe 31->43         started        45 rundll32.exe 31->45         started        47 rundll32.exe 31->47         started        49 rundll32.exe 33->49         started        51 2 other processes 33->51 file8 signatures9 process10 process11 53 rundll32.exe 35->53         started        57 rundll32.exe 39->57         started        dnsIp12 73 serverplanner.com 88.202.230.64, 49174, 49180, 49203 UK2NET-ASGB United Kingdom 53->73 75 bengali.iu.ac.bd 103.28.121.60, 49176, 49181, 49182 BDREN-UGC-AS-APBangladeshResearchandEducationNetworkB Bangladesh 53->75 77 owfix.net 53->77 95 System process connects to network (likely due to code injection or exploit) 53->95 79 enlacelaboral.com 162.214.117.192, 49188, 49189, 49190 UNIFIEDLAYER-AS-1US United States 57->79 81 u522712.gluweb.nl 192.87.140.201, 49202, 80 SURFNET-NLSURFnetTheNetherlandsNL Netherlands 57->81 83 5 other IPs or domains 57->83 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ee98ae0d927e1471de002517a1d09e8065064e83a87616762a988e47505b0fa/
Threat name:
Document-Office.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2021-09-13 21:49:06 UTC
AV detection:
10 of 43 (23.26%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
macro macro_on_action
Link:
https://tria.ge/reports/210913-1pbprshebp/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Drops file in Windows directory
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Process spawned unexpected child process
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5ee98ae0d927/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5ee98ae0d927e1471de002517a1d09e8065064e83a87616762a988e47505b0fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_OLE_Suspicious_ActiveX
Create hunting rule
Author:ditekSHen
Description:detects OLE documents with suspicious ActiveX content
Rule name:INDICATOR_OLE_Suspicious_Reverse
Create hunting rule
Author:ditekSHen
Description:detects OLE documents containing VB scripts with reversed suspicious strings
Rule name:Office_AutoOpen_Macro
Create hunting rule
Author:Florian Roth
Description:Detects an Microsoft Office file that contains the AutoOpen Macro function
Rule name:quakbot_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:silentbuilder_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments