MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62b96f7ff4146f33146f2c134e2bfe2ad3bc2df63f1276c9eb6ad1af5952940e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 15


Maldoc score: 3


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 62b96f7ff4146f33146f2c134e2bfe2ad3bc2df63f1276c9eb6ad1af5952940e
SHA3-384 hash: 83e9e33a173398b20a78a4841072d79cbc2c91bf8ebef1ffd88cc0c76bec42e0595e7c280741f4b12da79dbbcc4839f2
SHA1 hash: 2fd273a4f5a39691e4f256eebf4c0ec705a0d298
MD5 hash: 917e800806d60717238c5b767070af1a
humanhash: lemon-william-chicken-jupiter
File name:Product_Samples.doc
Download: download sample
Signature XWorm
Create hunting rule
File size:816'128 bytes
First seen:2024-11-06 15:33:16 UTC
Last seen:2024-11-06 17:19:50 UTC
File type:Word file doc
MIME type:application/msword
ssdeep 24576:/KOGjn4lUrN4vaxrB1qep1wuJ7NYtQV7dJXWlLPx:3q4m4Sxrzp1TJ7j7vXW
TLSH T142052341BEE0CFBBE56632B58942E701A12EFC8E5F068B0B3C55B34EEA34BB54545324
TrID 52.6% (.DOC) Microsoft Word document (30000/1/2)
33.3% (.DOC) Microsoft Word document (old ver.) (19000/1/2)
14.0% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika doc
Reporter abuse_ch
Tags:doc xworm

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 3
OLE dump

MalwareBazaar was able to identify 12 sections in this file using oledump:

Section IDSection sizeSection name
1114 bytesCompObj
24096 bytesDocumentSummaryInformation
34096 bytesSummaryInformation
47283 bytes1Table
5778946 bytesData
6422 bytesMacros/PROJECT
771 bytesMacros/PROJECTwm
81066 bytesMacros/VBA/NewMacros
91838 bytesMacros/VBA/ThisDocument
102640 bytesMacros/VBA/_VBA_PROJECT
11569 bytesMacros/VBA/dir
124096 bytesWordDocument
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecAUTOOPEnRuns when the Word document is opened
SuspiciousShellMay run an executable file or a system command

Intelligence

File Origin
# of uploads :
2
# of downloads :
445
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Product_Samples.doc
Verdict:
Malicious activity
Analysis date:
2024-11-06 16:21:57 UTC
Tags:
generated-doc macros macros-on-open
Link:
https://app.any.run/tasks/99ad406d-a196-4728-9097-43ccc7ffce60

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
MiscreantPunch.EvilMacro.SHBIN.170210.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DetonatorFRMActionAndAction.20210308.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.SensitiveFunctionNamePollutionDeadPlanet.20210608.UNOFFICIAL
Create hunting rule

MiscreantPunch.EvilMacro.AOPSH.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=672b8c768d23d90491345eb6
Tags:
powershell autorun gumen
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Running batch commands
Running batch commands by exploiting the app vulnerability
Result
Verdict:
Malicious
File Type:
Legacy Word File with Macro
Link:
https://app.docguard.net/62b96f7ff4146f33146f2c134e2bfe2ad3bc2df63f1276c9eb6ad1af5952940e/results/dashboard
Behaviour
BlacklistAPI detected
Document image
Image:
Download PNG
Document image
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dropper macros macros-on-open powershell powershell
Link:
https://www.filescan.io/uploads/672b8c72dbbc410893ad80df/reports/09245682-1c6b-4726-be52-dd36bfa6f23d/overview
Verdict:
Malicious
Labled as:
Exploit.MSOffice.2
Link:
https://www.hybrid-analysis.com/sample/62b96f7ff4146f33146f2c134e2bfe2ad3bc2df63f1276c9eb6ad1af5952940e
Label:
Malicious
Suspicious Score:
8.2/10
Score Malicious:
83%
Score Benign:
17%
Link:
https://www.malware.ai/gui/files/?id=115c6ba7-5318-48b4-8400-fe883731a45f
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/62b96f7ff4146f33146f2c134e2bfe2ad3bc2df63f1276c9eb6ad1af5952940e
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Document With Few Pages
Document contains between one and three pages of content. Most malicious documents are sparse in page count.
Hidden Powershell
Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Result
Threat name:
DarkTortilla, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1550344
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Document exploit detected (process start blacklist hit)
Drops PE files to the startup folder
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Microsoft Office Child Process
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to delay execution (extensive OutputDebugStringW loop)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected DarkTortilla Crypter
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1550344 Sample: Product_Samples.doc Startdate: 06/11/2024 Architecture: WINDOWS Score: 100 88 Suricata IDS alerts for network traffic 2->88 90 Found malware configuration 2->90 92 Malicious sample detected (through community Yara rule) 2->92 94 15 other signatures 2->94 11 WINWORD.EXE 339 20 2->11         started        15 xwor.exe 2 2->15         started        17 xwor.exe 2->17         started        19 xwor.exe 2 2->19         started        process3 file4 68 C:\Users\...\~WRD0000.tmp:Zone.Identifier, ASCII 11->68 dropped 70 C:\Users\user\Desktop\~WRD0000.tmp, Composite 11->70 dropped 72 C:\Users\user\...\Product_Samples.doc (copy), Composite 11->72 dropped 120 PowerShell case anomaly found 11->120 21 cmd.exe 11->21         started        122 Writes to foreign memory regions 15->122 124 Allocates memory in foreign processes 15->124 126 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->126 24 InstallUtil.exe 6 15->24         started        128 Injects a PE file into a foreign processes 17->128 28 InstallUtil.exe 17->28         started        30 InstallUtil.exe 17->30         started        32 InstallUtil.exe 19->32         started        signatures5 process6 dnsIp7 100 Suspicious powershell command line found 21->100 102 PowerShell case anomaly found 21->102 34 powershell.exe 12 6 21->34         started        78 185.244.29.113, 49166, 5563 DAVID_CRAIGGG Netherlands 24->78 64 C:\Users\user\AppData\Roaming\XClient.exe, PE32 24->64 dropped 104 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->104 file8 signatures9 process10 dnsIp11 74 alexanu.com 69.49.234.173, 443, 49165 UNIFIEDLAYER-AS-1US United States 34->74 62 C:\Users\user\AppData\Roaming\admini.exe, PE32 34->62 dropped 96 Installs new ROOT certificates 34->96 98 Powershell drops PE file 34->98 39 admini.exe 2 34->39         started        file12 signatures13 process14 signatures15 106 Multi AV Scanner detection for dropped file 39->106 108 Machine Learning detection for dropped file 39->108 110 Hides that the sample has been downloaded from the Internet (zone.identifier) 39->110 112 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 39->112 42 cmd.exe 1 39->42         started        46 cmd.exe 39->46         started        process16 file17 66 C:\Users\user\AppData\Roaming\...\xwor.exe, PE32 42->66 dropped 114 Uses ping.exe to sleep 42->114 48 xwor.exe 42->48         started        51 PING.EXE 42->51         started        53 PING.EXE 42->53         started        116 Drops PE files to the startup folder 46->116 118 Uses ping.exe to check the status of other devices and networks 46->118 55 PING.EXE 46->55         started        58 reg.exe 1 46->58         started        signatures18 process19 dnsIp20 80 Writes to foreign memory regions 48->80 82 Allocates memory in foreign processes 48->82 84 Hides that the sample has been downloaded from the Internet (zone.identifier) 48->84 86 Injects a PE file into a foreign processes 48->86 60 InstallUtil.exe 48->60         started        76 127.0.0.1 unknown unknown 55->76 signatures21 process22
Score:
100%
Verdict:
Malware
File Type:
OFFICE
Link:
https://malprob.io/report/62b96f7ff4146f33146f2c134e2bfe2ad3bc2df63f1276c9eb6ad1af5952940e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/62b96f7ff4146f33146f2c134e2bfe2ad3bc2df63f1276c9eb6ad1af5952940e/
Threat name:
Document-Office.Downloader.Dornoe
Create hunting rule
Status:
Malicious
First seen:
2024-11-06 16:26:01 UTC
AV detection:
14 of 24 (58.33%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mk4w677ucrxtgfdpfqju4k76flj3ylpwh4jhnsplnli26wkssqha._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
error
XWorm
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery execution macro
Link:
https://tria.ge/reports/241106-szrvqssjcx/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
System Location Discovery: System Language Discovery
Drops file in Windows directory
Command and Scripting Interpreter: PowerShell
Process spawned unexpected child process
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/23397920-a202-4928-9414-4ab059470814
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:informational_win_ole_protected
Create hunting rule
Author:Jeff White (karttoon@gmail.com) @noottrak
Description:Identify OLE Project protection within documents.
Rule name:PowerShell_in_Word_Doc_RID2FBC
Create hunting rule
Author:Florian Roth
Description:Detects a powershell and bypass keyword in a Word document
Reference:Internal Research - ME

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments