MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f03af8f9cc110a2ff8fbe81cbb4c234a66d9525ac932cdb9748a8a72adf86eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f03af8f9cc110a2ff8fbe81cbb4c234a66d9525ac932cdb9748a8a72adf86eb
SHA3-384 hash: e9b4f3cd157671d12acb38fd3011d5f25127ca9d25f62e564dc95c42422d95f08d7680867be5d13abd56697cea480ace
SHA1 hash: df35a0089b72f1775483a72517dba5741fd410f1
MD5 hash: c419edcbbacadee330ee7f8a9810a0df
humanhash: princess-single-princess-fix
File name:Due invoice(7829348756473).xlsx
Download: download sample
Signature Formbook
Create hunting rule
File size:1'452'966 bytes
First seen:2022-04-16 19:21:23 UTC
Last seen:Never
File type:Excel file xlsx
MIME type:application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep 24576:SXhcA861QnQ5FEdK11n2dAOX8jlvBBbxX2jCWiZEyI4++sKs8343wEY1U9ccaB+Z:UI615FuK1Z2dA3lptJ2WWObsqswEg4ku
TLSH T10A6533CA7DEFA1D3DF05AE35E04DBBEF0543EB03242345308A0256796822ADF7D96691
TrID 60.1% (.XLSX) Excel Microsoft Office Open XML Format document (34000/1/7)
30.9% (.ZIP) Open Packaging Conventions container (17500/1/4)
7.0% (.ZIP) ZIP compressed archive (4000/1)
1.7% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter AndreGironda
Tags:CVE-2017-11882 FormBook xlsx


Avatar
AndreGironda
MITRE T1566.001
Date: Wed, 13 Apr 2022 04:00-04:30 +0200
Received: from box.localdomain (170.39.212.249)
MIME-Version: 1.0
From: Monica Wang <spaceman@manalichemicals.cam>
To: finance department <spaceman@manalichemicals.cam>
Subject: Re: Re: Due invoice
User-Agent: Roundcube Webmail/1.4.11
Message-ID: <7f1fedb1e293cea5a4f51d8c07349599@manalichemicals.cam>
X-Sender: spaceman@manalichemicals.cam
Content-Type: multipart/mixed; boundary="=_8f260ce9576f538edbe169ce9c13f506"
Return-Path: spaceman@manalichemicals.cam
Attachment Name: Due invoice(7829348756473).xlsx
Maldoc SHA256: 7f03af8f9cc110a2ff8fbe81cbb4c234a66d9525ac932cdb9748a8a72adf86eb

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE dump

MalwareBazaar was able to identify 3 sections in this file using oledump:

Section IDSection sizeSection name
A11766927 bytesOle10Native
A20 bytesNuVbK2VmVapBauVS

Intelligence

File Origin
# of uploads :
1
# of downloads :
543
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Due invoice(7829348756473).xlsx
Verdict:
No threats detected
Analysis date:
2022-04-16 18:45:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/83bd9127-9c4e-4149-888b-2c32812c0dec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Has a screenshot:
False
Contains macros:
False
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for the window
Sending a custom TCP request
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
Malicious
File Type:
OOXML Excel File with Embedding Objects
Link:
https://app.docguard.net/7f03af8f9cc110a2ff8fbe81cbb4c234a66d9525ac932cdb9748a8a72adf86eb/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
CVE-2017-11882 embedequation exploit
Link:
https://www.filescan.io/uploads/625b175bffe27d5119ea53d7/reports/7470b2f2-f02f-411b-a9bf-f6a9ef200ead/overview
Label:
Malicious
Suspicious Score:
9.8/10
Score Malicious:
99%
Score Benign:
1%
Link:
https://www.malware.ai/gui/files/?id=1ac37545-5084-4bfb-9240-287ecbf5f8e6
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/7f03af8f9cc110a2ff8fbe81cbb4c234a66d9525ac932cdb9748a8a72adf86eb
Details
Document With No Content
Document contains little or no semantic information.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/977724
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7f03af8f9cc110a2ff8fbe81cbb4c234a66d9525ac932cdb9748a8a72adf86eb/
Threat name:
Document-Office.Exploit.CVE-2017-11882
Create hunting rule
Status:
Malicious
First seen:
2022-04-13 01:40:12 UTC
File Type:
Document
Extracted files:
16
AV detection:
24 of 42 (57.14%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220416-x272ysfgfm/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Launches Equation Editor
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/7f03af8f9cc110a2ff8fbe81cbb4c234a66d9525ac932cdb9748a8a72adf86eb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Excel file xlsx 7f03af8f9cc110a2ff8fbe81cbb4c234a66d9525ac932cdb9748a8a72adf86eb

(this sample)

Cape
Cape
https://capesandbox.com/analysis/264122/
  
Delivery method
Distributed via e-mail attachment

Comments