MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0362be648ebb92266bb64410e429350aefbddb0af74d7e89bea23cfbe75aa64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Vjw0rm


Vendor detections: 13


Maldoc score: 22


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0362be648ebb92266bb64410e429350aefbddb0af74d7e89bea23cfbe75aa64
SHA3-384 hash: e8cca9d865b9afdd1626184607bf5994b1bc72df90dc73bb05c59dd14d52e86d54a4a38778606fc89168eb7b7e48207a
SHA1 hash: b865efd764549e7e64eaa37ae67a977958a5fcec
MD5 hash: 7c853ab182e0e0a51baa85ba460ddf51
humanhash: india-lemon-tennis-neptune
File name:Bloomberg BNA Invoice Enclosed 0984762748365..xls
Download: download sample
Signature Vjw0rm
Create hunting rule
File size:60'928 bytes
First seen:2023-01-16 15:45:29 UTC
Last seen:2023-01-16 17:41:46 UTC
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 1536:Qk3hOdsylKlgryzc4bNhZFGzE+cL2knw0jftONLqbNacyr042LfC:Qk3hOdsylKlgryzc4bNhZFGzE+cL2knZ
TLSH T1D953A652B396D956C5590F364CD6C2EA3335FC519F67870BB284F32E2E72B808E02B56
TrID 46.5% (.XLS) Microsoft Excel sheet (alternate) (56500/1/4)
26.7% (.XLS) Microsoft Excel sheet (32500/1/3)
20.1% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2)
6.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter abuse_ch
Tags:vjw0rm xls


Avatar
abuse_ch
Vjw0rm C2:
http://38.132.119.150:2211/Vre

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 22
OLE dump

MalwareBazaar was able to identify 28 sections in this file using oledump:

Section IDSection sizeSection name
1107 bytesCompObj
220 bytesOle
3268 bytesDocumentSummaryInformation
4132 bytesSummaryInformation
517139 bytesWorkbook
6709 bytes_VBA_PROJECT_CUR/PROJECT
7149 bytes_VBA_PROJECT_CUR/PROJECTwm
897 bytes_VBA_PROJECT_CUR/UserForm1/CompObj
9292 bytes_VBA_PROJECT_CUR/UserForm1/VBFrame
103287 bytes_VBA_PROJECT_CUR/UserForm1/f
11236 bytes_VBA_PROJECT_CUR/UserForm1/o
124211 bytes_VBA_PROJECT_CUR/VBA/Module1
13999 bytes_VBA_PROJECT_CUR/VBA/Sheet1
142001 bytes_VBA_PROJECT_CUR/VBA/ThisWorkbook
152945 bytes_VBA_PROJECT_CUR/VBA/UserForm1
163994 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
174236 bytes_VBA_PROJECT_CUR/VBA/__SRP_0
18468 bytes_VBA_PROJECT_CUR/VBA/__SRP_1
19954 bytes_VBA_PROJECT_CUR/VBA/__SRP_2
20156 bytes_VBA_PROJECT_CUR/VBA/__SRP_3
21904 bytes_VBA_PROJECT_CUR/VBA/__SRP_4
22380 bytes_VBA_PROJECT_CUR/VBA/__SRP_5
231180 bytes_VBA_PROJECT_CUR/VBA/__SRP_6
24206 bytes_VBA_PROJECT_CUR/VBA/__SRP_7
251484 bytes_VBA_PROJECT_CUR/VBA/__SRP_8
26206 bytes_VBA_PROJECT_CUR/VBA/__SRP_9
274148 bytes_VBA_PROJECT_CUR/VBA/clsCifrado
28928 bytes_VBA_PROJECT_CUR/VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecWorkbook_OpenRuns when the Excel Workbook is opened
AutoExecbtnCifrar_ClickRuns when the file is opened and ActiveX objects trigger events
IOCtextfile.jsExecutable file name
SuspiciousOpenMay open a file
SuspiciouswriteMay write to a file (if combined with Open)
SuspiciousOutputMay write to a file (if combined with Open)
SuspiciousBinaryMay read or write a binary file (if combined with Open)
SuspiciousShellMay run an executable file or a system command
SuspiciousvbNormalFocusMay run an executable file or a system command
SuspiciouscommandMay run PowerShell commands
SuspiciousXorMay attempt to obfuscate specific strings (use option --deobf to deobfuscate)
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
SuspiciousXLM macroXLM macro found. It may contain malicious code

Intelligence

File Origin
# of uploads :
2
# of downloads :
232
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vjworm
Create hunting rule
ID:
1
File name:
Bloomberg BNA Invoice Enclosed 0984762748365..xls
Verdict:
Malicious activity
Analysis date:
2023-01-16 15:47:46 UTC
Tags:
macros macros-on-open maldoc-14 trojan vjworm
Link:
https://app.any.run/tasks/c81d6725-7aa8-45f6-b1d6-d5b0d808165b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/vnd.ms-excel
Has a screenshot:
False
Contains macros:
True
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/353455/
Detection(s):
TwinWave.EvilDoc.DOCXSTRGOOD..JSE.200618.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.XLSLOLBINHammerToFall.20201218.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Using the Windows Management Instrumentation requests
Sending an HTTP POST request
Launching a process by exploiting the app vulnerability
Enabling autorun by creating a file
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Link:
https://app.docguard.net/a0362be648ebb92266bb64410e429350aefbddb0af74d7e89bea23cfbe75aa64/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm macros macros-on-open obfuscated wscript
Link:
https://www.filescan.io/uploads/63c5713b8352dc7065e30695/reports/9617a90f-0172-4e4b-b31d-31e6d91d47ac/overview
Label:
Malicious
Suspicious Score:
6.0/10
Score Malicious:
6%
Score Benign:
4%
Link:
https://www.malware.ai/gui/files/?id=3f83137d-1339-4c7b-bb6d-41287484cdce
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/a0362be648ebb92266bb64410e429350aefbddb0af74d7e89bea23cfbe75aa64
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Excel 4.0 Macro
Document contains Excel 4.0 macros (XLM). A valid, albeit dated feature, this document should be treated with suspicion.
Macro with File System Write
Detected macro logic that can write data to the file system.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Document With Minimal Content
Document contains less than 1 kilobyte of semantic information.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1152468
Signature
Antivirus detection for URL or domain
Document contains an embedded macro with GUI obfuscation
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains OLE streams with names of living off the land binaries
Document exploit detected (creates forbidden files)
Document exploit detected (process start blacklist hit)
Drops script or batch files to the startup folder
Microsoft Office drops suspicious files
Sigma detected: Drops script at startup location
System process connects to network (likely due to code injection or exploit)
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a0362be648ebb92266bb64410e429350aefbddb0af74d7e89bea23cfbe75aa64/
Threat name:
Script-Macro.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-01-16 14:46:40 UTC
File Type:
Document
Extracted files:
35
AV detection:
8 of 37 (21.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ua3cxzsi5o4sezv3mraq4qutkcxpxxnqv52np2e35ir47ptvvjsa._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
macro macro_on_action xlm
Link:
https://tria.ge/reports/230116-s7l98ahd49/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Drops startup file
Blocklisted process makes network request
Process spawned unexpected child process
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a0362be648eb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a0362be648ebb92266bb64410e429350aefbddb0af74d7e89bea23cfbe75aa64

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:informational_win_ole_protected
Create hunting rule
Author:Jeff White (karttoon@gmail.com) @noottrak
Description:Identify OLE Project protection within documents.
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:TA505_Maldoc_21Nov_2
Create hunting rule
Author:Arkbird_SOLG
Description:invitation (1).xls
Reference:https://twitter.com/58_158_177_102/status/1197432303057637377

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/353455/

Comments