MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2577fc056cfff4025b8cd15f49b2d2cb150c3f7f3fb0c1ee8067afc9f5c807d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Maldoc score: 4


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a2577fc056cfff4025b8cd15f49b2d2cb150c3f7f3fb0c1ee8067afc9f5c807d
SHA3-384 hash: bce8d997fc4594f837a549d832bb66d00e39d37880eb44b4bdd013d0ad66c220e0e4954682fccdd24eda30869686d709
SHA1 hash: 3f189e1c935ea707976626bb907485e90eeb6811
MD5 hash: 4c67ee1f39fbbdc5fa1ecaba1792b0e8
humanhash: juliet-comet-south-green
File name:sales contract.xls
Download: download sample
File size:523'776 bytes
First seen:2023-07-18 06:19:04 UTC
Last seen:2023-07-18 06:38:26 UTC
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 12288:KOZioWQmmme6v3QLQuEZBWQmmme6v3QLQuEyBB/1EOEx10JGUFb8cje76/:vWQmmav30xKWQmmav30x/BhG10FH
TLSH T147B4F100368C9D9DE2826BFDB976B18E901CBD3372C5A1D76BC8B70A8476FAF541B411
TrID 46.5% (.XLS) Microsoft Excel sheet (alternate) (56500/1/4)
26.7% (.XLS) Microsoft Excel sheet (32500/1/3)
20.1% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2)
6.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter abuse_ch
Tags:xls

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 4
OLE dump

MalwareBazaar was able to identify 25 sections in this file using oledump:

Section IDSection sizeSection name
1114 bytesCompObj
2244 bytesDocumentSummaryInformation
3200 bytesSummaryInformation
493 bytesMBD000210CB/CompObj
562 bytesMBD000210CB/Ole
620243 bytesMBD000210CB/CONTENTS
793 bytesMBD000210CC/CompObj
862 bytesMBD000210CC/Ole
9141190 bytesMBD000210CC/CONTENTS
1093 bytesMBD000210CD/CompObj
1162 bytesMBD000210CD/Ole
12141190 bytesMBD000210CD/CONTENTS
1393 bytesMBD000210CE/CompObj
1462 bytesMBD000210CE/Ole
157284 bytesMBD000210CE/CONTENTS
16404 bytesMBD000210CF/Ole
17192093 bytesWorkbook
18521 bytes_VBA_PROJECT_CUR/PROJECT
19104 bytes_VBA_PROJECT_CUR/PROJECTwm
20977 bytes_VBA_PROJECT_CUR/VBA/Sheet1
21977 bytes_VBA_PROJECT_CUR/VBA/Sheet2
22977 bytes_VBA_PROJECT_CUR/VBA/Sheet3
23985 bytes_VBA_PROJECT_CUR/VBA/ThisWorkbook
242644 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
25553 bytes_VBA_PROJECT_CUR/VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
2
# of downloads :
266
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
sales contract.xls
Verdict:
No threats detected
Analysis date:
2023-07-18 06:22:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/88e112f6-4de0-4dc6-94d3-5d966cb699f6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/vnd.ms-excel
Has a screenshot:
False
Contains macros:
False
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/423224/
Detection(s):
SecuriteInfo.com.Trojan.Script.4681.26133.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Other.Malware-gen.12790.22077.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Other.Malware-gen.5174.11109.UNOFFICIAL
Create hunting rule

PUA.Win.Trojan.EmbeddedPDF-1
Create hunting rule

Sanesecurity.Badmacro.Xls.badsh.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.OleWishDottedQuadPolicykill.20220908.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for synchronization primitives
Launching a process
Сreating synchronization primitives
Creating a file
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Possible injection to a system process
Sending an HTTP GET request
Launching a process by exploiting the app vulnerability
Creating a process from a recently created file
Unauthorized injection to a system process
Result
Verdict:
Suspicious
File Type:
Legacy Excel File with Macro
Link:
https://app.docguard.net/a2577fc056cfff4025b8cd15f49b2d2cb150c3f7f3fb0c1ee8067afc9f5c807d/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
macros
Link:
https://www.filescan.io/uploads/64b62f158ca71f19e088e897/reports/dd0d94ad-a88c-4290-82e2-b4434faa36fa/overview
Verdict:
Malicious
Labled as:
CVE-2017-11882
Link:
https://www.hybrid-analysis.com/sample/a2577fc056cfff4025b8cd15f49b2d2cb150c3f7f3fb0c1ee8067afc9f5c807d
Label:
Benign
Suspicious Score:
4.4/10
Score Malicious:
45%
Score Benign:
55%
Link:
https://www.malware.ai/gui/files/?id=855dc420-b875-4cad-9b88-6045f52f322e
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/a2577fc056cfff4025b8cd15f49b2d2cb150c3f7f3fb0c1ee8067afc9f5c807d
Details
Document With Few Pages
Document contains between one and three pages of content. Most malicious documents are sparse in page count.
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1274869
Signature
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Microsoft Office drops suspicious files
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1274869 Sample: sales_contract.xls Startdate: 18/07/2023 Architecture: WINDOWS Score: 68 40 Malicious sample detected (through community Yara rule) 2->40 42 Antivirus detection for dropped file 2->42 44 Multi AV Scanner detection for submitted file 2->44 6 WINWORD.EXE 35 52 2->6         started        10 EXCEL.EXE 29 65 2->10         started        13 AcroRd32.exe 40 2->13         started        process3 dnsIp4 24 isoiosioiosiosioos...iioosioosio.DOC.url, MS 6->24 dropped 26 C:\Users\user\...\iso on 43.230.202.82.url, MS 6->26 dropped 28 ~WRF{F86660B8-EC68...8-78B7A7CBEE85}.tmp, Composite 6->28 dropped 30 C:\Users\user\AppData\Local\...\BF0437D7.doc, ISO-8859 6->30 dropped 46 Microsoft Office drops suspicious files 6->46 15 splwow64.exe 6->15         started        17 MSOSYNC.EXE 5 12 6->17         started        19 MSOSYNC.EXE 2 3 6->19         started        38 43.230.202.82, 49694, 49695, 49696 WOWUS India 10->38 32 C:\Users\user\...\sales_contract.xls (copy), Composite 10->32 dropped 34 isoiosioiosiosioos...siioosioosio[1].doc, ISO-8859 10->34 dropped 21 RdrCEF.exe 69 13->21         started        file5 signatures6 process7 dnsIp8 36 192.168.2.1 unknown unknown 21->36
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a2577fc056cfff4025b8cd15f49b2d2cb150c3f7f3fb0c1ee8067afc9f5c807d/
Threat name:
Win32.Trojan.Minerva
Create hunting rule
Status:
Malicious
First seen:
2023-07-17 10:25:23 UTC
File Type:
Document
Extracted files:
48
AV detection:
8 of 37 (21.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ujlx7qcwz77uajnyzuk7jgznfsyvbq7x6p5qyhxiaz5pzh24qb6q._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/230718-g3sewsgf35/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a2577fc056cf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.70
Link:
https://yomi.yoroi.company/submissions/a2577fc056cfff4025b8cd15f49b2d2cb150c3f7f3fb0c1ee8067afc9f5c807d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:informational_win_ole_protected
Create hunting rule
Author:Jeff White (karttoon@gmail.com) @noottrak
Description:Identify OLE Project protection within documents.
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

r01 3166d4789667570986c7c36f66bd3cbf6cd54449cd0a18c23e9c8ff1fe467b90

Excel file xls a2577fc056cfff4025b8cd15f49b2d2cb150c3f7f3fb0c1ee8067afc9f5c807d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/423224/
  
Dropped by
SHA256 3166d4789667570986c7c36f66bd3cbf6cd54449cd0a18c23e9c8ff1fe467b90
  
Dropped by
MD5 66730821c6262469431461d7ab1ad47e

Comments