MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae532b07108fb646ea32f903d35d6f31f2e0abe9f37bbd2e3d0c1abe6335b281. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 9
Maldoc score: 11

SHA256 hash: ae532b07108fb646ea32f903d35d6f31f2e0abe9f37bbd2e3d0c1abe6335b281
SHA3-384 hash: d87a1cf47be05cf7e3a6d8375ef763f1709bcb7750f1c81d53024980cde6a42c777b371f5658ca9cefaf639ed1ecd4f1
SHA1 hash: 3e36838fabd4fa3964b4feda5ea7a83ec3a4de19
MD5 hash: e400c69a497da997e248081a24e59a4a
humanhash: sad-west-football-virginia
File name: Payment references.doc
File size: 645'120 bytes
First seen: 2021-10-28 11:26:39 UTC
Last seen: 2021-10-28 12:56:36 UTC
File type: Word file doc
MIME type: application/msword
ssdeep: 12288:ubqTtukI4DLk+N76BI7G+eDYYQgc6gID6ijVAm5vbZ82NHKLtO2:emukI6Y+N7uDgl6gI9VAm5vzs
TLSH: T1D9D42392B1D4DF9BE4176A391CC3D09C7E18FC889E6DD20B3A45BB5F4EB97368102819
Reporter: lowmal3
Tags: doc

Office OLE Information


This malware sample appears to be an Office document. The following tables provide more information about this document, obtained with oletools and oledump.

OLE id
Maldoc score: 11
OLE dump

MalwareBazaar was able to identify 12 sections in this file using oledump:

Section ID  Section size  Section name
1           114 bytes     CompObj
2           4096 bytes    DocumentSummaryInformation
3           4096 bytes    SummaryInformation
4           6979 bytes    1Table
5           610223 bytes  Data
6           416 bytes     Macros/PROJECT
7           65 bytes      Macros/PROJECTwm
8           982 bytes     Macros/VBA/Module1
9           2133 bytes    Macros/VBA/ThisDocument
10          2675 bytes    Macros/VBA/_VBA_PROJECT
11          562 bytes     Macros/VBA/dir
12          4096 bytes    WordDocument
OLE vba

MalwareBazaar was able to extract and deobfuscate the VBA script(s) in this file using olevba, and obtained the following information from the embedded OLE objects:

Type        Keyword         Description
AutoExec    Document_Open   Runs when the Word or Publisher document is opened
IOC         god.bat         Executable file name
Suspicious  Open            May open a file
Suspicious  CreateTextFile  May create a text file
Suspicious  GetObject       May get an OLE object with a running instance
Suspicious  Chr             May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Suspicious  Hex Strings     Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads: 2
# of downloads: 129
Origin country: n/a

Vendor Threat Intelligence
Verdict: Malicious
File type: application/msword
Has a screenshot: False
Contains macros: True
Result
Verdict: Malicious
File Type: Legacy Word File with Macro
Document image: (image not reproduced in this entry)
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: cmd macros macros-on-open powershell
Result
Verdict: MALICIOUS
Details:
Macro with Startup Hook: Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Document With Few Pages: Document contains between one and three pages of content. Most malicious documents are sparse in page count.
Macro with File System Write: Detected macro logic that can write data to the file system.
Macro Execution Coercion: Detected a document that appears to social engineer the user into activating embedded logic.
Result
Threat name: Unknown
Detection: malicious
Classification: expl.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document exploit detected (creates forbidden files)
Document exploit detected (process start blacklist hit)
Found detection on Joe Sandbox Cloud Basic with higher score
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Microsoft Office Product Spawning Windows Shell
Yara detected Obfuscated Powershell
Behaviour
Behavior Graph: ID 510972, sample Payment references.doc, start date 28/10/2021, architecture WINDOWS, score 100. The graph image is not reproduced; the process chain, dropped files and signatures it records are:
  Network contact: coachcarmenwilliams.com (Antivirus detection for URL or domain)
  WINWORD.EXE started; dropped C:\Users\user\...\~DF5A77DCA9E95E2187.TMP (Composite) and C:\Users\Public\Documents\god.bat (ASCII); signature: Document exploit detected (creates forbidden files)
  WINWORD.EXE started cmd.exe, which started powershell.exe and conhost.exe
  powershell.exe started leastalready.exe, which dropped C:\Users\user\AppData\Local\...\leratoz.dll (PE32) and started a second leastalready.exe; signature: Injects a PE file into a foreign processes
  Also flagged at the sample level: Multi AV Scanner detection for dropped file, Multi AV Scanner detection for submitted file, and 9 other signatures
Threat name: Script.Trojan.Woreflint
Status: Malicious
First seen: 2021-10-28 11:27:06 UTC
AV detection: 11 of 44 (25.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: macro macro_on_action
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Downloads MZ/PE file
Process spawned unexpected child process
Malware Config
Dropper Extraction: http://coachcarmenwilliams.com/RFQ012.exe
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: Word file doc ae532b07108fb646ea32f903d35d6f31f2e0abe9f37bbd2e3d0c1abe6335b281 (this sample)
Delivery method: Distributed via e-mail attachment
