MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd0645f57df34996eff1bbf2f5b1f80806b5f85a63a48ad0a1001cbf7cae3f80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 4
Maldoc score: 5

SHA256 hash: bd0645f57df34996eff1bbf2f5b1f80806b5f85a63a48ad0a1001cbf7cae3f80
SHA3-384 hash: fe5a3016f39bb3fde4d43f81b6af7c3b197a966cf0f5db6ba9fcdfece95451e25bed985a1e45bb00d4b4ae89d6b14c14
SHA1 hash: 006ece167f2727fc7bebb37a90dc14a2a6533bc5
MD5 hash: c37e333fffd1ccc08fa6120a52a7930a
humanhash: harry-twenty-mirror-kansas
File name: Avion Quotation Request.doc
File size: 80'896 bytes
First seen: 2020-11-20 07:51:28 UTC
Last seen: 2020-11-20 09:55:22 UTC
File type: Word file doc
MIME type: application/msword
ssdeep: 1536:aIOeGhQwlp7fjGZiltQ/Pb+Lt+mbnqRoIlJlzqPzu:a1hHtyZi0LI3e2WJlz
TLSH: CD836C3AF2E54A08E42289B14EE1DF5432397D1D5E48478B321D776FAF33E34899225E
Reporter: abuse_ch
Tags: doc


abuse_ch
Malspam distributing unidentified malware:

From: Roberto Buchicchio - Avion Company <roberto.buchicchio@avioninternational.com>
Subject: Request for quotation - Avion International
Attachment: Avion Quotation Request.doc

Office OLE Information


This malware sample appears to be an Office document. The following table provides more information about this document, obtained using oletools and oledump.

OLE id
Maldoc score: 5
Application name is Microsoft Office Word
Office document is in OLE format
Office document contains VBA Macros
OLE dump

MalwareBazaar was able to identify 12 sections in this file using oledump:

Section ID   Section size   Section name
1            114 bytes      CompObj
2            4096 bytes     DocumentSummaryInformation
3            4096 bytes     SummaryInformation
4            7133 bytes     1Table
5            49427 bytes    Data
6            417 bytes      Macros/PROJECT
7            71 bytes       Macros/PROJECTwm
8            2455 bytes     Macros/VBA/NewMacros
9            938 bytes      Macros/VBA/ThisDocument
10           2625 bytes     Macros/VBA/_VBA_PROJECT
11           569 bytes      Macros/VBA/dir
12           4096 bytes     WordDocument
OLE vba

MalwareBazaar was able to extract and deobfuscate the VBA script(s) embedded in this file using olevba, and obtained the following information from the OLE objects:

Type         Keyword                 Description
AutoExec     auTocLosE               Runs when the Word document is closed
IOC          phy__1__31629__26490    Executable file name
IOC          100rn.exe               Executable file name
IOC          pinG.ExE                Executable file name
Suspicious   Shell                   May run an executable file or a system command
Suspicious   Hex Strings             Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads: 2
# of downloads: 92
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a window

Result
Gathering data

Result
Threat name: Unknown
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Document contains an embedded VBA macro which may execute processes
Document exploit detected (process start blacklist hit)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious Certutil Command
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph (ID: 321058; Sample: Avion Quotation Request.doc; Startdate: 20/11/2020; Architecture: WINDOWS; Score: 100)

Sample-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); 7 other signatures

Process tree and per-node findings:
  WINWORD.EXE
    signatures: Obfuscated command line found; Document exploit detected (process start blacklist hit)
    -> cmd.exe
         signatures: Obfuscated command line found
         -> 100rn.exe
              network: 93.115.22.72, 80 (MVPShttpswwwmvpsnetEU, Romania); elb097307-934924932.us-east-1.elb.amazonaws.com 54.204.14.42, 49167, 80 (AMAZON-AESUS, United States); 2 other IPs or domains
              signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file
         -> cmd.exe
              -> certutil.exe
                   network: 104.22.54.159, 443, 49166 (CLOUDFLARENETUS, United States); via.hypothes.is 172.67.22.135, 443, 49165 (CLOUDFLARENETUS, United States)
                   dropped: C:\Users\user\AppData\Local\Temp\100rn.exe (PE32); phy__1__31629__264...__1605642612[1].exe (PE32); C:\Users\...\517EA0DECF3F03757FA40BEF3525BB9E (PE32)
                   signatures: System process connects to network (likely due to code injection or exploit)
         -> cmd.exe
Threat name: Document-Word.Trojan.Powload
Status: Suspicious
First seen: 2020-11-20 02:01:39 UTC
AV detection: 24 of 48 (50.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: macro
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Office loads VBA resources, possible macro or embedded object present
Drops file in Windows directory
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Word file doc bd0645f57df34996eff1bbf2f5b1f80806b5f85a63a48ad0a1001cbf7cae3f80 (this sample)
Delivery method
Distributed via e-mail attachment

Comments