MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c33b31c1cbde29dfbff4723d27d6b391e6aff37a13b897f76363e5bfb104075f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 15


Maldoc score: 3


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c33b31c1cbde29dfbff4723d27d6b391e6aff37a13b897f76363e5bfb104075f
SHA3-384 hash: 862d25a3cf7e6000136eaf5ce45b0652538cc9fce06c4d1a0937519cd895398735d2624f5b5c05c8460145031a1b24c8
SHA1 hash: fc5cab6c4b37beef0d398b69f23082c1e7e2e3bf
MD5 hash: d94f01e8b8e2d602fb5196aa5978887d
humanhash: venus-sweet-asparagus-quiet
File name:Dev_Project.xls
Download: download sample
File size:97'280 bytes
First seen:2024-09-27 08:20:28 UTC
Last seen:Never
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 1536:ecKoSsxz1PDZL2Qiw+4868O8K/5Le1k3hOdsylKlgxopeiBNhZFGzE+cL2kdAKfS:ecKoSsxzNDZL2Qiw+4868O8K/5Le1k3O
TLSH T125939D92B255CD8AE9590B764DE3CAE67736FC528E53830B325CF70E1E746D08A07A07
TrID 46.5% (.XLS) Microsoft Excel sheet (alternate) (56500/1/4)
26.7% (.XLS) Microsoft Excel sheet (32500/1/3)
20.1% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2)
6.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika xls
Reporter abuse_ch
Tags:xls

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 3
OLE dump

MalwareBazaar was able to identify 17 sections in this file using oledump:

Section IDSection sizeSection name
1108 bytesCompObj
2244 bytesDocumentSummaryInformation
3204 bytesSummaryInformation
478221 bytesWorkbook
5538 bytes_VBA_PROJECT_CUR/PROJECT
686 bytes_VBA_PROJECT_CUR/PROJECTwm
71971 bytes_VBA_PROJECT_CUR/VBA/Module1
81180 bytes_VBA_PROJECT_CUR/VBA/Sheet1
91007 bytes_VBA_PROJECT_CUR/VBA/ThisWorkbook
102921 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
112389 bytes_VBA_PROJECT_CUR/VBA/__SRP_0
12194 bytes_VBA_PROJECT_CUR/VBA/__SRP_1
13726 bytes_VBA_PROJECT_CUR/VBA/__SRP_2
14156 bytes_VBA_PROJECT_CUR/VBA/__SRP_3
15464 bytes_VBA_PROJECT_CUR/VBA/__SRP_4
16106 bytes_VBA_PROJECT_CUR/VBA/__SRP_5
17704 bytes_VBA_PROJECT_CUR/VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecAuto_OpenRuns when the Excel Workbook is opened
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
1
# of downloads :
399
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Dev_Project.xls
Verdict:
Malicious activity
Analysis date:
2024-09-27 08:24:20 UTC
Tags:
macros macros-on-open loader
Link:
https://app.any.run/tasks/d1938e93-88b8-491a-b6ba-3549abcdc65c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
TwinWave.EvilDoc.DridexRockRoughAndStuffWithXLSTPuffs.20210310.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66f66af079032805ce8e5902
Tags:
Generic Network Office Stealth Office Agent Macro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Creating a window
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the Windows subdirectories
Creating a file
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Changing a file
Possible injection to a system process
Enabling autorun by creating a file
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Link:
https://app.docguard.net/c33b31c1cbde29dfbff4723d27d6b391e6aff37a13b897f76363e5bfb104075f/results/dashboard
Payload URLs
URL
File name
http://betterwebspacetest.com/pm/setup.msi
WorkBook
Behaviour
BlacklistAPI detected
Document image
Image:
Download PNG
Document image
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
macros macros-on-open
Link:
https://www.filescan.io/uploads/66f66af119fd255708d76d17/reports/f2ed8741-cc9a-4d1d-92bd-0a922681c274/overview
Verdict:
Malicious
Labled as:
Msoffice/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/c33b31c1cbde29dfbff4723d27d6b391e6aff37a13b897f76363e5bfb104075f
Gathering data
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/c33b31c1cbde29dfbff4723d27d6b391e6aff37a13b897f76363e5bfb104075f
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1520389
Signature
Contains functionality to register a low level keyboard hook
Document contains an embedded macro with GUI obfuscation
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office process queries suspicious COM object (likely to drop second stage)
Sample or dropped binary is a compiled AutoHotkey binary
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1520389 Sample: Dev_Project.xls Startdate: 27/09/2024 Architecture: WINDOWS Score: 64 30 shed.dual-low.s-part-0032.t-0009.t-msedge.net 2->30 32 s-part-0032.t-0009.t-msedge.net 2->32 34 betterwebspacetest.com 2->34 42 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->42 44 Document contains an embedded macro with GUI obfuscation 2->44 7 msiexec.exe 25 72 2->7         started        11 EXCEL.EXE 195 70 2->11         started        14 DSAWcfProxy.exe 6 2->14         started        16 EXCEL.EXE 68 69 2->16         started        signatures3 process4 dnsIp5 38 betterwebspacetest.com 51.68.214.101, 49741, 49769, 80 OVHFR France 7->38 26 C:\Persistent\DSAWcfProxy.exe, PE32 7->26 dropped 18 DSAWcfProxy.exe 6 7->18         started        22 DSAWcfProxy.exe 7->22         started        40 s-part-0032.t-0009.t-msedge.net 13.107.246.60, 443, 49757, 49758 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 11->40 28 C:\Users\user\Desktop\Dev_Project.xls, Composite 11->28 dropped 50 Office process queries suspicious COM object (likely to drop second stage) 11->50 24 splwow64.exe 11->24         started        52 Sample or dropped binary is a compiled AutoHotkey binary 14->52 file6 signatures7 process8 dnsIp9 36 162.220.166.184, 49746, 49754, 49756 IS-AS-1US United States 18->36 46 Contains functionality to register a low level keyboard hook 18->46 48 Sample or dropped binary is a compiled AutoHotkey binary 18->48 signatures10
Score:
100%
Verdict:
Malware
File Type:
OFFICE
Link:
https://malprob.io/report/c33b31c1cbde29dfbff4723d27d6b391e6aff37a13b897f76363e5bfb104075f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c33b31c1cbde29dfbff4723d27d6b391e6aff37a13b897f76363e5bfb104075f/
Threat name:
Document-Excel.Exploit.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2024-09-26 13:03:23 UTC
File Type:
Document
Extracted files:
22
AV detection:
3 of 38 (7.89%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ym5tdqol3yu57p7uoi6spvvtshtk7432co4jp53dmps37miea5pq._file
Verdict:
malicious
Label(s):
admintool_autohotkey
Create hunting rule
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery macro macro_on_action
Link:
https://tria.ge/reports/240927-j8zr9staqn/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
System Location Discovery: System Language Discovery
Drops file in Windows directory
Blocklisted process makes network request
Enumerates connected drives
Drops startup file
Executes dropped EXE
Verdict:
Malicious
Tags:
trojan TA505
YARA:
TA505_Maldoc_21Nov_2
Link:
https://app.threat.zone/submission/78c30b07-e8ec-47a3-971c-1891726ec88e
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c33b31c1cbde/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c33b31c1cbde29dfbff4723d27d6b391e6aff37a13b897f76363e5bfb104075f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:informational_win_ole_protected
Create hunting rule
Author:Jeff White (karttoon@gmail.com) @noottrak
Description:Identify OLE Project protection within documents.
Rule name:TA505_Maldoc_21Nov_2
Create hunting rule
Author:Arkbird_SOLG
Description:invitation (1).xls
Reference:https://twitter.com/58_158_177_102/status/1197432303057637377

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments