MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c714df95288209ef3fbafe4f685c16629edea6bbf927c9ff522170c939916016. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	c714df95288209ef3fbafe4f685c16629edea6bbf927c9ff522170c939916016
SHA3-384 hash:	bdc6e29f45755f647ab7c4824a78165ff35150c8f8c794e9bfdceb7209c61f81f88a0ca76ce74cfbba84c2f81ea30501
SHA1 hash:	24715d7a38a0e3b3495d6fa7bd1164897fe36257
MD5 hash:	0ec4a5cbc70d9e63dc8efc2197bc03fa
humanhash:	stream-lactose-quebec-berlin
File name:	NEW ORDER.docx
Download:	download sample
File size:	16'426 bytes
First seen:	2024-06-20 07:29:29 UTC
Last seen:	2024-06-21 09:30:59 UTC
File type:	doc
MIME type:	application/vnd.openxmlformats-officedocument.wordprocessingml.document
ssdeep	384:AyXKibkWUs8PL8wi4OEwH8TIbE91r2fRwJY7vi9EyPPT:AcK735P3DOqnYJ+OvsEyP7
TLSH	T1F672AF5E85A441AEC70E44B841453071F3ECEAE7F267EF1EBA207618427B6CEDB41A58
TrID	51.0% (.DOCX) Word Microsoft Office Open XML Format document (23500/1/4) 38.0% (.ZIP) Open Packaging Conventions container (17500/1/4) 8.6% (.ZIP) ZIP compressed archive (4000/1) 2.1% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	TeamDreier
Tags:	cve-2017-0199 doc

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

2'536

Origin country :

DK

Vendor Threat Intelligence

ANY.RUN Malicious

Malware family:

n/a

ID:

1

File name:

c714df95288209ef3fbafe4f685c16629edea6bbf927c9ff522170c939916016.doc

Verdict:

Malicious activity

Analysis date:

2024-06-20 07:36:44 UTC

Tags:

cve-2017-0199 exploit

Link:

https://app.any.run/tasks/08f2c524-db6e-4ff2-9322-248088284c99

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

BitDam Legit

Verdict:

Legit

File type:

application/msword

Has a screenshot:

False

Contains macros:

False

ClamAV Detected

Detection(s):

TwinWave.EvilDoc.OkayLureDefenderWord.20220418.UNOFFICIAL

Alert

Create hunting rule

Sanesecurity.Malware.30525.XmlHeur.UNOFFICIAL

Alert

Create hunting rule

Doc.Downloader.Loda-7570590-0

Alert

Create hunting rule

TwinWave.EvilDoc.RemoteTemplateCallBadDDomainShowdown.20200304.UNOFFICIAL

Alert

Create hunting rule

MiscreantPunch.Suspicious.RemoteTemplateCall.UNOFFICIAL

Alert

Create hunting rule

CyberFortress Malicious

Verdict:

Malicious

Score:

95.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6673dbd00f8138dd4eb142eawin7simulatehigh_evasion

Tags:

Network

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for synchronization primitives

Using the Windows Management Instrumentation requests

Creating a window

Creating a file

Launching a process

DNS request

Connection attempt

Sending a custom TCP request

Delayed reading of the file

Creating a file in the %AppData% directory

Searching for the window

Launching cmd.exe command interpreter

Query of malicious DNS domain

Launching a file downloaded from the Internet

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Launching a process by exploiting the app vulnerability

Connection attempt to an infection source by exploiting the app vulnerability

Sending a TCP request to an infection source by exploiting the app vulnerability

Creating a process from a recently created file

Unauthorized injection to a system process

DocGuard Malicious

Result

Verdict:

Malicious

File Type:

OOXML Word File

Link:

https://app.docguard.net/c714df95288209ef3fbafe4f685c16629edea6bbf927c9ff522170c939916016/results/dashboard

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

89%

Tags:

language-af masquerade

Link:

https://www.filescan.io/uploads/6673da7f21581a92819e1636/reports/ff5eb955-702c-46de-9e25-f8a3a24f498b/overview

Hybrid Analysis CVE-2017-0199

Verdict:

Malicious

Labled as:

CVE-2017-0199

Link:

https://www.hybrid-analysis.com/sample/c714df95288209ef3fbafe4f685c16629edea6bbf927c9ff522170c939916016

inlyse Malware.AI Malicious

Label:

Malicious

Suspicious Score:

6.8/10

Score Malicious:

69%

Score Benign:

31%

Link:

https://www.malware.ai/gui/files/?id=56af238f-47e6-430e-a005-994dd70d322b

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/c714df95288209ef3fbafe4f685c16629edea6bbf927c9ff522170c939916016

Details

External Relationship Element

Document contains an externally hosted relationship, which fetches further content.

Joe Sandbox malicious

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1459926

Signature

Antivirus detection for URL or domain

Contains an external reference to another file

Malicious sample detected (through community Yara rule)

Microsoft Office launches external ms-search protocol handler (WebDAV)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Office drops RTF file

Office viewer loads remote template

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Malware

Score:

100%

Verdict:

Malware

File Type:

OFFICE

Link:

https://malprob.io/report/c714df95288209ef3fbafe4f685c16629edea6bbf927c9ff522170c939916016

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c714df95288209ef3fbafe4f685c16629edea6bbf927c9ff522170c939916016/

ReversingLabs TitaniumCloud Document-Office.Exploit.CVE-2017-0199

Threat name:

Document-Office.Exploit.CVE-2017-0199

Alert

Create hunting rule

Status:

Malicious

First seen:

2024-06-20 00:52:08 UTC

File Type:

Document

Extracted files:

12

AV detection:

15 of 24 (62.50%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=y4kn7fjiqie66p527zhwqxawmkpn5jv37et4t72sefymsomrmala._file

Hatching Triage Suspicious

Result

Malware family:

n/a

Score:

  7/10

Tags:

n/a

Link:

https://tria.ge/reports/240620-jbsmpazhmr/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Uses Volume Shadow Copy WMI provider

Uses Volume Shadow Copy service COM API

Office loads VBA resources, possible macro or embedded object present

Drops file in Windows directory

Abuses OpenXML format to download file from external location

Threat.Zone Suspicious

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b15d80a4-2a98-4c08-b8c8-e97b0f200020

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c714df95288209ef3fbafe4f685c16629edea6bbf927c9ff522170c939916016