MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4c39820192ae288fde7d999da4656ed93c402f1b7479f0a6e5aa9f903a41876. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Maldoc score: 25


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4c39820192ae288fde7d999da4656ed93c402f1b7479f0a6e5aa9f903a41876
SHA3-384 hash: 3ecd32184f10633bf817f41934f2ff57578908aa6b4b2a1d452486c16758690c35b97e818f98c83c90646ad32bee4cd6
SHA1 hash: 0e449888239ae05ce4c4eae8f01fbcfed2c3afd7
MD5 hash: 2efe46a6dc5165c9fda8839403115a3c
humanhash: winner-louisiana-september-pasta
File name:Pago de Recibo.xls
Download: download sample
File size:702'976 bytes
First seen:2021-11-22 18:46:40 UTC
Last seen:Never
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 12288:yYjqj8xADczr9feRqN2tzcnNm3QSwIRf03WeExB:yVgqclf87tqmgSwI103Wek
TLSH T1BFE4CF5A668ACE0FD35F01B04EAB7FFA7399EC418F1F9AC7A010F2192C3DA55E642445
Reporter abuse_ch
Tags:xls

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 25
OLE dump

MalwareBazaar was able to identify 24 sections in this file using oledump:

Section IDSection sizeSection name
1107 bytesCompObj
2324 bytesDocumentSummaryInformation
3208 bytesSummaryInformation
4485740 bytesWorkbook
51024 bytes_VBA_PROJECT_CUR/PROJECT
6278 bytes_VBA_PROJECT_CUR/PROJECTwm
7825 bytes_VBA_PROJECT_CUR/VBA/Module1
875135 bytes_VBA_PROJECT_CUR/VBA/Sheet1
974858 bytes_VBA_PROJECT_CUR/VBA/Sheet10
10977 bytes_VBA_PROJECT_CUR/VBA/Sheet2
11977 bytes_VBA_PROJECT_CUR/VBA/Sheet3
12977 bytes_VBA_PROJECT_CUR/VBA/Sheet4
13977 bytes_VBA_PROJECT_CUR/VBA/Sheet5
14977 bytes_VBA_PROJECT_CUR/VBA/Sheet6
15977 bytes_VBA_PROJECT_CUR/VBA/Sheet7
16977 bytes_VBA_PROJECT_CUR/VBA/Sheet8
17977 bytes_VBA_PROJECT_CUR/VBA/Sheet9
1829970 bytes_VBA_PROJECT_CUR/VBA/ThisWorkbook
199468 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
201783 bytes_VBA_PROJECT_CUR/VBA/__SRP_0
21846 bytes_VBA_PROJECT_CUR/VBA/__SRP_1
22508 bytes_VBA_PROJECT_CUR/VBA/__SRP_2
23692 bytes_VBA_PROJECT_CUR/VBA/__SRP_3
24762 bytes_VBA_PROJECT_CUR/VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecWorkbook_OpenRuns when the Excel Workbook is opened
SuspiciousOpenMay open a file
SuspiciousWriteMay write to a file (if combined with Open)
Suspiciousadodb.streamMay create a text file
SuspiciousSaveToFileMay create a text file
SuspiciousShellMay run an executable file or a system command
SuspiciousWScript.ShellMay run an executable file or a system command
SuspiciousCreateObjectMay create an OLE object
SuspiciousShell.ApplicationMay run an application (if combined with CreateObject)
Suspiciousmicrosoft.xmlhttpMay download files from the Internet
SuspiciousChrMay attempt to obfuscate specific strings (use option --deobf to deobfuscate)
SuspiciousXorMay attempt to obfuscate specific strings (use option --deobf to deobfuscate)
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all) code and P-code are different, this may have been used to hide malicious code

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Pago de Recibo.xls
Verdict:
Malicious activity
Analysis date:
2021-11-22 18:58:06 UTC
Tags:
macros macros-on-open loader
Link:
https://app.any.run/tasks/76858233-0616-4780-8e0f-59d624b782cd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/vnd.ms-excel
Has a screenshot:
False
Contains macros:
True
Gathering data
Detection(s):
Xls.Macro.Obfuscation-9804250-0
Create hunting rule

MiscreantPunch.EvilMacro.DL.170224.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.CROAndTheTangerineDream.M1.20200630.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.CROAndTheTangerineDream.M2.20200630.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.WeAreAPartOfTheRythmNation.20201230.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.StatusIsLikeAFriend.20210201.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DidntIBlowYourMindThisTime.20210922.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Sending an HTTP GET request
Unauthorized injection to a recently created process
Creating a process from a recently created file
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Link:
https://app.docguard.net/d4c39820192ae288fde7d999da4656ed93c402f1b7479f0a6e5aa9f903a41876/results/dashboard
Document image
Image:
Download PNG
Document image
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive macros macros-on-open vbastomped
Link:
https://www.filescan.io/uploads/619be5a9dd04e7d00e029972/reports/38ede303-e759-46e1-868d-444f0f008e12/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/d4c39820192ae288fde7d999da4656ed93c402f1b7479f0a6e5aa9f903a41876
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro with File System Write
Detected macro logic that can write data to the file system.
Shell.Application Object
Detected the instantiation of Shell Application object within the macro.
Result
Threat name:
IPack Miner
Create hunting rule
Detection:
malicious
Classification:
expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/894133
Signature
Creates an undocumented autostart registry key
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with hexadecimal encoded strings
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office process drops PE file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: MS Office Product Spawning Exe in User Dir
Sigma detected: Suspicious Encoded PowerShell Command Line
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected IPack Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 526611 Sample: Pago de Recibo.xls Startdate: 22/11/2021 Architecture: WINDOWS Score: 100 47 Multi AV Scanner detection for submitted file 2->47 49 Document exploit detected (drops PE files) 2->49 51 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->51 53 13 other signatures 2->53 7 EXCEL.EXE 53 24 2->7         started        process3 dnsIp4 39 js-hurling.com 192.185.113.96, 49165, 49166, 80 UNIFIEDLAYER-AS-1US United States 7->39 41 www.js-hurling.com 7->41 27 C:\Users\user\AppData\...\HQOJYDDDF.exe, PE32+ 7->27 dropped 29 C:\Users\user\...\cetyrsfomityhgnjm[1].exe, PE32+ 7->29 dropped 31 C:\Users\user\Desktop\Pago de Recibo.xls, Composite 7->31 dropped 59 Document exploit detected (creates forbidden files) 7->59 12 HQOJYDDDF.exe 12 4 7->12         started        file5 signatures6 process7 dnsIp8 43 www.js-hurling.com 12->43 45 js-hurling.com 12->45 33 C:\Users\user\AppData\Local\...\HQOJYDDDF.exe, PE32+ 12->33 dropped 35 C:\Users\user\AppData\Roaming\...\hssrc.exe, PE32+ 12->35 dropped 61 Creates an undocumented autostart registry key 12->61 63 Encrypted powershell cmdline option found 12->63 65 Writes to foreign memory regions 12->65 67 2 other signatures 12->67 17 HQOJYDDDF.exe 12->17         started        21 powershell.exe 6 12->21         started        23 powershell.exe 7 12->23         started        25 8 other processes 12->25 file9 signatures10 process11 dnsIp12 37 45.133.1.84, 49168, 7098 DEDIPATH-LLCUS Netherlands 17->37 55 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 17->55 57 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->57 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d4c39820192ae288fde7d999da4656ed93c402f1b7479f0a6e5aa9f903a41876/
Threat name:
Script-Macro.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2021-11-22 18:47:15 UTC
File Type:
Document
Extracted files:
49
AV detection:
23 of 45 (51.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2tbzqiazflrir7ph3gm5ursw5wj4iaxrw5dz6ctolku7sa5edb3a._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
macro macro_on_action
Link:
https://tria.ge/reports/211122-xe7snsgfcr/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d4c39820192a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d4c39820192ae288fde7d999da4656ed93c402f1b7479f0a6e5aa9f903a41876

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Excel file xls d4c39820192ae288fde7d999da4656ed93c402f1b7479f0a6e5aa9f903a41876

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/208324/

Comments