MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dca3ac723a130e56fb158c34c68e1c4b7d8577d0dbe9d8b859bfff7ada34d02e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dca3ac723a130e56fb158c34c68e1c4b7d8577d0dbe9d8b859bfff7ada34d02e
SHA3-384 hash: 516c262dc217376e8096a5922e983914fec5e625b1f7f90bddce7d9da47f74b9669656ef6e3933ecc393e114f0d1c0be
SHA1 hash: 8abdcf319f439f1eb17886a8db07ae5be5f71035
MD5 hash: 3203c48d41affb26c8821ff5680e2d9d
humanhash: spaghetti-floor-august-kitten
File name:DHL open invoices.pdf.ppam
Download: download sample
File size:41'535 bytes
First seen:2022-02-16 07:39:17 UTC
Last seen:2022-02-16 07:40:06 UTC
File type:PowerPoint file ppam
MIME type:application/vnd.openxmlformats-officedocument.presentationml.presentation
ssdeep 768:c+jRD4S0JS00SneSnjS0yS03S0IMS0bS02Sote9YRuOjXHXQDjcfHTgWYpNNLj4C:c+1ceqfHXWArgrjpd0mgrAdh8f1/K8NO
TLSH T11913A014C203A526C2B3653DE83949E219578C1B6514898FD5FB7E470BA8EDB2B0EFC9
Reporter cocaman
Tags:DHL INVOICE ppam


Avatar
cocaman
Malicious email (T1566.001)
From: ""Isabel Brent" <mir.bak@warongsoto.com>" (likely spoofed)
Received: "from slot0.warongsoto.com (slot0.warongsoto.com [194.99.46.38]) "
Date: "Wed, 16 Feb 2022 07:54:17 +0100"
Subject: "Urgent Purchase order - Feb22_765432"
Attachment: "order001.ppam"

Intelligence

File Origin
# of uploads :
3
# of downloads :
170
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
TwinWave.EvilDoc.GOVarRetroSpectAllTheWayDown.20220203.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Heur.19842.16028.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
Legacy PowerPoint File with Macro
Link:
https://app.docguard.net/dca3ac723a130e56fb158c34c68e1c4b7d8577d0dbe9d8b859bfff7ada34d02e/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm cmd macros macros-on-open mshta
Link:
https://www.filescan.io/uploads/620caa57a2660f3bb9e3630e/reports/affa5cdf-cfa5-49c3-82cd-1263d85765b6/overview
Label:
Malicious
Suspicious Score:
9.9/10
Score Malicious:
1%
Score Benign:
0%
Link:
https://www.malware.ai/gui/files/?id=b5f3f7d3-05d4-48aa-917a-2f05e8d6a070
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/dca3ac723a130e56fb158c34c68e1c4b7d8577d0dbe9d8b859bfff7ada34d02e
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/940616
Signature
Document contains an embedded VBA macro with suspicious strings
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 573094 Sample: DHL open invoices.pdf.ppam Startdate: 16/02/2022 Architecture: WINDOWS Score: 52 12 Multi AV Scanner detection for submitted file 2->12 14 Document contains an embedded VBA macro with suspicious strings 2->14 6 cmd.exe 1 2->6         started        8 POWERPNT.EXE 501 3 2->8         started        process3 process4 10 POWERPNT.EXE 7 5 6->10         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dca3ac723a130e56fb158c34c68e1c4b7d8577d0dbe9d8b859bfff7ada34d02e/
Threat name:
Script.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2022-02-15 19:32:55 UTC
File Type:
Document
Extracted files:
43
AV detection:
8 of 42 (19.05%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3sr2y4r2cmhfn6yvrq2mndq4jn6yk56q3pu5roczx77xvwru2axa._file
Result
Malware family:
n/a
Score:
  4/10
Tags:
n/a
Link:
https://tria.ge/reports/220216-jhjy5abde6/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dca3ac723a130e56fb158c34c68e1c4b7d8577d0dbe9d8b859bfff7ada34d02e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

PowerPoint file ppam dca3ac723a130e56fb158c34c68e1c4b7d8577d0dbe9d8b859bfff7ada34d02e

(this sample)

  
Delivery method
Distributed via e-mail attachment
  
URLhaus
https://urlhaus.abuse.ch/url/2043511/

Comments