MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e03a7b921d3ebd2e5d1f850933f956813abf8abd23d42451f2df9b32e1f8c178. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 10
Maldoc score: 13



SHA256 hash: e03a7b921d3ebd2e5d1f850933f956813abf8abd23d42451f2df9b32e1f8c178
SHA3-384 hash: 90076fd1041d8bbf3d86c6a2002f535d852bc7bc4b4719add1576be1397edfbbc26aaee3dfe3cb894489446ab47b24f2
SHA1 hash: 8e3c43f0b0e404470c63af05bc668950aa6fa70b
MD5 hash: 8829fbb9f6c18f5efee3bda323e89cee
humanhash: march-stairway-december-ceiling
File name: mmbv.doc
File size: 1'270'133 bytes
First seen: 2022-01-13 13:01:44 UTC
Last seen: Never
File type: Word file (doc)
MIME type: application/msword
ssdeep: 3072:28jC2CUNX5EIDAwQodB/ZEEOg5pxcX753tC/DZq:ZCN8nQodBGopV
TLSH: T193451AE4A0729554FC1E36F2AA8138C84AC33DEA391FDF4A0114B57F28795E83AD585F
Reporter: abuse_ch
Tags: doc

Office OLE Information


This malware sample appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 13
OLE dump

MalwareBazaar was able to identify 18 sections in this file using oledump:

Section ID   Section size    Section name
1            113 bytes       CompObj
2            264 bytes       DocumentSummaryInformation
3            384 bytes       SummaryInformation
4            8366 bytes      1Table
5            4096 bytes      Data
6            492 bytes       Macros/PROJECT
7            78 bytes        Macros/PROJECTlk
8            68 bytes        Macros/PROJECTwm
9            1064 bytes      Macros/VBA/ThisDocument
10           3718 bytes      Macros/VBA/_VBA_PROJECT
11           18722 bytes     Macros/VBA/autoOPen
12           737 bytes       Macros/VBA/dir
13           112 bytes       ObjectPool/_1703547241/CompObj
14           16 bytes        ObjectPool/_1703547241/OCXNAME
15           6 bytes         ObjectPool/_1703547241/ObjInfo
16           264 bytes       ObjectPool/_1703547241/PRINT
17           72 bytes        ObjectPool/_1703547241/contents
18           941857 bytes    WordDocument
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) and obtained the following information from OLE objects embedded in this file using olevba:

Type         Keyword          Description
AutoExec     autoOPen         Runs when the Word document is opened
Suspicious   Open             May open a file
Suspicious   create           May execute file or a system command through WMI
Suspicious   Lib              May run code from a DLL
Suspicious   Chr              May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Suspicious   Hex Strings      Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
Suspicious   Base64 Strings   Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
(not captured) (not captured) ...code and P-code are different, this may have been used to hide malicious code

Intelligence


File Origin
# of uploads: 1
# of downloads: 254
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: mmbv.doc
Verdict: Malicious activity
Analysis date: 2022-01-13 13:08:10 UTC
Tags: macros loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
File type: application/msword
Has a screenshot: False
Contains macros: True
Result
Verdict: Malware
Maliciousness:
Behaviour:
Searching for the window
DNS request
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a file in the %temp% directory
Creating a process with a hidden window
Launching cmd.exe command interpreter by exploiting the app vulnerability
Creating a process from a recently created file
Result
Verdict: Malicious
File Type: Legacy Word File with Macro
Document image
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control.exe evasive macros macros-on-open obfuscated print.exe
Result
Threat name: Unknown
Detection: malicious
Classification: expl.evad
Score: 100 / 100
Signature:
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Creates an autostart registry key pointing to binary in C:\Windows
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office process drops PE file
Sigma detected: Execute DLL with spoofed extension
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Office product drops script at suspicious location
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: UNC2452 Process Creation Patterns
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Behaviour
Behavior Graph (graph image not captured; details recovered from the graph text follow)
Behavior Graph ID: 552561; Sample: mmbv.doc; Startdate: 13/01/2022; Architecture: WINDOWS; Score: 100
Network: nasikbazar.com
Top-level signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 11 other signatures
Process tree:
WINWORD.EXE
  dropped: C:\.intel\.rem\2.png (PE32); C:\.intel\.rem\1.png (PE32+); C:\Users\user\Desktop\~$mmbv.doc (data); 2 other malicious files
  cmd.exe (Uses cmd line tools excessively to alter registry or file data; Bypasses PowerShell execution policy)
    powershell.exe
      rundll32.exe
        cmd.exe
          rundll32.exe
            cmd.exe (Uses cmd line tools excessively to alter registry or file data)
              reg.exe (Creates an autostart registry key pointing to binary in C:\Windows)
            cmd.exe
              rundll32.exe
              choice.exe
          choice.exe
rundll32.exe (Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes)
  cmd.exe
    reg.exe
  cmd.exe
    reg.exe
  chrome.exe
rundll32.exe
Threat name: Document-Office.Trojan.Valyria
Status: Malicious
First seen: 2022-01-13 13:02:13 UTC
File Type: Document
Extracted files: 21
AV detection: 15 of 28 (53.57%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour:
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Drops file in Windows directory
Drops file in System32 directory
Loads dropped DLL
Process spawned unexpected child process
Malware Config
Dropper Extraction: http://nasikbazar.com/ldllrndlleaw64.png
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments