MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e10d8b2c6343432a4384928f91b398c9223a0155385ba1405192c614c6e1cf83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Squirrelwaffle


Vendor detections: 9


Maldoc score: 29


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e10d8b2c6343432a4384928f91b398c9223a0155385ba1405192c614c6e1cf83
SHA3-384 hash: 94f04b8b5c8ba0687b9dd5daac6f873e8f3d7e22ecc47b4e6de6bc04df210367dded6944414f65a26bc82caf331f3023
SHA1 hash: ffae0692f1dbbffb4f2a87c70ca25bab90fc2219
MD5 hash: 46138b19cc3a214592a4bcc4045f145f
humanhash: alanine-oven-solar-lion
File name:diagram-378.doc
Download: download sample
Signature Squirrelwaffle
Create hunting rule
File size:229'386 bytes
First seen:2021-09-13 17:28:57 UTC
Last seen:Never
File type:Word file doc
MIME type:application/msword
ssdeep 3072:s1Ew9u9qLF0EYouFCoOVaLyUqDDhllsFLkmkt9Qdkmkt9QZRh9Gvkmkt9Qv:s1EJoEouGLXhlGFg/kRh9GMo
TLSH T11C245B037A58C752D48566765E93CEA867367E588E8323EB712C3B4F3F74B104C1A26E
Reporter ffforward
Tags: Squirrelwaffle doc SQUIRRELWAFFLE tr

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 29
Application name is Microsoft Office Word
Office document is in OLE format
Office document contains VBA Macros
OLE dump

MalwareBazaar was able to identify 40 sections in this file using oledump:

Section IDSection sizeSection name
1114 bytesCompObj
24096 bytesDocumentSummaryInformation
34096 bytesSummaryInformation
411874 bytes1Table
563871 bytesData
6644 bytesMacros/PROJECT
7170 bytesMacros/PROJECTwm
897 bytesMacros/UserForm1/CompObj
9266 bytesMacros/UserForm1/VBFrame
1024953 bytesMacros/UserForm1/f
110 bytesMacros/UserForm1/o
129368 bytesMacros/VBA/Module1
139368 bytesMacros/VBA/Module2
145669 bytesMacros/VBA/Module3
153815 bytesMacros/VBA/ThisDocument
161167 bytesMacros/VBA/UserForm1
176650 bytesMacros/VBA/_VBA_PROJECT
184162 bytesMacros/VBA/__SRP_0
19365 bytesMacros/VBA/__SRP_1
201644 bytesMacros/VBA/__SRP_4
21186 bytesMacros/VBA/__SRP_5
221652 bytesMacros/VBA/__SRP_6
23103 bytesMacros/VBA/__SRP_7
241700 bytesMacros/VBA/deutsche
251300 bytesMacros/VBA/dir
2697 bytesMacros/deutsche/CompObj
27292 bytesMacros/deutsche/VBFrame
2825453 bytesMacros/deutsche/f
29115 bytesMacros/deutsche/i08/CompObj
30176 bytesMacros/deutsche/i08/f
31110 bytesMacros/deutsche/i08/i10/CompObj
3256 bytesMacros/deutsche/i08/i10/f
330 bytesMacros/deutsche/i08/i10/o
34110 bytesMacros/deutsche/i08/i11/CompObj
3540 bytesMacros/deutsche/i08/i11/f
360 bytesMacros/deutsche/i08/i11/o
37148 bytesMacros/deutsche/i08/o
3848 bytesMacros/deutsche/i08/x
3927655 bytesMacros/deutsche/o
404096 bytesWordDocument
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecAutoOpenRuns when the Word document is opened
AutoExecDocument_OpenRuns when the Word or Publisher document is opened
AutoExecUserForm_ClickRuns when the file is opened and ActiveX objects trigger events
IOCwww.ps1Executable file name
IOCcscript.exeExecutable file name
IOCwww1.dllExecutable file name
IOCwww2.dllExecutable file name
IOCwww3.dllExecutable file name
IOCwww4.dllExecutable file name
IOCwww5.dllExecutable file name
IOCrundll32.exeExecutable file name
SuspiciousEnvironMay read system environment variables
SuspiciousOpenMay open a file
SuspiciousOutputMay write to a file (if combined with Open)
SuspiciousMoveFileMay move a file
SuspiciousShellMay run an executable file or a system command
SuspiciousWScript.ShellMay run an executable file or a system command
SuspiciousRunMay run an executable file or a system command
SuspiciousPowershellMay run PowerShell commands
SuspiciousExecutionPolicyMay run PowerShell commands
SuspiciousCreateObjectMay create an OLE object
SuspiciousChrMay attempt to obfuscate specific strings (use option --deobf to deobfuscate)
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
SuspiciousBase64 StringsBase64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
1
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
diagram-378.doc
Verdict:
Malicious activity
Analysis date:
2021-09-13 17:29:41 UTC
Tags:
macros macros-on-open generated-doc
Link:
https://app.any.run/tasks/d7297375-eb7d-477f-aa38-f3fcd94c7b19

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/msword
Has a screenshot:
False
Contains macros:
True
Detection(s):
SecuriteInfo.com.Office.Macro-13.UNOFFICIAL
Create hunting rule

Sanesecurity.Badmacro.doc_shellao.UNOFFICIAL
Create hunting rule

Sanesecurity.Badmacro.Wsc.exe.UNOFFICIAL
Create hunting rule

Sanesecurity.Badmacro.BadDoc.Fmt.Shell.UNOFFICIAL
Create hunting rule

MiscreantPunch.EvilMacro.AOPSH.UNOFFICIAL
Create hunting rule

MiscreantPunch.SuspiciousDoc.CrackedVersion.2.UNOFFICIAL
Create hunting rule

MiscreantPunch.PiratedOfficeVersionWithMacros.UNOFFICIAL
Create hunting rule

MiscreantPunch.Macro.PiratedOffice.171002.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
Legacy Word File with Macro
Link:
https://app.docguard.net/e10d8b2c6343432a4384928f91b398c9223a0155385ba1405192c614c6e1cf83/results/dashboard
Document image
Image:
Download PNG
Document image
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
macros macros-on-open powershell
Link:
https://www.filescan.io/uploads/617503fbdb358dd15ed91cb3/reports/13455d3b-b482-466b-8f4d-36111fea9e32/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/e10d8b2c6343432a4384928f91b398c9223a0155385ba1405192c614c6e1cf83
Details
Time Delay Loop
Detected a macro with a suspicious time-wait loop, potentially to evade sandboxes.
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Document With Few Pages
Document contains between one and three pages of content. Most malicious documents are sparse in page count.
Macro with File System Write
Detected macro logic that can write data to the file system.
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/850035
Signature
Document contains an embedded macro with GUI obfuscation
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document exploit detected (process start blacklist hit)
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Office product drops script at suspicious location
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 482465 Sample: diagram-378.doc Startdate: 13/09/2021 Architecture: WINDOWS Score: 100 74 enlacelaboral.com 2->74 84 Multi AV Scanner detection for submitted file 2->84 86 Sigma detected: Office product drops script at suspicious location 2->86 88 Document contains an embedded macro with GUI obfuscation 2->88 90 7 other signatures 2->90 10 WINWORD.EXE 436 34 2->10         started        signatures3 process4 file5 62 C:\Users\user\AppData\Roaming\www.txt, ASCII 10->62 dropped 64 C:\Users\user\AppData\Roaming\www.ps1, ASCII 10->64 dropped 13 cscript.exe 1 10->13         started        15 cscript.exe 1 10->15         started        process6 process7 17 powershell.exe 16 11 13->17         started        22 cmd.exe 13->22         started        24 cmd.exe 13->24         started        32 3 other processes 13->32 26 cmd.exe 15->26         started        28 powershell.exe 15->28         started        30 cmd.exe 15->30         started        34 3 other processes 15->34 dnsIp8 66 tailorind.com.pk 108.167.172.176, 443, 49166, 49167 UNIFIEDLAYER-AS-1US United States 17->66 68 aartieeabhjeet.com 116.206.105.115, 443, 49169, 49170 PUBLIC-DOMAIN-REGISTRYUS Seychelles 17->68 72 3 other IPs or domains 17->72 60 C:\ProgramData\www1.dll, MS-DOS 17->60 dropped 92 Powershell drops PE file 17->92 36 rundll32.exe 22->36         started        38 rundll32.exe 24->38         started        40 rundll32.exe 26->40         started        70 stuffiknow.in 28->70 42 rundll32.exe 30->42         started        44 rundll32.exe 32->44         started        46 rundll32.exe 32->46         started        48 rundll32.exe 32->48         started        50 rundll32.exe 34->50         started        52 2 other processes 34->52 file9 signatures10 process11 process12 54 rundll32.exe 36->54         started        58 rundll32.exe 40->58         started        dnsIp13 76 enlacelaboral.com 162.214.117.192, 49174, 49176, 49177 UNIFIEDLAYER-AS-1US United States 54->76 78 serverplanner.com 88.202.230.64, 49283, 49307, 80 UK2NET-ASGB United Kingdom 54->78 82 7 other IPs or domains 54->82 94 System process connects to network (likely due to code injection or exploit) 54->94 80 bengali.iu.ac.bd 58->80 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e10d8b2c6343432a4384928f91b398c9223a0155385ba1405192c614c6e1cf83/
Threat name:
Document-Office.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-09-13 17:29:08 UTC
AV detection:
10 of 43 (23.26%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
macro macro_on_action
Link:
https://tria.ge/reports/210913-v2j9saebf7/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Drops file in Windows directory
Blocklisted process makes network request
Process spawned unexpected child process
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e10d8b2c6343/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e10d8b2c6343432a4384928f91b398c9223a0155385ba1405192c614c6e1cf83

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_OLE_Suspicious_ActiveX
Create hunting rule
Author:ditekSHen
Description:detects OLE documents with suspicious ActiveX content
Rule name:INDICATOR_OLE_Suspicious_Reverse
Create hunting rule
Author:ditekSHen
Description:detects OLE documents containing VB scripts with reversed suspicious strings
Rule name:Office_AutoOpen_Macro
Create hunting rule
Author:Florian Roth
Description:Detects an Microsoft Office file that contains the AutoOpen Macro function
Rule name:quakbot_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:silentbuilder_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
URLhaus
https://urlhaus.abuse.ch/url/1616800/
  
Delivery method
Distributed via e-mail link

Comments