MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed892f2bb59d7e92d5168c577f56902f7dd967fdc203755f5e42025c7ec7f45f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed892f2bb59d7e92d5168c577f56902f7dd967fdc203755f5e42025c7ec7f45f
SHA3-384 hash: 08fc1e691a7e724d3a70bf4bcd3f06f823bc903d1b5cebb138885ebaad7efad18e81b9ffcefedb466e95ee5afa055179
SHA1 hash: 2c8be5f3bac575202c564aca63c1e0138c1c3e96
MD5 hash: ca1b2590df7c5925c22e9d065f718711
humanhash: one-missouri-stream-friend
File name:Arrival Notice.xlsx
Download: download sample
File size:349'184 bytes
First seen:2022-04-14 05:42:11 UTC
Last seen:Never
File type:Excel file xlsx
MIME type:application/encrypted
ssdeep 6144:uegeFNrUJdHBIzhvM9gXTMm5s26HbnSGeDO01pJbM5x+jGQgFu9yQ8PBjCCh:uNeFZUJdHYkkMqs26HN01r47+jEY9p8R
TLSH T1DB742304B8A51B1AE3CD16302C94639BE62EEC85DA24352D26623D90383DFD87564FEF
Reporter abuse_ch
Tags:CVE-2018-0802 VelvetSweatshop xlsx

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE dump
Detection: VelvetSweatshop

MalwareBazaar was able to identify 6 sections in this file using oledump:

Section IDSection sizeSection name
164 bytesDataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
2112 bytesDataSpaces/DataSpaceMap
3208 bytesDataSpaces/TransformInfo/StrongEncryptionTransform/Primary
476 bytesDataSpaces/Version
5342328 bytesEncryptedPackage
6224 bytesEncryptionInfo

Intelligence

File Origin
# of uploads :
1
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Arrival Notice.xlsx
Verdict:
Suspicious activity
Analysis date:
2022-04-14 07:42:11 UTC
Tags:
encrypted
Link:
https://app.any.run/tasks/2b6527c2-457c-42f6-9ce7-7aa2f5cbc9b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Has a screenshot:
False
Contains macros:
False
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/263560/
Detection(s):
SecuriteInfo.com.Exploit.CVE-2018-0802.Gen.14155.23121.UNOFFICIAL
Create hunting rule

PUA.Doc.Packed.EncryptedDoc-6563700-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Creating a window
Searching for synchronization primitives
Launching a process
Сreating synchronization primitives
Changing an executable file
Infecting executable files
Result
Verdict:
Malicious
File Type:
OOXML Excel File with Embedding Objects in Encrypted Excel File
Link:
https://app.docguard.net/ed892f2bb59d7e92d5168c577f56902f7dd967fdc203755f5e42025c7ec7f45f/results/dashboard
Document image
Image:
Download PNG
Document image
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
embedequation exploit shellcode VelvetSweatshop
Link:
https://www.filescan.io/uploads/6257b46b482f2f41caabf1fa/reports/83f9f941-0a75-4d05-8d45-80891a829435/overview
Label:
Malicious
Suspicious Score:
7.8/10
Score Malicious:
78%
Score Benign:
22%
Link:
https://www.malware.ai/gui/files/?id=c8f04a4d-85e5-4ce7-9c71-19fe9253b2f8
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/ed892f2bb59d7e92d5168c577f56902f7dd967fdc203755f5e42025c7ec7f45f
Details
Document With No Content
Document contains little or no semantic information.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/976641
Signature
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ed892f2bb59d7e92d5168c577f56902f7dd967fdc203755f5e42025c7ec7f45f/
Threat name:
Document-Office.Exploit.CVE-2018-0802
Create hunting rule
Status:
Malicious
First seen:
2022-04-13 12:18:58 UTC
File Type:
Document
Extracted files:
56
AV detection:
14 of 41 (34.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5wes6k5vtv7jfviwrrlx6vuqf565sz75yibxkx26iibfy7wh6rpq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220414-gekp5sgfgp/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Launches Equation Editor
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Blocklisted process makes network request
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ed892f2bb59d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ed892f2bb59d7e92d5168c577f56902f7dd967fdc203755f5e42025c7ec7f45f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Excel file xlsx ed892f2bb59d7e92d5168c577f56902f7dd967fdc203755f5e42025c7ec7f45f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/263560/

Comments