MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee103f8d64cd8fa884ff6a041db2f7aa403c502f54e26337c606044c2f205394. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 9


Maldoc score: 15


Intelligence 9 IOCs YARA File information Comments

SHA256 hash: ee103f8d64cd8fa884ff6a041db2f7aa403c502f54e26337c606044c2f205394
SHA3-384 hash: f34cf63c645fba26b2018f67bfd4060d46f6dfbe67d0c9ca7a602b20ab12f295ce3f995e45c20df98b92edf975a4f47e
SHA1 hash: a00e440eb13f84c8b8faba5b81a7d85fce2a4074
MD5 hash: a9490d94cf547e27dcc0d52dc72e74e7
humanhash: seven-uniform-triple-equal
File name:instruct_11.21.doc.vir
Download: download sample
Signature n/a
File size:34'817 bytes
First seen:2021-11-12 19:58:52 UTC
Last seen:Never
File type:Word file doc
MIME type:application/vnd.openxmlformats-officedocument.wordprocessingml.document
ssdeep 384:xS6JqYxSJTvfpHhx/gFj0EEYpcVhE1ltmTV/YZO4NSCWl822TnUCSdQQUfwliiid:ZJqY0phb4a02VWnZdw9822zAEhXd
TLSH T146F2E025C165F804D697D8BDE66902F1FA1CC2066091C85F2166F9CFC7B2AA3437BE4E
Reporter @DSTLabs
Tags:doc maldoc sansisc vba

Office OLE Information


This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 15
OLE dump
Sections: 11

The following OLE sections have been found using oledump:

Section IDSection sizeSection name
A1394 bytesPROJECT
A256 bytesPROJECTwm
A32271 bytesVBA/ThisDocument
A43229 bytesVBA/_VBA_PROJECT
A51874 bytesVBA/__SRP_0
A6209 bytesVBA/__SRP_1
A7835 bytesVBA/__SRP_2
A8290 bytesVBA/__SRP_3
A9711 bytesVBA/dir
A101122 bytesVBA/main
OLE vba
TypeKeywordDescription
AutoExecdocument_openRuns when the Word or Publisher document is opened
SuspiciousshellMay run an executable file or a system command
Suspiciouswscript.shellMay run an executable file or a system command
SuspiciousCreateObjectMay create an OLE object
SuspiciouswindowsMay enumerate application windows (if combined with Shell.Application object)
SuspiciousStrReverseMay attempt to obfuscate specific strings (use option --deobf to deobfuscate)
SuspiciousexecMay run an executable file or a system
SuspiciousBase64 StringsBase64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads :
1
# of downloads :
167
Origin country :
BE BE
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ee103f8d64cd8fa884ff6a041db2f7aa403c502f54e26337c606044c2f205394.doc
Verdict:
Malicious activity
Analysis date:
2021-11-13 06:09:12 UTC
Tags:
macros macros-on-open generated-doc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/msword
Has a screenshot:
False
Contains macros:
True
Result
Verdict:
Malicious
File Type:
Word File with Macro
Alert level:
14%
Document image
Document image
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
hancitor macros macros-on-open mshta regsvr32 valyria virus
Result
Verdict:
MALICIOUS
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl
Score:
92 / 100
Signature
Antivirus detection for URL or domain
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Suspicious MSHTA Process Patterns
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 520837 Sample: instruct_11.21.doc.docm Startdate: 12/11/2021 Architecture: WINDOWS Score: 92 17 Multi AV Scanner detection for domain / URL 2->17 19 Antivirus detection for URL or domain 2->19 21 Multi AV Scanner detection for submitted file 2->21 23 6 other signatures 2->23 6 explorer.exe 3 2->6         started        8 WINWORD.EXE 38 42 2->8         started        process3 process4 10 mshta.exe 23 6->10         started        13 explorer.exe 1 8->13         started        dnsIp5 15 shoulderelliottd.com 194.62.42.144, 80 ZEISS-ASRU Russian Federation 10->15
Threat name:
Document-Word.Dropper.Powdow
Status:
Malicious
First seen:
2021-11-12 19:59:05 UTC
AV detection:
19 of 44 (43.18%)
Threat level:
  3/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
macro
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Drops file in Windows directory
Blocklisted process makes network request
Process spawned unexpected child process

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments