MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef0a68eb3e2998acdd5fdce8acd980ea9077c44fefced848a36805690844ae37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FIN7

Vendor detections: 7

Maldoc score: 27

Intelligence 7 IOCs YARA 4 File information Comments

SHA256 hash:	ef0a68eb3e2998acdd5fdce8acd980ea9077c44fefced848a36805690844ae37
SHA3-384 hash:	06bee4636720cb0927eddb7ef88b11211edfb9cdbda8caad176fffc1b5acfa6276132a4f60c0dbfaa82feefbd16c2707
SHA1 hash:	6b1da5e0ecda14512369a7201982a6bc13b33700
MD5 hash:	d60b6a8310373c9b84e6760c24185535
humanhash:	finch-oven-texas-king
File name:	Users-Progress-072021-1.doc
Download:	download sample
Signature	FIN7 Create hunting rule
File size:	2'499'072 bytes
First seen:	2021-09-03 07:34:03 UTC
Last seen:	2021-09-07 13:43:25 UTC
File type:	doc
MIME type:	application/msword
ssdeep	49152:kpHH1j3mpdgRf+us8azmLBVU3p2XR3451TpKPOv05AhEnfsW8:kNxmsRf+u8A+4mtKe0
TLSH	T19BC51207F7C10732C2961231954EA7D5B3258C3CA2358A6135ADB53D3A32D78B6BB7E8
Reporter	JAMESWT_WT
Tags:	doc FIN7

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id

Maldoc score: 27

Application name is Microsoft Office Word

Office document is in OLE format

Office document contains VBA Macros

OLE dump

MalwareBazaar was able to identify 15 sections in this file using oledump:

Section ID	Section size	Section name
1	114 bytes	CompObj
2	292 bytes	DocumentSummaryInformation
3	428 bytes	SummaryInformation
4	7607 bytes	1Table
5	2196072 bytes	Data
6	434 bytes	Macros/PROJECT
7	41 bytes	Macros/PROJECTwm
8	102641 bytes	Macros/VBA/ThisDocument
9	3580 bytes	Macros/VBA/_VBA_PROJECT
10	522 bytes	Macros/VBA/dir
11	76 bytes	ObjectPool/_1687197129/CompObj
12	146674 bytes	ObjectPool/_1687197129/Ole10Native
13	5012 bytes	ObjectPool/_1687197129/EPRINT
14	6 bytes	ObjectPool/_1687197129/ObjInfo
15	9774 bytes	WordDocument

OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

Type	Keyword	Description
AutoExec	Document_Open	Runs when the Word or Publisher document is opened
Suspicious	open	May open a file
Suspicious	write	May write to a file (if combined with Open)
Suspicious	put	May write to a file (if combined with Open)
Suspicious	kill	May delete a file
Suspicious	run	May run an executable file or a system command
Suspicious	ShellExecuteA	May run an executable file or a system command
Suspicious	shell32	May run an executable file or a system command
Suspicious	CreateObject	May create an OLE object
Suspicious	GetObject	May get an OLE object with a running instance
Suspicious	Lib	May run code from a DLL
Suspicious	Chr	May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Suspicious	regRead	May read registry keys
Suspicious	Hex Strings	Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin

# of uploads :

# of downloads :

191

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Users-Progress-072021-1.doc

Verdict:

No threats detected

Analysis date:

2021-09-03 05:26:06 UTC

Tags:

macros ole-embedded macros-on-open

Link:

https://app.any.run/tasks/bf0a7e5a-c3da-4d73-b970-9ad8a7fd4c9e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Legit

File type:

application/msword

Has a screenshot:

False

Contains macros:

True

Detection(s):

TwinWave.EvilDoc.BazarCosmicGear.20210629.UNOFFICIAL

TwinWave.EvilDoc.InlineShapeOfMyHeart.20210629.UNOFFICIAL

TwinWave.EvilDoc.CROMiscreantNeuralLinkTerra.20210721.UNOFFICIAL

Sanesecurity.Badmacro.Doc.imgx2.UNOFFICIAL

TwinWave.EvilDoc.FoolsHighwayM4.20210826.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file

DNS request

Replacing files

Changing a file

Sending a UDP request

Creating a file in the %temp% subdirectories

Connection attempt by exploiting the app vulnerability

Deleting of the original file

Result

Verdict:

Malicious

File Type:

Legacy Word File with Macro

Link:

https://app.docguard.net/ef0a68eb3e2998acdd5fdce8acd980ea9077c44fefced848a36805690844ae37/results/dashboard

Document image

Image:

Download PNG

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/ef0a68eb3e2998acdd5fdce8acd980ea9077c44fefced848a36805690844ae37

Details

Macro with Startup Hook

Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.

Document With Few Pages

Document contains between one and three pages of content. Most malicious documents are sparse in page count.

Macro Execution Coercion

Detected a document that appears to social engineer the user into activating embedded logic.

Macro Contains Suspicious String

Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...

Macro with DLL Reference

Detected macro logic that will load additional functionality from Dynamically Linked Libraries (DLLs). While not explicitly malicious, this is a common tactic for accessing APIs that are not otherwised exposed via Visual Basic for Applications (VBA).

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.expl.evad.troj

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/814112

Signature

Document contains an embedded macro with GUI obfuscation

Document contains an embedded VBA macro which may execute processes

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains an embedded VBA with functions possibly related to HTTP operations

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Document Viewer accesses SMB path (likely to steal NTLM hashes or to download payload)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Opens network shares

Outdated Microsoft Office dropper detected

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ef0a68eb3e2998acdd5fdce8acd980ea9077c44fefced848a36805690844ae37/

Threat name:

Document-Word.Trojan.Valyria

Status:

Malicious

First seen:

2021-07-09 19:48:57 UTC

File Type:

Document

Extracted files:

AV detection:

14 of 43 (32.56%)

Threat level:

5/5

Result

Malware family:

n/a

Score:

8/10

Tags:

macro macro_on_action

Link:

https://tria.ge/reports/210903-jep1zacfh5/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

NTFS ADS

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Office loads VBA resources, possible macro or embedded object present

Drops file in Windows directory

Deletes itself

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ef0a68eb3e2998acdd5fdce8acd980ea9077c44fefced848a36805690844ae37

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_DOC_PhishingPatterns Create hunting rule
Author:	ditekSHen
Description:	Detects OLE, RTF, PDF and OOXML (decompressed) documents with common phishing strings

Rule name:	INDICATOR_OLE_ObjectPool_Embedded_Files Create hunting rule
Author:	ditekSHen
Description:	Detects OLE documents with ObjectPool OLE storage and embed suspicous excutable files

Rule name:	INDICATOR_SUSPICIOUS_JS_WMI_ExecQuery Create hunting rule
Author:	ditekSHen
Description:	Detects JS potentially executing WMI queries

Rule name:	SUSP_EnableContent_String_Gen Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious string that asks to enable active content in Office Doc
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

https://twitter.com/Circuitous__/status/1433516145752035331?s=20

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample