MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f199cc703c62cb31955634bf10a1285c81fb95f3bba152130cb3cb2e976aef1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Maldoc score: 14

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	f199cc703c62cb31955634bf10a1285c81fb95f3bba152130cb3cb2e976aef1f
SHA3-384 hash:	3f1ce06aa77e7a2c12701c1480d3fb1a4075a81efb0a21b7bac48e93df2e6775523fc3dfa786bbd422541ac825830d1f
SHA1 hash:	dc0c8a9d7fae0920c49b3cce9ac26f89c0dde321
MD5 hash:	e2f9c1c12b3ea287fe8fdca1e2c3a415
humanhash:	kentucky-mississippi-five-grey
File name:	detalhes_atualizacao_ufpa.doc
Download:	download sample
File size:	121'344 bytes
First seen:	2021-09-09 03:04:24 UTC
Last seen:	Never
File type:	doc
MIME type:	application/msword
ssdeep	1536:J3xgznD2F+Pv5DOLpf8G5JHDsYTAS96G9p0857I4SA4n:HgbyG2PJjZAYs8RI434
TLSH	T19BC38C32F275DF6FD2092AB04A528EA822357C674B92565B70057F3E7CB2B11CF11788
Reporter	JAMESWT_WT
Tags:	doc UFPA

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id

Maldoc score: 14

Application name is Microsoft Office Word

Office document is in OLE format

Office document contains VBA Macros

OLE dump

MalwareBazaar was able to identify 16 sections in this file using oledump:

Section ID	Section size	Section name
1	118 bytes	CompObj
2	4096 bytes	DocumentSummaryInformation
3	4096 bytes	SummaryInformation
4	7672 bytes	1Table
5	66939 bytes	Data
6	412 bytes	Macros/PROJECT
7	71 bytes	Macros/PROJECTwm
8	19186 bytes	Macros/VBA/NewMacros
9	1087 bytes	Macros/VBA/ThisDocument
10	3047 bytes	Macros/VBA/_VBA_PROJECT
11	1452 bytes	Macros/VBA/__SRP_0
12	122 bytes	Macros/VBA/__SRP_1
13	263 bytes	Macros/VBA/__SRP_2
14	256 bytes	Macros/VBA/__SRP_3
15	703 bytes	Macros/VBA/dir
16	5678 bytes	WordDocument

OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

Type	Keyword	Description
AutoExec	AutoOpen	Runs when the Word document is opened
AutoExec	Document_Open	Runs when the Word or Publisher document is opened
IOC	powershell.exe	Executable file name
Suspicious	Shell	May run an executable file or a system command
Suspicious	Wscript.Shell	May run an executable file or a system command
Suspicious	Run	May run an executable file or a system command
Suspicious	powershell	May run PowerShell commands
Suspicious	CreateObject	May create an OLE object
Suspicious	Hex Strings	Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin

# of uploads :

# of downloads :

152

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

detalhes_atualizacao_ufpa.doc

Verdict:

Malicious activity

Analysis date:

2021-09-09 03:05:42 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6c9ed5d8-b687-40e9-96d5-cb6ac5fd631c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

File type:

application/msword

Has a screenshot:

False

Contains macros:

True

Detection(s):

Win.Trojan.PowerShell-8

MiscreantPunch.EvilMacro.PSDL.170906.UNOFFICIAL

MiscreantPunch.EvilMacro.PSHELLNEWOBJECTw.3.UNOFFICIAL

MiscreantPunch.EvilMacro.PSHELLNEWOBJECTw.5.UNOFFICIAL

TwinWave.EvilDoc.DOCXRSTRGOOD.POWERSHELL.200302B64.3.UNOFFICIAL

TwinWave.EvilDoc.DOCXRSTRGOOD.POWERSHELL.200302B64.4.UNOFFICIAL

TwinWave.EvilDoc.DOCXRSTRGOOD.NEW-OBJECT.200322B64.3.UNOFFICIAL

TwinWave.EvilDoc.DOCXRSTRGOOD.NEW-OBJECT.200322B64.7.UNOFFICIAL

TwinWave.EvilDoc.DOCXRSTRGOOD.NEW_OBJECT.200630B64.3.UNOFFICIAL

TwinWave.EvilDoc.DOCXRSTRGOOD.NEW_OBJECT.200630B64.7.UNOFFICIAL

TwinWave.EvilDoc.DOCXRSTRGOOD.USESHELLEXECUTE.210709B64.3.UNOFFICIAL

Sanesecurity.Badmacro.Doc.blankopen.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Connection attempt

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Launching a process by exploiting the app vulnerability

Using obfuscated Powershell scripts

Unauthorized injection to a system process

Result

Verdict:

Malicious

File Type:

Legacy Word File with Macro

Link:

https://app.docguard.net/f199cc703c62cb31955634bf10a1285c81fb95f3bba152130cb3cb2e976aef1f/results/dashboard

Document image

Image:

Download PNG

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/f199cc703c62cb31955634bf10a1285c81fb95f3bba152130cb3cb2e976aef1f

Details

Base64 Encoded Powershell Directives

Detected one or more base64 encoded Powershell directives.

Macro with Startup Hook

Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.

Document With Few Pages

Document contains between one and three pages of content. Most malicious documents are sparse in page count.

Base64 Encoded Powershell

Detected a macro with a base64 encoded reference to Powershell.

Hidden Powershell

Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.

Powershell in Macro

Detected a macro that may utilize Powershell. Such pivots are commonly found in malware.

Macro Contains Suspicious String

Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...

Document With Minimal Content

Document contains less than 1 kilobyte of semantic information.

Result

Threat name:

Metasploit

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/847789

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to capture and log keystrokes

Contains functionality to change the desktop window for a process (likely to hide graphical interactions)

Contains functionality to check if the process is started with administrator privileges

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Document contains an embedded VBA macro which may execute processes

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with many string operations indicating source code obfuscation

Document exploit detected (process start blacklist hit)

Encrypted powershell cmdline option found

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Potential dropper URLs found in powershell memory

Sigma detected: Encoded FromBase64String

Sigma detected: FromBase64String Command Line

Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines

Sigma detected: Microsoft Office Product Spawning Windows Shell

Sigma detected: Suspicious PowerShell Cmdline

Sigma detected: Suspicious PowerShell Command Line

Suspicious powershell command line found

System process connects to network (likely due to code injection or exploit)

Very long command line found

Yara detected MetasploitPayload

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f199cc703c62cb31955634bf10a1285c81fb95f3bba152130cb3cb2e976aef1f/

Threat name:

Script-Macro.Downloader.Powdow

Status:

Malicious

First seen:

2021-09-09 03:05:14 UTC

File Type:

Document

Extracted files:

AV detection:

15 of 45 (33.33%)

Threat level:

3/5

Result

Malware family:

metasploit

Score:

10/10

Tags:

family:cobaltstrike family:metasploit backdoor macro macro_on_action trojan xlm

Link:

https://tria.ge/reports/210909-dk7v3sfdg6/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Office loads VBA resources, possible macro or embedded object present

Program crash

Drops file in Windows directory

Blocklisted process makes network request

Downloads MZ/PE file

Cobaltstrike

MetaSploit

Process spawned unexpected child process

Malware Config

C2 Extraction:

http://178.62.247.185:7070/w_CrkMxgNzKLC4oK6jLImgB5-5scwO1VQg4xJJ-CoPnCvBdIXpUwcaqYYGMmIaV4G9-5-He2qVmoaSHj7ntBRxRQmBA20zaLcfLIos54xYqVGKpw-2g0ijtiZe733UjAi9zQlyyPChF6xD3Udkj_36qSt9m-LsdPSLDMDjHOKaUkBmpBGpKYqU75Au_R7vGSj_lJ-Pt_UtX8AtZ-fkGjN_yYmXiVKRu5uJS

Malware family:

Cobalt Strike

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/f199cc703c62/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f199cc703c62cb31955634bf10a1285c81fb95f3bba152130cb3cb2e976aef1f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Office_AutoOpen_Macro Create hunting rule
Author:	Florian Roth
Description:	Detects an Microsoft Office file that contains the AutoOpen Macro function

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

doc f199cc703c62cb31955634bf10a1285c81fb95f3bba152130cb3cb2e976aef1f

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1604154/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample