MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9bd3a815beaf9e995e521edd22d17a06e5e1c4b1c2fdfa39f3837983716a70c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat: unknown
Vendor detections: 9
Maldoc score: 13



SHA256 hash: f9bd3a815beaf9e995e521edd22d17a06e5e1c4b1c2fdfa39f3837983716a70c
SHA3-384 hash: 752dc1472a262432163304750649e145b4eb7ad2311d17b1c7746acd2d2b7eba00c5deb3d4509101e842040d78aff4a6
SHA1 hash: 4c42b07b32c4be8693a9cff8065f3a63de2af1b4
MD5 hash: 9168703c6e3c385d371ab19d8f3c8ad7
humanhash: hot-white-cola-mango
File name: zmed.doc
File size: 1'668'804 bytes
First seen: 2022-01-13 11:28:24 UTC
Last seen: 2022-01-14 09:56:27 UTC
File type: Word file (doc)
MIME type: application/msword
ssdeep: 3072:28jC2CUNX5EIDAwQodB/ZEEOg5pxcX753tC/Daq:ZCN8nQodBGopG
TLSH: T163751AE4A0729554FC1E36F2AA8138C84AC33DEA391FDF4A0114B57F28795E83AD585F
Reporter: madjack_red
Tags: doc

Office OLE Information


This malware sample appears to be an Office document. The following tables provide more information about this document, obtained using oletools (oleid, oledump and olevba).

OLE id
Maldoc score: 13
OLE dump

MalwareBazaar was able to identify 18 sections in this file using oledump:

Section ID   Section size   Section name
1            113 bytes      CompObj
2            264 bytes      DocumentSummaryInformation
3            384 bytes      SummaryInformation
4            8366 bytes     1Table
5            4096 bytes     Data
6            492 bytes      Macros/PROJECT
7            78 bytes       Macros/PROJECTlk
8            68 bytes       Macros/PROJECTwm
9            1064 bytes     Macros/VBA/ThisDocument
10           3718 bytes     Macros/VBA/_VBA_PROJECT
11           18722 bytes    Macros/VBA/autoOPen
12           737 bytes      Macros/VBA/dir
13           112 bytes      ObjectPool/_1703547241/CompObj
14           16 bytes       ObjectPool/_1703547241/OCXNAME
15           6 bytes        ObjectPool/_1703547241/ObjInfo
16           264 bytes      ObjectPool/_1703547241/PRINT
17           72 bytes       ObjectPool/_1703547241/contents
18           941857 bytes   WordDocument
OLE vba

MalwareBazaar was able to extract the following information from the VBA script(s) in the OLE objects embedded in this file using olevba:

Type         Keyword          Description
AutoExec     autoOPen         Runs when the Word document is opened
Suspicious   Open             May open a file
Suspicious   create           May execute file or a system command through WMI
Suspicious   Lib              May run code from a DLL
Suspicious   Chr              May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Suspicious   Hex Strings      Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
Suspicious   Base64 Strings   Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
(missing)    (missing)        [row truncated on the page] ... code and P-code are different, this may have been used to hide malicious code

Intelligence


File Origin
# of uploads: 3
# of downloads: 250
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: zmed.doc
Verdict: Malicious activity
Analysis date: 2022-01-13 11:29:39 UTC
Tags: macros loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
File type: application/msword
Has a screenshot: False
Contains macros: True
Result
Verdict: Malware
Maliciousness:
Behaviour
Launching a process
Searching for the window
DNS request
Creating a window
Creating a file
Creating a file in the %temp% directory
Creating a process with a hidden window
Possible injection to a system process
Launching cmd.exe command interpreter by exploiting the app vulnerability
Creating a process from a recently created file
Result
Verdict: Malicious
File Type: Legacy Word File with Macro
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control.exe evasive macros macros-on-open obfuscated print.exe
Result
Threat name: Unknown
Detection: malicious
Classification: expl.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Creates an autostart registry key pointing to binary in C:\Windows
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office process drops PE file
Sigma detected: Execute DLL with spoofed extension
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Office product drops script at suspicious location
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: UNC2452 Process Creation Patterns
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Behaviour
Behavior Graph (ID 552475; sample: zmed.doc; start date: 13/01/2022; architecture: WINDOWS; score: 100), rebuilt from the graph dump as a process tree:

Start (zmed.doc)
  DNS/IP: nasikbazar.com
  Signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; Sigma detected: UNC2452 Process Creation Patterns; 10 other signatures
  WINWORD.EXE 428 41 (started)
    Dropped: C:\.intel\.rem\2.png (PE32); C:\.intel\.rem\1.png (PE32+); C:\Users\user\Desktop\~$zmed.doc (data); 2 other malicious files
    cmd.exe (started)
      Signatures: Uses cmd line tools excessively to alter registry or file data; Bypasses PowerShell execution policy
      powershell.exe 6 (started)
        rundll32.exe (started)
          cmd.exe (started)
            rundll32.exe (started)
              cmd.exe (started)
                rundll32.exe (started)
                  Signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
                  cmd.exe (started)
                    Signatures: Uses cmd line tools excessively to alter registry or file data
                    reg.exe (started)
                  cmd.exe (started)
                  chrome.exe (started)
                timeout.exe (started)
              cmd.exe (started)
                Signatures: Uses cmd line tools excessively to alter registry or file data
                reg.exe 1 (started)
                  Signatures: Creates an autostart registry key pointing to binary in C:\Windows
            timeout.exe (started)
  rundll32.exe (started)
  rundll32.exe (started)
Threat name: Document-Office.Trojan.Alien
Status: Malicious
First seen: 2022-01-13 11:29:13 UTC
File Type: Document
Extracted files: 21
AV detection: 7 of 41 (17.07%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Drops file in Windows directory
Drops file in System32 directory
Loads dropped DLL
Process spawned unexpected child process
Malware Config
Dropper Extraction: http://nasikbazar.com/ldllrndlleaw64.png

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments