Windows
Analysis Report
Ziraat Bankas#U0131 Swift Mesaji2.docx.doc
Overview
General Information
Sample name: | Ziraat Bankas#U0131 Swift Mesaji2.docx.docrenamed because original name is a hash value |
Original sample name: | Ziraat Bankas Swift Mesaji2.docx.doc |
Analysis ID: | 1432092 |
MD5: | 6b558989d2d86cdefeec7f4870728234 |
SHA1: | f272ce3666af298c1bfcdc35b417a38a3e7c7a09 |
SHA256: | a0c344097b361f848249cda8b87539627f640f84e2d06b305757d7e60183e636 |
Tags: | doc |
Errors
|
Detection
Score: | 52 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Click to jump to signature section
AV Detection |
---|
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Classification label: |
Source: | OLE indicator, Word Document stream: | ||
Source: | OLE indicator, Word Document stream: |
Source: | OLE document summary: | ||
Source: | OLE document summary: |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | Initial sample: | ||
Source: | Initial sample: | ||
Source: | Initial sample: |
Source: | Initial sample: |
Persistence and Installation Behavior |
---|
Source: | Extracted files from sample: |
Source: | Stream path 'CONTENTS' entropy: | ||
Source: | Stream path 'CONTENTS' entropy: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | 1 Obfuscated Files or Information | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
10% | Virustotal | Browse | ||
13% | ReversingLabs |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1432092 |
Start date and time: | 2024-04-26 12:46:06 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 34s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of analysed new started processes analysed: | 0 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Sample name: | Ziraat Bankas#U0131 Swift Mesaji2.docx.docrenamed because original name is a hash value |
Original Sample Name: | Ziraat Bankas Swift Mesaji2.docx.doc |
Detection: | MAL |
Classification: | mal52.evad.winDOC@0/0@0/0 |
- Unable to connect to analysis machine: w7x64, esxi07-W7x64_Office, timeout exceeded, no analysis of the sample was performed
- No process behavior to analyse as no analysis process or sample was found
File type: | |
Entropy (8bit): | 7.96903354700559 |
TrID: |
|
File name: | Ziraat Bankas#U0131 Swift Mesaji2.docx.doc |
File size: | 154'752 bytes |
MD5: | 6b558989d2d86cdefeec7f4870728234 |
SHA1: | f272ce3666af298c1bfcdc35b417a38a3e7c7a09 |
SHA256: | a0c344097b361f848249cda8b87539627f640f84e2d06b305757d7e60183e636 |
SHA512: | 79df3fa96b463f2aaecbf3f16144e04b753e3ca0761a10ca9c3131ff5284bd0d92670aac25cff5cbeb467d23d74f640039b1c8d03c61560e846db2aa14742609 |
SSDEEP: | 3072:Ive912Gz3qlOvRxQgrfykPwOfi7md1TFOfyS9SPg1TndPJtsu:Q/46IXVXfrFO6S951ndPJiu |
TLSH: | 7DE3017333C4B909FDB388E69A645944A27E7E54E9911C152F28E30F27BD3EDE260871 |
File Content Preview: | PK.........d.X.4..m...........[Content_Types].xmlUT...V.+fV.+fV.+f.T.n.0..W.?D....CUU..]......{.n..6..wL(.* m.K...[f<q...*[..........p+....m....,Df.S.@I...pp}.......&.d....4..h.... R[.Y.W?....6.z...RnM....4....5...=..s....d.M].*.sNI.".ta....... ,.k..V..z. |
Document Type: | OpenXML |
Number of OLE Files: | 2 |
Has Summary Info: | |
Application Name: | |
Encrypted Document: | False |
Contains Word Document Stream: | True |
Contains Workbook/Book Stream: | False |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | False |
Flash Objects Count: | 0 |
Contains VBA Macros: | False |
Title: | |
Subject: | |
Author: | 91974 |
Keywords: | |
Template: | |
Last Saved By: | 91974 |
Revion Number: | 14 |
Total Edit Time: | 4 |
Create Time: | 2023-11-10T01:33:00Z |
Last Saved Time: | 2024-04-22T13:07:00Z |
Number of Pages: | 1 |
Number of Words: | 10 |
Number of Characters: | 58 |
Creating Application: | |
Security: | 0 |
Number of Lines: | 1 |
Number of Paragraphs: | 1 |
Thumbnail Scaling Desired: | false |
Company: | |
Contains Dirty Links: | false |
Shared Document: | false |
Changed Hyperlinks: | false |
Application Version: | 12.0000 |
General | |
Stream Path: | \x1CompObj |
CLSID: | |
File Type: | data |
Stream Size: | 94 |
Entropy: | 4.345966460061678 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . . |
Data Raw: | 01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00 |
General | |
Stream Path: | \x1Ole |
CLSID: | |
File Type: | data |
Stream Size: | 20 |
Entropy: | 0.8475846798245739 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
General | |
Stream Path: | \x3ObjInfo |
CLSID: | |
File Type: | data |
Stream Size: | 6 |
Entropy: | 1.2516291673878228 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . |
Data Raw: | 00 00 03 00 01 00 |
General | |
Stream Path: | CONTENTS |
CLSID: | |
File Type: | PDF document, version 1.5, 1 pages (zip deflate encoded) |
Stream Size: | 31606 |
Entropy: | 7.916695020479147 |
Base64 Encoded: | True |
Data ASCII: | % P D F - 1 . 5 . % . 3 0 o b j . < < / C o l o r S p a c e / D e v i c e G r a y / S u b t y p e / I m a g e / H e i g h t 7 2 / F i l t e r / F l a t e D e c o d e / T y p e / X O b j e c t / W i d t h 2 5 5 / L e n g t h 2 0 8 1 / B i t s P e r C o m p o n e n t 8 > > s t r e a m . x { P . U . & B & o 1 b F P s . R 2 . . . . * Y 6 3 . . # N L 8 T X R | ( ( " * " < 6 ] . . { n n | . . s ` . . , b . E . . . q . ( ` o ^ E Y . 7 N Y ] . H X ^ 3 n . . " K . . . . . . * o " . E ( > . . . . . . . |
Data Raw: | 25 50 44 46 2d 31 2e 35 0a 25 e2 e3 cf d3 0a 33 20 30 20 6f 62 6a 0a 3c 3c 2f 43 6f 6c 6f 72 53 70 61 63 65 2f 44 65 76 69 63 65 47 72 61 79 2f 53 75 62 74 79 70 65 2f 49 6d 61 67 65 2f 48 65 69 67 68 74 20 37 32 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 2f 54 79 70 65 2f 58 4f 62 6a 65 63 74 2f 57 69 64 74 68 20 32 35 35 2f 4c 65 6e 67 74 68 20 32 30 38 31 2f 42 69 |
Has Summary Info: | |
Application Name: | |
Encrypted Document: | False |
Contains Word Document Stream: | True |
Contains Workbook/Book Stream: | False |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | False |
Flash Objects Count: | 0 |
Contains VBA Macros: | False |
Title: | |
Subject: | |
Author: | 91974 |
Keywords: | |
Template: | |
Last Saved By: | 91974 |
Revion Number: | 14 |
Total Edit Time: | 4 |
Create Time: | 2023-11-10T01:33:00Z |
Last Saved Time: | 2024-04-22T13:07:00Z |
Number of Pages: | 1 |
Number of Words: | 10 |
Number of Characters: | 58 |
Creating Application: | |
Security: | 0 |
Number of Lines: | 1 |
Number of Paragraphs: | 1 |
Thumbnail Scaling Desired: | false |
Company: | |
Contains Dirty Links: | false |
Shared Document: | false |
Changed Hyperlinks: | false |
Application Version: | 12.0000 |
General | |
Stream Path: | \x1CompObj |
CLSID: | |
File Type: | data |
Stream Size: | 94 |
Entropy: | 4.345966460061678 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . . |
Data Raw: | 01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00 |
General | |
Stream Path: | \x1Ole |
CLSID: | |
File Type: | data |
Stream Size: | 20 |
Entropy: | 0.8475846798245739 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
General | |
Stream Path: | \x3ObjInfo |
CLSID: | |
File Type: | data |
Stream Size: | 6 |
Entropy: | 1.2516291673878228 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . |
Data Raw: | 00 00 03 00 01 00 |
General | |
Stream Path: | CONTENTS |
CLSID: | |
File Type: | PDF document, version 1.5, 1 pages (zip deflate encoded) |
Stream Size: | 30959 |
Entropy: | 7.915983867366053 |
Base64 Encoded: | True |
Data ASCII: | % P D F - 1 . 5 . % . 3 0 o b j . < < / C o l o r S p a c e / D e v i c e G r a y / S u b t y p e / I m a g e / H e i g h t 7 2 / F i l t e r / F l a t e D e c o d e / T y p e / X O b j e c t / W i d t h 2 5 5 / L e n g t h 2 0 8 1 / B i t s P e r C o m p o n e n t 8 > > s t r e a m . x { P . U . & B & o 1 b F P s . R 2 . . . . * Y 6 3 . . # N L 8 T X R | ( ( " * " < 6 ] . . { n n | . . s ` . . , b . E . . . q . ( ` o ^ E Y . 7 N Y ] . H X ^ 3 n . . " K . . . . . . * o " . E ( > . . . . . . . |
Data Raw: | 25 50 44 46 2d 31 2e 35 0a 25 e2 e3 cf d3 0a 33 20 30 20 6f 62 6a 0a 3c 3c 2f 43 6f 6c 6f 72 53 70 61 63 65 2f 44 65 76 69 63 65 47 72 61 79 2f 53 75 62 74 79 70 65 2f 49 6d 61 67 65 2f 48 65 69 67 68 74 20 37 32 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 2f 54 79 70 65 2f 58 4f 62 6a 65 63 74 2f 57 69 64 74 68 20 32 35 35 2f 4c 65 6e 67 74 68 20 32 30 38 31 2f 42 69 |