Edit tour

Windows Analysis Report
Ziraat Bankas#U0131 Swift Mesaji2.docx.doc

Overview

General Information

Sample name:	Ziraat Bankas#U0131 Swift Mesaji2.docx.doc renamed because original name is a hash value
Original sample name:	Ziraat Bankas Swift Mesaji2.docx.doc
Analysis ID:	1432092
MD5:	6b558989d2d86cdefeec7f4870728234
SHA1:	f272ce3666af298c1bfcdc35b417a38a3e7c7a09
SHA256:	a0c344097b361f848249cda8b87539627f640f84e2d06b305757d7e60183e636
Tags:	doc
Errors Unable to connect to analysis machine: w7x64, esxi07-W7x64_Office, timeout exceeded, no analysis of the sample was performed No process behavior to analyse as no analysis process or sample was found

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains an external reference to another file

Classification

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Ziraat Bankas#U0131 Swift Mesaji2.docx.doc	Virustotal: Detection: 9%			Perma Link
Source: Ziraat Bankas#U0131 Swift Mesaji2.docx.doc	ReversingLabs: Detection: 13%

Source: classification engine

Classification label: mal52.evad.winDOC@0/0@0/0

Source: Ziraat Bankas#U0131 Swift Mesaji2.docx.doc	OLE indicator, Word Document stream: true
Source: Ziraat Bankas#U0131 Swift Mesaji2.docx.doc	OLE indicator, Word Document stream: true

Source: Ziraat Bankas#U0131 Swift Mesaji2.docx.doc	OLE document summary: title field not present or empty
Source: Ziraat Bankas#U0131 Swift Mesaji2.docx.doc	OLE document summary: title field not present or empty

Source: Ziraat Bankas#U0131 Swift Mesaji2.docx.doc	Virustotal: Detection: 9%
Source: Ziraat Bankas#U0131 Swift Mesaji2.docx.doc	ReversingLabs: Detection: 13%

Source: Ziraat Bankas#U0131 Swift Mesaji2.docx.doc	Initial sample: OLE zip file path = word/embeddings/oleObject2.bin
Source: Ziraat Bankas#U0131 Swift Mesaji2.docx.doc	Initial sample: OLE zip file path = word/media/image2.emf
Source: Ziraat Bankas#U0131 Swift Mesaji2.docx.doc	Initial sample: OLE zip file path = word/_rels/settings.xml.rels

Source: Ziraat Bankas#U0131 Swift Mesaji2.docx.doc

Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Contains an external reference to another file

Source: settings.xml.rels

Extracted files from sample: http://wheel.to/sewtek

Source: Ziraat Bankas#U0131 Swift Mesaji2.docx.doc	Stream path 'CONTENTS' entropy: 7.91669502048 (max. 8.0)
Source: Ziraat Bankas#U0131 Swift Mesaji2.docx.doc	Stream path 'CONTENTS' entropy: 7.91598386737 (max. 8.0)

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Obfuscated Files or Information	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Ziraat Bankas#U0131 Swift Mesaji2.docx.doc	10%	Virustotal		Browse
Ziraat Bankas#U0131 Swift Mesaji2.docx.doc	13%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432092
Start date and time:	2024-04-26 12:46:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	0
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	Ziraat Bankas#U0131 Swift Mesaji2.docx.doc renamed because original name is a hash value
Original Sample Name:	Ziraat Bankas Swift Mesaji2.docx.doc
Detection:	MAL
Classification:	mal52.evad.winDOC@0/0@0/0

Errors

Unable to connect to analysis machine: w7x64, esxi07-W7x64_Office, timeout exceeded, no analysis of the sample was performed
No process behavior to analyse as no analysis process or sample was found

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	Microsoft Word 2007+
Entropy (8bit):	7.96903354700559
TrID:	Word Microsoft Office Open XML Format document (49504/1) 49.01% Word Microsoft Office Open XML Format document (43504/1) 43.07% ZIP compressed archive (8000/1) 7.92%
File name:	Ziraat Bankas#U0131 Swift Mesaji2.docx.doc
File size:	154'752 bytes
MD5:	6b558989d2d86cdefeec7f4870728234
SHA1:	f272ce3666af298c1bfcdc35b417a38a3e7c7a09
SHA256:	a0c344097b361f848249cda8b87539627f640f84e2d06b305757d7e60183e636
SHA512:	79df3fa96b463f2aaecbf3f16144e04b753e3ca0761a10ca9c3131ff5284bd0d92670aac25cff5cbeb467d23d74f640039b1c8d03c61560e846db2aa14742609
SSDEEP:	3072:Ive912Gz3qlOvRxQgrfykPwOfi7md1TFOfyS9SPg1TndPJtsu:Q/46IXVXfrFO6S951ndPJiu
TLSH:	7DE3017333C4B909FDB388E69A645944A27E7E54E9911C152F28E30F27BD3EDE260871
File Content Preview:	PK.........d.X.4..m...........[Content_Types].xmlUT...V.+fV.+fV.+f.T.n.0..W.?D....CUU..]......{.n..6..wL(.* m.K...[f<q...[..........p+....m....,Df.S.@I...pp}.......&.d....4..h.... R[.Y.W?....6.z...RnM....4....5...=..s....d.M]..sNI.".ta....... ,.k..V..z.

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	2

OLE File "Ziraat Bankas#U0131 Swift Mesaji2.docx.doc"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Summary

Title:
Subject:
Author:	91974
Keywords:
Template:	Normal.dotm
Last Saved By:	91974
Revion Number:	14
Total Edit Time:	4
Create Time:	2023-11-10T01:33:00Z
Last Saved Time:	2024-04-22T13:07:00Z
Number of Pages:	1
Number of Words:	10
Number of Characters:	58
Creating Application:	Microsoft Office Word
Security:	0

Document Summary

Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	false
Company:	Grizli777
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	12.0000

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 94

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	94
Entropy:	4.345966460061678
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x1Ole, File Type: data, Stream Size: 20

General
Stream Path:	\x1Ole
CLSID:
File Type:	data
Stream Size:	20
Entropy:	0.8475846798245739
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . .
Data Raw:	01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	\x3ObjInfo
CLSID:
File Type:	data
Stream Size:	6
Entropy:	1.2516291673878228
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 00 03 00 01 00

Stream Path: CONTENTS, File Type: PDF document, version 1.5, 1 pages (zip deflate encoded), Stream Size: 31606

General
Stream Path:	CONTENTS
CLSID:
File Type:	PDF document, version 1.5, 1 pages (zip deflate encoded)
Stream Size:	31606
Entropy:	7.916695020479147
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 5 . % . 3 0 o b j . < < / C o l o r S p a c e / D e v i c e G r a y / S u b t y p e / I m a g e / H e i g h t 7 2 / F i l t e r / F l a t e D e c o d e / T y p e / X O b j e c t / W i d t h 2 5 5 / L e n g t h 2 0 8 1 / B i t s P e r C o m p o n e n t 8 > > s t r e a m . x { P . U . & B & o 1 b F P s . R 2 . . . . * Y 6 3 . . # N L 8 T X R \| ( ( " * " < 6 ] . . { n n \| . . s ` . . , b . E . . . q . ( ` o ^ E Y . 7 N Y ] . H X ^ 3 n . . " K . . . . . . * o " . E ( > . . . . . . .
Data Raw:	25 50 44 46 2d 31 2e 35 0a 25 e2 e3 cf d3 0a 33 20 30 20 6f 62 6a 0a 3c 3c 2f 43 6f 6c 6f 72 53 70 61 63 65 2f 44 65 76 69 63 65 47 72 61 79 2f 53 75 62 74 79 70 65 2f 49 6d 61 67 65 2f 48 65 69 67 68 74 20 37 32 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 2f 54 79 70 65 2f 58 4f 62 6a 65 63 74 2f 57 69 64 74 68 20 32 35 35 2f 4c 65 6e 67 74 68 20 32 30 38 31 2f 42 69

OLE File "Ziraat Bankas#U0131 Swift Mesaji2.docx.doc"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	False

Summary

Title:
Subject:
Author:	91974
Keywords:
Template:	Normal.dotm
Last Saved By:	91974
Revion Number:	14
Total Edit Time:	4
Create Time:	2023-11-10T01:33:00Z
Last Saved Time:	2024-04-22T13:07:00Z
Number of Pages:	1
Number of Words:	10
Number of Characters:	58
Creating Application:	Microsoft Office Word
Security:	0

Document Summary

Number of Lines:	1
Number of Paragraphs:	1
Thumbnail Scaling Desired:	false
Company:	Grizli777
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	12.0000

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 94

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	94
Entropy:	4.345966460061678
Base64 Encoded:	False
Data ASCII:	. . . . . . e . . D E S T . . . . . . A c r o b a t D o c u m e n t . . . . . . . . . A c r o E x c h . D o c u m e n t . D C . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 65 ca 01 b8 fc a1 d0 11 85 ad 44 45 53 54 00 00 11 00 00 00 41 63 72 6f 62 61 74 20 44 6f 63 75 6d 65 6e 74 00 00 00 00 00 15 00 00 00 41 63 72 6f 45 78 63 68 2e 44 6f 63 75 6d 65 6e 74 2e 44 43 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x1Ole, File Type: data, Stream Size: 20

General
Stream Path:	\x1Ole
CLSID:
File Type:	data
Stream Size:	20
Entropy:	0.8475846798245739
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . .
Data Raw:	01 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x3ObjInfo, File Type: data, Stream Size: 6

General
Stream Path:	\x3ObjInfo
CLSID:
File Type:	data
Stream Size:	6
Entropy:	1.2516291673878228
Base64 Encoded:	False
Data ASCII:	. . . . . .
Data Raw:	00 00 03 00 01 00

Stream Path: CONTENTS, File Type: PDF document, version 1.5, 1 pages (zip deflate encoded), Stream Size: 30959

General
Stream Path:	CONTENTS
CLSID:
File Type:	PDF document, version 1.5, 1 pages (zip deflate encoded)
Stream Size:	30959
Entropy:	7.915983867366053
Base64 Encoded:	True
Data ASCII:	% P D F - 1 . 5 . % . 3 0 o b j . < < / C o l o r S p a c e / D e v i c e G r a y / S u b t y p e / I m a g e / H e i g h t 7 2 / F i l t e r / F l a t e D e c o d e / T y p e / X O b j e c t / W i d t h 2 5 5 / L e n g t h 2 0 8 1 / B i t s P e r C o m p o n e n t 8 > > s t r e a m . x { P . U . & B & o 1 b F P s . R 2 . . . . * Y 6 3 . . # N L 8 T X R \| ( ( " * " < 6 ] . . { n n \| . . s ` . . , b . E . . . q . ( ` o ^ E Y . 7 N Y ] . H X ^ 3 n . . " K . . . . . . * o " . E ( > . . . . . . .
Data Raw:	25 50 44 46 2d 31 2e 35 0a 25 e2 e3 cf d3 0a 33 20 30 20 6f 62 6a 0a 3c 3c 2f 43 6f 6c 6f 72 53 70 61 63 65 2f 44 65 76 69 63 65 47 72 61 79 2f 53 75 62 74 79 70 65 2f 49 6d 61 67 65 2f 48 65 69 67 68 74 20 37 32 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 2f 54 79 70 65 2f 58 4f 62 6a 65 63 74 2f 57 69 64 74 68 20 32 35 35 2f 4c 65 6e 67 74 68 20 32 30 38 31 2f 42 69

Network Behavior

⊘No network behavior found

Statistics

⊘No statistics

System Behavior

⊘No system behavior

Disassembly

⊘No disassembly

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ziraat Bankas#U0131 Swift Mesaji2.docx.doc

Overview

General Information

Detection

Signatures

Classification

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Errors

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static OLE Info

General

OLE File "Ziraat Bankas#U0131 Swift Mesaji2.docx.doc"

Indicators

Summary

Document Summary

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 94

General

Stream Path: \x1Ole, File Type: data, Stream Size: 20

General

Stream Path: \x3ObjInfo, File Type: data, Stream Size: 6

General

Stream Path: CONTENTS, File Type: PDF document, version 1.5, 1 pages (zip deflate encoded), Stream Size: 31606

General

OLE File "Ziraat Bankas#U0131 Swift Mesaji2.docx.doc"

Indicators

Summary

Document Summary

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 94

General

Stream Path: \x1Ole, File Type: data, Stream Size: 20

General

Stream Path: \x3ObjInfo, File Type: data, Stream Size: 6

General

Stream Path: CONTENTS, File Type: PDF document, version 1.5, 1 pages (zip deflate encoded), Stream Size: 30959

General

Network Behavior

Statistics

System Behavior

Disassembly

Windows Analysis Report
Ziraat Bankas#U0131 Swift Mesaji2.docx.doc