Loading ...

Play interactive tourEdit tour

Analysis Report Coronavirus_Informations.doc

Overview

General Information

Sample Name:Coronavirus_Informations.doc
MD5:76f3c60b0b43fae102429089bac9534c
SHA1:be29d54e1afaea92533f298d8dd7eefebe0f5142
SHA256:ef3c121f331152da56729bd8d2cf2ebb4179d23a90c211c85b2600d729e4b81a

Most interesting Screenshot:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Machine Learning detection for dropped file
Machine Learning detection for sample
Office process drops PE file
Sigma detected: MS Office Product Spawning Exe in User Dir
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification