Loading... Additional Content is being loaded
Analysis Report PL_503_13_570.docx
Overview
General Information
| Sample Name: | PL_503_13_570.docx |
| Analysis ID: | 404284 |
| MD5: | 158e499db47d9c6a56449c86f3b1596f |
| SHA1: | 6d0e9274649112ec7e9a757168b7de6eb2c48ff2 |
| SHA256: | 5e7fe9a4eb6dc098b6ed28b083d277455d66a515e7c78b270ad0515a90279f45 |
| Infos: | |
|
Most interesting Screenshot:  |
|
Detection
Vidar
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected Vidar stealer
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Downloads files with wrong headers with respect to MIME Content-Type
Drops PE files to the user root directory
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Posts data to a JPG file (protocol mismatch)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains no OLE stream with summary information
Document has an unknown application name
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the user directory
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Stores files to the Windows start menu directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Classification
AV Detection: |
  |
|---|
| Found malware configuration |
| Source: |
Malware Configuration Extractor: |
||
| Multi AV Scanner detection for dropped file |
| Source: |
ReversingLabs: |
||
| Source: |
ReversingLabs: |
||
| Source: |
ReversingLabs: |
||
| Source: |
ReversingLabs: |
||
| Multi AV Scanner detection for submitted file |
| Source: |
Virustotal: |
Perma Link | ||
| Source: |
ReversingLabs: |
|||
| Antivirus or Machine Learning detection for unpacked file |
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
Cryptography: |
|
|---|
| Uses Microsoft's Enhanced Cryptographic Provider |
| Source: |
Code function: |
11_2_0041CB10 | |
| Source: |
Code function: |
11_2_0041C900 | |
| Source: |
Code function: |
11_2_0041CBA0 | |
| Source: |
Code function: |
11_2_0041CD30 | |
| Source: |
Code function: |
11_2_0041EED0 | |
| Source: |
Code function: |
13_2_0041CB10 | |
| Source: |
Code function: |
13_2_0041C900 | |
| Source: |
Code function: |
13_2_0041CBA0 | |
| Source: |
Code function: |
13_2_0041CD30 | |
| Source: |
Code function: |
13_2_0041EED0 | |
Exploits: |
|
|---|
| Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) |
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Office Equation Editor has been started |
| Source: |
Process created: |
||
| Source: |
Process created: |
||
| Source: |
Process created: |
||
| Source: |
Process created: |
||
| Source: |
Process created: |
||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Code function: |
11_2_0041D360 | |
| Source: |
Code function: |
11_2_004043DF | |
| Source: |
Code function: |
11_2_00420540 | |
| Source: |
Code function: |
11_2_0041E640 | |
| Source: |
Code function: |
11_2_0041F6B0 | |
| Source: |
Code function: |
13_2_0041E640 | |
| Source: |
Code function: |
13_2_0041D360 | |
| Source: |
Code function: |
13_2_004043DF | |
| Source: |
Code function: |
13_2_00420540 | |
| Source: |
Code function: |
13_2_0041F6B0 | |
Software Vulnerabilities: |
|
|---|
| Found inlined nop instructions (likely shell or obfuscated code) |
| Source: |
Code function: |
4_2_0035DE1A | |
| Source: |
Code function: |
4_2_0035E01D | |
| Source: |
Code function: |
8_2_003BDDDA | |
| Source: |
Code function: |
8_2_003BDFDD | |
| Source: |
Code function: |
11_2_00423050 | |
| Source: |
Code function: |
13_2_00423050 | |
| Potential document exploit detected (performs HTTP gets) |
| Source: |
TCP traffic: |
||
| Potential document exploit detected (unknown TCP traffic) |
| Source: |
TCP traffic: |
||
Networking: |
|
|---|
| Downloads files with wrong headers with respect to MIME Content-Type |
| Source: |
Image file has PE prefix: | ||