5c334953fe87a0c6c8115f4b5f1655e005e8b5d5e3bd9903c19a666e3c0c76ef (SHA-256)
Malicious with 98% Confidence
SecondWrite’s DeepView Sandbox analyzed this file – a Microsoft Word DOC – this week and declared it to be malicious. At the time of its discovery, leading malware detection vendors had not identified this file as malicious. A link to the full report with descriptions and details is below.
Some key highlights and indicators follow.
Type of Malware: Virus
- An office file wrote an executable file to disk
- Office has Embedded Executable (Most likely in an OLE Object)
- The process wrote an executable file to disk which it then attempted to execute
- Drops a binary and executes it
- Executed a process and injected code into it, probably while unpacking
Evasiveness Indicators:
- Attempts to repeatedly call a single API many times in order to delay analysis time
- Tries to suspend sandbox threads to prevent logging of malicious activity
- Checks adapter addresses which can be used to detect virtual network interfaces
- Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available
- Queries for the computername
Other Compelling Indicators:
- A process created a hidden window
- Allocates read-write-execute memory (usually to unpack itself)
- Performs some DNS requests
- Looks up the external IP address
- Creates a suspicious process
MITRE ATT&CK Indicators:
| MITRE Tactic | MITRE Technique |
| Command and Control | Remote File Copy |
| Defense Evasion | Hidden WindowProcess Injection |
| Discovery | System Network Configuration DiscoveryVirtualization / Sandbox Evasion |
| Privilege Escalation | Process Injection |
Selection from The Report:
See Full Detailed Report:
Malware Of The Week is sourced by DeepView Sandbox using SecondWrite’s patented techniques of Forced Code Execution, Program Level Indicators, and Automatic Sequence Detection.