Malware of the Week – Virus (Word DOC)

5c334953fe87a0c6c8115f4b5f1655e005e8b5d5e3bd9903c19a666e3c0c76ef (SHA-256)

Malicious with 98% Confidence 

SecondWrite’s DeepView Sandbox analyzed this file – a Microsoft Word DOC – this week and declared it to be malicious.  At the time of its discovery, leading malware detection vendors had not identified this file as malicious.  A link to the full report with descriptions and details is below.  

Some key highlights and indicators follow.  

Type of Malware:  Virus

  • An office file wrote an executable file to disk
  • Office has Embedded Executable (Most likely in an OLE Object)
  • The process wrote an executable file to disk which it then attempted to execute
  • Drops a binary and executes it
  • Executed a process and injected code into it, probably while unpacking

Evasiveness Indicators:

  • Attempts to repeatedly call a single API many times in order to delay analysis time
  • Tries to suspend sandbox threads to prevent logging of malicious activity
  • Checks adapter addresses which can be used to detect virtual network interfaces
  • Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available
  • Queries for the computername

Other Compelling Indicators:

  • A process created a hidden window
  • Allocates read-write-execute memory (usually to unpack itself)
  • Performs some DNS requests
  • Looks up the external IP address
  • Creates a suspicious process

MITRE ATT&CK Indicators:

MITRE TacticMITRE Technique
Command and ControlRemote File Copy
Defense EvasionHidden WindowProcess Injection 
DiscoverySystem Network Configuration DiscoveryVirtualization / Sandbox Evasion
Privilege EscalationProcess Injection

Selection from The Report:

See Full Detailed Report:

Malware Of The Week is sourced by DeepView Sandbox using SecondWrite’s patented techniques of Forced Code Execution, Program Level Indicators, and Automatic Sequence Detection.