Switzerland: Embedded WinWord OLE Ransomware active around Switzerland 26.10.2016

by butsch 26. October 2016 19:39

Files: Abrechnung_XXXX.DOCX

Format: Microsoft WinWord 2007

MALWARE: LNK/Agent.A5E3!tr.dldr

The following Word document with an embedded OLE object passes through most of the Fortigate/McAfee/Trend spam filters, firewalls, IPS, TIE and sandboxes. Most scanners do not detect it.

Microsoft describes this here:

https://blogs.technet.microsoft.com/mmpc/2016/06/14/wheres-the-macro-malware-author-are-now-using-ole-embedding-to-deliver-malicious-files/

26.10.2016, 14:00

This is how the Word document looks:

If you click

You MAY have to click again….. ;-)

McAfee ATD Sandbox did not detect anything, 15:38, 26.10.2016

Summary

Threat Level: Informational

File Name: Abrechnung_129.docx

MD5 Hash Identifier: B147662DDFDAE09D7BECD016CB3C6801

SHA-1 Hash Identifier: 451157E2807E4E0E511BAFF1BACB4B6659219A4F

SHA-256 Hash Identifier: 0EDE5F8D769B2E8F16793ACB90FD61BC88AB400AC0A5CB54B66E481EA63F96CD

File Size: 39750 bytes

File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document

File Submitted: 2016-10-26 14:42:33

Duration: 45 seconds

Sandbox Replication: 39 seconds

Some others in that direction:

Once the OLE object is run, the sandbox does register a hit.

On most commercial sandboxes you have to activate the OLE object manually…
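Because the embedded object slips past signature scanners and a sandbox only fires once someone activates the object by hand, a static triage step in front of the sandbox is worth having. The following Python script is an added example written for this post; it is not code from the original article or from any of the vendors named here. It treats the .docx as the ZIP container it is, lists the parts under word/embeddings/, checks word/document.xml for the Package ProgID that marks an "embed any file as an icon" object, and scans each embedding for LNK and PE payload signatures. The two documents it builds are constructed in memory purely for the demonstration and have nothing to do with the Abrechnung_129.docx sample; the signatures are triage heuristics to route a file to manual review, not a replacement for the vendor signature.

```python
import io
import re
import zipfile

# Signatures used for triage. The LNK header is HeaderSize (0x4C) followed by the
# ShellLink CLSID 00021401-0000-0000-C000-000000000046; CFB is the compound file
# format Word uses for word/embeddings/oleObjectN.bin.
LNK_MAGIC = bytes.fromhex("4C000000 01140200 00000000 C0000000 00000046")
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
DOS_STUB = b"This program cannot be run in DOS mode"  # stub text carried by PE files


def inspect_docx(docx_bytes):
    """Static triage of one .docx: list embedded OLE parts and the payload types found in them."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        doc_xml = ""
        if "word/document.xml" in names:
            doc_xml = z.read("word/document.xml").decode("utf-8", "replace")
        # A Packager object (ProgID="Package") is how Word embeds an arbitrary file as an icon.
        ole_tags = re.findall(r"<o:OLEObject\b[^>]*>", doc_xml)
        packager = any('ProgID="Package"' in tag for tag in ole_tags)
        embeddings = []
        for name in sorted(names):
            if not name.startswith("word/embeddings/"):
                continue
            blob = z.read(name)
            payload = []
            # The Ole10Native stream stores the dropped file verbatim, so its magic
            # bytes appear inside the .bin part even without parsing the CFB structure.
            if LNK_MAGIC in blob:
                payload.append("LNK shortcut")
            if DOS_STUB in blob:
                payload.append("PE executable")
            embeddings.append({
                "part": name,
                "size": len(blob),
                "cfb_container": blob.startswith(CFB_MAGIC),
                "payload": payload,
            })
    return {
        "ole_objects": len(ole_tags),
        "packager_object": packager,
        "embeddings": embeddings,
        # Anything that embeds a shortcut or executable, or uses Packager, goes to manual review.
        "suspicious": packager or any(e["payload"] for e in embeddings),
    }


# Minimal document.xml skeleton for the constructed samples (namespaces are Word's real ones).
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
    'xmlns:o="urn:schemas-microsoft-com:office:office" '
    'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
    '<w:body><w:p><w:r><w:object>{obj}</w:object></w:r></w:p></w:body></w:document>'
)


def build_sample_docx(with_embedded_lnk):
    """Constructed .docx for the demonstration (not the sample from the blog post).

    with_embedded_lnk=True adds a Packager object whose fake compound file carries
    an LNK header; False produces a plain document with no embeddings.
    """
    obj = ""
    if with_embedded_lnk:
        obj = ('<o:OLEObject Type="Embed" ProgID="Package" DrawAspect="Icon" '
               'ObjectID="_1" r:id="rId1"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder, not a full package
        z.writestr("word/document.xml", DOCUMENT_XML.format(obj=obj))
        if with_embedded_lnk:
            # Constructed blob: CFB header, one empty sector, then an LNK header as payload.
            blob = CFB_MAGIC + b"\x00" * 504 + LNK_MAGIC + b"\x00" * 100
            z.writestr("word/embeddings/oleObject1.bin", blob)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(inspect_docx(build_sample_docx(flag)))
```

In practice the script would be run over the file pulled from the mail gateway (`inspect_docx(open(path, "rb").read())`) before anyone opens it; a result with `suspicious` set is the cue to detonate the embedding in the sandbox instead of waiting for a user to double-click the icon.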

Sites it connects to:

URL                 Port  Reputation  Category Name  Risk Group  Functional Group
198.20.239.21       80    Clean       ---            ---         ---
37VIRGINIASLIM.TOP  80    Failed      ---            ---         ---
46.101.10.156       80    Failed      ---            ---         ---
WPAD                80    Failed      ---            ---         ---

It only launches CALC.EXE on the "sandbox systems", since these are kept in an old state and are therefore deliberately unpatched. Or it's a newly discovered 0-day for calc.exe on real machines.

File download with PowerShell:

Fortigate takes business seriously and reported back to us around 1.5 hours after the sample was submitted.

Around 18:XX on Wednesday:

Thank you for submitting your sample to Fortinet. The sample "___Abrechnung_129.docx" with MD5: b147662ddfdae09d7becd016cb3c6801 should already be detected as LNK/Agent.A5E3!tr.dldr.

This signature was released in AVDB v40.307 on October 26th, 2016 at 10AM PST.

If for any reason you believe that the file is still not being detected, please let us know.

We have escalated this sample to our Fortisandbox team and we will conduct further investigation as to the nature of Fortisandbox missing this sample.

Regards,
