app.twinwave.io (urlscan.io public scan; scanned IP 2600:9000:21c7:600:f:6228:3e80:93a1)
URL: https://app.twinwave.io/shared/d831574e-fe4a-4d33-a20f-2730b8264a1c/ec9613af0e2434ccda1c87805a2cfd0fa4cc9d992ce324826fcd...
Submission: On March 09 via manual from US, scanned from DE

Attack Analyzer

W-9 DT 03.07.2023 CAPITALPREMIUM.ZIP

Score:          100
Verdict:        Malware
Malware Family: Emotet
Submitted:      3/8/2023, 12:50:00 AM
SHA256:         da79a750dbe6537e41a1662c5ae5ab340e65f6fce2df450da7f75677d58861ee
MD5:            703891f37d4d63546684abcef4e07197
File Type:      Zip archive data, at least v?[0x314] to extract
                (libmagic prints v?[0x...] when it does not recognise the archive's
                "version needed to extract" field; the value is kept as reported)
File Size:      693 KB

Resources Analyzed
 * W-9 Dt 03.07.2023 Capitalpremium.zip
   * trimmed_1678236635_W-9 Dt 03.07.2023.doc

Summary (Consolidated score 100; every engine reported Completed)

Resource                                 | Engine                                                   | Score
W-9 Dt 03.07.2023 Capitalpremium.zip     | Archive Extraction                                       | 0
                                         | Static File Analysis                                     | 0
                                         | VirusTotal                                               | 0
                                         | ClamAV                                                   | 0
                                         | YARA                                                     | 0
trimmed_1678236635_W-9 Dt 03.07.2023.doc | Static File Analysis                                     | 0
                                         | VirusTotal                                               | 0
                                         | ClamAV                                                   | 0
                                         | YARA                                                     | 100
                                         | Static Doc Analysis                                      | 100
                                         | TwinWave Sandbox (win7), run as Microsoft Word Document  | 100
                                         | TwinWave Sandbox (win10)                                 | 0

The verdict rests on the carved .doc, not the archive: the zip itself scored 0 on every engine, including VirusTotal and ClamAV, and the document scored 0 on VirusTotal and ClamAV too. Only YARA, Static Doc Analysis and the win7 sandbox detonation fired. The win10 sandbox scored 0 and the page gives no reason, so treat that run as an inconclusive detonation rather than a clean one; a macro that did not fire on one OS profile is not evidence that the file is benign.

Initial Submission: W-9 Dt 03.07.2023 Capitalpremium.zip

Job Duration:       19 minutes
Resources Analyzed: 0 URLs, 2 files
Verdict:            Malware
Malware Family:     Emotet

Processing Exceptions (2)

Engine:    Archive Extraction
Resource:  W-9 Dt 03.07.2023 Capitalpremium.zip > trimmed_1678236635_W-9 Dt 03.07.2023.doc
Exception: File was carved/modified from input to aid downstream analysis

Engine:    Archive Extraction
Resource:  W-9 Dt 03.07.2023 Capitalpremium.zip > W-9 Dt 03.07.2023.doc
Exception: File exceeded internal size limit

Read together: the .doc inside the archive was larger than the analyzer's internal size limit, so a trimmed copy was carved from it and every downstream engine scored that copy rather than the original. The trimmed_1678236635_ prefix appears to be the carve time as a Unix timestamp (1678236635 is 2023-03-08 00:50:35 UTC, which matches the submission time). Padding an Office document to an unusual size is a known way to push a maldoc past size-capped scanners, so a size-limit exception on a document that then scores 100 is itself worth recording as an indicator.

Detections (47; 40 listed, the remaining entries were collapsed on the page)

Engine                  | Signature / Alert                                                             | Score | Tags
Static Doc Analysis     | Process Detonator and Enable Content OCR                                      | 100   |
Static Doc Analysis     | Process Detonator and Enable Editing OCR                                      | 100   |
Static Doc Analysis     | Protected Document Lure OCR And Macro with External Process Detonator         | 100   |
TwinWave Sandbox (win7) | Installs itself for autorun at Windows startup                                | 90    |
Static Doc Analysis     | Common Lure Artifact Office Cube Logo Object Detected And Secondary Indicator | 80    |
Static Doc Analysis     | Common Lure Artifact microsoft-square Object Detected And Secondary Indicator | 80    |
Static Doc Analysis     | Document has been or is encrypted/secured/protected and secondary indicator   | 80    |
Static Doc Analysis     | Emotet Lure Text Ripped And Used By A few Other Actors                        | 80    |
Static Doc Analysis     | Emotet Lure Text and Secondary Indicator                                      | 80    | Malware Family: Emotet
TwinWave Sandbox (win7) | Establishes encrypted HTTPS connection Emotet C2 Format                       | 80    | Malware Family: Emotet
Static Doc Analysis     | Macros and Char encoded HTTP found                                            | 80    |
TwinWave Sandbox (win7) | Martian Subprocess Started By Office Process                                  | 80    |
TwinWave Sandbox (win7) | Martian Subprocess Started By Office Process Alternative Detection Method     | 80    |
Static Doc Analysis     | Self Referenced Assignment of CreateObject From Argument Passed to Function   | 80    |
TwinWave Sandbox (win7) | Sigma Alerts                                                                  | 80    |
TwinWave Sandbox (win7) | Suspicious CLSID Loads                                                        | 80    |
Static Doc Analysis     | Enable This/Then Content Lure Text and Detonators                             | 70    |
Static Doc Analysis     | Macro Likely CallByName Obfuscation Attempt                                   | 70    |
TwinWave Sandbox (win7) | Created network traffic indicative of malicious activity                      | 64    |
TwinWave Sandbox (win7) | CAPE detected the Emotet malware family                                       | 60    |
Static Doc Analysis     | Screenshot Match - Potential document detected: Emotet Red Lure               | 50    | Malware Family: Emotet
YARA                    | YARA rule match: Office_Binary_PutWrite                                       | 15    |
YARA                    | YARA rule match: Office_Macro_AutoBehavior_Image                              | 15    |
YARA                    | YARA rule match: Office_MaxStonksNotStonks                                    | 15    |
YARA                    | YARA rule match: Office_stdole_CallByName_ActiveDocument                      | 15    |
YARA                    | YARA rule match: PEPE_Silvia_v2_Extreme_Edition                               | 15    |
YARA                    | YARA rule match: Ultimate_PEPE_Silvia                                         | 15    |
YARA                    | YARA rule match: ursnif_maldoc_dropper_128byte                                | 15    |
Static Doc Analysis     | Enable Content OCR                                                            | 10    |
Static Doc Analysis     | Enable Editing OCR                                                            | 10    |
TwinWave Sandbox (win7) | Enumerates running processes                                                  | 10    |
TwinWave Sandbox (win7) | Establishes an encrypted HTTPS connection                                     | 10    |
TwinWave Sandbox (win7) | Expresses interest in specific running processes                              | 10    |
TwinWave Sandbox (win7) | Office loads VB DLLs, indicative of Office Macros                             | 10    |
TwinWave Sandbox (win7) | The office file contains a macro                                              | 10    |
TwinWave Sandbox (win7) | The office file contains a macro with auto execution                          | 10    |
TwinWave Sandbox (win7) | The office file contains a macro with suspicious strings                      | 10    |
TwinWave Sandbox (win7) | Performs some HTTP requests                                                   | 5     |
TwinWave Sandbox (win7) | Yara rule detections observed from a process memory dump/dropped files/CAPE   | 5     |
TwinWave Sandbox (win7) | Dynamic (imported) function loading detected                                  | 0     |

Reading the table: the three score-100 alerts are static and come from OCR of the rendered document (a lure image telling the reader to click Enable Editing and then Enable Content) combined with a macro that launches an external process, which is the classic maldoc shape. The sandbox corroborates it: a non-Office child process spawned by Word, a Run-key persistence write, an HTTPS beacon in Emotet's C2 format, and a CAPE family match. The Emotet attribution therefore rests on the lure text, the C2 format and CAPE; the ursnif_maldoc_dropper_128byte YARA hit is a different family's rule at score 15 and should not be read as a second attribution. Every behavioural alert comes from the win7 run; the win10 run produced none.
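Three of the static alerts above (Macros and Char encoded HTTP found, Macro Likely CallByName Obfuscation Attempt, and Self Referenced Assignment of CreateObject From Argument Passed to Function) name source-level patterns that can be checked directly against extracted VBA. The script below is an added example of such checks and is not TwinWave's Static Doc Analysis engine. The macro text it scans is a constructed sample built only to exercise the checks (an inert ProgID and a .invalid domain), not the macro from the analyzed document, and the regular expressions are assumptions about what each alert looks for.

```python
"""Source-level checks matching three 'Static Doc Analysis' alerts above.

Added example, not TwinWave's engine. SAMPLE_VBA is a constructed macro
written only to exercise the checks (inert ProgID, .invalid domain); the
regular expressions are assumptions about what each alert looks for."""
import re
from typing import Dict, List, Optional

# Constructed sample; not the macro from the analyzed document.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim u As String
    u = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & "example.invalid" & Chr(47) & "x"
    Call Runner("Scripting.FileSystemObject", u)
End Sub

Function Runner(ByVal nm, arg)
    Set nm = CreateObject(nm)
    CallByName nm, "FileExists", VbMethod, arg
End Function
'''

CHR_CALL = re.compile(r'Chr[WB]?\s*\(\s*(\d+)\s*\)', re.IGNORECASE)
STR_LIT = re.compile(r'"([^"]*)"')
PROC_HDR = re.compile(r'\s*(?:Public\s+|Private\s+)?(?:Function|Sub)\s+\w+\s*\(([^)]*)\)',
                      re.IGNORECASE)
SELF_SET = re.compile(r'\s*Set\s+(\w+)\s*=\s*CreateObject\s*\(\s*(\w+)\s*\)', re.IGNORECASE)


def decode_concat(expr: str) -> Optional[str]:
    """Turn  Chr(104) & "x" & Chr(116)  into plain text. Returns None unless
    every '&'-separated piece is a Chr() call or a string literal, so code
    that merely contains a Chr() is never mis-decoded. (Simplification:
    a literal containing '&' would split wrongly.)"""
    out = []
    for piece in (p.strip() for p in expr.split('&')):
        m = CHR_CALL.fullmatch(piece)
        if m:
            out.append(chr(int(m.group(1))))
            continue
        m = STR_LIT.fullmatch(piece)
        if m:
            out.append(m.group(1))
            continue
        return None
    return ''.join(out)


def find_char_encoded_http(vba: str) -> List[str]:
    """'Macros and Char encoded HTTP found': decode Chr()-built assignments
    and keep those that spell out an http(s) scheme."""
    hits = []
    for line in vba.splitlines():
        if '=' not in line or not CHR_CALL.search(line):
            continue
        decoded = decode_concat(line.split('=', 1)[1])
        if decoded and re.search(r'https?://', decoded, re.IGNORECASE):
            hits.append(decoded)
    return hits


def find_callbyname(vba: str) -> List[str]:
    """'Macro Likely CallByName Obfuscation Attempt': late-bound calls by
    string name hide the real method from a static reader."""
    return [ln.strip() for ln in vba.splitlines()
            if re.search(r'\bCallByName\b', ln, re.IGNORECASE)]


def find_self_referenced_createobject(vba: str) -> List[str]:
    """'Self Referenced Assignment of CreateObject From Argument Passed to
    Function': a parameter is overwritten with CreateObject(<same parameter>),
    so the ProgID arrives from the caller instead of appearing as a literal."""
    hits, params = [], set()
    for ln in vba.splitlines():
        m = PROC_HDR.match(ln)
        if m:
            params = {re.sub(r'^(ByVal|ByRef|Optional)\s+', '', p.strip(),
                             flags=re.IGNORECASE).split()[0]
                      for p in m.group(1).split(',') if p.strip()}
            continue
        m = SELF_SET.match(ln)
        if m and m.group(1) == m.group(2) and m.group(1) in params:
            hits.append(ln.strip())
    return hits


def analyze(vba: str) -> Dict[str, List[str]]:
    return {"char_encoded_http": find_char_encoded_http(vba),
            "callbyname": find_callbyname(vba),
            "self_ref_createobject": find_self_referenced_createobject(vba)}


if __name__ == "__main__":
    for alert, hits in analyze(SAMPLE_VBA).items():
        print(f"{alert}: {hits}")
```

In practice the macro text comes from a VBA extractor such as oletools' olevba; decode_concat deliberately refuses anything that is not a pure concatenation of Chr() calls and literals, so a false decode cannot produce a phantom URL.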

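The two highest-scoring sandbox alerts, Martian Subprocess Started By Office Process and Installs itself for autorun at Windows startup, are the same parent/child and Run-key patterns that Sigma rules express over endpoint telemetry. The script below is an added example that runs those two checks over process-creation and registry events; it is not TwinWave's sandbox or its Normalized Forensics schema. The events are constructed Sysmon-style records, and the field names, the Office image list, the allowlisted children and the scores are all assumptions.

```python
"""Behavioural checks mirroring two sandbox alerts in the report above:
'Martian Subprocess Started By Office Process' and 'Installs itself for
autorun at Windows startup'. Added example, not TwinWave's sandbox code.
The events are constructed Sysmon-style records; field names, image lists
and scores are assumptions."""
from typing import Dict, List, Set

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                 "msaccess.exe", "mspub.exe"}
# Children Office spawns in ordinary use (print helper, crash reporter).
# Assumption: keep this short and review it; over-allowlisting hides hits.
BENIGN_CHILDREN = {"splwow64.exe", "dw20.exe", "dwwin.exe"}
# Interpreters and proxy-execution binaries: a child here scores highest.
LOLBINS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe"}
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

# Constructed events (not the report's forensics): Word opens a document,
# spawns the benign print helper, then regsvr32 with a dropped DLL, and that
# child writes a Run key pointing back at the same DLL.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process_create", "pid": 1204, "ppid": 900,
     "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\user\Desktop\sample.doc"'},
    {"type": "process_create", "pid": 1300, "ppid": 1204,
     "image": r"C:\Windows\splwow64.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
    {"type": "process_create", "pid": 1388, "ppid": 1204,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r"regsvr32.exe /s C:\Users\user\AppData\Local\Temp\sample.dll"},
    {"type": "registry_set", "pid": 1388,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sample",
     "data": r"regsvr32.exe /s C:\Users\user\AppData\Local\Temp\sample.dll"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_descendants(events: List[Dict]) -> Set[int]:
    """PIDs with an Office process anywhere in their ancestry (transitive)."""
    parent_of = {e["pid"]: e["ppid"] for e in events if e["type"] == "process_create"}
    image_of = {e["pid"]: basename(e["image"]) for e in events if e["type"] == "process_create"}
    out = set()
    for pid in image_of:
        seen, p = set(), parent_of.get(pid)
        while p is not None and p not in seen:  # 'seen' guards against pid-reuse loops
            seen.add(p)
            if image_of.get(p) in OFFICE_IMAGES:
                out.add(pid)
                break
            p = parent_of.get(p)
    return out


def martian_subprocesses(events: List[Dict]) -> List[Dict]:
    """Office parent -> child that is neither Office nor allowlisted."""
    hits = []
    for e in events:
        if e["type"] != "process_create":
            continue
        parent, child = basename(e["parent_image"]), basename(e["image"])
        if parent in OFFICE_IMAGES and child not in OFFICE_IMAGES | BENIGN_CHILDREN:
            hits.append({"child": child, "cmdline": e["cmdline"],
                         "score": 80 if child in LOLBINS else 50})
    return hits


def autorun_installs(events: List[Dict]) -> List[Dict]:
    """Run/RunOnce writes, flagged higher when the writer descends from Office."""
    chain = office_descendants(events)
    hits = []
    for e in events:
        if e["type"] == "registry_set" and any(k in e["key"].lower() for k in RUN_KEYS):
            hits.append({"key": e["key"], "data": e["data"],
                         "from_office_chain": e["pid"] in chain,
                         "score": 90 if e["pid"] in chain else 40})
    return hits


def analyze(events: List[Dict]) -> Dict:
    m, a = martian_subprocesses(events), autorun_installs(events)
    return {"martian": m, "autorun": a,
            "score": max([h["score"] for h in m + a], default=0)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2))
```

The ancestry walk matters more than it looks: persistence is usually written by a grandchild (Word spawns a loader, the loader writes the Run key), so a rule keyed only on the immediate parent misses it, which is presumably why the report carries an "Alternative Detection Method" variant of the same alert.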
Screenshots (5)

Static Doc Analysis (1): trimmed_1678236635_W-9 Dt 03.07.2023.doc
  Labels: microsoft-square, office-cube
  Hashes: 818181ffffffffff | 070f030000000000 | af2f7e7ad0d09081

TwinWave Sandbox (win7) (4): trimmed_1678236635_W.doc (four captures of the detonated document)

Extracted Images (1)

Static Doc Analysis (1): trimmed_1678236635_W-9 Dt 03.07.2023.doc
  Labels: microsoft-square, office-cube
  Hashes: 00ffffffc7ffffff | 238ccc960f618080 | a0751d3d2d6d3722

The two labels are the objects behind the "Common Lure Artifact Office Cube Logo" and "Common Lure Artifact microsoft-square" alerts above. Each image carries three 64-bit hash values (16 hex digits each); comparing such hashes of a rendering against known lure templates is presumably what produced the "Screenshot Match - Potential document detected: Emotet Red Lure" alert.
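Template matching of a rendered document against a known lure, the mechanism behind an alert like Screenshot Match, is typically done with a perceptual hash and a Hamming-distance threshold. The code below is an added example of that technique, not TwinWave's matcher; it assumes the page's 64-bit hash values are of this family, uses an average hash (one of several such hashes), and runs on constructed grayscale grids rather than real screenshots.

```python
"""Perceptual hashing for lure-template matching, the kind of mechanism
behind 'Screenshot Match - Potential document detected: Emotet Red Lure'.
Added example, not TwinWave code. Assumptions: the page's 64-bit 'Hashes'
values are of this family; images here are constructed grayscale grids."""
from typing import List

Gray = List[List[float]]


def make_image(size: int, dark_rows: int = 0, dark_cols: int = 0,
               dark: int = 40, light: int = 230) -> Gray:
    """Constructed grayscale grid: a dark band of `dark_rows` rows across the
    top and/or `dark_cols` columns down the left, light everywhere else."""
    return [[dark if (y < dark_rows or x < dark_cols) else light
             for x in range(size)] for y in range(size)]


def downscale(img: Gray, size: int = 8) -> Gray:
    """Block-average to size x size. Assumes the dimensions divide evenly;
    real tools resample with a proper filter."""
    bh, bw = len(img) // size, len(img[0]) // size
    return [[sum(img[y][x] for y in range(by * bh, (by + 1) * bh)
                           for x in range(bx * bw, (bx + 1) * bw)) / (bh * bw)
             for bx in range(size)] for by in range(size)]


def average_hash(img: Gray) -> int:
    """aHash: 64 bits, one per cell of the 8x8 reduction, set when the cell is
    at or above the mean. Row-major, first cell in the most significant bit."""
    cells = [v for row in downscale(img) for v in row]
    mean = sum(cells) / len(cells)
    h = 0
    for v in cells:
        h = (h << 1) | (1 if v >= mean else 0)
    return h


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def is_lure_match(candidate: Gray, reference_hash: int, threshold: int = 10) -> bool:
    """Match when few bits differ. The threshold is an assumption to tune on
    real screenshots: too high and unrelated documents collide."""
    return hamming(average_hash(candidate), reference_hash) <= threshold


# Constructed inputs: a reference 'banner' template, a near copy with one
# small blemish, and an unrelated layout.
REFERENCE = make_image(16, dark_rows=4)
NEAR_COPY = make_image(16, dark_rows=4)
for _y in (10, 11):
    for _x in (0, 1):
        NEAR_COPY[_y][_x] = 40          # darken exactly one 2x2 block
UNRELATED = make_image(16, dark_cols=8)
REFERENCE_HASH = average_hash(REFERENCE)

if __name__ == "__main__":
    print(f"reference: {REFERENCE_HASH:016x}")
    for name, img in (("near copy", NEAR_COPY), ("unrelated", UNRELATED)):
        h = average_hash(img)
        print(f"{name}: hash={h:016x} distance={hamming(h, REFERENCE_HASH)} "
              f"match={is_lure_match(img, REFERENCE_HASH)}")
```

A single blemish moves one bit, so the near copy still matches; a different layout flips half the bits. That tolerance is also why the alert sits at 50 rather than 100: a hash match says "looks like a known lure template", which needs the lure-text and macro evidence above to become a verdict.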