EXPL_SUSP_MalDoc_TemplateInjection_Dec21_1

Rule Info

Score: 65
Name: EXPL_SUSP_MalDoc_TemplateInjection_Dec21_1
Description: Detects Office documents that look as if they were exploiting the Template Injection vulnerability and use an IP address to download the second stage
Av Ratio: 12.85
Author: Florian Roth
Tags: ['EXPLOIT', 'T1203', 'T1221', 'T1193', 'SUSP']
Rule Hash: 2957870981e34d0a0b19c81a2272c8d6
Minimum Yara: 2.2.0
Date: 2021-12-20
Required Modules: []

Antivirus Verdicts

Rating                     Number of Samples
Malicious (>= 10 engines)  33
Suspicious (< 10 engines)  11
Clean (0 engines)          39

Rule Matches

Positives  Hash                                                              Total  Timestamp
        0  7058546b599aab40f7fcf0001da55a47787d063c24f5c2312ab4e207020bd6f0     55  2022-01-22 13:02:38
        0  a0a0b5becfd336e8beac10f526a52f52efd7a7b1db94b953174197cc359a47c7     57  2022-01-22 08:55:01
        0  e7beab201efbff685a64f6b1f2da27ba0dab916bd9f7fbc6545e60aa40e4b179     56  2022-01-21 21:40:24
        0  71f95b81edefdcb9991540a6eafc076a28cc1e122d417cf9ea40e9f15a94e921     54  2022-01-21 21:36:18
        0  9ffb54ac25ba75f4642cb425f63a020f089ba57140553f68ede98a237818f99d     56  2022-01-21 18:57:56
       13  9d5dc9dc5a407ee6a36997005d42e32c81f909b7845115e6318f58f00da57aae     56  2022-01-21 08:31:30
       13  eb58ced0aacf4beaa991ea380d6d14d5d3335be57cda221e70b520faf4675b00     56  2022-01-21 07:48:54
        2  47a70bbda8994d4e74b8e8bbeb7b1a9244e53e7a1c13d592f0c5c045614cb7d5     56  2022-01-21 00:35:38
       14  f7e63a73ec94f89de646d41fab113b2e77a79f43550000f6fc64872828c1ce9d     53  2022-01-20 21:06:10
       24  b62dc5724797726e04983dc35a6bc9fee61f1696e413dc7652b8262ee8c1396e     58  2022-01-19 11:29:19
       23  6d3d78d3823252f6b578428e4002a6a0a5564763ef81a727c1dbb19d0c29d660     58  2022-01-19 11:28:15
       23  6d053ecb7613495bb72a2a1c4e96688a10a16a8b44c13663ddf85184afbf19c5     58  2022-01-19 11:25:01
       24  74fbe1554eaf3ec9ec99c009509e6a0072f46b54804f4599dc7280b85c3413d4     58  2022-01-19 11:23:54
       17  dfe17cebe48d2de031101ee36fd42bde12c2967b9b8db15b5d91070ef98e56b0     56  2022-01-19 11:19:36
       25  4d1a13256045b91e014e530cda97d334b531793c8d8492f307005a48e1729662     58  2022-01-19 11:17:20
       24  4de6de4f2494f427eac0a25d22878eaef69be0a5e5686ad30cbf742ca7074047     57  2022-01-19 11:15:09
       21  f56ff55ac1e52661951f5663246ff520745e9b9c05fafa6ae889a5069662fbd6     54  2022-01-19 11:01:05
       18  5e15533b5b390ca4636b6eaafa1b1e0c50d8d17f1cb266e5ed8818ace7e2b54a     57  2022-01-19 10:57:23
       22  3085c450b50e8068160986be6b738663409f290cb01a2a1f0137a609944b41a6     56  2022-01-19 10:43:03
       21  18a33d1e6e00b46c81cfadf7c8661d1c083e5c1014ec13e541712a2298daeb71     58  2022-01-19 10:36:23
        0  452024ad5bc053b872591d96949615754c0de13a82e627b6b21a731c9a807b85     52  2022-01-18 12:38:24
       15  f6c0c8e388e3f4122851f571e5a24dac43363d239ba1a8463dead81aaf189420     53  2022-01-17 17:32:18
        0  ea425a278a4004e9fe3534ee7d3513e92ec95854c3cfb0041c32c270d36494d5     56  2022-01-17 13:56:08
       17  838e58b39514b1f2d986bf2d63a1c3f4e651c5a5c05808dade50cd6e3cbc97ef     56  2022-01-17 10:26:05
       17  da27e6abd2e98a1b4bfebf781e31b42e1f90d34e1dcb2059f478ab3a7a8204cb     57  2022-01-17 06:06:48
        0  97de68a44b8d59ad5e0dc9dd38b69b3d6c573adae45d09503e7c8926dc3a2d1b     57  2022-01-15 23:12:25
        0  e98d975e45d189fa5f117e4e16591d0b4bdea48d00a8eab042947a97f67b0312     57  2022-01-14 22:50:53
        0  9f227048d213754f910eccec143ae58be5b8c8cce7d7d537eebf40da1ca5438b     54  2022-01-14 15:38:33
       15  504638e6a36a5484bcdb65eb0db9a30e28d36c8a459732975b5d333784ff18f2     57  2022-01-14 06:08:22
        0  02a5afd2b55595babcf30b5aa9e2697883216fbd6e72d88d2bacbc43316a0dc7     57  2022-01-13 23:34:53
        0  092b49d354e900a72dc6630c4e4c9a5e20f63e8c2b8140c786b5ed2aa5895046     57  2022-01-13 23:04:18
        0  ecd8b3a644e84b7372bba8c8bfe8efa2ef440c411d5362452b357c765b166e18     57  2022-01-13 13:09:32
       15  8852de22b93671a53e51f8b6d5f548ed016d02c14a1e8744a74cecc9426c6250     57  2022-01-13 04:53:24
        1  8eaceacbe0532c69f3b76654484a369f413d48b6d15a03d7f7d4f743c6aebf8b     56  2022-01-12 15:13:45
        0  5cbc516da25d1e6a30ac6838593c2af46eb42dd87b5b4eab3cb1cfb01c50c4bc     55  2022-01-12 14:42:23
       14  81fc88922f2860638ece9814528dc4a8da4e8f7ead5c09e0dfc2940e6f9ee57a     55  2022-01-12 11:09:09
       15  6ba2c088e51f29869c3bc7fda9503e675b930622f6c2873f298ff86b80107c3e     57  2022-01-12 07:36:31
        0  d11c9ebb1fabce86300e256df8ecee1d9e7963eea1650e692f22e8746caccdf0     57  2022-01-11 23:00:34
       16  d3e5fddce77312c2b45d4f23c36ef54fd02a22594c5e82f06885dbc3b4cbf3e5     57  2022-01-11 15:29:21
       16  2355c841e18a54fc0db180dc4357fe1db41c4fb33fcfcad3795cf81bf161f890     56  2022-01-11 11:07:28
        0  1ebad0b83e8926dd0e7bdb10df1ceaba817de7ff5aed7252774414f302f0eafe     57  2022-01-11 08:51:07
        2  9d58f2c78766fb97138ebe50d4625c57a29b2fc7fc77e39fc65f9c2cccbad473     57  2022-01-11 08:18:49
       15  3a3171ebbf2c074fd3f8126bcf1b1f6cc63df8b504a1c3d2612f7b927eb74157     56  2022-01-11 06:45:43
        1  f312e8a7f2c0fa36d4434e8b3ab166991d815df08df09a7381103bebe4889ab6     57  2022-01-11 05:29:46
       15  ed900644f5a03d10f9e2804a1e02eac071274f657f07c7ec91407f58a688c2ee     57  2022-01-10 10:46:29
       15  d91842094a5ff3bcd278c7b53e0564d9df20352941d5bca8d49d4c922959254f     57  2022-01-10 02:20:15
        0  07d079e07d019ecd0d3bc28353cc33a1d37217238197bf888dd1a15808781ad6     57  2022-01-09 04:17:40
        0  6ce45e1207c3bc5a9cb008c2f3b18c4db7e681de8643b32d8e3b09625ba2a955     57  2022-01-09 01:24:43
        0  7935bf9c6f9d776e11ba1bcefc0271d1030f2c4bda96d3eac5461a03c381e8a5     56  2022-01-06 23:05:23
       25  006c4d19080c4d1ec3def7b95614debb9a6baac3e1fc0f8285b94fb1869b5f6d     57  2022-01-05 15:42:51
        5  7372285b99facf17a1702b407ef88c56e472768b59a0455f10df89c479398e86     55  2022-01-05 11:07:43
        2  a5da068690f3dc7564f0908b305696d108cdc3941e73263b733c74074722f7ea     39  2022-01-03 11:30:30
        0  fea60f3390c86e89dba5bcf5de2e3db150361416f0b4ee184e9bd04bc665b60c     56  2022-01-03 10:24:00
        1  d16e81d2b8b08796486705e85987323b34ab442a30b4609eb8eb674d983b7105     57  2022-01-02 19:07:50
        0  a5164878538e4c0353ce5453efd5fa04b0b5832d376087eb240978f3586d15fa     57  2022-01-02 06:01:49
        0  ea8a5aba582a9655440a5784f8aeb8254e95ee5f7e152dc8e15bc54feb1f2636     55  2022-01-02 05:53:51
        0  4c8e3bd0357f0c81eb92b4747ce75c1f7984ad52fa00d1269fa8d57e63317347     56  2022-01-01 02:36:11
        0  862700c702215d3b0eae39fc7936363fe9d818a0e2cc86d62d331501966a419f     52  2021-12-30 16:40:15
        5  b02e3d5b8fc6a0264e7a12bb649b5c2bb37b0023a357aab67e8eadd55817bde8     55  2021-12-30 14:32:07
        0  5c019cd12eff5777372ba0eb5c469cb293cf77ada74eed7561b67a40a1f457bf     57  2021-12-30 12:10:18
        0  a63f05be96605746cadf72d20b91c5da3393b435458430f142911b6a59466cab     57  2021-12-30 03:33:49
        0  0971c349a370dfdb6c015ba72e15f38fd6ca5486019f9cc7dd2c9b48630f3f69     57  2021-12-30 02:52:08
        0  5f8d51c205125ff66d7dc57a62a6eaf0d7529aa054419825b155621cd3eb3f93     56  2021-12-30 02:50:57
        0  47b08ee4d05a648c78fe6df443f2dfbdfa218ef0f0972b6189466d3e09ac176f     49  2021-12-30 02:49:42
        0  a49163c1860e7740751c6bd09adb6f7a97aa1d50f074bb95beb31e8e356d5b0e     57  2021-12-30 02:49:39
        3  80264631cee73c3ba9a2ed126e8485d0a1c23068d4e8ebc7dd34e51edb99ee9f     42  2021-12-28 15:55:36
        4  76f686a72428906b68ee8bc5e53fe04febfc054b1b9c3716a8a276f12c0f3edd     56  2021-12-28 13:13:38
        9  1155fc22924cbf8d1fbbb90517b05ed45d86e2b0d05e772d888a487d3d5cfe66     56  2021-12-26 14:59:13
        0  d34bfe764fb8a33421f5b09908f8207780283914121d9a7174776253b37bc44a     55  2021-12-26 09:05:14
       11  f61913d0082c392981660403131993e94bd62583d178f7bd6ad9b6a07e9860fb     57  2021-12-26 00:31:21
       10  a326e99a983569226b167c8dac0a34892bec3046eac60853e76d5457a02efa68     56  2021-12-26 00:28:06
       11  4c712df0f8e838b707ae014e72c51037645be1364db3183352f4b2f5304c7705     57  2021-12-26 00:23:48
        0  8c8c635554e45cee8c427c342a57237095aeab8964739a7da3884434c2b0042f     57  2021-12-25 06:38:33
       21  0c8dfe3b3a8ae051c48ce33d2a036e7e907f85fd857cdc1b50805061ef34b1ce     58  2021-12-25 00:28:37
       10  dc663ecc743c3e15b1284edd97b17a90a8ac2ff307aeea454e56458409b2e85c     56  2021-12-24 20:17:29
        0  304a480fbff38bdbc429e09f78a495ab8393df9d28805c2501bb40e37febff21     55  2021-12-24 14:07:08
        0  65aadd9f75afe5a49d91599a48136ac6d34425a79cf25c093586c1867bfbb24c     52  2021-12-24 09:10:30
        0  5eab0c09db27ee42f17d3ed12fe25924ab0e81dbff3ebb4140122d22c98580a8     57  2021-12-24 03:13:36
        0  479fa90afba78e72390752bc8d0e39f3ea15c8f23314dca3bc8f0abf551e6603     57  2021-12-23 07:40:00
        0  c27c16e8ed604f68458236f4d67a4e472081d34f61b6112bd6f6de544725d882     57  2021-12-22 00:00:39
       12  982a40f6726d2a206cae3e0a77ff11309427077d33d0df0e03f11ad3483a78e0     57  2021-12-21 17:08:32
        0  4a39aaacd53e8242d6f7037d14c2a1f9b1328318b76642327bc67759c6d2a034     57  2021-12-21 08:16:31
        0  216b3691aff3d8ab18c353d74db5bf8b4bfddcd6d52a601d42f4e3a1ab085f3a     57  2021-12-20 21:25:49

Rule Matches per Month (last 24 months)