Pulse Detail — Threat Intelligence

PULSE NAME

Crimea manifesto deploys VBA Rat using double attack vectors

WHITE AlienVault 2021-07-30 Modified: 2021-07-30

IOCs

LOW VOLUME

On July 21, 2021, Malwarebytes Labs identified a suspicious document named "Manifest.docx" that downloads and executes two templates: one is macro-enabled and the other is an html object that contains an Internet Explorer exploit.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1059 T1566 T1137 T1218 T1105 T1082 T1547 T1176 T1063 T1007 T1033 T1070.004 T1020

Indicators of Compromise (7)

All CVE FileHash-SHA256 URL domain

TYPE	INDICATOR	DESCRIPTION	CREATED
CVE	CVE-2021-26411	—	2021-07-30
FileHash-SHA256	03eb08a930bb464837ede77df6c66651d526bab1560e7e6e0e8466ab23856bac	—	2021-07-30
FileHash-SHA256	fffe061643271155f29ae015bca89100dec6b4b655fe0580aa8c6aee53f34928	—	2021-07-30
URL	http://cloud-documents.com/doc/t.php?action=show_content	—	2021-07-30
URL	https://cloud-documents.com/doc/t.php?document_show=notica	—	2021-07-30
URL	https://cloud-documents.com/doc/templates/agent.dotm	—	2021-07-30
domain	cloud-documents.com	Registered=07/17/2021 Registrar=Hosting Concepts B.V. d/b/a Registrar.eu NS=ns1.firstvds.ru	2021-07-30

References (1)

↗ https://blog.malwarebytes.com/threat-intelligence/2021/07/crimea-manifesto-deploys-vba-rat-using-double-attack-vectors/