Summary | ZeroBOX

참가신청서양식.doc

Tags: VBA_macro, Convert Image File
Category: FILE
Machine: s1_win7_x6401
Started: April 20, 2021, 6:09 p.m.
Completed: April 20, 2021, 6:12 p.m.
Size: 557.0KB
Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 949, Author: William, Template: Normal.dotm, Last Saved By: William, Revision Number: 122, Name of Creating Application: Microsoft Office Word, Total Editing Time: 06:12:00, Create Time/Date: Sun Feb 28 00:01:00 2021, Last Saved Time/Date: Tue Apr 13 19:39:00 2021, Number of Pages: 1, Number of Words: 57, Number of Characters: 328, Security: 8
MD5: ed9aa858ba2c4671ca373496a4dd05d4
SHA256: f1eed93e555a0a33c7fef74084a6f8d06a92079e9f57114f523353d877226d72
CRC32: F12D2450
ssdeep: 12288:FbHANkKPE2u2TO6NW4us4AKqL6ht+g+Jk2R:rcEyNBw9qL6Ogc
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
  • VBMacro_Convert_Image_File_Zero - VBMacro Convert Image File
  • Microsoft_Office_Document_Zero - Microsoft Office Document Signature Zero

DNS (Name / Response / Post-Analysis Lookup): No hosts contacted.
IP Address: 164.124.101.2, Status: Active, Action: Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

API calls (columns: Time & API, Arguments, Status, Return, Repeated)

NtProtectVirtualMemory

process_identifier: 872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6c9a1000
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtProtectVirtualMemory

process_identifier: 872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6c9f5000
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtProtectVirtualMemory

process_identifier: 872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71f61000
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtProtectVirtualMemory

process_identifier: 872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6c971000
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtProtectVirtualMemory

process_identifier: 872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x65001000
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtAllocateVirtualMemory

process_identifier: 872
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06760000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtAllocateVirtualMemory

process_identifier: 872
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06770000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtAllocateVirtualMemory

process_identifier: 872
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06770000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtAllocateVirtualMemory

process_identifier: 872
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06780000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtAllocateVirtualMemory

process_identifier: 872
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x067f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtAllocateVirtualMemory

process_identifier: 872
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06760000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtAllocateVirtualMemory

process_identifier: 872
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06770000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtAllocateVirtualMemory

process_identifier: 872
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06760000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtAllocateVirtualMemory

process_identifier: 872
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06770000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtProtectVirtualMemory

process_identifier: 872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b1b1000
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtProtectVirtualMemory

process_identifier: 872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b0f1000
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtProtectVirtualMemory

process_identifier: 872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b0f4000
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtProtectVirtualMemory

process_identifier: 872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x507c1000
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

file: C:\Users\test22\AppData\Local\Temp\~$가신청서양식.doc
File API calls (columns: Time & API, Arguments, Status, Return, Repeated)

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000198
filepath: C:\Users\test22\AppData\Local\Temp\~$가신청서양식.doc
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$가신청서양식.doc
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
status: 1
return: 0
repeated: 0

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000200
filepath: C:\Users\test22\AppData\Local\Temp\~$가신청서양식.htm
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$가신청서양식.htm
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
status: 1
return: 0
repeated: 0

com_class: ADODB.Stream (may attempt to write one or more files to the hard disk)
cve: CVE-2013-3906
Antivirus scan results
McAfee: RDN/GenericOLE
Sangfor: Trojan.Generic-Script.Save.58bfd89c
Arcabit: Trojan.Generic.D22FF5C0
Symantec: W97M.Downloader
ESET-NOD32: a variant of VBA/TrojanDownloader.Agent.UOE
Avast: VBA:Dropper-BX [Trj]
Kaspersky: UDS:DangerousObject.Multi.Generic
BitDefender: VB:Trojan.Valyria.4372
ViRobot: W97M.S.Agent.570368
MicroWorld-eScan: VB:Trojan.Valyria.4372
Tencent: Win32.Trojan.Macrov.Anpq
Ad-Aware: Trojan.GenericKD.36697536
Emsisoft: Trojan.GenericKD.36697536 (B)
DrWeb: Trojan.Siggen13.8929
McAfee-GW-Edition: BehavesLike.OLE2.Downloader.hb
FireEye: VB:Trojan.Valyria.4372
Ikarus: Trojan-Downloader.VBA.Agent
Avira: HEUR/Macro.Downloader.MRDT.Gen
AegisLab: Trojan.Script.Generic.4!c
ZoneAlarm: HEUR:Trojan.Script.Generic
GData: VB:Trojan.Valyria.4372
TACHYON: Suspicious/W97M.Obfus.Gen.8
AhnLab-V3: Dropper/DOC.Generic
ALYac: Trojan.Downloader.DOC.Gen
MAX: malware (ai score=99)
Rising: Downloader.Agent!8.B23 (TOPIS:E0:bDXz1E81UUL)
SentinelOne: Static AI - Suspicious OLE
Fortinet: VBA/Agent.UOE!tr
AVG: VBA:Dropper-BX [Trj]
Qihoo-360: virus.office.qexvmc.1065