Summary | ZeroBOX

Document 70259454.xls

VBA_macro MSOffice File
Category Machine Started Completed
FILE s1_win7_x3201 May 27, 2021, 9:24 a.m. May 27, 2021, 9:38 a.m.
Size 640.5KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: pacific hoarseness, Subject: trigonal widgets, Author: jacking annatto, Last Saved By: user, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed May 26 12:14:38 2021, Last Saved Time/Date: Wed May 26 12:14:39 2021, Security: 0
MD5 fa58cb567a2ffeee77053fadf440a56f
SHA256 0a4fd9a26a96d1a16fd1df17139e9acfbd4e8f82cd0b905e29a7662250e29812
CRC32 303B4447
ssdeep 12288:3sp46EAQ6zgUw2CgldPpxgr1KV7rJDYs4d4iW3jncHWSorVU3qhSFt:3zhAXwrg7PpxdJUspiWTcHYVUcmt
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
  • Microsoft_Office_File_Zero - Microsoft Office File

IP Address Status Action

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49593 -> 23.212.13.232:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49591 -> 35.155.6.125:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49594 -> 23.40.44.112:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.185.16.122:443 -> 192.168.56.103:49603 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49601 -> 192.185.16.122:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49605 -> 107.180.58.44:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49610 -> 209.188.15.214:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49602 -> 192.185.16.122:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 209.188.15.214:443 -> 192.168.56.103:49611 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49613 -> 192.185.79.55:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 107.180.58.44:443 -> 192.168.56.103:49607 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.185.79.55:443 -> 192.168.56.103:49615 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49617 -> 192.185.32.234:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49618 -> 192.185.32.234:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49623 -> 208.91.198.106:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49609 -> 209.188.15.214:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 208.91.198.106:443 -> 192.168.56.103:49624 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49621 -> 208.91.198.106:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49626 -> 148.66.138.194:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49631 -> 173.230.252.50:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49627 -> 148.66.138.194:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 148.66.138.194:443 -> 192.168.56.103:49628 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49636 -> 83.150.213.154:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.103:49636 -> 83.150.213.154:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 83.150.213.154:443 -> 192.168.56.103:49636 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.103:49638 -> 108.167.181.248:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 83.150.213.154:443 -> 192.168.56.103:49636 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.103:49639 -> 108.167.181.248:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 108.167.181.248:443 -> 192.168.56.103:49640 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49606 -> 107.180.58.44:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 173.230.252.50:443 -> 192.168.56.103:49632 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49635 -> 83.150.213.154:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.103:49635 -> 83.150.213.154:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.103:49635 -> 83.150.213.154:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49614 -> 192.185.79.55:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.185.32.234:443 -> 192.168.56.103:49619 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49630 -> 173.230.252.50:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49634 -> 83.150.213.154:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.103:49634 -> 83.150.213.154:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.103:49634 -> 83.150.213.154:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 83.150.213.154:443 -> 192.168.56.103:49634 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 83.150.213.154:443 -> 192.168.56.103:49634 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 83.150.213.154:443 -> 192.168.56.103:49635 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 83.150.213.154:443 -> 192.168.56.103:49635 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.103:49591 -> 35.155.6.125:443 | Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA | Subject: C=US, ST=California, L=Mountain View, O=Mozilla Corporation, OU=Cloud Services, CN=*.telemetry.mozilla.org | Fingerprint: 6d:3c:6a:a4:5f:46:eb:8b:b6:fb:8f:08:44:02:01:61:a0:25:c3:c8
TLSv1 192.168.56.103:49594 -> 23.40.44.112:443 | Issuer: C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 | Subject: C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=download.microsoft.com | Fingerprint: e7:01:d1:e2:a1:0e:a1:84:0b:d0:c6:2e:a2:42:7a:f4:7b:40:91:c5
TLSv1 192.168.56.103:49593 -> 23.212.13.232:443 | Issuer: C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 | Subject: C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=www.microsoft.com | Fingerprint: 9b:2b:8a:e6:51:69:aa:47:7c:57:83:d6:48:0f:29:6e:f4:8c:f1:4d

request GET http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=0.0.0.0&asdelta=0.0.0.0&prod=925A3ACA-C353-458A-AC8D-A7E5EB378092
Time & API | Arguments | Status | Return | Repeated
NtProtectVirtualMemory | process_identifier: 3916, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x6b9c1000, process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 3916, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x6ba1f000, process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 3916, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x6ba1f000, process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 3916, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x75b41000, process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 3916, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x65001000, process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 3916, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x75621000, process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 3916, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x71e11000, process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 3916, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x71cb1000, process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 3916, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x71ca1000, process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 3916, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x73d01000, process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 3916, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x75301000, process_handle: 0xffffffff | 1 | 0 | 0
NtAllocateVirtualMemory | process_identifier: 3916, region_size: 4096, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x06380000, allocation_type: 4096 (MEM_COMMIT), process_handle: 0xffffffff | 1 | 0 | 0
NtAllocateVirtualMemory | process_identifier: 3916, region_size: 4096, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x06380000, allocation_type: 4096 (MEM_COMMIT), process_handle: 0xffffffff | 1 | 0 | 0
NtAllocateVirtualMemory | process_identifier: 3916, region_size: 4096, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x06670000, allocation_type: 4096 (MEM_COMMIT), process_handle: 0xffffffff | 1 | 0 | 0
NtAllocateVirtualMemory | process_identifier: 3916, region_size: 4096, stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, protection: 64 (PAGE_EXECUTE_READWRITE), base_address: 0x06680000, allocation_type: 4096 (MEM_COMMIT), process_handle: 0xffffffff | 1 | 0 | 0

com_class Wscript.Shell May attempt to create new processes
Elastic malicious (high confidence)
ALYac VBA.Heur2.ObfDldr.10.E2ADC501.Gen
Arcabit HEUR.VBA.Trojan.d
Avast VBS:Dropper-QF [Trj]
BitDefender VBA.Heur2.ObfDldr.10.E2ADC501.Gen
MicroWorld-eScan VBA.Heur2.ObfDldr.10.E2ADC501.Gen
Ad-Aware VBA.Heur2.ObfDldr.10.E2ADC501.Gen
VIPRE LooksLike.Macro.Malware.gen!x1 (v)
TrendMicro HEUR_VBA.OE
McAfee-GW-Edition BehavesLike.OLE2.Downloader.jb
FireEye VBA.Heur2.ObfDldr.10.E2ADC501.Gen
Emsisoft VBA.Heur2.ObfDldr.10.E2ADC501.Gen (B)
Jiangmin Virus/MSWord.Hunter
Microsoft Trojan:Win32/Dridex!ml
GData VBA.Heur2.ObfDldr.10.E2ADC501.Gen
MAX malware (ai score=81)
Zoner Probably Heur.W97Obfuscated
Rising Malware.ObfusVBA@ML.97 (VBA)
SentinelOne Static AI - Malicious OLE
AVG VBS:Dropper-QF [Trj]
payload_url https://vitiligomatch.com/wpvitiligomatch/wp-includes/css/dist/block-directory/QaLUIUkxomX.php