Summary | ZeroBOX

template-jn02b3.dot

Tags: VBA_macro, MSOffice File
Category: FILE
Machine: s1_win7_x6402
Started: June 3, 2021, 8:49 p.m.
Completed: June 3, 2021, 8:51 p.m.
Size 55.0KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jun 1 15:35:00 2021, Last Saved Time/Date: Tue Jun 1 15:35:00 2021, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0
MD5 7bad9bfadd445f637abb738bba8000c7
SHA256 fd05481da74a6d89ac3c60db954e8f02a85711f9abaf12ede2d4e54eaf06a032
CRC32 358A78F9
ssdeep 768:huuAWOOmKnnwOj+KCBbpCdOl2WDU7S+9mZRWAm8Wib2mkN:fIFCdN12WFgb
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
  • Microsoft_Office_File_Zero - Microsoft Office File
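The two YARA hits above only record that a rule fired on the OLE2 container. As an added example (my code, not ZeroBOX's and not the YARA rule itself), here is a stdlib-only Python check that reaches the same verdict as "Contains_VBA_macro_code" by walking the CFB directory of a .doc/.dot file and looking for the storages a VBA project leaves behind. Because the sample itself is not on the page, the block also builds a minimal three-sector CFB in memory (constructed input) so the check runs offline; the file layout and the marker names "VBA" and "_VBA_PROJECT" follow MS-CFB and MS-OVBA, the only assumption being the simplification that the FAT fits in the header's 109 DIFAT slots.

```python
import struct

# OLE2 / Compound File Binary (CFB) constants from the MS-CFB specification.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FATSECT = 0xFFFFFFFD      # FAT entry: this sector holds FAT data
ENDOFCHAIN = 0xFFFFFFFE   # FAT entry: last sector of a chain
FREESECT = 0xFFFFFFFF     # FAT entry: unused sector
NOSTREAM = 0xFFFFFFFF     # directory entry: no sibling / child

# Directory names that only exist when a VBA project is embedded
# (Word keeps it under "Macros", Excel under "_VBA_PROJECT_CUR").
VBA_MARKERS = {"VBA", "_VBA_PROJECT"}


def list_directory_names(blob):
    """Return the names of all used directory entries in a CFB blob.

    Walks the FAT chain of the directory stream directly; the red-black
    tree links are ignored because only the set of names is needed.
    Simplification (assumption): only the 109 DIFAT slots in the header
    are read, which covers files up to roughly 6.8 MB with 512-byte sectors.
    """
    if blob[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2/CFB file")
    (sector_shift,) = struct.unpack_from("<H", blob, 30)
    sector_size = 1 << sector_shift
    num_fat_sectors, first_dir_sector = struct.unpack_from("<II", blob, 44)
    difat = struct.unpack_from("<109I", blob, 76)

    # Build the FAT: each FAT sector holds sector_size/4 little-endian entries.
    fat = []
    for fat_sector in difat[:num_fat_sectors]:
        offset = (fat_sector + 1) * sector_size   # sector n lives at (n + 1) * size
        fat.extend(struct.unpack_from(f"<{sector_size // 4}I", blob, offset))

    names = []
    sector, seen = first_dir_sector, set()
    while sector not in (ENDOFCHAIN, FREESECT) and sector < len(fat) and sector not in seen:
        seen.add(sector)                           # guard against FAT loops in corrupt files
        offset = (sector + 1) * sector_size
        for i in range(sector_size // 128):        # 128-byte directory entries
            entry = blob[offset + i * 128: offset + (i + 1) * 128]
            name_len, object_type = struct.unpack_from("<HB", entry, 64)
            if object_type == 0 or name_len < 2:   # object type 0 = unused entry
                continue
            # name_len counts the UTF-16 terminator, so drop the last two bytes
            names.append(entry[: min(name_len, 64) - 2].decode("utf-16-le"))
        sector = fat[sector]
    return names


def has_vba_project(blob):
    """True if the directory contains a VBA storage or _VBA_PROJECT stream."""
    return bool(VBA_MARKERS.intersection(list_directory_names(blob)))


def build_sample_cfb(entry_names):
    """Constructed sample: a minimal CFB with a header, one FAT sector and one
    directory sector (so at most three entries besides the root). Entries carry
    no stream data; only the directory names matter for this check."""
    header = bytearray(512)
    header[0:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x003E, 3, 0xFFFE, 9, 6)  # versions, byte order, shifts
    struct.pack_into("<III", header, 44, 1, 1, 0)       # 1 FAT sector, directory at sector 1
    struct.pack_into("<I", header, 56, 4096)            # mini-stream cutoff
    struct.pack_into("<IIII", header, 60, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini FAT, no DIFAT sectors
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))       # FAT lives in sector 0

    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))

    directory = bytearray(512)
    for i, name in enumerate(["Root Entry", *entry_names]):
        encoded = name.encode("utf-16-le") + b"\x00\x00"
        entry = bytearray(128)
        entry[: len(encoded)] = encoded
        struct.pack_into("<HB", entry, 64, len(encoded), 5 if i == 0 else 1)  # 5 = root, 1 = storage
        struct.pack_into("<III", entry, 68, NOSTREAM, NOSTREAM, NOSTREAM)
        directory[i * 128: (i + 1) * 128] = entry
    return bytes(header) + fat + bytes(directory)


if __name__ == "__main__":
    macro_doc = build_sample_cfb(["Macros", "VBA", "_VBA_PROJECT"])
    plain_doc = build_sample_cfb(["WordDocument", "1Table"])
    print("macro_doc:", has_vba_project(macro_doc))   # True
    print("plain_doc:", has_vba_project(plain_doc))   # False
```

On a real sample, read the file and call has_vba_project() on its bytes; a hit tells you a VBA project is present, not whether it is malicious, which is exactly the limit of the YARA rule above. Extracting and deobfuscating the module source is a separate step (the `dir` and module streams are MS-OVBA compressed).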

DNS lookups (Name / Response / Post-Analysis Lookup): none recorded.
Hosts: no hosts contacted.
IP Address Status
172.217.25.14 Active

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

API calls (columns: Time, API, Arguments, Status, Return, Repeated; the Time column is not reproduced here, and the trailing three numbers of each record are Status, Return and Repeated, with Status 1 meaning the call succeeded)

NtProtectVirtualMemory

process_identifier: 2952
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70731000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2952
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70734000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2952
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05e31000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2952
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x743c1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x064c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x064c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x064d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2952
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x064e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2952
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x507c1000
process_handle: 0xffffffff
1 0 0
API calls, second table (same columns as above; trailing three numbers of each record are Status, Return and Repeated)

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000198
filepath: C:\Users\test22\AppData\Local\Temp\~$mplate-jn02b3.dot
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$mplate-jn02b3.dot
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
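The two call tables above are the raw material a reviewer reads by hand: PAGE_EXECUTE_READWRITE allocations and protection changes in the Word process (pid 2952), and the creation of a hidden file under the user's Temp directory. As an added example (my code, not ZeroBOX's), here is a Python triage pass over records in the shape the page prints them, with three of them embedded as constructed input. It applies two checks a practitioner wants before trusting a signature: whether the RWX regions live in the sample's own process (process_handle 0xffffffff is the GetCurrentProcess() pseudo-handle, so nothing here shows injection into another process) and whether the hidden file is merely Word's "~$" owner file, which Word itself creates hidden next to any document it opens and which is not evidence of malicious behaviour on its own.

```python
import re

# Three records copied from the call listing above, in the shape ZeroBOX
# prints them (API name, "key: value" arguments, then "status return repeated").
# Constructed sample input for this example, not a live report feed.
SAMPLE_LOG = """\
NtProtectVirtualMemory
process_identifier: 2952
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70731000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory
process_identifier: 2952
region_size: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x064c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtCreateFile
create_disposition: 5 (FILE_OVERWRITE_IF)
filepath: C:\\Users\\test22\\AppData\\Local\\Temp\\~$mplate-jn02b3.dot
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
status_info: 2 (FILE_CREATED)
1 0 0
"""

PAGE_EXECUTE_READWRITE = 0x40
FILE_ATTRIBUTE_HIDDEN = 0x02
# GetCurrentProcess() returns the pseudo-handle (HANDLE)-1, i.e. 0xffffffff on 32-bit.
CURRENT_PROCESS = 0xFFFFFFFF
MEMORY_APIS = {"NtAllocateVirtualMemory", "NtProtectVirtualMemory"}


def parse_records(text):
    """Turn the flattened listing into dicts: api, args, status, ret, repeated."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.strip().splitlines()
        rec = {"api": lines[0].strip(), "args": {}}
        for line in lines[1:]:
            if ":" in line:                        # "key: value" argument line
                key, value = line.split(":", 1)
                rec["args"][key.strip()] = value.strip()
            else:                                  # trailer: "status return repeated"
                status, ret, repeated = line.split()
                rec.update(status=int(status), ret=int(ret, 0), repeated=int(repeated))
        records.append(rec)
    return records


def numeric(value):
    """'64 (PAGE_EXECUTE_READWRITE)' -> 64, '0xffffffff' -> 4294967295."""
    return int(value.split()[0], 0)


def triage(records):
    """Return (api, finding, target, detail) tuples for the checks described above."""
    findings = []
    for rec in records:
        args = rec["args"]
        if rec["api"] in MEMORY_APIS:
            # Low byte holds the page protection; PAGE_GUARD/PAGE_NOCACHE may be ORed above it.
            if (numeric(args["protection"]) & 0xFF) == PAGE_EXECUTE_READWRITE:
                target = "own process" if numeric(args["process_handle"]) == CURRENT_PROCESS else "other process"
                findings.append((rec["api"], "rwx_memory", target, args["base_address"]))
        elif rec["api"] == "NtCreateFile":
            if numeric(args.get("file_attributes", "0")) & FILE_ATTRIBUTE_HIDDEN:
                basename = args["filepath"].rsplit("\\", 1)[-1]
                # "~$<name>" beside an opened document is Word's own hidden owner/lock file.
                kind = "office_owner_file" if basename.startswith("~$") else "hidden_file"
                findings.append((rec["api"], kind, "", args["filepath"]))
    return findings


def triage_sample():
    return triage(parse_records(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in triage_sample():
        print(*finding)
```

Run against a full report export, the interesting output is an RWX finding whose target is "other process" (a handle other than 0xffffffff) or a hidden file that is not an Office owner file; on the three records above both checks come back as "own process" and "office_owner_file", which is why the RWX activity inside Word, not the Temp file, is the part worth following up.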
host 172.217.25.14
Antivirus Result
Elastic malicious (high confidence)
MicroWorld-eScan VB.Heur2.EmoDldr.3.B043588E.Gen
ALYac VB.Heur2.EmoDldr.3.B043588E.Gen
Sangfor Malware.Generic-VBA.Save.Obfuscated
Arcabit VB.Heur2.EmoDldr.3.B043588E.Gen
Kaspersky HEUR:Trojan.Script.Generic
BitDefender VB.Heur2.EmoDldr.3.B043588E.Gen
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
Tencent Heur.Macro.Generic.a.61628d17
Ad-Aware VB.Heur2.EmoDldr.3.B043588E.Gen
TACHYON Suspicious/W97M.Obfus.Gen.2
Emsisoft VB.Heur2.EmoDldr.3.B043588E.Gen (B)
McAfee-GW-Edition BehavesLike.OLE2.Downloader.qr
FireEye VB.Heur2.EmoDldr.3.B043588E.Gen
SentinelOne Static AI - Malicious OLE
Avira HEUR/Macro.Downloader.MRJR.Gen
Microsoft Trojan:Script/Wacatac.B!ml
ZoneAlarm HEUR:Trojan.Script.Generic
GData VB.Heur2.EmoDldr.3.B043588E.Gen
Cynet Malicious (score: 99)
MAX malware (ai score=84)
Zoner Probably Heur.W97Obfuscated
Rising Malware.ObfusVBA@ML.95 (VBA)
Fortinet VBA/Agent.AQJ!tr