Summary | ZeroBOX

Exports promotion highlits may 2021.xls

Tags: VBA_macro, OS Processor Check, MSOffice File
Category: FILE
Machine: s1_win7_x6401
Started: June 16, 2021, 10:09 a.m.
Completed: June 16, 2021, 10:11 a.m.
Size: 1.4MB
Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Testing, Last Saved By: Administrator, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Feb 7 11:26:50 2020, Last Saved Time/Date: Fri Apr 30 07:27:10 2021, Security: 0
MD5: f23dd9acbf28f324b290b970fbc40b30
SHA256: a3c020bf50d39a58f5345b671c43d790cba0e2a3f631c5182437976adf970633
CRC32: E5C1505A
ssdeep: 6144:Vf1cbwPwse8axEtjPOtioVjDGUU1qfDlavx+W2QnAkSsRa:XccPwsLY
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
  • OS_Processor_Check_Zero - OS Processor Check
  • Microsoft_Office_File_Zero - Microsoft Office File

Name Response Post-Analysis Lookup: No hosts contacted.
IP Address: 164.124.101.2 (Status: Active; Action: Moloch)

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2232
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6de91000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2232
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6deef000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2232
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6deef000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2232
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6de31000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2232
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x65001000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2232
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6db81000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2232
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6dcd1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2232
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6db41000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2232
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x066e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2232
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06a50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2232
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06a20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2232
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06a60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2232
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06a70000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
com_class: Shell.Application (May attempt to create new processes)
parent_process: excel.exe
martian_process: C:\Users\test22\AppData\Roaming\WindowsSecurity.exe
Elastic malicious (high confidence)
ClamAV Ole2.Macro.Agent-9858797-0
FireEye VBA.Heur.ObfDldr.22.BB49248F.Gen
McAfee Artemis!D140F63FF050
Arcabit HEUR.VBA.Trojan.d
Cyren W32/Trojan.DDCH-7600
Symantec Trojan.Gen.MBT
ESET-NOD32 Win32/TrojanDownloader.Agent.FCH
TrendMicro-HouseCall Trojan.Win32.DONOFF.C
Avast Win32:Trojan-gen
Cynet Malicious (score: 99)
Kaspersky HEUR:Trojan-Dropper.MSOffice.SDrop.gen
BitDefender VBA.Heur.ObfDldr.22.BB49248F.Gen
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
ViRobot XLS.Z.Agent.1425408
MicroWorld-eScan VBA.Heur.ObfDldr.22.BB49248F.Gen
Ad-Aware VBA.Heur.ObfDldr.22.BB49248F.Gen
Emsisoft VBA.Heur.ObfDldr.22.BB49248F.Gen (B)
Comodo TrojWare.Win32.UMal.hoigz@0
DrWeb Exploit.Siggen3.17878
VIPRE Trojan.Win32.Generic!BT
TrendMicro Trojan.Win32.DONOFF.C
McAfee-GW-Edition BehavesLike.OLE2.Dropper.tx
Ikarus Trojan-Downloader.Win32.Agent
Avira TR/Dldr.Agent.dsfuo
Antiy-AVL Trojan/Generic.ASMalwS.3059AA2
Microsoft TrojanDownloader:O97M/Obfuse.VAL!MTB
AegisLab Trojan.MSExcel.Generic.4!c
ZoneAlarm HEUR:Trojan.Script.Generic
GData VBA.Heur.ObfDldr.22.BB49248F.Gen
TACHYON Suspicious/W97.NS.Gen
AhnLab-V3 Downloader/Win32.Agent.C4114357
BitDefenderTheta Gen:NN.ZedlaF.34738.eq4@aqXPYYj
ALYac Trojan.Downloader.XLS.gen
MAX malware (ai score=83)
Rising Trojan.Generic@ML.80 (RDML:w2ILrCKxjQVkzrQNW4ZhGw)
Fortinet WM/Agent.U!tr.dldr
AVG Win32:Trojan-gen