Summary | ZeroBOX

fc8edf706344462ab7b600ae29d554bb.doc

VBA_macro MSOffice File
Category FILE
Machine s1_win7_x6401
Started June 24, 2021, 7:25 p.m.
Completed June 24, 2021, 8:39 p.m.
Size 32.0KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 936, Title: 8, Author: Administrator, Template: Normal.dot, Revision Number: 4, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Fri May 21 07:18:00 2021, Last Saved Time/Date: Fri May 21 07:19:00 2021, Number of Pages: 1, Number of Words: 27, Number of Characters: 155, Security: 0
MD5 6f1fe99a6ffc835b50874a63711d2482
SHA256 01fdd01c978b69a8df70f2e5fa10bdeec06aaec4235b6cc94e4c51ea5f55f013
CRC32 3642C3EA
ssdeep 192:dXcXTJXkVGjgRDu9vFoGutkx4coeWcg4uTjsgYKaC:dXU1XkVGjgRyxFobt8uTjsg5
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
  • Microsoft_Office_File_Zero - Microsoft Office File

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x65001000
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6ca81000
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6ca84000
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71f61000
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71f62000
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6c931000
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06720000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06720000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06730000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06880000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x507c1000
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0
file C:\Users\test22\AppData\Local\Temp\~$8edf706344462ab7b600ae29d554bb.doc
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000198
filepath: C:\Users\test22\AppData\Local\Temp\~$8edf706344462ab7b600ae29d554bb.doc
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$8edf706344462ab7b600ae29d554bb.doc
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
Status: 1  Return: 0  Repeated: 0
Elastic malicious (high confidence)
DrWeb W97M.Siggen.10
MicroWorld-eScan VB:Trojan.Valyria.1610
FireEye VB:Trojan.Valyria.1610
CAT-QuickHeal W97M.Dropper.PI
ALYac VB:Trojan.Valyria.1610
Zillya Trojan.Agent.MacroWord.1
Sangfor Virus.Generic-Script.Save.cff1516b
Arcabit HEUR.VBA.V.1
Cyren W97M/Infector.A.gen
Symantec W97M.Sillycopy
ESET-NOD32 W97M/Thus.NAB
TrendMicro-HouseCall W97M_THUS.A
Avast Other:Malware-gen [Trj]
ClamAV Doc.Macro.APMPKILL-6097118-0
Kaspersky Trojan.MSWord.Agent.bd
BitDefender VB:Trojan.Valyria.1610
NANO-Antivirus Trojan.Script.Agent.dsetwk
Rising Macro.Agent.c (CLASSIC)
Ad-Aware VB:Trojan.Valyria.1610
Sophos WM97/Thus-Fam
Comodo TrojWare.W97M.Thus.NAB@7dbwyy
Baidu MSWord.Trojan.Agent.e
VIPRE Virus.W97M.Micro.a (v)
TrendMicro W97M_THUS.A
McAfee-GW-Edition BehavesLike.OLE2.Thus.nx
Emsisoft VB:Trojan.Valyria.1610 (B)
SentinelOne Static AI - Malicious OLE
Jiangmin MSWord/Agent.ga
Avira VBA/Agent.Gen
MAX malware (ai score=89)
Microsoft Virus:W97M/Thus.GB
ZoneAlarm Trojan.MSWord.Agent.bd
GData VB:Trojan.Valyria.1610
Cynet Malicious (score: 99)
AhnLab-V3 W97M/Thus
McAfee W97M/Thus.gen.a
TACHYON Trojan/W97M.Munt
Tencent OLE.Win32.Macro.700319
Ikarus Virus.W97M.Thus
MaxSecure Trojan.Malware.121218.susgen
Fortinet VBA/Thus.1A61!tr
AVG Other:Malware-gen [Trj]