Summary | ZeroBOX

文書名 -scan-1931.xls

VBA_macro MSOffice File
Category Machine Started Completed
FILE s1_win7_x6402 July 5, 2021, 9:37 a.m. July 5, 2021, 9:39 a.m.
Size 93.0KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 932, Author: w, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Mar 29 13:10:12 2019, Last Saved Time/Date: Fri Mar 29 14:27:38 2019, Security: 0
MD5 4e7768c1f32cf5da49f21bd81c2939f2
SHA256 a5294a62b4cd9eae6d53816f8335d4e4aa9e48e3947621383658ca595bea4da6
CRC32 A11E16FD
ssdeep 1536:hk3hOdsylKlgryzc4bNhZFGzE+cL4LgldAn66IAXER7BSVZOuDZK0LeS3g21dzxV:hk3hOdsylKlgryzc4bNhZFGzE+cL4Lgf
Yara
  • Microsoft_Office_File_Zero - Microsoft Office File
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
172.217.25.14 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 8072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70af1000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 8072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70b4f000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 8072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70b4f000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 8072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73711000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 8072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05751000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

host 172.217.25.14
MicroWorld-eScan VBA.ObfDldr.10.Gen
FireEye VBA.ObfDldr.10.Gen
ALYac Trojan.Downloader.XLS.gen
Cyren Trojan.ZYJC-1
Symantec Trojan.Mdropper
ESET-NOD32 VBA/TrojanDownloader.Agent.NKZ
Baidu VBA.Trojan-Downloader.Agent.dbm
TrendMicro-HouseCall Trojan.X97M.DLOADR.JHKT
Avast Other:Malware-gen [Trj]
ClamAV Doc.Dropper.Agent-6920238-0
GData VBA.ObfDldr.10.Gen
Kaspersky Trojan-Downloader.MSExcel.Agent.kh
BitDefender VBA.ObfDldr.10.Gen
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
Rising Malware.ObfusVBA@ML.100 (VBA)
Ad-Aware VBA.ObfDldr.10.Gen
TACHYON Suspicious/X97M.Obfus.Gen.8
Sophos Troj/DocDl-SYJ
Comodo Malware@#2eutsphlltes1
F-Secure Trojan:W97M/AutorunMacro.D
DrWeb W97M.DownLoader.3620
TrendMicro Trojan.X97M.DLOADR.JHKT
McAfee-GW-Edition BehavesLike.Downloader.ng
Emsisoft VBA.ObfDldr.10.Gen (B)
Ikarus Trojan.VBA.Agent
Avira X2000M/Agent.558729
Antiy-AVL Trojan[Downloader]/MSOffice.Agent.ml
Endgame malicious (high confidence)
Arcabit HEUR.VBA.Trojan.e
AegisLab Trojan.MSExcel.Agent.4!c
ZoneAlarm Trojan-Downloader.MSExcel.Agent.kh
Microsoft TrojanDownloader:O97M/Donoff
Cynet Malicious (score: 85)
AhnLab-V3 X97M/Downloader
McAfee RDN/Generic.dx
Zoner Probably Heur.W97Obfuscated
Tencent Heur:Trojan.Script.LS_Gencirc.7125039.0
SentinelOne DFI - Malicious OLE
Fortinet VBA/Agent.NIK!tr.dldr
AVG Other:Malware-gen [Trj]
Qihoo-360 virus.office.qexvmc.1070