Summary | ZeroBOX

The_Progress_and_Promise_of_the_Moon-Kim_Summit.doc

VBA_macro
Category  Machine        Started                  Completed
FILE      s1_win7_x6402  July 5, 2021, 9:39 a.m.  July 5, 2021, 9:42 a.m.
Size 94.3KB
Type Microsoft Word 2007+
MD5 6ead104743be6575e767986a71cf4bd9
SHA256 d1b5d606c866c304c3eb28fc52ed700c6b292e6e4387e0dac1a895e231bfe5b3
CRC32 EC25B17A
ssdeep 1536:WkNSQuGkD6MUc8CBllIIWv13Z33Le9AlwkWC7pguCr1eMVdj+WWZdDaft:WU1uGkmMrwIWv13ZDCZnuueMLj+BZdDQ
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
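The Yara hit above says the file embeds VBA, and the header says a file named .doc is in fact a "Microsoft Word 2007+" (OOXML zip) container; Word opens on the bytes rather than the extension, so the rename changes nothing for the victim but is a useful triage signal. The Python below, added here as an example and not part of the ZeroBOX report or its rule set, performs both checks statically: container magic, presence of a vbaProject.bin part and a macroEnabled content type for OOXML, and an extension/container mismatch. The document it inspects is constructed in build_sample() so the script runs offline; the 'Attribut' check for OLE2 files is a common heuristic and an assumption about what rules of this name look for, not something the page states.

```python
"""Static pre-triage for an Office sample whose extension and container may disagree.

Added example, not ZeroBOX code. build_sample() fabricates a small .docm-style
zip; the real sample from the report is not included.
"""
import io
import zipfile

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # Compound File (legacy .doc)
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.docx/.docm) is a zip
MACRO_CT = "macroEnabled"                           # appears in [Content_Types].xml of .docm/.dotm

# What the extension promises vs. what the bytes are. Word sniffs the bytes,
# so a renamed .docm still opens and still offers to run its macros.
EXPECTED_CONTAINER = {"doc": "OLE2", "dot": "OLE2", "docx": "OOXML",
                      "docm": "OOXML", "dotx": "OOXML", "dotm": "OOXML"}


def inspect_office_blob(data: bytes, filename: str) -> dict:
    """Return container type, VBA evidence and extension/container mismatch."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    container, vba_parts, macro_content_type = "unknown", [], False

    if data.startswith(ZIP_MAGIC):
        container = "OOXML"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                # The VBA project is an OLE2 blob stored as a part inside the zip
                vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
                if "[Content_Types].xml" in names:
                    ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                    macro_content_type = MACRO_CT in ct
        except zipfile.BadZipFile:
            container = "OOXML (corrupt zip)"
    elif data.startswith(OLE2_MAGIC):
        container = "OLE2"
        # Heuristic only (assumption): MS-OVBA-compressed module streams start
        # with the literal 'Attribut' from 'Attribute VB_Name'. A proper OLE
        # parser should confirm before this is reported as a finding.
        if b"Attribut" in data:
            vba_parts = ["<OLE2 stream containing 'Attribut'>"]

    expected = EXPECTED_CONTAINER.get(ext)
    return {
        "container": container,
        "has_vba": bool(vba_parts),
        "vba_parts": vba_parts,
        "macro_enabled_content_type": macro_content_type,
        "extension_mismatch": expected is not None and expected != container,
    }


def build_sample() -> bytes:
    """Constructed .docm-style zip (not the real sample) with a VBA project part."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
        '<Override PartName="/word/vbaProject.bin" '
        'ContentType="application/vnd.ms-office.vbaProject"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        # A real part is a full OLE2 compound file; magic plus filler suffices here
        zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 64 + b"Attribut")
    return buf.getvalue()


if __name__ == "__main__":
    # Same situation as the report: .doc extension on an OOXML body with a VBA project
    print(inspect_office_blob(build_sample(),
                              "The_Progress_and_Promise_of_the_Moon-Kim_Summit.doc"))
```

Run it against the real file with `inspect_office_blob(open(path, "rb").read(), path)`; a result of container OOXML, has_vba True and extension_mismatch True is exactly the combination the header and the Yara line above describe.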

Name  Response  Post-Analysis Lookup
No hosts contacted.

IP Address     Status  Action
172.217.25.14  Active  Moloch

The DNS table is empty while one IP address was reached directly, and the Suricata sections below record neither an alert nor a TLS session for it. This summary alone does not show what was exchanged with 172.217.25.14 or whether the macro initiated the connection; check the capture behind the Moloch entry before treating the address as an indicator.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

Every record below shares process_identifier 7180, process_handle 0xffffffff (the calling process itself), protection 64 (PAGE_EXECUTE_READWRITE), a 4096-byte region and stack_dep_bypass = stack_pivoted = heap_dep_bypass = 0. For NtProtectVirtualMemory the size field is length; for NtAllocateVirtualMemory it is region_size with allocation_type 4096 (MEM_COMMIT). Status 1, Return 0, Repeated 0 on every call.

API                      base_address  size  allocation_type    Status  Return  Repeated
NtProtectVirtualMemory   0x6ebb1000    4096  -                  1       0       0
NtProtectVirtualMemory   0x6ec05000    4096  -                  1       0       0
NtProtectVirtualMemory   0x673a1000    4096  -                  1       0       0
NtProtectVirtualMemory   0x66c91000    4096  -                  1       0       0
NtProtectVirtualMemory   0x054f1000    4096  -                  1       0       0
NtProtectVirtualMemory   0x70731000    4096  -                  1       0       0
NtProtectVirtualMemory   0x70734000    4096  -                  1       0       0
NtProtectVirtualMemory   0x6e821000    4096  -                  1       0       0
NtProtectVirtualMemory   0x6e83e000    4096  -                  1       0       0
NtProtectVirtualMemory   0x6dfb1000    4096  -                  1       0       0
NtProtectVirtualMemory   0x6dfce000    4096  -                  1       0       0
NtProtectVirtualMemory   0x74481000    4096  -                  1       0       0
NtProtectVirtualMemory   0x74482000    4096  -                  1       0       0
NtProtectVirtualMemory   0x743c1000    4096  -                  1       0       0
NtAllocateVirtualMemory  0x063b0000    4096  4096 (MEM_COMMIT)  1       0       0
NtAllocateVirtualMemory  0x063b0000    4096  4096 (MEM_COMMIT)  1       0       0
NtAllocateVirtualMemory  0x063c0000    4096  4096 (MEM_COMMIT)  1       0       0
NtAllocateVirtualMemory  0x063d0000    4096  4096 (MEM_COMMIT)  1       0       0
NtProtectVirtualMemory   0x507c1000    4096  -                  1       0       0
NtProtectVirtualMemory   0x601f1000    4096  -                  1       0       0
NtProtectVirtualMemory   0x618d5000    4096  -                  1       0       0
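The memory records above mix two things a practitioner should separate: private memory committed as PAGE_EXECUTE_READWRITE in the Office process (the pattern that precedes copying shellcode into a fresh buffer) and existing pages at module-range addresses flipped to RWX (which can be code patching but need the process's module list to attribute). The Python below, added here as an example and not part of the ZeroBOX report, rebuilds the 21 records from the values shown (pid 7180, 4096-byte regions, protection 64, handle 0xffffffff) and runs that split over them; the record order, the "first code page" heuristic and the verdict thresholds are this example's assumptions, and timestamps and any calls the page does not list are not reconstructed.

```python
"""Triage of the NtAllocateVirtualMemory / NtProtectVirtualMemory records above.

Added example, not ZeroBOX code. The records are a constructed subset rebuilt
from the values printed in the report.
"""
from collections import Counter

PAGE_EXECUTE_READWRITE = 0x40    # shown as 64 in the report
MEM_COMMIT = 0x1000              # shown as 4096 in the report
NT_CURRENT_PROCESS = 0xFFFFFFFF  # pseudo-handle: the caller's own process

# Addresses copied from the report, in the order they appear there.
PROTECT_PAGES = [
    0x6ebb1000, 0x6ec05000, 0x673a1000, 0x66c91000, 0x054f1000, 0x70731000,
    0x70734000, 0x6e821000, 0x6e83e000, 0x6dfb1000, 0x6dfce000, 0x74481000,
    0x74482000, 0x743c1000, 0x507c1000, 0x601f1000, 0x618d5000,
]
COMMIT_REGIONS = [0x063b0000, 0x063b0000, 0x063c0000, 0x063d0000]


def _protect(base, pid=7180):
    return {"api": "NtProtectVirtualMemory", "process_identifier": pid,
            "base_address": base, "length": 4096,
            "protection": PAGE_EXECUTE_READWRITE, "process_handle": NT_CURRENT_PROCESS}


def _commit(base, pid=7180):
    return {"api": "NtAllocateVirtualMemory", "process_identifier": pid,
            "base_address": base, "region_size": 4096, "allocation_type": MEM_COMMIT,
            "protection": PAGE_EXECUTE_READWRITE, "process_handle": NT_CURRENT_PROCESS}


def build_records():
    """The 21 calls above in report order: 14 protects, 4 commits, 3 protects."""
    return ([_protect(b) for b in PROTECT_PAGES[:14]]
            + [_commit(b) for b in COMMIT_REGIONS]
            + [_protect(b) for b in PROTECT_PAGES[14:]])


def is_rwx(rec):
    # Low byte carries the base protection; PAGE_GUARD and friends sit higher.
    return (rec["protection"] & 0xFF) == PAGE_EXECUTE_READWRITE


def triage(records):
    """Separate private RWX commits (high signal) from RWX flips of existing pages."""
    commits = [r for r in records
               if r["api"] == "NtAllocateVirtualMemory"
               and r["allocation_type"] & MEM_COMMIT and is_rwx(r)]
    protects = [r for r in records if r["api"] == "NtProtectVirtualMemory" and is_rwx(r)]

    regions = sorted({r["base_address"] for r in commits})
    counts = Counter(r["base_address"] for r in commits)
    recommitted = sorted(b for b, n in counts.items() if n > 1)

    def inside_own_region(addr):
        return any(c["base_address"] <= addr < c["base_address"] + c["region_size"]
                   for c in commits)

    outside = [r["base_address"] for r in protects if not inside_own_region(r["base_address"])]
    # Heuristic (assumption): offset 0x1000 inside a 64 KiB-aligned base is usually
    # the first page after a PE header, i.e. the start of a loaded module's code.
    # A hint to resolve against the module list, not a conclusion.
    first_code_pages = [a for a in outside if (a & 0xFFFF) == 0x1000]

    cross_process = any(r["process_handle"] != NT_CURRENT_PROCESS for r in records)

    findings = []
    if commits:
        pids = sorted({r["process_identifier"] for r in commits})
        findings.append(f"{len(commits)} RWX commit(s) of private memory in pid(s) {pids}")
    if outside:
        findings.append(f"{len(outside)} existing page(s) flipped to RWX outside self-committed regions")
    if cross_process:
        findings.append("memory operations on a handle other than the current process")

    return {
        "rwx_commit_calls": len(commits),
        "rwx_commit_regions": regions,
        "recommitted": recommitted,
        "rwx_protect_calls": len(protects),
        "protect_pages_outside_own_regions": len(outside),
        "first_code_page_hits": len(first_code_pages),
        "cross_process": cross_process,
        "verdict": "suspicious" if (commits or cross_process) else ("review" if outside else "clean"),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage(build_records()).items():
        print(f"{key}: {value}")
```

On the records above this yields four RWX commits over three private regions (0x063b0000 committed twice), seventeen RWX page flips none of which fall inside those regions, eleven of them at a 0x1000 offset, and no cross-process handle. The commits are the part worth dumping from memory; the flips should be mapped to modules before they are attributed to the macro.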
file C:\Users\test22\AppData\Local\Temp\~$e_Progress_and_Promise_of_the_Moon-Kim_Summit.doc

Time & API Arguments Status Return Repeated

NtCreateFile
  filepath: C:\Users\test22\AppData\Local\Temp\~$e_Progress_and_Promise_of_the_Moon-Kim_Summit.doc
  filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$e_Progress_and_Promise_of_the_Moon-Kim_Summit.doc
  file_handle: 0x000003e4
  desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
  create_disposition: 5 (FILE_OVERWRITE_IF)
  create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
  file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
  share_access: 0 ()
  status_info: 2 (FILE_CREATED)
  Status 1, Return 0, Repeated 0

A hidden file whose name is the document's name with the first two characters replaced by "~$" is Word's owner/lock file, written next to any document opened for editing. It is created by Word itself, not by the macro, and shows only that the sample was opened in the sandbox.
host 172.217.25.14
cve CVE-2013-3906

Antivirus
Vendor Detection
Elastic malicious (high confidence)
MicroWorld-eScan VB.Heur.EmoooDldr.4.E152881E.Gen
FireEye VB.Heur.EmoooDldr.4.E152881E.Gen
CAT-QuickHeal O97M.Downloader.39658
McAfee RDN/Generic Downloader.x
Alibaba TrojanDownloader:VBA/MalDoc.ali1000101
Arcabit VB.Heur.EmoooDldr.4.E152881E.Gen
Cyren PP97M/Downldr.gen
Symantec Trojan.Gen.NPE
ESET-NOD32 VBA/TrojanDownloader.Agent.QPO
TrendMicro-HouseCall Trojan.W97M.KIMSUK.ZKGJ
Avast Other:Malware-gen [Trj]
ClamAV Doc.Dropper.MSHTA-6966166-0
Kaspersky HEUR:Trojan-Downloader.MSOffice.SLoad.gen
BitDefender VB.Heur.EmoooDldr.4.E152881E.Gen
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
AegisLab Trojan.MSWord.Emooo.4!c
Rising Trojan.Iscodtas!8.10348 (TOPIS:E0:2CQpMiFTF1I)
Ad-Aware VB.Heur.EmoooDldr.4.E152881E.Gen
TACHYON Suspicious/WOX.Obfus.Gen.8
F-Secure Heuristic.HEUR/Macro.Downloader.PBMD.Gen
Baidu VBA.Trojan-Downloader.Agent.dbq
TrendMicro Trojan.W97M.KIMSUK.ZKGJ
McAfee-GW-Edition BehavesLike.Downloader.nc
Emsisoft VB.Heur.EmoooDldr.4.E152881E.Gen (B)
SentinelOne Static AI - Malicious OPENXML
Avira HEUR/Macro.Downloader.PBMD.Gen
Antiy-AVL Trojan[Downloader]/MSOffice.Agent.b
Microsoft Trojan:O97M/Iscodtas.B
ViRobot W97M.S.Downloader.96600
ZoneAlarm HEUR:Trojan-Downloader.MSOffice.SLoad.gen
GData VB.Heur.EmoooDldr.4.E152881E.Gen
Cynet Malicious (score: 85)
AhnLab-V3 DOC/Downloader
ALYac Trojan.Downloader.DOC.Gen
MAX malware (ai score=100)
Tencent Heur.Macro.Generic.a.e629396c
Ikarus VB.EmoooDldr
Fortinet VBA/Agent.4BD9!tr
AVG Other:Malware-gen [Trj]
Qihoo-360 virus.office.qexvmc.1095