Summary | ZeroBOX

Receipt-224499.xls

VBA_macro MSOffice File
Category FILE
Machine s1_win7_x6402
Started July 15, 2021, 10:18 a.m.
Completed July 15, 2021, 10:22 a.m.
Size 709.0KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Invoice 224499 from Quickbooks, LLC, Author: Quickbooks, LLC, Last Saved By: user, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Jul 14 08:38:23 2021, Last Saved Time/Date: Wed Jul 14 14:09:05 2021, Security: 0
MD5 f796ead669bf3d7e056f0b42709f3ad3
SHA256 6b6e61d4281001c9c434d05320145cfe6bc47875984d9b2aef80170a5583ce9b
CRC32 F8F07D31
ssdeep 12288:mRYbXrlUc6XS/CwRl+4MW1H5onZHBDznxcp/c0UGtkbByxlFYd2DrpX:RUc6EjDMW1UrDjxcNcfgZI2
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
  • Microsoft_Office_File_Zero - Microsoft Office File

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

Status: 1  Return: 1  Repeated: 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2448
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6bc17000
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

NtProtectVirtualMemory

process_identifier: 2448
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b8b3000
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

NtProtectVirtualMemory

process_identifier: 2448
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05b2d000
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

NtProtectVirtualMemory

process_identifier: 2448
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05b2d000
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

NtProtectVirtualMemory

process_identifier: 2588
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73bf2000
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

NtProtectVirtualMemory

process_identifier: 2588
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b8b3000
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

cmdline mshta "C:\ProgramData\qTabular.sct"
parent_process excel.exe
martian_process mshta "C:\ProgramData\qTabular.sct"
Elastic malicious (high confidence)
MicroWorld-eScan VBA.Heur2.Dridex.2.1C723EC4.Gen
FireEye VBA.Heur2.Dridex.2.1C723EC4.Gen
Avast SNH:Script [Dropper]
ClamAV Doc.Dropper.MSHTA-6966166-0
Kaspersky HEUR:Trojan-Downloader.Script.Generic
BitDefender VBA.Heur2.Dridex.2.1C723EC4.Gen
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
Ad-Aware VBA.Heur2.Dridex.2.1C723EC4.Gen
TACHYON Suspicious/X97M.Dropper.Gen
Emsisoft VBA.Heur2.Dridex.2.1C723EC4.Gen (B)
McAfee-GW-Edition BehavesLike.OLE2.Downloader.bb
SentinelOne Static AI - Suspicious OLE
Microsoft Trojan:Script/Wacatac.B!ml
Arcabit VBA.Heur2.Dridex.2.1C723EC4.Gen
ZoneAlarm HEUR:Trojan-Downloader.Script.Generic
GData VBA.Heur2.Dridex.2.1C723EC4.Gen
ALYac VBA.Heur2.Dridex.2.1C723EC4.Gen
MAX malware (ai score=81)
AVG SNH:Script [Dropper]