Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

Summary | ZeroBOX

Invoice_55485812.xls

VBA_macro MSOffice File

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 22, 2021, 10:16 a.m.	July 22, 2021, 10:25 a.m.

Size	661.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Invoice_55485812, Author: Quickbooks, LLC, Last Saved By: user, Name of Creating Application: Microsoft Excel, Last Printed: Thu Jul 26 12:08:13 2018, Create Time/Date: Thu Jul 26 00:26:51 2018, Last Saved Time/Date: Wed Jul 21 11:58:29 2021, Security: 0
MD5	`c77cd6616dedbf3669345842f7231830`
SHA256	`f4643ab52e51d05bce715ec6d0baae09ef15763318928c1ed8d3c24b72df3602`
CRC32	`C2FA279F`
ssdeep	`12288:mGDH3roxGMC/mc4bl3q5uaFsvCgdz2l5MjavMmIf+Y6b:mGDXEUH/4EnsvJZ2lKjavMm/Y6`
Yara	Microsoft_Office_File_Zero - Microsoft Office File Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\Invoice_55485812.xls
2060
- mshta.exe mshta C:\ProgramData//klDYMFormat.sct
  2216

Name	Response	Post-Analysis Lookup
properlysolutionsco.com	A 208.83.69.35 A 128.199.243.169	128.199.243.169
waunake.com	A 128.199.243.169 A 208.83.69.35	208.83.69.35
paymetconfirm.com	A 208.83.69.35 A 128.199.243.169	128.199.243.169
taskremindment.com	A 128.199.243.169 A 208.83.69.35	128.199.243.169
payreminament.com	A 208.83.69.35 A 128.199.243.169	128.199.243.169

IP Address	Status	Action
128.199.243.169	Active	Moloch
164.124.101.2	Active	Moloch
208.83.69.35	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 22, 2021, 10:16 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 22, 2021, 10:16 a.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b617000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 22, 2021, 10:16 a.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b2b3000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 22, 2021, 10:16 a.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c87000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 22, 2021, 10:16 a.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c87000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 22, 2021, 10:16 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x735e2000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 22, 2021, 10:16 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b2b3000 process_handle: 0xffffffff	1	0	0

Creates a suspicious process (1 event)

cmdline

mshta C:\ProgramData//klDYMFormat.sct

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	VBA.Heur2.Dridex.4.CD579A05.Gen
ALYac	VBA.Heur2.Dridex.4.CD579A05.Gen
Arcabit	HEUR.VBA.CG.1
Avast	SNH:Script [Dropper]
Kaspersky	UDS:Exploit.MSOffice.CVE-2017-8570.gen
BitDefender	VBA.Heur2.Dridex.4.CD579A05.Gen
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
Ad-Aware	VBA.Heur2.Dridex.4.CD579A05.Gen
Emsisoft	VBA.Heur2.Dridex.4.CD579A05.Gen (B)
TrendMicro	HEUR_VBA.O2
McAfee-GW-Edition	BehavesLike.OLE2.Downloader.jb
FireEye	VBA.Heur2.Dridex.4.CD579A05.Gen
GData	VBA.Heur2.Dridex.4.CD579A05.Gen
MAX	malware (ai score=83)
Zoner	Probably Heur.W97ShellB
AVG	SNH:Script [Dropper]
Qihoo-360	virus.office.obfuscated.1

One or more non-whitelisted processes were created (1 event)

parent_process

excel.exe

martian_process

mshta C:\ProgramData//klDYMFormat.sct