Summary | ZeroBOX

Invoice_9255471.xls

VBA_macro MSOffice File
Category FILE
Machine s1_win7_x6402
Started July 22, 2021, 10:58 a.m.
Completed July 22, 2021, 11:09 a.m.
Size 660.5KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Invoice_9255471, Author: Quickbooks, LLC, Last Saved By: user, Name of Creating Application: Microsoft Excel, Last Printed: Thu Jul 26 12:08:13 2018, Create Time/Date: Thu Jul 26 00:26:51 2018, Last Saved Time/Date: Wed Jul 21 11:53:33 2021, Security: 0
MD5 556daf1119d264ba2732fee95b65ea70
SHA256 413934e841b46e2dba1902765b5c49d2386736af1492ae274ccb0e50353a388b
CRC32 55DF4096
ssdeep 12288:kGDH3roxGMC/mc4bl3q5uaFsvCgdz2l5MjavMmIf+f:kGDXEUH/4EnsvJZ2lKjavMm/
Yara
  • Microsoft_Office_File_Zero - Microsoft Office File
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b617000
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtProtectVirtualMemory

process_identifier: 2096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b2b3000
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtProtectVirtualMemory

process_identifier: 2096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05d7c000
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtProtectVirtualMemory

process_identifier: 2096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05d7c000
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0
Elastic malicious (high confidence)
ALYac VBA.Heur2.Dridex.4.CD579A05.Gen
Arcabit HEUR.VBA.CG.1
Kaspersky VHO:Exploit.MSOffice.CVE-2017-8570.gen
BitDefender VBA.Heur2.Dridex.4.CD579A05.Gen
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
MicroWorld-eScan VBA.Heur2.Dridex.4.CD579A05.Gen
Ad-Aware VBA.Heur2.Dridex.4.CD579A05.Gen
Emsisoft VBA.Heur2.Dridex.4.CD579A05.Gen (B)
TrendMicro HEUR_VBA.O2
McAfee-GW-Edition BehavesLike.OLE2.Downloader.jb
FireEye VBA.Heur2.Dridex.4.CD579A05.Gen
GData VBA.Heur2.Dridex.4.CD579A05.Gen
MAX malware (ai score=84)
Zoner Probably Heur.W97ShellB
Qihoo-360 virus.office.obfuscated.1