Summary | ZeroBOX

2.doc

VBA_macro MSOffice File
Category FILE
Machine s1_win7_x6403_us
Started Aug. 2, 2021, 9:25 a.m.
Completed Aug. 2, 2021, 9:27 a.m.
Size 149.0KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: John PC, Template: Normal.dotm, Last Saved By: John PC, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Fri Jul 16 15:39:00 2021, Last Saved Time/Date: Fri Jul 16 15:39:00 2021, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0
MD5 4ed6ab29138f363708968244d5c5eb59
SHA256 aaeb6e6f44d20d0613e997c12e9b9fcdfcdcd8a205542adf510abfb906f64872
CRC32 84E2188C
ssdeep 1536:UxrtQ7bnXDY7LAm9cg78ctPlw5BLmOBjx541ofdcJjhM6rJIfuy:aWnnXDY7LAmh7xWdda1o/69I2y
Yara
  • Microsoft_Office_File_Zero - Microsoft Office File
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
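The Type line and the Contains_VBA_macro_code Yara hit both rest on 2.doc being an OLE2 Compound File (CFB). The following Python is an added example, not code from the ZeroBOX page or its analysis tooling: it validates the 512-byte CFB header, loads the FAT from the header DIFAT, walks every directory sector linearly (ignoring the red-black sibling tree, so orphaned entries are seen too) and reports whether a VBA project storage (Macros, VBA, _VBA_PROJECT) is present. The document it scans is a minimal CFB constructed inline so the code runs offline; it is not the analysed 2.doc, and the marker-name set is my own choice.

```python
import struct

# Constants from the [MS-CFB] specification
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FATSECT, FREESECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF
ENTRY_TYPES = {0: "unused", 1: "storage", 2: "stream", 5: "root"}
# Storage names that only exist when a VBA project is embedded (assumption: my triage list)
VBA_MARKERS = {"macros", "vba", "_vba_project"}


def parse_header(data):
    """Validate the CFB header and return the fields needed to walk the file."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2/CFB file (missing D0CF11E0 signature)")
    minor, major, byte_order, sector_shift = struct.unpack_from("<HHHH", data, 24)
    if byte_order != 0xFFFE:
        raise ValueError("unexpected byte-order mark 0x%04X" % byte_order)
    if (major, sector_shift) not in ((3, 9), (4, 12)):
        raise ValueError("unsupported version/sector size: v%d shift %d" % (major, sector_shift))
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    difat = struct.unpack_from("<109I", data, 76)          # first 109 FAT sector numbers
    return {"version": (major, minor), "sector_size": 1 << sector_shift,
            "num_fat_sectors": num_fat, "first_dir_sector": first_dir,
            "difat": [s for s in difat if s != FREESECT]}


def _sector(data, n, size):
    return data[(n + 1) * size:(n + 2) * size]               # sector 0 follows the header


def load_fat(data, hdr):
    fat = []
    for s in hdr["difat"][:hdr["num_fat_sectors"]]:
        sec = _sector(data, s, hdr["sector_size"])
        fat.extend(struct.unpack("<%dI" % (len(sec) // 4), sec))
    return fat


def chain(fat, start):
    """Follow a FAT chain; the visited set stops loops in malformed files."""
    seen, out = set(), []
    while start < len(fat) and start not in seen:
        seen.add(start)
        out.append(start)
        start = fat[start]
    return out


def list_directory(data):
    """Linear scan of all directory sectors: (name, type, start_sector, size) per in-use entry."""
    hdr = parse_header(data)
    fat = load_fat(data, hdr)
    entries = []
    for s in chain(fat, hdr["first_dir_sector"]):
        sec = _sector(data, s, hdr["sector_size"])
        for off in range(0, len(sec) - 127, 128):
            raw_name, name_len, etype = struct.unpack_from("<64sHB", sec, off)
            if etype == 0:
                continue
            name = raw_name[:max(name_len - 2, 0)].decode("utf-16-le", "replace")  # length includes NUL
            start, size = struct.unpack_from("<IQ", sec, off + 116)
            entries.append((name, ENTRY_TYPES.get(etype, str(etype)), start, size))
    return entries


def has_vba_project(data):
    return any(name.lower() in VBA_MARKERS for name, _, _, _ in list_directory(data))


def _entry(name, etype, child=NOSTREAM, start=ENDOFCHAIN, size=0):
    raw = name.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<64sHBBIII16sIQQIQ", raw, len(raw), etype, 1,
                       NOSTREAM, NOSTREAM, child, b"\x00" * 16, 0, 0, 0, start, size)


def build_sample_doc(with_macros=True):
    """Constructed minimal v3 CFB (sector 0 = FAT, sector 1 = directory); not a real Word file."""
    difat = [0] + [FREESECT] * 108
    header = struct.pack("<8s16sHHHHH6sIIIIIIIII109I", OLE_MAGIC, b"\x00" * 16,
                         0x3E, 3, 0xFFFE, 9, 6, b"\x00" * 6,
                         0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0, *difat)
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    entries = [_entry("Root Entry", 5, child=1), _entry("WordDocument", 2)]
    if with_macros:
        entries += [_entry("Macros", 1, child=3), _entry("VBA", 1)]
    return header + fat + b"".join(entries).ljust(512, b"\x00")


if __name__ == "__main__":
    for e in list_directory(build_sample_doc()):
        print("%-8s %s" % (e[1], e[0]))
    print("VBA project present:", has_vba_project(build_sample_doc()))
```

On a real sample replace build_sample_doc() with the file bytes; a document that is OOXML (.docx/.docm, a ZIP container starting with PK) fails the signature check, which is the intended behaviour since its macros live in a vbaProject.bin stream inside the ZIP, not in the outer container.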

Host names (Name / Response / Post-Analysis Lookup)
No hosts contacted.
IP addresses (IP Address / Status / Action)
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

NtProtectVirtualMemory
process_identifier: 564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6aaad000
process_handle: 0xffffffff
Status: 1 Return: 0 Repeated: 0

file C:\Users\test22\AppData\Local\Temp\~$2.doc

Time & API Arguments Status Return Repeated

NtCreateFile
create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x0000049c
filepath: C:\Users\test22\AppData\Local\Temp\~$2.doc
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$2.doc
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
Status: 1 Return: 0 Repeated: 0

Time & API Arguments Status Return Repeated

NtProtectVirtualMemory
process_identifier: 564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef80000
process_handle: 0xffffffff
Status: 1 Return: 0 Repeated: 0
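The three API records above, as an added Python triage example (not part of the ZeroBOX report or its signature engine): it decodes the raw PAGE_* protection value, flags pages that are writable and executable at once, and escalates the monitor's stack/heap DEP-bypass flags, while downgrading the ~$2.doc NtCreateFile to informational, because Word creates a hidden ~$-prefixed owner (lock) file next to any document it opens. The record values are transcribed from the report; the severities, the owner-file regex and the triage() API are my own choices. Legitimate processes also change page protections, so a single RWX page is a weak signal on its own and is scored medium here.

```python
import re

# Subset of the PAGE_* memory-protection constants from winnt.h
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
WRITABLE_EXEC = {0x40, 0x80}          # writable + executable: shellcode staging pattern
PAGE_GUARD = 0x100                    # modifier bit, kept out of the base protection
FILE_ATTRIBUTE_HIDDEN = 0x2
# Word owner/lock file: "~$" prefix in the document's directory (assumption: my own pattern)
OWNER_FILE_RE = re.compile(r"\\~\$[^\\]+\.(doc|docx|docm|dot|dotm)$", re.I)
SEVERITY_RANK = {"none": 0, "info": 1, "medium": 2, "high": 3}

# Constructed from the three records in the report above
SAMPLE_CALLS = [
    {"api": "NtProtectVirtualMemory", "arguments": {
        "process_identifier": 564, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0,
        "length": 4096, "protection": 64, "base_address": 0x6AAAD000, "process_handle": 0xFFFFFFFF}},
    {"api": "NtCreateFile", "arguments": {
        "create_disposition": 5, "file_handle": 0x49C,
        "filepath": r"C:\Users\test22\AppData\Local\Temp\~$2.doc",
        "desired_access": 0x40100080, "file_attributes": 2, "create_options": 4194400,
        "status_info": 2, "share_access": 0}},
    {"api": "NtProtectVirtualMemory", "arguments": {
        "process_identifier": 564, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1,
        "length": 4096, "protection": 32, "base_address": 0x7EF80000, "process_handle": 0xFFFFFFFF}},
]


def decode_protection(value):
    """Render a raw NtProtectVirtualMemory protection value as PAGE_* names."""
    base = value & 0xFF
    names = [PAGE_PROTECTIONS.get(base, "0x%02x" % base)]
    if value & PAGE_GUARD:
        names.append("PAGE_GUARD")
    return "|".join(names)


def triage_call(call):
    """Return (severity, reason) findings for one API record; an empty list means nothing notable."""
    findings = []
    api, args = call["api"], call["arguments"]
    if api == "NtProtectVirtualMemory":
        prot, base = args["protection"], args["base_address"]
        if (prot & 0xFF) in WRITABLE_EXEC:
            findings.append(("medium", "RWX page at 0x%08x (%s)" % (base, decode_protection(prot))))
        for flag, region in (("stack_dep_bypass", "stack"), ("heap_dep_bypass", "heap")):
            if args.get(flag):
                findings.append(("high", "%s: %s page made executable at 0x%08x (%s)"
                                 % (flag, region, base, decode_protection(prot))))
    elif api == "NtCreateFile":
        path = args["filepath"]
        hidden = bool(args.get("file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)
        if OWNER_FILE_RE.search(path):
            findings.append(("info", "Word owner/lock file %s (created on document open)" % path))
        elif hidden:
            findings.append(("medium", "hidden file created: %s" % path))
    return findings


def triage(calls):
    """Flatten findings over a call list as (api, severity, reason) tuples."""
    return [(c["api"], sev, why) for c in calls for sev, why in triage_call(c)]


def highest_severity(calls):
    return max((sev for _, sev, _ in triage(calls)), key=SEVERITY_RANK.get, default="none")


if __name__ == "__main__":
    for api, sev, why in triage(SAMPLE_CALLS):
        print("%-6s %-22s %s" % (sev, api, why))
    print("overall:", highest_severity(SAMPLE_CALLS))
```

Feeding the same function a full Cuckoo-style behaviour JSON (the per-process "calls" list) makes the heap DEP-bypass record the one worth opening first, while the owner-file record stays out of the way.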
Antivirus Vendor Result
Lionic Trojan.MSOffice.SDrop.b!c
Elastic malicious (high confidence)
MicroWorld-eScan VBA.Heur2.Maldade.1.0DCF3EE1.Gen
FireEye VBA.Heur2.Maldade.1.0DCF3EE1.Gen
McAfee RDN/GenericOLE
Sangfor Malware.Generic-VBA.Save.Obfuscated
Symantec W97M.Downloader
Avast Other:Malware-gen [Trj]
Cynet Malicious (score: 99)
Kaspersky HEUR:Trojan-Dropper.MSOffice.SDrop.gen
BitDefender VBA.Heur2.Maldade.1.0DCF3EE1.Gen
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
Ad-Aware VBA.Heur2.Maldade.1.0DCF3EE1.Gen
DrWeb Exploit.Siggen3.18931
McAfee-GW-Edition BehavesLike.OLE2.Downloader.cr
Emsisoft VBA.Heur2.Maldade.1.0DCF3EE1.Gen (B)
Ikarus Trojan.VBA.Crypt
Avira HEUR/Macro.Downloader.MRJR.Gen
Antiy-AVL Trojan/Generic.ASMacro.2C7C4
ViRobot W97M.S.Agent.152576.B
ZoneAlarm HEUR:Trojan-Dropper.MSOffice.SDrop.gen
GData VBA.Heur2.Maldade.1.0DCF3EE1.Gen
TACHYON Suspicious/W97M.Downloader.Gen
AhnLab-V3 Downloader/DOC.Agent
ALYac Trojan.Downloader.DOC.Gen
MAX malware (ai score=81)
SentinelOne Static AI - Malicious OLE
Fortinet VBA/Agent.EB59!tr
AVG Other:Malware-gen [Trj]