Summary | ZeroBOX

mac.dotm

VBA_macro
Category FILE
Machine s1_win7_x6401
Started Aug. 21, 2021, 12:14 p.m.
Completed Aug. 21, 2021, 12:16 p.m.
Size 20.1KB
Type Microsoft Word 2007+
MD5 d9b583dae1c7d4bdef40a58e084651f8
SHA256 a4781b36e0846a2a6b8e80e41367b70b440293eac9071f9bff8a9c44ae4c6cb5
CRC32 3E2980DC
ssdeep 384:tcKf+StdSjYHTSksFqXKFVOfSQm1sqcwNc:p+odMYdsFr/t1sjmc
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6c951000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6c954000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x65001000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6c941000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtAllocateVirtualMemory

process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05c30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtAllocateVirtualMemory

process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05c30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtAllocateVirtualMemory

process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05c40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtAllocateVirtualMemory

process_identifier: 732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05c50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x507c1000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0
file C:\Users\test22\AppData\Local\Temp\~$mac.dotm
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x000003ec
filepath: C:\Users\test22\AppData\Local\Temp\~$mac.dotm
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$mac.dotm
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
status: 1 return: 0 repeated: 0
Lionic Trojan.MSWord.Emooo.4!c
Elastic malicious (high confidence)
Sangfor Malware.Generic-VBA.Save.Obfuscated
Alibaba TrojanDownloader:VBA/Obfuscation.A
Arcabit VB.Heur.EmoooDldr.2.D21F479B.Gen
BitDefender VB.Heur.EmoooDldr.2.D21F479B.Gen
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
MicroWorld-eScan VB.Heur.EmoooDldr.2.D21F479B.Gen
Ad-Aware VB.Heur.EmoooDldr.2.D21F479B.Gen
Emsisoft VB.Heur.EmoooDldr.2.D21F479B.Gen (B)
DrWeb modification of W97M.Suspicious.1
McAfee-GW-Edition BehavesLike.Downloader.mc
FireEye VB.Heur.EmoooDldr.2.D21F479B.Gen
GData VB.Heur.EmoooDldr.2.D21F479B.Gen
TACHYON Suspicious/WOX.Dropper.Gen
MAX malware (ai score=83)
Zoner Probably Heur.W97Obfuscated
SentinelOne Static AI - Suspicious OPENXML