Summary | ZeroBOX

who_template.doc

VBA_macro Generic Malware MSOffice File
Category FILE
Machine s1_win7_x6403_us
Started Sept. 2, 2021, 6:18 p.m.
Completed Sept. 2, 2021, 6:20 p.m.
Size 347.0KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 949, Author: Ellen Swicord, Template: Normal.dotm, Last Saved By: Honey, Revision Number: 45, Name of Creating Application: Microsoft Office Word, Total Editing Time: 28:00, Last Printed: Tue Jan 14 14:56:00 2020, Create Time/Date: Sun Mar 1 09:16:00 2020, Last Saved Time/Date: Wed Sep 30 06:02:00 2020, Number of Pages: 2, Number of Words: 314, Number of Characters: 1791, Security: 0
MD5 3657586d8555593012bfd7420d488be4
SHA256 0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff
CRC32 8D10D34A
ssdeep 3072:MMo3HoQ45xd/y9MnLm9MLL39MoL89MFLV9MGL+/5M/WMj/X/MC/XMMZ/XQMs/XY8:MMvQ4MtGNwp6zZqop1joyQw+LS7pl8X
Yara
  • Generic_Malware_Zero - Generic Malware
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
  • Microsoft_Office_File_Zero - Microsoft Office File

Name Response Post-Analysis Lookup
appmedicine.whoint.cf
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

Flow: UDP 192.168.56.103:53893 -> 164.124.101.2:53
SID: 2025107
Signature: ET INFO DNS Query for Suspicious .cf Domain
Category: Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2324
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a85d000
process_handle: 0xffffffff
Status: 1 Return: 0 Repeated: 0

NtProtectVirtualMemory

process_identifier: 2324
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a46e000
process_handle: 0xffffffff
Status: 1 Return: 0 Repeated: 0

NtProtectVirtualMemory

process_identifier: 2324
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0494b000
process_handle: 0xffffffff
Status: 1 Return: 0 Repeated: 0

NtProtectVirtualMemory

process_identifier: 2324
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0494b000
process_handle: 0xffffffff
Status: 1 Return: 0 Repeated: 0
file C:\Users\test22\AppData\Local\Temp\~$o_template.doc
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x000004a4
filepath: C:\Users\test22\AppData\Local\Temp\~$o_template.doc
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$o_template.doc
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
Status: 1 Return: 0 Repeated: 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2324
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef60000
process_handle: 0xffffffff
Status: 1 Return: 0 Repeated: 0
Lionic Trojan.Script.Generic.a!c
Elastic malicious (high confidence)
ALYac Trojan.Downloader.DOC.Gen
Symantec Trojan.Gen.NPE
ESET-NOD32 a variant of VBA/TrojanDownloader.Agent.WER
Avast SNH:Script [Dropper]
Kaspersky UDS:DangerousObject.Multi.Generic
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
ViRobot DOC.Z.Agent.355328.A
Tencent Heur.MSWord.Downloader.d
DrWeb W97M.DownLoader.2988
VIPRE LooksLike.Macro.Malware.gen!d1 (v)
McAfee-GW-Edition BehavesLike.OLE2.Downloader.fb
ZoneAlarm HEUR:Trojan-Downloader.Script.Generic
Microsoft Trojan:O97M/Sadoca.C!ml
TACHYON Suspicious/W97M.Downloader.Gen
Rising Heur.Macro.Downloader.f (CLASSIC)
SentinelOne Static AI - Malicious OLE
Fortinet VBA/Agent.0CB3!tr
AVG SNH:Script [Dropper]