Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 6, 2021, 2:26 p.m.	Oct. 6, 2021, 2:28 p.m.

Size	681.7KB
Type	Rich Text Format data, version 1, unknown character set
MD5	`614679aaac8791504e5885c9c4e97b58`
SHA256	`63e4f99b6ec33564e2d77dcf30898904742f1f2823b5f93812354e11aa5ac99f`
CRC32	`3B4DAED7`
ssdeep	`6144:SWaQc5J+8limiunMNUB2XJ/vcDfIoQZIfFo6snm8p7Wg5f1Jv:SWadob32uIdp8pz`
Yara	Rich_Text_Format_Zero - Rich Text Format Signature Zero

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" "C:\Users\test22\AppData\Local\Temp\Update of the OFFICE PACK.doc"
1936

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
45.14.226.221	Active	Moloch

No Suricata Alerts

No Suricata TLS

suspicious_features

GET method with no useragent header, Connection to IP address

suspicious_request

GET http://45.14.226.221/cdfe/Fack.jpg

request

GET http://45.14.226.221/cdfe/Fack.jpg

file	C:\Users\test22\AppData\Local\Temp\~$date of the OFFICE PACK.doc

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Oct. 6, 2021, 2:26 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000490 filepath: C:\Users\test22\AppData\Local\Temp\~$date of the OFFICE PACK.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$date of the OFFICE PACK.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 6, 2021, 2:27 p.m.	process_identifier: 1936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef80000 process_handle: 0xffffffff	1	0	0

filetype_details

Rich Text Format data, version 1, unknown character set

filename

Update of the OFFICE PACK.doc

host

45.14.226.221

Lionic	Trojan.MSOffice.SLoad.a!c
DrWeb	modification of W97M.Suspicious.1
CAT-QuickHeal	OLE.APT.42096
ALYac	Trojan.GenericKD.36568511
Sangfor	Exploit.Generic-Script.Save.9633523c
Arcabit	Trojan.Generic.D22DFDBF
Cyren	RTF/Trojan.LAFU-01
Symantec	Trojan.Gen.NPE
ESET-NOD32	DOC/TrojanDropper.Agent.UK
TrendMicro-HouseCall	Possible_SMBCVE20170199
Avast	VBA:Dropper-BR [Trj]
Cynet	Malicious (score: 99)
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Trojan.GenericKD.36568511
MicroWorld-eScan	Trojan.GenericKD.36568511
Ad-Aware	Trojan.GenericKD.36568511
Comodo	Malware@#10egszcoxc5o9
TrendMicro	Possible_SMBCVE20170199
McAfee-GW-Edition	BehavesLike.Trojan.jx
FireEye	Trojan.GenericKD.36568511
Emsisoft	Trojan.GenericKD.36568511 (B)
Ikarus	Trojan-Dropper.DOC.Agent
Avira	EXP/YAV.Minerva.zdexr
Gridinsoft	Trojan.U.Downloader.oa
Microsoft	TrojanDownloader:O97M/Powdow.BT!MTB
GData	Trojan.GenericKD.36568511
McAfee	RDN/Generic Downloader.x
TACHYON	Suspicious/RTF.Obfus.Gen.8
Zoner	Probably Heur.RTFEmbedMacro
Rising	Downloader.EncDoc!8.11225 (TOPIS:E0:5LNaBRrfr3U)
MAX	malware (ai score=82)
Fortinet	VBA/CoinMiner.EAD9!tr
AVG	VBA:Dropper-BR [Trj]

Update of the OFFICE PACK.doc