Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 8, 2023, 1:57 p.m.	March 8, 2023, 2 p.m.

Size	255.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Gydar, Last Saved By: Gydar, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 18:19:34 2015, Last Saved Time/Date: Sun Nov 6 17:55:13 2022, Security: 0
MD5	`6493581b246b731e4937fbee64a68803`
SHA256	`199a2e0e1bb46a5dd8eb3a58aa55de157f6005c65b70245e71cecec4905cc2c0`
CRC32	`8532DE2B`
ssdeep	`6144:NKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgzNiwrfx9rNFMMrttRzV5Dz3UxqC8LUcSu:ANbDjP9XH5XIqZLnSu`
Yara	Microsoft_Office_File_Downloader_Zero - Microsoft Office File Downloader Microsoft_Office_File_Zero - Microsoft Office File

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\X8099607585O.xls
3008

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

No Suricata Alerts

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 8, 2023, 1:57 p.m.	process_identifier: 3008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b927000 process_handle: 0xffffffff	1	0	0

parent_process

excel.exe

martian_process

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /Embedding

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3008 resumed a thread in remote process 2212
NtResumeThread March 8, 2023, 1:57 p.m.	thread_handle: 0x00000460 suspend_count: 1 process_identifier: 2212	1	0	0

Lionic	Trojan.MSExcel.Emotet.4!c
ClamAV	Xls.Downloader.Emotet-b649c93692b4c9d9-9976616-0
FireEye	XLM.Formulas.Abracadabra.8.Gen
CAT-QuickHeal	Trojan.XLM4.Emotet.47213
ALYac	Trojan.Downloader.XLS.Gen
VIPRE	XLM.Formulas.Abracadabra.8.Gen
Sangfor	Malware.Generic-XLM.Save.Emotet_ma29
K7AntiVirus	Trojan ( 0059086a1 )
K7GW	Trojan ( 0059086a1 )
VirIT	X97M.Emotet.DMG
Cyren	XF/Emotet.E.gen!Eldorado
Symantec	CL.Suspexec!gen128
ESET-NOD32	DOC/TrojanDownloader.Agent.DOV
Avast	VBS:Malware-gen
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan.MSOffice.Generic
BitDefender	XLM.Formulas.Abracadabra.8.Gen
MicroWorld-eScan	XLM.Formulas.Abracadabra.8.Gen
Rising	Downloader.Agent/XLM!1.DE99 (CLASSIC)
Sophos	Troj/DocDl-AGRX
DrWeb	Exploit.Siggen3.37898
TrendMicro	Trojan.XF.EMOTET.SMYXCFIC
McAfee-GW-Edition	W97M/Downloader.dwl
Emsisoft	XLM.Formulas.Abracadabra.8.Gen (B)
Ikarus	Trojan-Downloader.XLM.Agent
GData	Macro.Trojan-Downloader.EmoAgent.A
Avira	XF/Agent.B2
MAX	malware (ai score=100)
Antiy-AVL	Trojan[Downloader]/MSExcel.Agent.dov
Arcabit	XLM.Formulas.Abracadabra.8.Gen
ZoneAlarm	HEUR:Trojan.MSOffice.Generic
Microsoft	TrojanDownloader:O97M/Emotet.DD
Google	Detected
AhnLab-V3	Downloader/XLS.XlmMacro.S1947
McAfee	W97M/Downloader.dwl
VBA32	TrojanDownloader.O97M.Emotet.DD
Zoner	Probably Heur.W97ShellB
Tencent	Trojan.MsOffice.Macro40.11025283
Fortinet	MSExcel/Agent.DKF!tr.dldr
AVG	VBS:Malware-gen

X8099607585O.xls