Summary | ZeroBOX

Receipt-894324.xls

VBA_macro MSOffice File
Category Machine Started Completed
FILE s1_win7_x6401 July 17, 2023, 1:12 p.m. July 17, 2023, 1:14 p.m.
Size 711.5KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Invoice 894324 from Quickbooks, LLC, Author: Quickbooks, LLC, Last Saved By: user, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Jul 14 08:38:23 2021, Last Saved Time/Date: Wed Jul 14 14:04:09 2021, Security: 0
MD5 73f2506109fae384bc40c7ba7cb5fc9c
SHA256 eb5b61b197c89ba6a19d3eaeda56d858f6bd30beaff0a43719fc5c6591e7ad2d
CRC32 22B24BBE
ssdeep 12288:DRYbXrlUc6XS/CwRl+4MW1H5onZHBDznxcp/c0UGtkbByxlFYd2DrpE9Nr:sUc6EjDMW1UrDjxcNcfgZI2or
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
  • Microsoft_Office_File_Zero - Microsoft Office File

Name Response Post-Analysis Lookup
jeromfastsolutions.com
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f5b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f60f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f60f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f551000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x65001000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70e11000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x058a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05a40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05c00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05c80000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70da2000
process_handle: 0xffffffff
1 0 0
cmdline mshta "C:\ProgramData\qLegendPositionTop.sct"
com_class Scripting.FileSystemObject May attempt to write one or more files to the harddisk
parent_process excel.exe martian_process mshta "C:\ProgramData\qLegendPositionTop.sct"
Lionic Trojan.Script.Generic.a!c
Elastic malicious (high confidence)
DrWeb Exploit.Siggen3.18834
MicroWorld-eScan VB:Trojan.Valyria.5063
FireEye VB:Trojan.Valyria.5063
CAT-QuickHeal Ole.Trojan.A1709673
ALYac Trojan.Downloader.XLS.Gen
Cyren X97M/Agent.AAZ.gen!Eldorado
Symantec W97M.Downloader
ESET-NOD32 VBA/TrojanDropper.Agent.CBR
TrendMicro-HouseCall TROJ_FRS.0NA103GF21
Avast SNH:Script [Dropper]
ClamAV Doc.Dropper.MSHTA-6966166-0
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender VB:Trojan.Valyria.5063
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
Tencent Trojan.MsOffice.MacroS.11012383
Ad-Aware VB:Trojan.Valyria.5063
Emsisoft Trojan-Downloader.Macro.Generic.CQ (A)
Comodo Malware@#lc7v1onpryii
TrendMicro TROJ_FRS.0NA103GF21
McAfee-GW-Edition BehavesLike.OLE2.Downloader.bb
Sophos Troj/DocDl-ADXD
SentinelOne Static AI - Suspicious OLE
GData VB:Trojan.Valyria.5063
Avira HEUR/Macro.Downloader.AJAM.Gen
MAX malware (ai score=99)
Gridinsoft Trojan.U.Downloader.oa
Arcabit VB:Trojan.Valyria.D13C7
ViRobot XLS.Z.Agent.728576.C
Microsoft TrojanDownloader:O97M/Dridex.PSTT!MTB
Cynet Malicious (score: 99)
McAfee RDN/Dridex
TACHYON Suspicious/X97M.Dropper.Gen
Ikarus VBA.Dridex
Fortinet VBA/Agent.3EC4!tr
AVG SNH:Script [Dropper]