popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

HSBC Payment Advice.xls

VBA_macro Generic Malware MSOffice File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Dec. 6, 2023, 12:55 p.m. Dec. 6, 2023, 12:57 p.m.
Size 391.5KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 00:00:00 2006, Last Saved Time/Date: Thu Nov 30 04:49:47 2023, Security: 1
MD5 3a4eb467c8ee5a0661b005aa8f728c7a
SHA256 1354ec56e9bead8a7821e30f3b15578ca803359e9d19746bda9a23b62e1f471e
CRC32 3B57F72D
ssdeep 6144:9n1m9kdbtHZetJs0hdMJUXnfoNZBcwZ9E197PUypoohChdLSBoc2p+:9OeBAtqSdLnfMXrE1Nk6KdLCo
Yara
  • Microsoft_Office_File_Zero - Microsoft Office File
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
  • Generic_Malware_Zero - Generic Malware

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
172.245.208.126 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49162 -> 172.245.208.126:80 2027251 ET INFO Dotted Quad Host DOC Request Potentially Bad Traffic
TCP 192.168.56.101:49162 -> 172.245.208.126:80 2025162 ET HUNTING Suspicious Request for Doc to IP Address with Terse Headers Potentially Bad Traffic

Suricata TLS

No Suricata TLS

suspicious_features Connection to IP address suspicious_request GET http://172.245.208.126/SSH/MicrosfotEdgedeletedhistorycachecookieentirethingsfromthepc.Doc
request GET http://172.245.208.126/SSH/MicrosfotEdgedeletedhistorycachecookieentirethingsfromthepc.Doc
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f5b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f60f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f60f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70e11000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f561000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f701000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f501000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f4e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f4d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f4c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x730d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f4b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f4a1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x054d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x054d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05520000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05530000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f441000
process_handle: 0xffffffff
1 0 0
host 172.245.208.126
Symantec Scr.Malcode!gen59
ESET-NOD32 Win32/Exploit.CVE-2017-0199.VO
Cynet Malicious (score: 99)
Kaspersky HEUR:Trojan.OLE2.UrcBadur.genw
BitDefender Trojan.GenericKD.70679578
MicroWorld-eScan Trojan.GenericKD.70679578
Tencent Exp.MsOffice.Cve2019_0199.11022681
Emsisoft Trojan.GenericKD.70679578 (B)
F-Secure Malware.W2000/avi.Malware.dggcy
DrWeb Exploit.Siggen3.44056
TrendMicro TROJ_GEN.F04IE00L423
FireEye Trojan.GenericKD.70679578
Varist CVE-2017-0199.A!Camelot
Avira W97M/AVI.Malware.ytrhi
MAX malware (ai score=84)
Antiy-AVL Trojan/PDF.Agent
Gridinsoft Trojan.U.AgentTesla.tr
Microsoft Exploit:O97M/CVE-2017-0199.RV!MTB
ZoneAlarm HEUR:Trojan.OLE2.UrcBadur.genw
GData Generic.Trojan.Agent.JLDOK7
Google Detected
TACHYON Downloader/W97.CVE-2017-0199
Ikarus Trojan-Downloader.Office.Doc