Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 6, 2024, 10:31 a.m.	Jan. 6, 2024, 10:41 a.m.

Size	167.5KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: wound, Template: Normal.dotm, Last Saved By: wound, Revision Number: 43, Name of Creating Application: Microsoft Office Word, Total Editing Time: 19:45:00, Create Time/Date: Sun Dec 17 11:57:00 2023, Last Saved Time/Date: Mon Dec 18 07:42:00 2023, Number of Pages: 1, Number of Words: 191, Number of Characters: 1094, Security: 0
MD5	`4333cf43659835679e5f6e9371611b46`
SHA256	`23c54a0185284f7e9a0231f5bbd4c3527e2750c0686cb5744cb388059fbb0ec9`
CRC32	`A233C2AB`
ssdeep	`3072:EWKaAGgbsFlW4x6MdBHwYHvJFCNu7Vx6d:qaZisFlW4cIBQYPWT`
Yara	Microsoft_Office_File_Zero - Microsoft Office File Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Generic_Malware_Zero - Generic Malware

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\test3.doc
2552
- cmd.exe cMd /c C:\Users\Public\window.vbs
  2728
  - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\window.vbs"
    2808

Name	Response	Post-Analysis Lookup
configure.syscatec.com	A 69.46.5.226	69.46.5.226

IP Address	Status	Action
164.124.101.2	Active	Moloch
69.46.5.226	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 69.46.5.226:443 -> 192.168.56.101:49169	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 69.46.5.226:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49173 -> 69.46.5.226:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49181 -> 69.46.5.226:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49176 -> 69.46.5.226:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 69.46.5.226:443 -> 192.168.56.101:49187	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 69.46.5.226:443 -> 192.168.56.101:49171	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49185 -> 69.46.5.226:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49192 -> 69.46.5.226:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 69.46.5.226:443 -> 192.168.56.101:49174	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 69.46.5.226:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 69.46.5.226:443 -> 192.168.56.101:49179	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 69.46.5.226:443 -> 192.168.56.101:49178	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49167 -> 69.46.5.226:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49180 -> 69.46.5.226:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 69.46.5.226:443 -> 192.168.56.101:49175	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 69.46.5.226:443 -> 192.168.56.101:49182	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 69.46.5.226:443 -> 192.168.56.101:49183	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 69.46.5.226:443 -> 192.168.56.101:49186	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49184 -> 69.46.5.226:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49188 -> 69.46.5.226:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49189 -> 69.46.5.226:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 69.46.5.226:443 -> 192.168.56.101:49191	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 69.46.5.226:443 -> 192.168.56.101:49190	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (16 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Jan. 6, 2024, 10:31 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e251000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 6, 2024, 10:31 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e2a5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 6, 2024, 10:31 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e531000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 6, 2024, 10:31 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e221000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 6, 2024, 10:31 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x65001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 6, 2024, 10:31 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e021000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 6, 2024, 10:31 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e024000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 6, 2024, 10:31 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e011000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:31 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06b90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:31 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06b90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:31 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 6, 2024, 10:31 a.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 6, 2024, 10:31 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x507c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 6, 2024, 10:31 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c5f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 6, 2024, 10:31 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6dcd5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 6, 2024, 10:31 a.m.	process_identifier: 2808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fbc2000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$test3.doc

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Jan. 6, 2024, 10:31 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000198 filepath: C:\Users\test22\AppData\Local\Temp\~$test3.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$test3.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Word document hooks document open

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Wscript.exe initiated network communications indicative of a script based payload download (24 events)

Time & API	Arguments	Status	Return	Repeated
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: yueWwø$¬§àÐZ%VóÍëÇðo/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 592		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: 51eW«ýNÃVPÃ¶ïâa]lÐÆíE1g ÿ socket: 592		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: 51e] BM]9: à 3e-ÎÈ«×gs ÿ socket: 704		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: yue]]ð±tÉrä¿UãÂ¢@`JðÝãâ/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 704		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: yueh[=cwc³ò*GÐ!>DB"jk<Ò øáF/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 704		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: 51ehZédÚXU¿Û&pCã½DÛ%BÑ7 ÿ socket: 704		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: 51erÌ¸ýs¿,Ì+àôF0Ä:Vß ø¡ßÅ 9Çê ÿ socket: 704		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: yues'Ç&æAN©gvÿôþ¡vúå ø½Ú/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 704		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: yue}6 ¥iYÃÃwãháv5+qïr\aO/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 204		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: 51e~_ Ö'¯4mr0p®Ù¾ÕóÆ ÿ socket: 204		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: 51eÊ[Ajô*£Ô®Ã9d¢`wdÀDFnÄ ÿ socket: 204		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: yue&îæ]~7µwsKT¥0h¬MTÂ½Ò/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 204		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: yueÝÀ^]¦+Çý"ôÜMQ¡_q0NQ¤Ê/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 412		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: 51eÑ]æÉL!æÿWï;È»JÙÛïòÙåÏ ÿ socket: 412		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: 51e¨_Ý&7ÌAaÝÉ1õûmrhÐH ¶W ÿ socket: 560		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: yueÿ4¸ÿO[óKe-Ær³=²Îr)Ç¬k#]/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 560		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: yue¨Èoü©raJ `{H«pÖxüéêËÁ/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 560		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: 51e©ë\GÜS`6Ö³M) qã3wçþB& ÿ socket: 560		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: 51e³6~\|hù¤ý`õ5f¯µ²¼µÞ ÿ socket: 456		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: yue³Üõd}p¢j³ö£èQ³÷k4dèÑÕ^/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 456		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: yue¾Ú_Åä9/âðqfÆðä¨-(KEÛ/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 456		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: 51e¾<Ê ;¥Þür®`'»P{b^7ÀÂC:KÚ ÿ socket: 456		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: 51eÉÆöÇ+½çõ*E_f<É§ÉéQìm41Ghÿ8 ÿ socket: 456		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: yueÉkzª¨~(R¼_Ý«éRÜdó:Í£W/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 456		0	0

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (24 events)

Time & API	Arguments	Status	Return	Repeated
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: yueWwø$¬§àÐZ%VóÍëÇðo/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 592		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: 51eW«ýNÃVPÃ¶ïâa]lÐÆíE1g ÿ socket: 592		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: 51e] BM]9: à 3e-ÎÈ«×gs ÿ socket: 704		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: yue]]ð±tÉrä¿UãÂ¢@`JðÝãâ/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 704		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: yueh[=cwc³ò*GÐ!>DB"jk<Ò øáF/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 704		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: 51ehZédÚXU¿Û&pCã½DÛ%BÑ7 ÿ socket: 704		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: 51erÌ¸ýs¿,Ì+àôF0Ä:Vß ø¡ßÅ 9Çê ÿ socket: 704		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: yues'Ç&æAN©gvÿôþ¡vúå ø½Ú/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 704		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: yue}6 ¥iYÃÃwãháv5+qïr\aO/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 204		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: 51e~_ Ö'¯4mr0p®Ù¾ÕóÆ ÿ socket: 204		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: 51eÊ[Ajô*£Ô®Ã9d¢`wdÀDFnÄ ÿ socket: 204		0	0
WSASend Jan. 6, 2024, 10:31 a.m.	buffer: yue&îæ]~7µwsKT¥0h¬MTÂ½Ò/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 204		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: yueÝÀ^]¦+Çý"ôÜMQ¡_q0NQ¤Ê/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 412		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: 51eÑ]æÉL!æÿWï;È»JÙÛïòÙåÏ ÿ socket: 412		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: 51e¨_Ý&7ÌAaÝÉ1õûmrhÐH ¶W ÿ socket: 560		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: yueÿ4¸ÿO[óKe-Ær³=²Îr)Ç¬k#]/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 560		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: yue¨Èoü©raJ `{H«pÖxüéêËÁ/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 560		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: 51e©ë\GÜS`6Ö³M) qã3wçþB& ÿ socket: 560		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: 51e³6~\|hù¤ý`õ5f¯µ²¼µÞ ÿ socket: 456		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: yue³Üõd}p¢j³ö£èQ³÷k4dèÑÕ^/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 456		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: yue¾Ú_Åä9/âðqfÆðä¨-(KEÛ/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 456		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: 51e¾<Ê ;¥Þür®`'»P{b^7ÀÂC:KÚ ÿ socket: 456		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: 51eÉÆöÇ+½çõ*E_f<É§ÉéQìm41Ghÿ8 ÿ socket: 456		0	0
WSASend Jan. 6, 2024, 10:32 a.m.	buffer: yueÉkzª¨~(R¼_Ý«éRÜdó:Í£W/5 ÀÀÀ À 284ÿconfigure.syscatec.com socket: 456		0	0

Libraries known to be associated with a CVE were requested (may be False Positive) (1 event)

cve	CVE-2013-3906

One or more non-whitelisted processes were created (1 event)

parent_process

winword.exe

martian_process

cMd /c C:\Users\Public\window.vbs

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2728 resumed a thread in remote process 2808
NtResumeThread Jan. 6, 2024, 10:31 a.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 2808	1	0	0

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

File has been identified by 31 AntiVirus engines on VirusTotal as malicious (31 events)

Lionic	Trojan.MSWord.Amphitryon.4!c
Elastic	malicious (high confidence)
DrWeb	Exploit.Siggen3.44322
MicroWorld-eScan	VBA:Amphitryon.1635
Skyhigh	BehavesLike.OLE2.Downloader.cb
Symantec	Trojan.Gen.MBT
ESET-NOD32	VBA/TrojanDropper.Agent.CXV
Avast	Script:SNH-gen [Trj]
Kaspersky	HEUR:Trojan.MSOffice.SAgent.gen
BitDefender	VBA:Amphitryon.1635
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
Tencent	Win32.Trojan.Malware.Szfl
Emsisoft	VBA:Amphitryon.1635 (B)
Google	Detected
F-Secure	Malware.W97M/Redcap.qbumx
VIPRE	VBA:Amphitryon.1635
SentinelOne	Static AI - Suspicious OLE
Varist	ABRisk.LJPV-11
Avira	W97M/Redcap.qbumx
MAX	malware (ai score=89)
Antiy-AVL	Trojan[Downloader]/MSOffice.Agent
Kingsoft	Win32.Troj.Undef.a
Microsoft	Trojan:Win32/Leonem
Arcabit	VBA:Amphitryon.D663
ZoneAlarm	HEUR:Trojan.MSOffice.SAgent.gen
GData	VBA:Amphitryon.1635
Cynet	Malicious (score: 99)
TACHYON	Suspicious/W97M.DRP.Gen
Rising	Dropper.Agent/VBA!8.11766 (TOPIS:E0:9ddheGUZbPN)
Ikarus	VBA.Amphitryon
AVG	Script:SNH-gen [Trj]

test3.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All