Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | Jan. 26, 2024, 12:08 p.m. | Jan. 26, 2024, 12:10 p.m. |
-
WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\currentupdationoftheexplertsayingintsverybigindustrywhichgoingtohitinthemarketwithgolobalfram.doc
1460
Name | Response | Post-Analysis Lookup |
---|---|---|
paste.ee | 172.67.187.200 |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.103:49162 -> 172.245.208.3:80 | 2027260 | ET INFO Dotted Quad Host VBS Request | Potentially Bad Traffic |
TCP 192.168.56.103:49165 -> 172.67.187.200:443 | 2034978 | ET POLICY Pastebin-style Service (paste .ee) in TLS SNI | Potential Corporate Privacy Violation |
TCP 192.168.56.103:49165 -> 172.67.187.200:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.103:49165 172.67.187.200:443 |
C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 | CN=paste.ee | c2:b4:ac:5e:d6:d0:79:48:bd:61:49:ff:7a:f4:5f:ee:d4:45:1b:74 |
suspicious_features | Connection to IP address | suspicious_request | GET http://172.245.208.3/440/ibmSever.vbs |
request | GET http://172.245.208.3/440/ibmSever.vbs |
request | GET http://paste.ee/d/Kiio7 |
request | GET https://paste.ee/d/Kiio7 |
file | C:\Users\test22\AppData\Local\Temp\~$rrentupdationoftheexplertsayingintsverybigindustrywhichgoingtohitinthemarketwithgolobalfram.doc |
host | 172.245.208.3 |
CAT-QuickHeal | Exp.RTF.Obfus.Gen |
VIPRE | Exploit.RTF-ObfsStrm.Gen |
Sangfor | Exploit.Generic-Doc.Save.74c7ccbf |
Arcabit | Exploit.RTF-ObfsStrm.Gen |
Symantec | Exp.CVE-2017-11882!g2 |
ESET-NOD32 | multiple detections |
McAfee | RTFObfustream.c!BFC3EF7D2FA4 |
Avast | OLE:CVE-2017-11882-B [Expl] |
Cynet | Malicious (score: 99) |
Kaspersky | UDS:DangerousObject.Multi.Generic |
BitDefender | Exploit.RTF-ObfsStrm.Gen |
NANO-Antivirus | Exploit.Rtf.Heuristic-rtf.dinbqn |
MicroWorld-eScan | Exploit.RTF-ObfsStrm.Gen |
Emsisoft | Exploit.RTF-ObfsStrm.Gen (B) |
F-Secure | Heuristic.HEUR/Rtf.Malformed |
DrWeb | Exploit.ShellCode.69 |
TrendMicro | HEUR_RTFMALFORM |
FireEye | Exploit.RTF-ObfsStrm.Gen |
Sophos | Troj/RtfExp-EQ |
Detected | |
Avira | HEUR/Rtf.Malformed |
Antiy-AVL | Trojan[Exploit]/OLE2.CVE-2017-11882 |
ZoneAlarm | HEUR:Exploit.MSOffice.Generic |
GData | Exploit.RTF-ObfsStrm.Gen |
Varist | CVE-2017-11882.D.gen!Camelot |
AhnLab-V3 | RTF/Malform-A.Gen |
Zoner | Probably Heur.RTFBadHeader |
Tencent | Exp.Office.CVE-2017-11882.a |
Ikarus | Exploit.CVE-2017-11882 |
Fortinet | MSOffice/CVE_2017_11882.B!exploit |
AVG | OLE:CVE-2017-11882-B [Expl] |