Summary | ZeroBOX

Receipt-894324.xls

VBA_macro MSOffice File
Category: FILE  Machine: s1_win7_x6401  Started: Feb. 12, 2024, 11:10 p.m.  Completed: Feb. 12, 2024, 11:12 p.m.
Size 711.5KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Invoice 894324 from Quickbooks, LLC, Author: Quickbooks, LLC, Last Saved By: user, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Jul 14 08:38:23 2021, Last Saved Time/Date: Wed Jul 14 14:04:09 2021, Security: 0
MD5 73f2506109fae384bc40c7ba7cb5fc9c
SHA256 eb5b61b197c89ba6a19d3eaeda56d858f6bd30beaff0a43719fc5c6591e7ad2d
CRC32 22B24BBE
ssdeep 12288:DRYbXrlUc6XS/CwRl+4MW1H5onZHBDznxcp/c0UGtkbByxlFYd2DrpE9Nr:sUc6EjDMW1UrDjxcNcfgZI2or
Yara
  • Microsoft_Office_File_Zero - Microsoft Office File
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

Name (Response / Post-Analysis Lookup): jeromfastsolutions.com
IP Address: 164.124.101.2  Status: Active  Action: Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
NtProtectVirtualMemory

process_identifier: 2540
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f5b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2540
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f60f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2540
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f60f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2540
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f551000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2540
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x65001000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2540
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70e11000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x058f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05980000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05990000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x059a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2708
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70da2000
process_handle: 0xffffffff
1 0 0
cmdline mshta "C:\ProgramData\qLegendPositionTop.sct"
com_class Scripting.FileSystemObject May attempt to write one or more files to the harddisk
parent_process excel.exe
martian_process mshta "C:\ProgramData\qLegendPositionTop.sct"
Lionic Trojan.Script.Generic.a!c
Elastic malicious (high confidence)
Cynet Malicious (score: 99)
Skyhigh BehavesLike.OLE2.Downloader.bb
ALYac Trojan.Downloader.XLS.Gen
VIPRE GT:VB.Macros.Heur2.Dridex.2.1C723EC4
Sangfor Suspicious.Win32.Save.a
Arcabit GT:VB.Macros.Heur2.Dridex.2.1C723EC4
Symantec Trojan.Mdropper
ESET-NOD32 VBA/TrojanDropper.Agent.CBR
TrendMicro-HouseCall TROJ_FRS.0NA103GF21
McAfee W97M/Downloader.dqo
Avast Script:SNH-gen [Drp]
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender GT:VB.Macros.Heur2.Dridex.2.1C723EC4
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
MicroWorld-eScan GT:VB.Macros.Heur2.Dridex.2.1C723EC4
Rising Downloader.Dridex!8.10EEC (TOPIS:E0:wwFjRqjqO3C)
Emsisoft Trojan-Downloader.Macro.Generic.CQ (A)
F-Secure Heuristic.HEUR/Macro.Downloader.AJAM.Gen
DrWeb Exploit.Siggen3.18834
TrendMicro TROJ_FRS.0NA103GF21
FireEye GT:VB.Macros.Heur2.Dridex.2.1C723EC4
Sophos Troj/DocDl-ADXD
Ikarus Trojan-Dropper.VBA.Agent
Google Detected
Avira HEUR/Macro.Downloader.AJAM.Gen
MAX malware (ai score=100)
Antiy-AVL Trojan[Dropper]/Macro.Agent.cbr
Kingsoft Script.Troj.MSOffice.2022001
Xcitium Malware@#lc7v1onpryii
Microsoft TrojanDownloader:O97M/Dridex.PSTT!MTB
ZoneAlarm HEUR:Trojan-Downloader.Script.Generic
GData GT:VB.Macros.Heur2.Dridex.2.1C723EC4
Varist X97M/Agent.AAZ.gen!Eldorado
Acronis suspicious
TACHYON Suspicious/X97M.XSR.Gen
Tencent Trojan.MsOffice.MacroS.11012383
SentinelOne Static AI - Malicious OLE
Fortinet VBA/Agent.3EC4!tr
AVG Script:SNH-gen [Drp]