Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
04.27 01:04
xrgfyjiwp9jhuz.potenti...
04.26 11:04
m=el_main_css
04.26 11:04
saved_resource.html
04.26 02:04
file.exe
04.26 02:04
unindictedEb7l.ps1
04.26 02:04
32ja.exe
04.26 02:04
upx.exe
04.26 02:04
svcstealer.exe
04.26 02:04
fcc.exe
04.26 02:04
untippedhi.exe

Latest News
04.27 01:04
SKT 통신사 해킹 파일 관련 dbus-...
04.27 01:04
Unsichtbare Zeichen in...
04.27 01:04
KI im Klassenzimmer: L...
04.27 01:04
Heimliches LLM-Groomin...
04.27 01:04
Datenschutz-Albtraum: ...
04.27 12:04
대만(Taiwan)을 목표로 한것으로 추...
04.26 11:04
From Good Enough to Best
04.26 10:04
North Dakota Expands D...
04.26 10:04
Gamers Beware! New Att...
04.26 09:04
IT Sicherheitsnews tae...

Summary | ZeroBOX

docx006.docx

VBA_macro Word 2007 file format(docx) ZIP Format

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 26, 2024, 9:44 a.m.	Nov. 26, 2024, 9:51 a.m.

Size	22.7KB
Type	Microsoft Word 2007+
MD5	`ed76eb774c6db599f8ad50d4489e3c31`
SHA256	`902c15cdab0459f9fcabafd664c466331a49fb535f0e199db0dabb8d3d189ce5`
CRC32	`82CD6C41`
ssdeep	`384:C6LZC78M0DUe3ngh0VqvWGoBnJ9VQF9p0lhS0wJzizefxY4W1G:Bq81Df38Fo3Qvp0lhS0ozwefxYY`
Yara	docx - Word 2007 file format detection zip_file_format - ZIP file format Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\docx006.docx
1932

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$ocx006.docx

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Nov. 26, 2024, 9:44 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000498 filepath: C:\Users\test22\AppData\Local\Temp\~$ocx006.docx desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$ocx006.docx create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Word document hooks document open

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 26, 2024, 9:44 a.m.	process_identifier: 1932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef80000 process_handle: 0xffffffff	1	0	0

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Cynet	Malicious (score: 70)
Skyhigh	W97M/Thus.gen.f
ALYac	VB:Trojan.Valyria.1610
VIPRE	VB:Trojan.Valyria.1610
Sangfor	Virus.Win32-Macro.Save.APMP
BitDefender	VB:Trojan.Valyria.1610
Arcabit	VB:Trojan.Valyria.D64A
Elastic	malicious (high confidence)
ESET-NOD32	W97M/Thus.NAC
TrendMicro-HouseCall	V97M_Generic
Avast	Script:SNH-gen [Trj]
ClamAV	Doc.Macro.APMPKILL-6097118-0
Kaspersky	HEUR:Virus.Script.Generic
NANO-Antivirus	Trojan.Script.Agent.dsetwk
MicroWorld-eScan	VB:Trojan.Valyria.1610
Rising	Macro.Word.Agent.c (CLASSIC)
Emsisoft	VB:Trojan.Valyria.1610 (B)
F-Secure	Heuristic.HEUR/Macro.VBA5
DrWeb	MACRO.Virus
TrendMicro	V97M_Generic
CTX	docx.trojan.valyria
Sophos	WM97/Thus-Fam
Ikarus	Trojan.Script.Agent
FireEye	VB:Trojan.Valyria.1610
Jiangmin	WM/APMP.a
Google	Highly Suspicious
Avira	HEUR/Macro.VBA5
Antiy-AVL	Trojan/MSWord.Thus.nac
Microsoft	Virus:W97M/Thus
ZoneAlarm	HEUR:Virus.Script.Generic
GData	VB:Trojan.Valyria.1610
Varist	VBA/ABTrojan.YATZ-
McAfee	W97M/Thus.gen.f
Tencent	OLE.Win32.Macro.700319
huorong	OMacro/Thus.a
Fortinet	VBA/Thus.1A61!tr
AVG	Script:SNH-gen [Trj]
Panda	W97M/Badmacro