Report - ZeroBOX

ScreenShot

Info
Location map


Created	2021.04.28 10:00	Machine	s1_win7_x6402
Filename	c.dot
Type	Rich Text Format data, unknown version
AI Score	Not founds	Behavior Score	4.4
ZERO API	file : mailcious
VT API (file)	27 detected (ObfsStrm, CVE-2017-1188, CVE2017, Save, Camelot, Bloodhound, multiple detections, dinbqn, RTFMALFORM, Malformed, Malicious, score, Malform, Probably Heur, RTFBadVersion, ai score=87)
md5	8c953304a94209a33f4b63d71605d816
sha256	afeb7677b573a79afb6fb48fa2d5211fabe514355b6aa010928e5cdebba5b9be
ssdeep	192:oebmDcZZsBSS7v+EyYGsUsGgwE6MrrQ7WrM9skwcBPTtTRyPUaOv+u3XrAR0y0J:oezouEmy8MrrQ7WrM9ScBPm3mXGI
imphash
impfuzzy

Network IP location

Signature (10cnts)

Level	Description
warning	File has been identified by 27 AntiVirus engines on VirusTotal as malicious
watch	Communicates with host for which no DNS query was performed
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	An application raised an exception which may be indicative of an exploit crash
notice	Creates hidden or system file
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Performs some HTTP requests
notice	RTF file has an unknown version
notice	Sends data using the HTTP POST Method
info	One or more processes crashed

Rules (1cnts)

Level	Name	Description	Collection
info	Rich_Text_Format_Zero	Rich Text Format Signature Zero	binaries (upload)

Network (49cnts) ?

Request	ASN Co	IP4	Rule ?	ZERO ?
http://www.forrealmodels.com/qjnt/ whois	Signet B.V.	188.93.150.60	872	mailcious
http://www.warriornotesgolbalprayer.com/qjnt/?5j=NZEjDeTbQWI4t+jLVj6ckcPfHkTvqBwW1gJjjcociDWZiHYNHkrr42q5Qu5MGWq/DbzHTKzP&vTdDF=LJBx whois	GOOGLE	34.102.136.180	787	mailcious
http://www.buckhead-meat.com/qjnt/ whois	GOOGLE	34.102.136.180	871	mailcious
http://www.forrealmodels.com/qjnt/?5j=/8UA4kKoPYWid4Wy4SiZil89tJjdT7ic7hTrtZ5fAe41kMJ49sOOTLg7IOgO80aghp25g4RJ&vTdDF=LJBx whois	Signet B.V.	188.93.150.60	872	mailcious
http://www.rivcodevelopment.com/qjnt/?5j=8NBAzZEp5T2EoF9wMDQ69YhjG3fhuSs/Y3qkwEtmFVQU29n+5biQRN67qVAa42W8gpsiaP+Q&vTdDF=LJBx whois	AS-26496-GO-DADDY-COM-LLC	182.50.132.242	798	mailcious
http://www.xn--jpr220deud640b.com/qjnt/ whois	Tencent Building, Kejizhongyi Avenue	129.226.160.219		clean
http://www.frotaconceitos.com/qjnt/?5j=SklQbBNIGDp60jmvc81YaO0+TakJjqFF7kfS9N7pp+kjm4De+jDioVGollGezL8QEhW81teu&vTdDF=LJBx whois	CLOUDFLARENET	23.227.38.74	878	mailcious
http://www.graniteinaminute.com/qjnt/ whois	AS-26496-GO-DADDY-COM-LLC	182.50.132.242	875	mailcious
http://www.relaxxation.com/qjnt/ whois	AMAZON-02	52.58.78.16	880	mailcious
http://www.startrekepisode.com/qjnt/ whois	GOOGLE	34.102.136.180	786	mailcious
http://www.buckhead-meat.com/qjnt/?5j=/eERDYDYg8Pjpk/w148+Jv3JxRRGqAllXY9DrwYjMBHW71fIc6WywKuPNHthuS6BfUUI+/zo&vTdDF=LJBx whois	GOOGLE	34.102.136.180	871	mailcious
http://www.thebluefishhotel.net/qjnt/ whois	SQUARESPACE	198.185.159.145		clean
http://www.relaxxation.com/qjnt/?5j=mxaFhsYpdbWAcRjreClqDIL9OHFKPqnw/WaD4R8v0Y7MiHTOLhCg3x68N9MAlpNWynvCyQkZ&vTdDF=LJBx whois	AMAZON-02	52.58.78.16	880	mailcious
http://www.gailrichardson.com/qjnt/?5j=cQpYuVHVGObCoOy3oJObHgw0bCNAclVj5U/7sRdD/qRSo/tXEB2YKGAusTd/rcUBeGIQZ61D&vTdDF=LJBx whois	AMAZON-02	52.58.78.16	797	mailcious
http://www.akerii.com/qjnt/?5j=kSZZl6jWs3Sc3KX4sFYto2o1JEu4hGi+VMhwGPIJktQ5K/I5FgrvGI5WQKi2EBcGxzW2rAmT&vTdDF=LJBx whois	VOXEL-DOT-NET	72.251.224.90		clean
http://www.rivcodevelopment.com/qjnt/ whois	AS-26496-GO-DADDY-COM-LLC	182.50.132.242	798	mailcious
http://www.warriornotesgolbalprayer.com/qjnt/ whois	GOOGLE	34.102.136.180	787	mailcious
http://www.thebluefishhotel.net/qjnt/?5j=QMUGPevhnI2Yp74JHEVzH6HtR6H2zoEQzpkVeMV2m2AjEhovI/wxUE2mGeKCbnOUy7J9Z//U&vTdDF=LJBx whois	SQUARESPACE	198.185.159.145		clean
http://www.akerii.com/qjnt/ whois	VOXEL-DOT-NET	72.251.224.90		clean
http://www.frotaconceitos.com/qjnt/ whois	CLOUDFLARENET	23.227.38.74	878	mailcious
http://www.gailrichardson.com/qjnt/ whois	AMAZON-02	52.58.78.16	797	mailcious
http://www.startrekepisode.com/qjnt/?5j=5+BnPckFTRrJGxaMVUv0BF1FKPa8eJDIfTmAxOSqxwEOI5f2tl64h5cJxkg2lQOsq3TBX7Br&vTdDF=LJBx whois	GOOGLE	34.102.136.180	786	mailcious
http://www.xn--jpr220deud640b.com/qjnt/?5j=jCTS+G1v0GO0ffaNHB4bN1x+uxcHkkGvZyQiwKE+/XJ/MeCy3/lhGRbiqne2xOkH/Blgq97x&vTdDF=LJBx whois	Tencent Building, Kejizhongyi Avenue	129.226.160.219		clean
http://www.graniteinaminute.com/qjnt/?5j=Kc40ChrvGMsz5sDUgJdI1Tm80ndRwqOobrZe5CnH/KVtq0OHhWuXcnL+C6x+hGBLT8rXGqGg&vTdDF=LJBx whois	AS-26496-GO-DADDY-COM-LLC	182.50.132.242	875	mailcious
http://23.95.122.25/c/vbc.exe whois	AS-COLOCROSSING	23.95.122.25		malware
www.forrealmodels.com whois	Signet B.V.	188.93.150.60		clean
www.frotaconceitos.com whois	CLOUDFLARENET	23.227.38.74		clean
www.pds-navi.com whois				clean
www.bhcsva.com whois				mailcious
www.akerii.com whois	VOXEL-DOT-NET	72.251.224.90		clean
www.startrekepisode.com whois	GOOGLE	34.102.136.180		clean
www.thebluefishhotel.net whois	SQUARESPACE	198.185.159.145		clean
www.xn--jpr220deud640b.com whois	Tencent Building, Kejizhongyi Avenue	129.226.160.219		clean
www.buckhead-meat.com whois	GOOGLE	34.102.136.180		clean
www.relaxxation.com whois	AMAZON-02	52.58.78.16		clean
www.halostreams.net whois				mailcious
www.rivcodevelopment.com whois	AS-26496-GO-DADDY-COM-LLC	182.50.132.242		clean
www.graniteinaminute.com whois	AS-26496-GO-DADDY-COM-LLC	182.50.132.242		clean
www.gailrichardson.com whois	AMAZON-02	52.58.78.16		clean
www.warriornotesgolbalprayer.com whois	GOOGLE	34.102.136.180		clean
23.95.122.25 whois	AS-COLOCROSSING	23.95.122.25		mailcious
188.93.150.60 whois	Signet B.V.	188.93.150.60		mailcious
72.251.224.90 whois	VOXEL-DOT-NET	72.251.224.90		clean
129.226.160.219 whois	Tencent Building, Kejizhongyi Avenue	129.226.160.219		clean
52.58.78.16 whois	AMAZON-02	52.58.78.16		mailcious
34.102.136.180 whois	GOOGLE	34.102.136.180		mailcious
182.50.132.242 whois	AS-26496-GO-DADDY-COM-LLC	182.50.132.242		mailcious
23.227.38.74 whois	CLOUDFLARENET	23.227.38.74		mailcious
198.185.159.145 whois	SQUARESPACE	198.185.159.145		mailcious

Report - c.dot

Signature (10cnts)

Rules (1cnts)

Network (49cnts) ?

Suricata ids

Similarity measure (PE file only) - Checking for service failure