Report - ZeroBOX

ScreenShot

Info
Location map


Created	2021.04.30 09:47	Machine	s1_win7_x6402
Filename	Company Details.ppam
Type	Microsoft PowerPoint 2007+
AI Score	Not founds	Behavior Score	8.6
ZERO API	file : clean
VT API (file)	15 detected (MalDoc, ali1000101, Amphitryon, SAgent, Ole2, druvzi, Artemis, Static AI, Malicious OPENXML)
md5	c8e1760af8a65590d26315a4ff144b62
sha256	dffd29f5fcbcb7ee1f0a4d31e3cf616b6a525275b49d9d47d625f811f48cfc08
ssdeep	192:ZILz+pGqEls2oGnmaPuXDgrUIWBf+t1+MbJcsRgV7QyD0OoAisP3A3:mGpGqcsXGnFPSxI++T+Mbip/hu
imphash
impfuzzy

Network IP location

Signature (19cnts)

Level	Description
warning	Generates some ICMP traffic
watch	Communicates with host for which no DNS query was performed
watch	Disables proxy possibly for traffic interception
watch	File has been identified by 15 AntiVirus engines on VirusTotal as malicious
watch	Installs itself for autorun at Windows startup
watch	One or more non-whitelisted processes were created
watch	Stores PowerShell commands in the registry likely for persistence
notice	A process created a hidden window
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice	Creates a suspicious process
notice	Creates executable files on the filesystem
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	One or more potentially interesting buffers were extracted
notice	Performs some HTTP requests
notice	Uses Windows utilities for basic Windows functionality
info	Checks amount of memory in system
info	Command line console output was observed
info	Queries for the computername

Rules (2cnts)

Level	Name	Description	Collection
warning	Contains_VBA_macro_code	Detect a MS Office document with embedded VBA macro code [binaries]	binaries (upload)
info	PNG_Format_Zero	PNG Format	binaries (download)

Network (31cnts) ?

Request	ASN Co	IP4	ZERO ?
http://www.j.mp/ddsobpechateessentesathatesesjdw whois	GOOGLE-PRIVATE-CLOUD	67.199.248.17	clean
http://bit.ly/ddsobpechateessentesathatesesjdw whois	GOOGLE-PRIVATE-CLOUD	67.199.248.11	clean
https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png whois	GOOGLE	142.250.66.41	clean
https://www.blogger.com/static/v1/widgets/115981500-css_bundle_v2.css whois	GOOGLE	172.217.26.137	clean
https://www.blogger.com/blogin.g?blogspotURL=https://yahameinhunbusorkoinai.blogspot.com/p/divine11111.html&type=blog whois	GOOGLE	172.217.26.137	clean
https://yahameinhunbusorkoinai.blogspot.com/p/divine11111.html whois	GOOGLE	142.250.199.65	clean
https://resources.blogblog.com/img/icon18_edit_allbkg.gif whois	GOOGLE	142.250.66.41	clean
https://resources.blogblog.com/img/icon18_wrench_allbkg.png whois	GOOGLE	142.250.66.41	clean
https://www.blogger.com/static/v1/widgets/1564291244-widgets.js whois	GOOGLE	172.217.26.137	clean
https://ia601409.us.archive.org/1/items/divonee111/divonee111.txt whois	INTERNET-ARCHIVE	207.241.227.129	clean
https://www.blogger.com/dyn-css/authorization.css?targetBlogID=9202096335134795169&zx=b73d5666-d098-4854-a4dd-8e948356adfd whois	GOOGLE	172.217.26.137	clean
https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png whois	GOOGLE	142.250.66.41	clean
https://www.blogger.com/static/v1/jsbin/1277698886-ieretrofit.js whois	GOOGLE	172.217.26.137	clean
https://www.blogger.com/img/share_buttons_20_3.png whois	GOOGLE	172.217.26.137	clean
https://www.blogger.com/static/v1/jsbin/3858658042-comment_from_post_iframe.js whois	GOOGLE	172.217.26.137	clean
resources.blogblog.com whois	GOOGLE	172.217.31.137	clean
yahameinhunbusorkoinai.blogspot.com whois	GOOGLE	172.217.175.65	clean
google.com whois	GOOGLE	216.58.220.142	clean
ia601409.us.archive.org whois	INTERNET-ARCHIVE	207.241.227.129	clean
accounts.google.com whois	GOOGLE	216.58.220.141	clean
bit.ly whois	GOOGLE-PRIVATE-CLOUD	67.199.248.10	mailcious
www.j.mp whois	GOOGLE-PRIVATE-CLOUD	67.199.248.17	mailcious
www.blogger.com whois	GOOGLE	172.217.175.9	clean
207.241.227.129 whois	INTERNET-ARCHIVE	207.241.227.129	clean
142.250.199.65 whois	GOOGLE	142.250.199.65	clean
142.250.66.109 whois	GOOGLE	142.250.66.109	clean
67.199.248.17 whois	GOOGLE-PRIVATE-CLOUD	67.199.248.17	mailcious
67.199.248.10 whois	GOOGLE-PRIVATE-CLOUD	67.199.248.10	phishing
142.250.204.110 whois	GOOGLE	142.250.204.110	clean
172.217.26.137 whois	GOOGLE	172.217.26.137	clean
142.250.66.41 whois	GOOGLE	142.250.66.41	clean

Report - Company Details.ppam

Signature (19cnts)

Rules (2cnts)

Network (31cnts) ?

Suricata ids

Similarity measure (PE file only) - Checking for service failure