popup

Report - invoice_996446.doc

RTF File doc
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.05.06 10:38 Machine s1_win7_x6401
Filename invoice_996446.doc
Type ISO-8859 text, with very long lines, with CRLF, CR, LF line terminators, with overstriking
AI Score Not founds Behavior Score
4.6
ZERO API file : clean
VT API (file) 28 detected (ObfsStrm, CVE-2017-1188, CVE2017, Save, Bloodhound, multiple detections, Obfuscated, dinbqn, RTFMALFORM, RtfExp, Malformed, ai score=89, Malicious, score, Malform, Probably Heur, RTFBadHeader)
md5 fecd086ea4879aa3e7b06eb1bcd0e102
sha256 d613dfd6cab6f9aa469698419a8f389add2c463bb7fe69e346632ee0039e2bf5
ssdeep 192:SW+EvWfVbziYUK/z6kTiN5COfw7zgxQ13N/tkWBn16lkbVjCUT7g6iaUkDNnaBS8:mESpzDlr60+bf2NC4+kZCUPgQDly084U
imphash
impfuzzy
  Network IP location

Signature (10cnts)

Level Description
warning File has been identified by 28 AntiVirus engines on VirusTotal as malicious
warning Generates some ICMP traffic
notice Allocates read-write-execute memory (usually to unpack itself)
notice An application raised an exception which may be indicative of an exploit crash
notice Creates (office) documents on the filesystem
notice Creates hidden or system file
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
info One or more processes crashed

Rules (1cnts)

Level Name Description Collection
info Rich_Text_Format_Zero Rich Text Format Signature Zero binaries (upload)

Network (9cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://bit.do/fQHvj
whois
US AMAZON-AES 54.83.52.76 clean
http://nbnbtwowsdydebateqgh.dns.army/documenst/winlog.exe
whois
VN VIETNAM POSTS AND TELECOMMUNICATIONS GROUP 103.133.106.100 clean
http://dyjcgvdfgdzgzdzzf.ga/Bn4/fre.php
whois
US CLOUDFLARENET 104.21.52.130 clean
bit.do
whois
US AMAZON-AES 54.83.52.76 mailcious
nbnbtwowsdydebateqgh.dns.army
whois
VN VIETNAM POSTS AND TELECOMMUNICATIONS GROUP 103.133.106.100 clean
dyjcgvdfgdzgzdzzf.ga
whois
US CLOUDFLARENET 172.67.199.137 clean
54.83.52.76
whois
US AMAZON-AES 54.83.52.76 suspicious
103.133.106.100
whois
VN VIETNAM POSTS AND TELECOMMUNICATIONS GROUP 103.133.106.100 suspicious
172.67.199.137
whois
US CLOUDFLARENET 172.67.199.137 clean

Suricata ids

ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET HUNTING SUSPICIOUS winlog.exe in URI Probable Process Dump/Trojan Download
ET POLICY PE EXE or DLL Windows file download HTTP

Similarity measure (PE file only) - Checking for service failure