Report - id1.dotm

Created 2021.05.12 18:21 Machine s1_win7_x6401
Filename id1.dotm
Type Microsoft Word 2007+
AI Score Not found
Behavior Score 4.6
ZERO API file : clean
VT API (file)
md5 71e480edcb51a02b8460ccc9b2dfa272
sha256 2f0c89a58608fc0a9791cbc9eaf7634b1ae958db3da937e08dbd4780cd22cf76
ssdeep 384:tmtZ8B8uPo0AoJCRVZ9jhUYeg+mZeNiq5Pmqi/DaC78GIycHYqldizefxY4PnB3B:qZ5uPhPgRVZvBP+mqV5PNi/x8xycHnlN
imphash
impfuzzy
Network IP location

Signature (8cnts)

Level Description
danger Office document performs HTTP request (possibly to download malware)
warning Generates some ICMP traffic
watch Creates suspicious VBA object
watch Libraries known to be associated with a CVE were requested (may be False Positive)
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates (office) documents on the filesystem
notice Creates hidden or system file
notice Performs some HTTP requests

Rules (1cnts)

Level Name Description Collection
warning Contains_VBA_macro_code Detect a MS Office document with embedded VBA macro code [binaries] binaries (upload)

Network (5cnts)

Request CC ASN Co IP4 Rule ZERO
http://kr2959.atwebpages.com/report.php?key=ABA99C9B-8F3C59F5-84EA9C78-A49209D4&rnd=41 BG Zetta Hosting Solutions LLC. 185.176.43.98 clean
http://kr2959.atwebpages.com/view.php?id=21504 BG Zetta Hosting Solutions LLC. 185.176.43.98 clean
http://kr2959.atwebpages.com/view.php?id=2 BG Zetta Hosting Solutions LLC. 185.176.43.98 clean
kr2959.atwebpages.com BG Zetta Hosting Solutions LLC. 185.176.43.98 clean
185.176.43.98 BG Zetta Hosting Solutions LLC. 185.176.43.98 malicious

Suricata ids
Similarity measure (PE file only) - Checking for service failure