Created 2021.05.14 18:11 Machine s1_win7_x6401
Filename 1.doc
Type Microsoft Word 2007+
AI Score Not found
Behavior Score 2.2
ZERO API file: clean
VT API (file) 16 detected (Chronos, Obfuscation, gen87, a variant of Generik, LEIKKZW, Ole2, druvzi, ai score=82)
md5 af7ee4f20a624c4d7b5cfc7adde79332
sha256 2bfdb32860a99dc2edce59ff9c92da4e64459396097e7e58db6e9aae892550b6
ssdeep 3072:2hnDbdhVPdsPdhPdrPdrUSw212V6mjPdJ73S:2hDbdh5CL1G1212V6Wn7C
imphash
impfuzzy

Signature (5cnts)

Level Description
watch File has been identified by 16 AntiVirus engines on VirusTotal as malicious
notice Creates (office) documents on the filesystem
notice Creates hidden or system file
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests

Rules (0cnts)

Level Name Description Collection

Network (7cnts)

Request CC ASN Co IP4 Rule ZERO
http://facextrade.com.br/0A.txt BR Locaweb Servicos de Internet S/A 187.45.240.69 clean
http://facextrade.com.br/z.mp3 BR Locaweb Servicos de Internet S/A 187.45.240.69 clean
http://facextrade.com.br/0C.txt BR Locaweb Servicos de Internet S/A 187.45.240.69 clean
facextrade.com.br BR Locaweb Servicos de Internet S/A 187.45.240.69 clean
nyc008.hawkhost.com CA SINGLEHOP-LLC 172.96.187.2 malicious
187.45.240.69 BR Locaweb Servicos de Internet S/A 187.45.240.69 malicious
172.96.187.2 CA SINGLEHOP-LLC 172.96.187.2 malicious

Suricata ids
