Report - diagram-58392516.xls

MSOffice File
Created 2021.05.18 09:56 Machine s1_win7_x3201
Filename diagram-58392516.xls
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Autho
AI Score Not found
Behavior Score 3.0
ZERO API file : clean
VT API (file) 15 detected (a variant of VBA, Artemis, EncDoc, ai score=81, Outbreak, Nastya)
md5 3e58b8987074c6d6b6725e2cbdb0494d
sha256 59f4e34e487efed39c297417fcd382c769518ad1c8d2b203d45b261158a682fd
ssdeep 6144:IcPiNQApW/89bK103eGvgZqr3h8GB3ckt6Uqa5DPdG9uS9QLn4z8yej:ut6Uqa5DPdG9uS9QLn4z8T
imphash
impfuzzy
Network IP location

Signature (7cnts)

Level Description
watch File has been identified by 15 AntiVirus engines on VirusTotal as malicious
watch Network communications indicative of a potential document or script payload download was initiated by the process excel.exe
watch One or more non-whitelisted processes were created
notice Allocates read-write-execute memory (usually to unpack itself)
notice Performs some HTTP requests
info Checks amount of memory in system
info One or more processes crashed

Rules (1cnts)

Level Name Description Collection
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)

Network (13cnts)

Request CC ASN Co IP4 Rule ZERO
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ Unknown 192.168.56.103 clean
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f Unknown 192.168.56.103 clean
http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=0.0.0.0&asdelta=0.0.0.0&prod=925A3ACA-C353-458A-AC8D-A7E5EB378092 US AKAMAI-AS 184.25.186.96 clean
https://definitionupdates.microsoft.com/download/DefinitionUpdates/VersionedSignatures/AM/1.339.927.0/x86/mpas-fe.exe US AKAMAI-AS 23.40.44.112 clean
https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?arch=x86&eng=0.0.0.0&asdelta=0.0.0.0&prod=925A3ACA-C353-458A-AC8D-A7E5EB378092 US AKAMAI-AS 23.201.37.168 clean
www.microsoft.com US AKAMAI-AS 23.201.37.168 clean
definitionupdates.microsoft.com US AKAMAI-AS 23.40.44.112 clean
incoming.telemetry.mozilla.org US AMAZON-02 44.240.8.189 clean
hermescomm.net US UNIFIEDLAYER-AS-1 162.241.27.24 malicious
52.33.45.66 US AMAZON-02 52.33.45.66 clean
23.40.44.112 US AKAMAI-AS 23.40.44.112 clean
162.241.27.24 US UNIFIEDLAYER-AS-1 162.241.27.24 suspicious
23.201.37.168 US AKAMAI-AS 23.201.37.168 clean

Suricata ids



Similarity measure (PE file only) - Checking for service failure