Report - diagram-553418662.xls

MSOffice File
Created 2021.05.18 09:55 Machine s1_win7_x6401
Filename diagram-553418662.xls
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Autho
AI Score Not founds
Behavior Score 2.0
ZERO API file : clean
VT API (file)
md5 62c064e08d3aef1d97e64068583345d1
sha256 5cb31f26f2193c325c732477e1af4fae1fb5545e7c1c3c49dd8feed761d40e34
ssdeep 6144:IcPiNQApW/89bK103eGvgZqr3h8GB3ckt6Uqa5DPdG9uS9QLn4z8y6j:ut6Uqa5DPdG9uS9QLn4z8v

Signature (5cnts)

Level Description
watch Network communications indicative of a potential document or script payload download was initiated by the process excel.exe
watch One or more non-whitelisted processes were created
notice Allocates read-write-execute memory (usually to unpack itself)
info Checks amount of memory in system
info One or more processes crashed

Rules (1cnts)

Level Name Description Collection
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)

Network (4cnts)

Request CC ASN Co IP4 Rule ZERO
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ Unknown 192.168.56.103 clean
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f Unknown 192.168.56.103 clean
hermescomm.net US UNIFIEDLAYER-AS-1 162.241.27.24 mailcious
162.241.27.24 US UNIFIEDLAYER-AS-1 162.241.27.24 suspicious
