Report - Inv%2006687243.xls

VBA_macro MSOffice File
Created 2021.05.20 16:36 Machine s1_win7_x6402
Filename Inv%2006687243.xls
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title
AI Score Not found
Behavior Score 4.8
ZERO API file : malicious
VT API (file) 24 detected (Valyria, Save, Obfuscated, Eldorado, a variant of VBA, Ole2, druvzi, Dridex, ai score=85, Probably Heur, W97Obfuscated, ObfusVBA@ML, Static AI, Malicious OLE)
md5 5186a21d30bbf28909683c4767597481
sha256 57301e8fe9f386d64b44ddefe1c7124be0aba07cde84cba72d2c2aa9c1402b5d
ssdeep 6144:fk3hOdsylKlgryzc4bNhZF+E+W2knALkzjDpvs:o
imphash
impfuzzy
Network IP location

Signature (7cnts)

Level Description
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
danger Office document performs HTTP request (possibly to download malware)
warning File has been identified by 24 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Creates suspicious VBA object
notice Allocates read-write-execute memory (usually to unpack itself)
notice Performs some HTTP requests

Rules (2cnts)

Level Name Description Collection
warning Contains_VBA_macro_code Detect a MS Office document with embedded VBA macro code [binaries] binaries (upload)
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)

Network (24cnts)

Request CC ASN Co IP4 Rule ZERO
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3 Unknown 192.168.56.103 clean
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ Unknown 192.168.56.103 clean
https://plascom.ind.br/_img/parceiros/Ii2g4cYzKfaMLz7.php BR Locaweb Servicos de Internet S/A 191.252.142.218 clean
https://armaenerji.com/UserFiles/site/enerji-kablolari/HES/tbqsCGNY.php TR FS Veri Merkezi Internet Teknolojileri Limited Sirketi 217.195.198.212 malicious
mahinur.nucleustechbd.com US ASN-DIS 67.222.155.191 clean
lamiragereception.com.au US DIMENOC 67.23.226.231 clean
armaenerji.com TR FS Veri Merkezi Internet Teknolojileri Limited Sirketi 217.195.198.212 malicious
plascom.ind.br BR Locaweb Servicos de Internet S/A 191.252.142.218 clean
fuherpronn.org US UNIFIEDLAYER-AS-1 162.241.194.204 malicious
specs2go.shawalzahid.com CA OVH SAS 158.69.144.71 clean
fotounirii.ro RO Top Level Hosting SRL 89.35.173.76 clean
abdul.yousufbaloch.com US UNIFIEDLAYER-AS-1 192.185.36.81 malicious
gamberinigianluca.com US DIMENOC 64.37.52.95 clean
lojamusic.com.br US UNIFIEDLAYER-AS-1 162.241.2.234 clean
89.35.173.76 RO Top Level Hosting SRL 89.35.173.76 clean
217.195.198.212 TR FS Veri Merkezi Internet Teknolojileri Limited Sirketi 217.195.198.212 malicious
192.185.36.81 US UNIFIEDLAYER-AS-1 192.185.36.81 malicious
64.37.52.95 US DIMENOC 64.37.52.95 malicious
191.252.142.218 BR Locaweb Servicos de Internet S/A 191.252.142.218 clean
67.23.226.231 US DIMENOC 67.23.226.231 malicious
67.222.155.191 US ASN-DIS 67.222.155.191 malicious
162.241.194.204 US UNIFIEDLAYER-AS-1 162.241.194.204 malicious
162.241.2.234 US UNIFIEDLAYER-AS-1 162.241.2.234 clean
158.69.144.71 CA OVH SAS 158.69.144.71 clean

Suricata ids

Similarity measure (PE file only) - Checking for service failure