Report - 0520_2812845003972.doc

Hancitor VBA_macro OS Processor Check MSOffice File

ScreenShot

Info
Location map


Created	2021.05.21 13:42	Machine	s1_win7_x6401
Filename	0520_2812845003972.doc
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Auth
AI Score	Not founds	Behavior Score	8.4
ZERO API	file : clean
VT API (file)	10 detected (Suspexec, gen29, Ole2, druvzi, EncPk, Wacapew, ZedlaF, Eu4@aKxQvvii)
md5	aecae614ceb5f5c3dac0e00c773acb6d
sha256	a856857b48a4fc929504097cfdfde8d3ce54953995fff31b2a3adab28a994890
ssdeep	24576:MEIjrPUaphvGvGUZ93/semhXp7AsW7aHESKbhweYkTfBR0:M/jhvGvGU93097AF7sESKyeYkTfB
imphash
impfuzzy

Network IP location

Signature (19cnts)

Level	Description
watch	A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations.
watch	Creates suspicious VBA object
watch	File has been identified by 10 AntiVirus engines on VirusTotal as malicious
watch	Libraries known to be associated with a CVE were requested (may be False Positive)
watch	One or more non-whitelisted processes were created
watch	The process winword.exe wrote an executable file to disk
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Checks adapter addresses which can be used to detect virtual network interfaces
notice	Creates (office) documents on the filesystem
notice	Creates hidden or system file
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Looks up the external IP address
notice	One or more potentially interesting buffers were extracted
notice	Performs some HTTP requests
notice	Resolves a suspicious Top Level Domain (TLD)
notice	Sends data using the HTTP POST Method
notice	Word document hooks document open
info	Checks if process is being debugged by a debugger
info	Queries for the computername

Rules (3cnts)

Level	Name	Description	Collection
warning	Contains_VBA_macro_code	Detect a MS Office document with embedded VBA macro code [binaries]	binaries (upload)
info	Microsoft_Office_File_Zero	Microsoft Office File	binaries (upload)
info	OS_Processor_Check_Zero	OS Processor Check	binaries (upload)

Network (12cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?
http://vaethemanic.com/8/forum.php whois		IMLONGHAO	2.56.10.123	1478	mailcious
http://tembovewinated.ru/8/forum.php whois		Okay-Telecom Ltd.	185.10.45.99		mailcious
http://prournauseent.ru/8/forum.php whois		Hetzner Online GmbH	176.9.248.145		mailcious
http://api.ipify.org/ whois		AMAZON-AES	54.225.169.203		clean
api.ipify.org whois		AMAZON-AES	54.225.157.230		clean
tembovewinated.ru whois		Okay-Telecom Ltd.	185.10.45.99		mailcious
prournauseent.ru whois		Hetzner Online GmbH	176.9.248.145		mailcious
vaethemanic.com whois		IMLONGHAO	2.56.10.123		mailcious
176.9.248.145 whois		Hetzner Online GmbH	176.9.248.145		mailcious
2.56.10.123 whois		IMLONGHAO	2.56.10.123		mailcious
185.10.45.99 whois		Okay-Telecom Ltd.	185.10.45.99		mailcious
54.221.236.13 whois		AMAZON-AES	54.221.236.13		clean

Suricata ids

Similarity measure (PE file only) - Checking for service failure