popup

Report - PO 474050.xls

VBA_macro MSOffice File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.05.26 17:40 Machine s1_win7_x6401
Filename PO 474050.xls
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title
AI Score Not founds Behavior Score
3.4
ZERO API file : clean
VT API (file) 34 detected (malicious, high confidence, score, Save, Obfuscated, Eldorado, a variant of Generik, FJCFWJD, SDrop, Valyria, Ole2, druvzi, MRAFS, Siggen3, Dridex, NYKC, ai score=82, Probably Heur, W97Obfuscated, CLASSIC, Static AI, Malicious OLE)
md5 8cd09ba1a0a1c52115e5419c92342708
sha256 99811775df40b9988040f787af520531714fe8fbce7139886843b96fbb20cb4b
ssdeep 6144:3k3hOdsylKlgryzc4bNhZF+E+W2knA6IKi:s
imphash
impfuzzy
  Network IP location

Signature (5cnts)

Level Description
danger File has been identified by 34 AntiVirus engines on VirusTotal as malicious
danger Office document performs HTTP request (possibly to download malware)
watch Creates suspicious VBA object
notice Allocates read-write-execute memory (usually to unpack itself)
notice Performs some HTTP requests

Rules (2cnts)

Level Name Description Collection
warning Contains_VBA_macro_code Detect a MS Office document with embedded VBA macro code [binaries] binaries (upload)
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)

Network (21cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://market-in.org/wp-content/uploads/2020/06/H4RiD4lTF.php
whois
US CLOUDFLARENET 104.21.55.237 mailcious
fate.sa
whois
US PRIVATESYSTEMS 192.196.158.90 mailcious
akachi.co.za
whois
US HOST4GEEKS-LLC 66.85.46.71 mailcious
sklep.northserwis.pl
whois
PL MSI Telekom Sp. z o.o. Sp. k. 82.177.209.21 mailcious
mail-call.us
whois
US UNIFIEDLAYER-AS-1 74.220.219.123 mailcious
coeniglich.de
whois
DE Linode, LLC 172.104.152.37 mailcious
newzroot.com
whois
DE Hetzner Online GmbH 138.201.203.76 mailcious
agentsv2.ivm.mv
whois
US UNIFIEDLAYER-AS-1 192.185.36.231 mailcious
market-in.org
whois
US CLOUDFLARENET 104.21.55.237 mailcious
aims1.ezicodes.com
whois
PS Coolnet New Communication Provider 188.225.225.70 mailcious
creatalca.cl
whois
US UNIFIEDLAYER-AS-1 192.185.16.103 mailcious
104.21.55.237
whois
US CLOUDFLARENET 104.21.55.237 clean
82.177.209.21
whois
PL MSI Telekom Sp. z o.o. Sp. k. 82.177.209.21 mailcious
192.185.36.231
whois
US UNIFIEDLAYER-AS-1 192.185.36.231 mailcious
192.196.158.90
whois
US PRIVATESYSTEMS 192.196.158.90 mailcious
188.225.225.70
whois
PS Coolnet New Communication Provider 188.225.225.70 mailcious
138.201.203.76
whois
DE Hetzner Online GmbH 138.201.203.76 mailcious
66.85.46.71
whois
US HOST4GEEKS-LLC 66.85.46.71 mailcious
172.104.152.37
whois
DE Linode, LLC 172.104.152.37 mailcious
74.220.219.123
whois
US UNIFIEDLAYER-AS-1 74.220.219.123 malware
192.185.16.103
whois
US UNIFIEDLAYER-AS-1 192.185.16.103 mailcious

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic

Similarity measure (PE file only) - Checking for service failure