popup

Report - Document%20777622.xls

VBA_macro MSOffice File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.05.27 09:18 Machine s1_win7_x6401
Filename Document%20777622.xls
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title
AI Score Not founds Behavior Score
2.8
ZERO API file : clean
VT API (file) 20 detected (Save, Obfuscated, a variant of VBA, Valyria, Ole2, druvzi, Sabsik, ai score=88, Probably Heur, W97Obfuscated, CLASSIC, Static AI, Malicious OLE)
md5 a7b63000938bbeb31722acac4a96b004
sha256 eb9509c453a808694eb50c18101558f492f16e6fdb3f349686da3d7c627311c9
ssdeep 6144:Ik3hOdsylKlgryzc4bNhZF+E+W2knAh4s3eZCoebhQ:qelii
imphash
impfuzzy
  Network IP location

Signature (4cnts)

Level Description
danger Office document performs HTTP request (possibly to download malware)
warning File has been identified by 20 AntiVirus engines on VirusTotal as malicious
watch Creates suspicious VBA object
notice Allocates read-write-execute memory (usually to unpack itself)

Rules (2cnts)

Level Name Description Collection
warning Contains_VBA_macro_code Detect a MS Office document with embedded VBA macro code [binaries] binaries (upload)
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)

Network (19cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
supereclinica.com.br
whois
US UNIFIEDLAYER-AS-1 162.241.203.185 mailcious
donboscoschoolbd.com
whois
DE Hetzner Online GmbH 138.201.27.66 mailcious
proterra.med.br
whois
US UNIFIEDLAYER-AS-1 192.185.217.211 mailcious
smtp.computeraccess.co.in
whois
US UNIFIEDLAYER-AS-1 192.185.154.138 mailcious
coeniglich.de
whois
DE Linode, LLC 172.104.152.37 mailcious
clinicasaludmasculina.com
whois
US UNIFIEDLAYER-AS-1 192.185.131.33 mailcious
bonsventosnautica.com.br
whois
US UNIFIEDLAYER-AS-1 162.241.203.116 mailcious
agentsv2.ivm.mv
whois
US UNIFIEDLAYER-AS-1 192.185.36.231 mailcious
www.ktateeb.vision-building.com
whois
Unknown clean
bypuzzle.com.br
whois
US UNIFIEDLAYER-AS-1 192.185.215.103 mailcious
192.185.131.33
whois
US UNIFIEDLAYER-AS-1 192.185.131.33 malware
192.185.217.211
whois
US UNIFIEDLAYER-AS-1 192.185.217.211 mailcious
138.201.27.66
whois
DE Hetzner Online GmbH 138.201.27.66 mailcious
192.185.36.231
whois
US UNIFIEDLAYER-AS-1 192.185.36.231 mailcious
162.241.203.185
whois
US UNIFIEDLAYER-AS-1 162.241.203.185 malware
192.185.215.103
whois
US UNIFIEDLAYER-AS-1 192.185.215.103 mailcious
162.241.203.116
whois
US UNIFIEDLAYER-AS-1 162.241.203.116 mailcious
192.185.154.138
whois
US UNIFIEDLAYER-AS-1 192.185.154.138 mailcious
172.104.152.37
whois
DE Linode, LLC 172.104.152.37 mailcious

Suricata ids

ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic

Similarity measure (PE file only) - Checking for service failure