popup

Report - Document 70259454.xls

VBA_macro MSOffice File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.05.27 10:00 Machine s1_win7_x3201
Filename Document 70259454.xls
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title
AI Score Not founds Behavior Score
3.2
ZERO API file : mailcious
VT API (file) 20 detected (malicious, high confidence, ObfDldr, OLE2, Hunter, Dridex, ai score=81, Probably Heur, W97Obfuscated, ObfusVBA@ML, Static AI, Malicious OLE)
md5 fa58cb567a2ffeee77053fadf440a56f
sha256 0a4fd9a26a96d1a16fd1df17139e9acfbd4e8f82cd0b905e29a7662250e29812
ssdeep 12288:3sp46EAQ6zgUw2CgldPpxgr1KV7rJDYs4d4iW3jncHWSorVU3qhSFt:3zhAXwrg7PpxdJUspiWTcHYVUcmt
imphash
impfuzzy
  Network IP location

Signature (5cnts)

Level Description
danger Office document performs HTTP request (possibly to download malware)
warning File has been identified by 20 AntiVirus engines on VirusTotal as malicious
watch Creates suspicious VBA object
notice Allocates read-write-execute memory (usually to unpack itself)
notice Performs some HTTP requests

Rules (2cnts)

Level Name Description Collection
warning Contains_VBA_macro_code Detect a MS Office document with embedded VBA macro code [binaries] binaries (upload)
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)

Network (29cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
whois
Unknown 192.168.56.103 clean
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
whois
Unknown 192.168.56.103 clean
http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=0.0.0.0&asdelta=0.0.0.0&prod=925A3ACA-C353-458A-AC8D-A7E5EB378092
whois
US Akamai International B.V. 104.74.214.213 clean
ntf.gov.sb
whois
US UNIFIEDLAYER-AS-1 192.185.32.234 mailcious
labrie-sabette.com
whois
US ASACENET1 173.230.252.50 mailcious
alpax.elcanotradingcorp.com
whois
US UNIFIEDLAYER-AS-1 108.167.181.248 mailcious
www.akseral.com
whois
TR Fikri DAL 83.150.213.154 clean
marcoislandguidebook.com
whois
US UNIFIEDLAYER-AS-1 192.185.79.55 mailcious
houzzlink.com
whois
SG AS-26496-GO-DADDY-COM-LLC 148.66.138.194 mailcious
incoming.telemetry.mozilla.org
whois
US AMAZON-02 52.42.229.170 clean
definitionupdates.microsoft.com
whois
US AKAMAI-AS 23.40.44.112 clean
vitiligomatch.com
whois
US UNIFIEDLAYER-AS-1 192.185.16.122 mailcious
bycec.in
whois
US PUBLIC-DOMAIN-REGISTRY 208.91.198.106 mailcious
ppml.com.kh
whois
US SSASN2 209.188.15.214 mailcious
bellaloveboutique.com
whois
US AS-26496-GO-DADDY-COM-LLC 107.180.58.44 mailcious
www.microsoft.com
whois
US AKAMAI-AS 23.212.13.232 clean
192.185.16.122
whois
US UNIFIEDLAYER-AS-1 192.185.16.122 mailcious
192.185.32.234
whois
US UNIFIEDLAYER-AS-1 192.185.32.234 mailcious
108.167.181.248
whois
US UNIFIEDLAYER-AS-1 108.167.181.248 mailcious
23.40.44.112
whois
US AKAMAI-AS 23.40.44.112 clean
35.155.6.125
whois
US AMAZON-02 35.155.6.125 clean
107.180.58.44
whois
US AS-26496-GO-DADDY-COM-LLC 107.180.58.44 mailcious
148.66.138.194
whois
SG AS-26496-GO-DADDY-COM-LLC 148.66.138.194 malware
173.230.252.50
whois
US ASACENET1 173.230.252.50 mailcious
208.91.198.106
whois
US PUBLIC-DOMAIN-REGISTRY 208.91.198.106 malware
209.188.15.214
whois
US SSASN2 209.188.15.214 mailcious
192.185.79.55
whois
US UNIFIEDLAYER-AS-1 192.185.79.55 mailcious
23.212.13.232
whois
US AKAMAI-AS 23.212.13.232 clean
83.150.213.154
whois
TR Fikri DAL 83.150.213.154 mailcious

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic

Similarity measure (PE file only) - Checking for service failure