popup

Report - loki.docx

RTF File doc
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.06.02 09:48 Machine s1_win7_x6402
Filename loki.docx
Type Microsoft Word 2007+
AI Score Not founds Behavior Score
3.6
ZERO API file : malware
VT API (file)
md5 b611e891cb9f097c7c357bb2c0e4ead3
sha256 c6354273980658e3a9973b5458893e925f8762b5b3b19a2b520d6ce005953d0b
ssdeep 96:kHcIMm57P6Jb73IdmGJa6T/n/jNT7aTZ4WSZny6+IwlLEl9V7JaqMxnIOU+txL/p:ScIMmtPs5G/bhaTOZu4R7JarU+3bTV
imphash
impfuzzy
  Network IP location

Signature (9cnts)

Level Description
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice An application raised an exception which may be indicative of an exploit crash
notice Connects to a Dynamic DNS Domain
notice Creates (office) documents on the filesystem
notice Creates hidden or system file
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
info One or more processes crashed

Rules (1cnts)

Level Name Description Collection
info Rich_Text_Format_Zero Rich Text Format Signature Zero binaries (download)

Network (8cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://gaag.ddns.net/imo/ana.exe
whois
US AS-COLOCROSSING 23.95.122.53 clean
http://bit.do/fQWAj
whois
US AMAZON-AES 54.83.52.76 clean
http://23.95.122.53/imo/l.dot
whois
US AS-COLOCROSSING 23.95.122.53 mailcious
http://bit.do/
whois
US AMAZON-AES 54.83.52.76 clean
bit.do
whois
US AMAZON-AES 54.83.52.76 mailcious
gaag.ddns.net
whois
US AS-COLOCROSSING 23.95.122.53 clean
23.95.122.53
whois
US AS-COLOCROSSING 23.95.122.53 mailcious
54.83.52.76
whois
US AMAZON-AES 54.83.52.76 suspicious

Suricata ids

ET INFO Possible RTF File With Obfuscated Version Header
ET POLICY DNS Query to DynDNS Domain *.ddns .net
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Similarity measure (PE file only) - Checking for service failure