Report - Inv 272590.doc

VBA_macro MSOffice File
Created 2021.06.02 14:23 Machine s1_win7_x6401
Filename Inv 272590.doc
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Auth
AI Score Not found
Behavior Score 9.2
ZERO API file : clean
VT API (file) 23 detected (malicious, high confidence, score, Valyria, OLE2, MRAGE, Dridex, ai score=87, Probably Heur, W97Obfuscated, ObfusVBA@ML, Static AI, Malicious OLE)
md5 8566c9b1e8b18b0f23cf21ca5f2d5daf
sha256 203d96d270e71e85cb48f51c91897d30193d65680aa8da0c3fa1547db0eaa615
ssdeep 12288:oBbfJoh59mnEXCjgoZGk+8meFn9wQz33j1JoX4WFM4BvbqmXE2BJqxKzZWSLo4:Ob+hDmgCjglKmeFnGO3j1Ja4qbquZvFT
imphash
impfuzzy

Signature (18cnts)

Level Description
danger The process winword.exe wrote an executable file to disk which it then attempted to execute
danger Office document performs HTTP request (possibly to download malware)
warning File has been identified by 23 AntiVirus engines on VirusTotal as malicious
warning Uses WMI to create a new process
watch Creates suspicious VBA object
watch Libraries known to be associated with a CVE were requested (may be False Positive)
watch One or more non-whitelisted processes were created
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates (office) documents on the filesystem
notice Creates a suspicious process
notice Creates hidden or system file
notice Performs some HTTP requests
notice Uses Windows utilities for basic Windows functionality
notice Word document hooks document open
info Checks if process is being debugged by a debugger
info Command line console output was observed
info One or more processes crashed
info Queries for the computername

Rules (2cnts)

Level Name Description Collection
warning Contains_VBA_macro_code Detect a MS Office document with embedded VBA macro code [binaries] binaries (upload)
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)

Network (19cnts)

Request CC ASN Co IP4 Rule ZERO
https://brasilvioleiro.com.br/wp-content/cache/object/e3c/9ab/rSpBh8UHQx8r.php US CLOUDFLARENET 172.67.210.41 clean
brandvoxtech.com US UNIFIEDLAYER-AS-1 162.241.123.29 clean
brasilvioleiro.com.br US CLOUDFLARENET 104.21.23.96 clean
pillsdaddy.com US NAMECHEAP-NET 198.54.115.156 clean
tkswift.com US SSASN2 108.170.13.242 clean
rockconsultllc.com US UNIFIEDLAYER-AS-1 162.241.244.67 malicious
resaltodigital.com US Host Europe GmbH 160.153.133.162 clean
indiaudyogmart.com DE Contabo GmbH 167.86.75.162 clean
stskleen.com.au US AS-26496-GO-DADDY-COM-LLC 198.71.233.109 clean
reachmedical.in US UNIFIEDLAYER-AS-1 142.4.29.146 clean
167.86.75.162 DE Contabo GmbH 167.86.75.162 clean
160.153.133.162 US Host Europe GmbH 160.153.133.162 clean
198.54.115.156 US NAMECHEAP-NET 198.54.115.156 malware
108.170.13.242 US SSASN2 108.170.13.242 clean
172.67.210.41 US CLOUDFLARENET 172.67.210.41 clean
162.241.244.67 US UNIFIEDLAYER-AS-1 162.241.244.67 malicious
162.241.123.29 US UNIFIEDLAYER-AS-1 162.241.123.29 malicious
198.71.233.109 US AS-26496-GO-DADDY-COM-LLC 198.71.233.109 malware
142.4.29.146 US UNIFIEDLAYER-AS-1 142.4.29.146 clean

Suricata ids