popup

Report - Inv%2004256248.xls

VBA_macro MSOffice File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.06.03 20:55 Machine s1_win7_x6401
Filename Inv%2004256248.xls
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title
AI Score Not founds Behavior Score
3.2
ZERO API file : clean
VT API (file) 21 detected (malicious, high confidence, Valyria, Eldorado, ObfusVBA@ML, OLE2, Static AI, Suspicious OLE, Sadoca, ai score=87, Probably Heur, W97Obfuscated)
md5 10a6370bb359ff9f3a595c3ad389222c
sha256 d605724b31d8627ffbf203ec7d917cb70019e6c95d0c501a7136f7e2b72b79bb
ssdeep 12288:HspCOElpb+2pUpkNXu5d3QB2RNv+ot0N8Mx6jKe3bhjWWiMLRwD:H5pjNQxE2RNvBt0N8fjKe4WikU
imphash
impfuzzy
  Network IP location

Signature (5cnts)

Level Description
danger Office document performs HTTP request (possibly to download malware)
warning File has been identified by 21 AntiVirus engines on VirusTotal as malicious
watch Creates suspicious VBA object
notice Allocates read-write-execute memory (usually to unpack itself)
notice Performs some HTTP requests

Rules (2cnts)

Level Name Description Collection
warning Contains_VBA_macro_code Detect a MS Office document with embedded VBA macro code [binaries] binaries (upload)
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)

Network (22cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://menuiserie-lemoine.bzh/wp-content/themes/twentynineteen/template-parts/content/x0XxEHWGdeyPBEj.php
whois
FR OVH SAS 188.165.53.185 mailcious
https://tineo.gal/wp-content/plugins/wordpress-seo/vendor/composer/installers/tests/Composer/Installers/lSNBjeKdHn.php
whois
ES DinaHosting S.L. 82.98.169.3 mailcious
kweraltd.com
whois
CA OVH SAS 54.39.133.15 mailcious
ootashop.com
whois
US NAMECHEAP-NET 199.188.205.57 mailcious
labrie-sabette.com
whois
US ASACENET1 173.230.252.50 mailcious
thelottery.io
whois
US DIGITALOCEAN-ASN 138.68.242.172 mailcious
menuiserie-lemoine.bzh
whois
FR OVH SAS 188.165.53.185 mailcious
shantijoseph.com
whois
GB Paragon Internet Group Limited 87.247.240.31 mailcious
vitiligomatch.com
whois
US UNIFIEDLAYER-AS-1 192.185.16.122 mailcious
srivinaysalian.com
whois
US None 216.37.42.46 mailcious
abidshakir.co.uk
whois
DE Contabo GmbH 62.171.164.209 mailcious
tineo.gal
whois
ES DinaHosting S.L. 82.98.169.3 mailcious
192.185.16.122
whois
US UNIFIEDLAYER-AS-1 192.185.16.122 mailcious
188.165.53.185
whois
FR OVH SAS 188.165.53.185 mailcious
216.37.42.46
whois
US None 216.37.42.46 mailcious
82.98.169.3
whois
ES DinaHosting S.L. 82.98.169.3 mailcious
87.247.240.31
whois
GB Paragon Internet Group Limited 87.247.240.31 mailcious
54.39.133.15
whois
CA OVH SAS 54.39.133.15 mailcious
138.68.242.172
whois
US DIGITALOCEAN-ASN 138.68.242.172 mailcious
173.230.252.50
whois
US ASACENET1 173.230.252.50 mailcious
199.188.205.57
whois
US NAMECHEAP-NET 199.188.205.57 mailcious
62.171.164.209
whois
DE Contabo GmbH 62.171.164.209 mailcious

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic

Similarity measure (PE file only) - Checking for service failure