popup

Report - Document 1659904.xls

VBA_macro MSOffice File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.06.15 10:51 Machine s1_win7_x6402
Filename Document 1659904.xls
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Titl
AI Score Not founds Behavior Score
3.8
ZERO API file : clean
VT API (file) 26 detected (malicious, moderate confidence, Valyria, Eldorado, Ole2, druvzi, Static AI, Malicious OLE, MRAGE, ai score=89, Dridex, score, Probably Heur, W97Obfuscated, CLASSIC)
md5 c03577c814275b568037f2eb9e0fc1e3
sha256 aed6dd175e4f02243c27abe3194567a72631310fc737e03bb2764eff3024f60c
ssdeep 24576:4iOvq0l6lWl5lhYJ+elPxB0jEVJvuiVA9UL0ns3+YN/7U:wzl6lWl5lhKhlPxmjyYibLXVzU
imphash
impfuzzy
  Network IP location

Signature (6cnts)

Level Description
danger Office document performs HTTP request (possibly to download malware)
warning File has been identified by 26 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Creates suspicious VBA object
notice Allocates read-write-execute memory (usually to unpack itself)
notice Performs some HTTP requests

Rules (2cnts)

Level Name Description Collection
warning Contains_VBA_macro_code Detect a MS Office document with embedded VBA macro code [binaries] binaries (upload)
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)

Network (23cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://exam.edumation.app/wp-content/themes/twentynineteen/sass/blocks/4bcHpcgYlJKPDXl.php
whois
US DIGITALOCEAN-ASN 134.209.3.189 clean
https://www.patie.com.br/posts/hPdcXy5hUEfG.php
whois
BR Locaweb Servicos de Internet S/A 191.252.105.201 clean
https://philips.dexsandbox.com/edm/images/eoDhbmkJ.php
whois
US MEDIATEMPLE 70.32.93.146 clean
invest.arabia-investment.com
whois
US UNIFIEDLAYER-AS-1 192.254.185.136 clean
exam.edumation.app
whois
US DIGITALOCEAN-ASN 134.209.3.189 clean
philips.dexsandbox.com
whois
US MEDIATEMPLE 70.32.93.146 clean
www.patie.com.br
whois
BR Locaweb Servicos de Internet S/A 191.252.105.201 clean
hellomeela.phptasks.com
whois
US IOFLOOD 104.255.220.56 clean
cek-api.match.my.id
whois
DE Contabo GmbH 144.91.85.140 clean
voixdescedres.com
whois
US SAPIOTERRA 162.253.125.64 clean
damta.mrboatstudio.com
whois
GB Wildcard UK Limited 31.22.4.136 clean
final.foodpoint.ma
whois
NL PCextreme B.V. 185.87.187.226 clean
new.ishr.co.in
whois
IN Netmagic Datacenter Mumbai 164.52.201.122 clean
104.255.220.56
whois
US IOFLOOD 104.255.220.56 mailcious
191.252.105.201
whois
BR Locaweb Servicos de Internet S/A 191.252.105.201 mailcious
31.22.4.136
whois
GB Wildcard UK Limited 31.22.4.136 clean
185.87.187.226
whois
NL PCextreme B.V. 185.87.187.226 mailcious
162.253.125.64
whois
US SAPIOTERRA 162.253.125.64 mailcious
192.254.185.136
whois
US UNIFIEDLAYER-AS-1 192.254.185.136 malware
70.32.93.146
whois
US MEDIATEMPLE 70.32.93.146 mailcious
164.52.201.122
whois
IN Netmagic Datacenter Mumbai 164.52.201.122 clean
134.209.3.189
whois
US DIGITALOCEAN-ASN 134.209.3.189 clean
144.91.85.140
whois
DE Contabo GmbH 144.91.85.140 clean

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure

Similarity measure (PE file only) - Checking for service failure