popup

Report - Document 81161221.xls

VBA_macro Generic Malware MSOffice File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.06.15 21:29 Machine s1_win7_x6402
Filename Document 81161221.xls
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Titl
AI Score Not founds Behavior Score
4.0
ZERO API file : clean
VT API (file) 30 detected (malicious, high confidence, Valyria, Eldorado, SLoad, Siggen3, OLE2, raxyq, Dridex, ai score=87, Probably Heur, W97Obfuscated, CLASSIC, Static AI, Suspicious OLE)
md5 d65c8d73d13ed5d4f2973631101c4b34
sha256 35f32786d4cef03729a8702bee05910c8cb7682cf6b2370f911d437ad0df1644
ssdeep 24576:TiOvq0l6lWl5lhYJ+elPxB0jE0JvoX92FR1TkNKbQ:tzl6lWl5lhKhlPxmjDmEmNKbQ
imphash
impfuzzy
  Network IP location

Signature (6cnts)

Level Description
danger File has been identified by 30 AntiVirus engines on VirusTotal as malicious
danger Office document performs HTTP request (possibly to download malware)
watch Communicates with host for which no DNS query was performed
watch Creates suspicious VBA object
notice Allocates read-write-execute memory (usually to unpack itself)
notice Performs some HTTP requests

Rules (3cnts)

Level Name Description Collection
warning Contains_VBA_macro_code Detect a MS Office document with embedded VBA macro code [binaries] binaries (upload)
warning Generic_Malware_Zero Generic Malware binaries (upload)
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)

Network (20cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://ptti.dexsandbox.com/wp-content/plugins/all-in-one-wp-migration-unlimited-extension/lib/controller/1I68ugOo4iMen.php
whois
US MEDIATEMPLE 70.32.93.146 clean
https://zankzakartigosesportivos.com.br/loja/wp-includes/SimplePie/Content/Type/3sLExhiYtVuTS.php
whois
BR Locaweb Servicos de Internet S/A 191.252.106.110 clean
indusautomobile.com
whois
SG AMAZON-02 18.136.132.202 clean
zankzakartigosesportivos.com.br
whois
BR Locaweb Servicos de Internet S/A 191.252.106.110 clean
ibnbatutta.pk
whois
SG AMAZON-02 18.136.132.202 clean
highend.pk
whois
SG AMAZON-02 18.136.132.202 clean
test.amarcampus24.com
whois
FI Hetzner Online GmbH 95.216.103.165 clean
mobile-landing.ishr.co.in
whois
IN Netmagic Datacenter Mumbai 164.52.201.122 clean
goodiesmariage.e-m2.net
whois
FR WISTEE SAS 94.124.84.11 clean
dev1.naturalgraphic.hu
whois
HU RendszerNET Kft. 87.229.72.45 clean
ptti.dexsandbox.com
whois
US MEDIATEMPLE 70.32.93.146 clean
event.cyberwoodz.site
whois
IN PUBLIC-DOMAIN-REGISTRY 119.18.54.94 clean
119.18.54.94
whois
IN PUBLIC-DOMAIN-REGISTRY 119.18.54.94 clean
95.216.103.165
whois
FI Hetzner Online GmbH 95.216.103.165 phishing
94.124.84.11
whois
FR WISTEE SAS 94.124.84.11 mailcious
70.32.93.146
whois
US MEDIATEMPLE 70.32.93.146 mailcious
164.52.201.122
whois
IN Netmagic Datacenter Mumbai 164.52.201.122 mailcious
191.252.106.110
whois
BR Locaweb Servicos de Internet S/A 191.252.106.110 mailcious
87.229.72.45
whois
HU RendszerNET Kft. 87.229.72.45 mailcious
18.136.132.202
whois
SG AMAZON-02 18.136.132.202 phishing

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic

Similarity measure (PE file only) - Checking for service failure