Report - AZ2066 Elektronische Zustellung.pdf.js

Created 2021.06.16 09:53 Machine s1_win7_x6402
Filename AZ2066 Elektronische Zustellung.pdf.js
Type ASCII text, with very long lines, with CRLF line terminators
AI Score Not found
Behavior Score 10.0
ZERO API file : clean
VT API (file) 26 detected (FDIG, Eldorado, 0NA103FF21, Malicious, score, iacgm, Outbreak, AgentSpy, Obfuse, ai score=81)
md5 1d82ffe508e8ba642b676645b2d99e79
sha256 f7d32dacc13c20947e1e30833c1b1492179fd101748dc1fedbeff40d766f53f7
ssdeep 384:ck69dCWcGthIyVMFDUBx4QlmosbVinii6b:dmNcGHIyVMFDYSQQooVinB6b
imphash
impfuzzy
  Network IP location

Signature (23cnts)

Level Description
danger The process wscript.exe wrote an executable file to disk which it then attempted to execute
warning File has been identified by 26 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Executes one or more WMI queries
watch Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe
watch One or more non-whitelisted processes were created
watch Wscript.exe initiated network communications indicative of a script based payload download
watch wscript.exe-based dropper (JScript)
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates a suspicious process
notice Executes one or more WMI queries which can be used to identify virtual machines
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Resolves a suspicious Top Level Domain (TLD)
notice Sends data using the HTTP POST Method
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info One or more processes crashed
info Queries for the computername

Rules (0cnts)

Level Name Description Collection

Network (8cnts)

Request CC ASN Co IP4 Rule ZERO
https://rootpass.top/update.php SG Alibaba (US) Technology Co., Ltd. 8.209.69.171 clean
https://api.ipify.org/ US AMAZON-AES 54.235.175.90 clean
rootpass.top SG Alibaba (US) Technology Co., Ltd. 8.209.69.171 clean
raw.githubusercontent.com US FASTLY 185.199.111.133 malware
api.ipify.org US AMAZON-AES 54.235.190.106 clean
8.209.69.171 SG Alibaba (US) Technology Co., Ltd. 8.209.69.171 clean
185.199.108.133 US FASTLY 185.199.108.133 malicious
54.235.175.90 US AMAZON-AES 54.235.175.90 clean

Suricata ids

Similarity measure (PE file only) - Checking for service failure