Field | Value |
---|---|
Created | 2021.06.16 10:07 |
Machine | s1_win7_x6401 |
Filename | document-37-1849.xls |
Type | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Autho |
AI Score | Not found |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 30 detected (TSOT, a variant of VBA, 0NA103F221, Malicious, score, GenericKD, Malware@#rco8ck87qdse, Encdoc, ynuil, ai score=85, EncBook) |
md5 | c41a21a821bcdea1d3ab26ebef055eed |
sha256 | d1d0ac76e59b9e2a8ae3a433e0186d74fc61417c89fe5ee4b93c02faa1dc58f8 |
ssdeep | 3072:Ghtf+HhTi14PyY63IbwFHKzke41kwph4FW20vKaCLyPKlogs9FlNrk5aWADzS1+5:GzW5i146r3tqwN1fzK8vLC2PKlhwFlNl |
imphash | |
impfuzzy | |
Network IP location
Signature (12cnts)
Level | Description |
---|---|
danger | The process excel.exe wrote an executable file to disk which it then attempted to execute |
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | File has been identified by 30 AntiVirus engines on VirusTotal as malicious |
watch | A command shell or script process was created by an unexpected parent process |
watch | Network communications indicative of a potential document or script payload download was initiated by the process excel.exe |
watch | One or more non-whitelisted processes were created |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Uses Windows utilities for basic Windows functionality |
info | Command line console output was observed |
Rules (1cnts)
Level | Name | Description | Collection |
---|---|---|---|
info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (upload) |