popup

Report - Document 2519711.xls

VBA_macro MSOffice File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.06.17 12:05 Machine s1_win7_x6402
Filename Document 2519711.xls
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Titl
AI Score Not founds Behavior Score
7.2
ZERO API file : mailcious
VT API (file) 21 detected (malicious, high confidence, Valyria, GenericM, Eldorado, Ole2, druvzi, Static AI, Malicious OLE, ai score=80, Dridex, Probably Heur, W97Obfuscated, CLASSIC)
md5 c64202fc6e89fc1c49cde536894ed99d
sha256 1e993ef7ee5f21b9f815ebf853b0bd40d3328a1bd6d680ffc3ace55e4bf73a89
ssdeep 6144:wxEtjPOtioVjDGUU1qfDlavx+W2QnWxuX+Fayp3oITIvuTUFSW3EUvNx:wlFaMYITITIW06Nx
imphash
impfuzzy
  Network IP location

Signature (13cnts)

Level Description
danger The process excel.exe wrote an executable file to disk which it then attempted to execute
danger Office document performs HTTP request (possibly to download malware)
warning File has been identified by 21 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Creates suspicious VBA object
watch One or more non-whitelisted processes were created
notice A process attempted to delay the analysis task.
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
info Checks if process is being debugged by a debugger
info Queries for the computername

Rules (2cnts)

Level Name Description Collection
warning Contains_VBA_macro_code Detect a MS Office document with embedded VBA macro code [binaries] binaries (upload)
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)

Network (13cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://80.82.67.127/IE9CompatViewList.xml
whois
NL IP Volume inc 80.82.67.127 clean
https://dev1.whoatemylunch.org/wp-includes/js/tinymce/themes/inlite/hxXHK0N6.php
whois
US INMOTI-1 70.39.250.160 clean
es.e-m2.net
whois
FR WISTEE SAS 94.124.84.11 clean
dev1.whoatemylunch.org
whois
US INMOTI-1 70.39.250.160 clean
teste.sitiodoastronauta.com.br
whois
US DIGITALOCEAN-ASN 138.68.235.11 clean
fitzgeraldstreet.com
whois
US SAPIOTERRA 162.253.125.64 clean
adamjeecommodities.com
whois
SG AMAZON-02 18.136.132.202 clean
138.68.235.11
whois
US DIGITALOCEAN-ASN 138.68.235.11 clean
70.39.250.160
whois
US INMOTI-1 70.39.250.160 clean
162.253.125.64
whois
US SAPIOTERRA 162.253.125.64 mailcious
94.124.84.11
whois
FR WISTEE SAS 94.124.84.11 mailcious
80.82.67.127
whois
NL IP Volume inc 80.82.67.127 clean
18.136.132.202
whois
SG AMAZON-02 18.136.132.202 phishing

Suricata ids

ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

Similarity measure (PE file only) - Checking for service failure