popup

Report - Document%2076896654.xls

VBA_macro MSOffice File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.06.17 13:35 Machine s1_win7_x6402
Filename Document%2076896654.xls
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Titl
AI Score Not founds Behavior Score
5.8
ZERO API file : mailcious
VT API (file) 19 detected (malicious, high confidence, Valyria, Eldorado, Possible, OLEMAL, OLE2, Static AI, Malicious OLE, ai score=85, Dridex, Probably Heur, W97Obfuscated, ObfusVBA@ML)
md5 608d89a9afafdce353965d9ee16bd433
sha256 192c127cfb5e8ba572cda74b035db1b7cceaff14b218bac1dfd75f8e85fca5b5
ssdeep 6144:dxEtjPOtioVjDGUU1qfDlavx+W2QnWxuXksb4dlBTNMO57imHK002LR+:Jj2MzqsLQ
imphash
impfuzzy
  Network IP location

Signature (10cnts)

Level Description
danger The process excel.exe wrote an executable file to disk which it then attempted to execute
danger Office document performs HTTP request (possibly to download malware)
watch Communicates with host for which no DNS query was performed
watch Creates suspicious VBA object
watch File has been identified by 19 AntiVirus engines on VirusTotal as malicious
watch One or more non-whitelisted processes were created
notice Allocates read-write-execute memory (usually to unpack itself)
notice Performs some HTTP requests
info Checks amount of memory in system
info One or more processes crashed

Rules (2cnts)

Level Name Description Collection
warning Contains_VBA_macro_code Detect a MS Office document with embedded VBA macro code [binaries] binaries (upload)
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)

Network (22cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://arteecaligrafia.com.br/imagens/fotos/thumbs/MupJ4cZzxoElmn.php
whois
BR Locaweb Servicos de Internet S/A 191.252.138.153 clean
https://sierraimoveis.com.br/manager/bower_components/bootstrap/less/mixins/BpZbPd8mY0.php
whois
BR Locaweb Servicos de Internet S/A 191.252.106.110 clean
https://blog.bitz.pe/wp-content/plugins/wpforms-lite/vendor/goodby/csv/src/Goodby/CSV/Import/Protocol/Exception/M7yde0cw.php
whois
US IS-AS-1 69.10.44.242 clean
limarija-das.hr
whois
HR Avalon d.o.o. 185.58.73.16 clean
ahdmsport.com
whois
US H4Y-TECHNOLOGIES 104.255.169.179 clean
courieradmin.phebsoft-team.com
whois
DE Contabo GmbH 144.91.77.124 clean
fitzgeraldstreet.com
whois
US SAPIOTERRA 162.253.125.64 clean
steijnborg.mobilitum.com
whois
FR OVH SAS 51.68.175.88 clean
blog.bitz.pe
whois
US IS-AS-1 69.10.44.242 clean
arteecaligrafia.com.br
whois
BR Locaweb Servicos de Internet S/A 191.252.138.153 clean
sierraimoveis.com.br
whois
BR Locaweb Servicos de Internet S/A 191.252.106.110 clean
adamjeecommodities.com
whois
SG AMAZON-02 18.136.132.202 clean
tricommanagement.org
whois
SG AMAZON-02 18.136.132.202 clean
144.91.77.124
whois
DE Contabo GmbH 144.91.77.124 clean
185.58.73.16
whois
HR Avalon d.o.o. 185.58.73.16 mailcious
104.255.169.179
whois
US H4Y-TECHNOLOGIES 104.255.169.179 mailcious
191.252.138.153
whois
BR Locaweb Servicos de Internet S/A 191.252.138.153 mailcious
162.253.125.64
whois
US SAPIOTERRA 162.253.125.64 mailcious
69.10.44.242
whois
US IS-AS-1 69.10.44.242 clean
191.252.106.110
whois
BR Locaweb Servicos de Internet S/A 191.252.106.110 mailcious
51.68.175.88
whois
FR OVH SAS 51.68.175.88 clean
18.136.132.202
whois
SG AMAZON-02 18.136.132.202 phishing

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic

Similarity measure (PE file only) - Checking for service failure