popup

Report - Document%20185781.xls

VBA_macro MSOffice File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.06.17 13:42 Machine s1_win7_x6402
Filename Document%20185781.xls
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Titl
AI Score Not founds Behavior Score
5.8
ZERO API file : mailcious
VT API (file) 18 detected (malicious, high confidence, Valyria, Eldorado, Possible, OLEMAL, ai score=88, Dridex, Probably Heur, W97Obfuscated, ObfusVBA@ML, Static AI, Malicious OLE)
md5 aae5b4c8eb3968b6bf06074865070a4e
sha256 5e138035c574034de0be2d3ae24bab8763fb918b3d0891311446b29663568534
ssdeep 6144:6xEtjPOtioVjDGUU1qfDlavx+W2QnWxuX3NZi305tYiItmzwy2ymP4P:WYZnMiemMzymP4P
imphash
impfuzzy
  Network IP location

Signature (10cnts)

Level Description
danger The process excel.exe wrote an executable file to disk which it then attempted to execute
danger Office document performs HTTP request (possibly to download malware)
watch Communicates with host for which no DNS query was performed
watch Creates suspicious VBA object
watch File has been identified by 18 AntiVirus engines on VirusTotal as malicious
watch One or more non-whitelisted processes were created
notice Allocates read-write-execute memory (usually to unpack itself)
notice Performs some HTTP requests
info Checks amount of memory in system
info One or more processes crashed

Rules (2cnts)

Level Name Description Collection
warning Contains_VBA_macro_code Detect a MS Office document with embedded VBA macro code [binaries] binaries (upload)
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)

Network (22cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://dev1.whoatemylunch.org/wp-includes/js/tinymce/themes/inlite/hxXHK0N6.php
whois
US INMOTI-1 70.39.250.160 clean
https://steriglass.stigmatinesafrica.org/wp-includes/sodium_compat/namespaced/Core/ChaCha20/KITDlCQHVyI.php
whois
ZA Afrihost 154.0.164.210 clean
secaudit.e-m2.net
whois
FR WISTEE SAS 94.124.84.11 clean
steijnborg.mobilitum.com
whois
FR OVH SAS 51.68.175.88 clean
fitzgeraldstreet.com
whois
US SAPIOTERRA 162.253.125.64 clean
courieradmin.phebsoft-team.com
whois
DE Contabo GmbH 144.91.77.124 clean
steriglass.stigmatinesafrica.org
whois
ZA Afrihost 154.0.164.210 clean
dev1.whoatemylunch.org
whois
US INMOTI-1 70.39.250.160 clean
teste.sitiodoastronauta.com.br
whois
US DIGITALOCEAN-ASN 138.68.235.11 clean
ahdmsport.com
whois
US H4Y-TECHNOLOGIES 104.255.169.179 clean
adamjeecommodities.com
whois
SG AMAZON-02 18.136.132.202 clean
speechelo-online.com
whois
DE Hetzner Online GmbH 88.99.209.173 clean
88.99.209.173
whois
DE Hetzner Online GmbH 88.99.209.173 clean
144.91.77.124
whois
DE Contabo GmbH 144.91.77.124 clean
154.0.164.210
whois
ZA Afrihost 154.0.164.210 clean
138.68.235.11
whois
US DIGITALOCEAN-ASN 138.68.235.11 clean
70.39.250.160
whois
US INMOTI-1 70.39.250.160 clean
104.255.169.179
whois
US H4Y-TECHNOLOGIES 104.255.169.179 mailcious
162.253.125.64
whois
US SAPIOTERRA 162.253.125.64 mailcious
94.124.84.11
whois
FR WISTEE SAS 94.124.84.11 mailcious
51.68.175.88
whois
FR OVH SAS 51.68.175.88 clean
18.136.132.202
whois
SG AMAZON-02 18.136.132.202 phishing

Suricata ids

ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic

Similarity measure (PE file only) - Checking for service failure