popup

Report - Document%2063653957.xls

VBA_macro MSOffice File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.06.22 09:17 Machine s1_win7_x6401
Filename Document%2063653957.xls
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Titl
AI Score Not founds Behavior Score
5.6
ZERO API file : clean
VT API (file) 24 detected (malicious, high confidence, Valyria, Eldorado, Shelod, Siggen3, OLE2, Dridex, ai score=87, Probably Heur, W97Obfuscated, CLASSIC, Static AI, Malicious OLE)
md5 dfb500a801d3cd450e7f54af9ccb8c4d
sha256 d4e71869ff0e236389f9b676931aefd5b898b466910c63f677df9d18d070103e
ssdeep 6144:NxEtjPOtioVjDGUU1qfDlavx+W2QnWxuXdRQyJuaTrJVB7HCwKi:5LyJucL7Bt
imphash
impfuzzy
  Network IP location

Signature (8cnts)

Level Description
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
danger Office document performs HTTP request (possibly to download malware)
warning File has been identified by 24 AntiVirus engines on VirusTotal as malicious
warning Generates some ICMP traffic
watch Creates suspicious VBA object
watch The process excel.exe wrote an executable file to disk
notice Allocates read-write-execute memory (usually to unpack itself)
notice Performs some HTTP requests

Rules (2cnts)

Level Name Description Collection
warning Contains_VBA_macro_code Detect a MS Office document with embedded VBA macro code [binaries] binaries (upload)
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)

Network (22cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://hartlepooltaxi.co.uk/TaxiShop/modules/coreupdater/views/js/bbKt3OpktVRAFni.php
whois
FR OVH SAS 149.202.90.163 clean
https://www.eloyfestas.com.br/posts/EwyU0Hv3aBAST.php
whois
BR Locaweb Servicos de Internet S/A 191.252.105.201 clean
https://www.vidroboxbirigui.com.br/posts/GqlwMINB3GC.php
whois
BR Locaweb Servicos de Internet S/A 191.252.105.201 clean
www.eloyfestas.com.br
whois
BR Locaweb Servicos de Internet S/A 191.252.105.201 clean
hartlepooltaxi.co.uk
whois
FR OVH SAS 149.202.90.163 clean
tricomenergy.com.pk
whois
SG AMAZON-02 18.136.132.202 clean
esteticacanina.gruporampant.com
whois
US UNIFIEDLAYER-AS-1 162.241.61.218 clean
galaxybrindes.com.br
whois
US DIMENOC 107.161.183.42 clean
games.mobileadsit.com
whois
US UNIFIEDLAYER-AS-1 162.241.87.244 clean
cryptoexpert.work
whois
ID Rumahweb Indonesia CV. 103.253.212.34 clean
kapraywala.ga
whois
US LIQUIDWEB 67.227.152.156 clean
yourcodeliberdade.com
whois
BR Universo Online S.A. 200.98.245.52 clean
www.vidroboxbirigui.com.br
whois
BR Locaweb Servicos de Internet S/A 191.252.105.201 clean
107.161.183.42
whois
US DIMENOC 107.161.183.42 mailcious
200.98.245.52
whois
BR Universo Online S.A. 200.98.245.52 mailcious
191.252.105.201
whois
BR Locaweb Servicos de Internet S/A 191.252.105.201 mailcious
149.202.90.163
whois
FR OVH SAS 149.202.90.163 clean
162.241.87.244
whois
US UNIFIEDLAYER-AS-1 162.241.87.244 clean
67.227.152.156
whois
US LIQUIDWEB 67.227.152.156 clean
162.241.61.218
whois
US UNIFIEDLAYER-AS-1 162.241.61.218 clean
103.253.212.34
whois
ID Rumahweb Indonesia CV. 103.253.212.34 clean
18.136.132.202
whois
SG AMAZON-02 18.136.132.202 phishing

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO DNS Query for Suspicious .ga Domain
ET INFO Suspicious Domain (*.ga) in TLS SNI
ET INFO Observed DNS Query to .work TLD

Similarity measure (PE file only) - Checking for service failure