Report - ZeroBOX

ScreenShot

Info
Location map


Created	2021.06.25 09:39	Machine	s1_win7_x6401
Filename	PO%2093951170.xls
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title
AI Score	Not founds	Behavior Score	3.2
ZERO API	file : clean
VT API (file)	23 detected (malicious, high confidence, score, Valyria, Eldorado, OLE2, MRAGH, Dridex, ai score=86, Probably Heur, W97Obfuscated, Static AI, Malicious OLE)
md5	f32e26c6ae13dac45097c72b8c8249f5
sha256	190045bc473705e57a09727730e1d7f0d7a789980f1eb0de77e230248c54cb1a
ssdeep	6144:ok3hOdsylKlgryzc4bNhZF+E+W2knA8ucesPg2uY/T5Y9e8l9B00fWoLsR3NnBEp:uc/T5YYU/vW6s9xB/5EE6meNGovxn
imphash
impfuzzy

Network IP location

Signature (5cnts)

Level	Description
danger	Office document performs HTTP request (possibly to download malware)
warning	File has been identified by 23 AntiVirus engines on VirusTotal as malicious
watch	Creates suspicious VBA object
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Performs some HTTP requests

Rules (2cnts)

Level	Name	Description	Collection
warning	Contains_VBA_macro_code	Detect a MS Office document with embedded VBA macro code [binaries]	binaries (upload)
info	Microsoft_Office_File_Zero	Microsoft Office File	binaries (upload)

Network (24cnts) ?

Request	ASN Co	IP4	Rule ?	ZERO ?
https://afemnor.es/wp-content/themes/dt-the7/inc/mods/compatibility/elementor/pro/modules/query-contol/FHo2N5GW1hAjyYV.php whois	AMAZON-02	52.47.49.164		mailcious
https://gettingreadytolearn.co.uk/portal/wall/posts/157/thumbs/BeAsmBuB.php whois	Iomart Cloud Services Limited	109.169.78.226	1594	mailcious
https://661partyrentals.com/wp-content/plugins/ultimate-member/templates/email/UhUsapvuN2huM.php whois	BIZLAND-SD	66.96.147.106		mailcious
https://landingpages.pontodata.com.br/wp-content/plugins/duracelltomi-google-tag-manager/integration/whichbrowser/src/Analyser/Header/Useragent/Device/NPIMchMQuv.php whois	HVC-AS	104.156.57.250		mailcious
kriegeradvogados.com.br whois	DIMENOC	187.45.181.35		mailcious
decontaminationcovid19.com whois	GTCOMM	72.10.162.214		mailcious
ottomanbilisim.com whois	Aysima Bilisim Teknolojileri Erhan Mahmut	185.179.27.103		mailcious
afemnor.es whois	AMAZON-02	52.47.49.164		mailcious
firstcanadianmedical.ca whois	COGECO-PEER1	69.90.221.129		mailcious
app6.salesdatagenerator.com whois	UNIFIEDLAYER-AS-1	162.241.155.78		mailcious
www.carnivalspadubai.com whois	AS-26496-GO-DADDY-COM-LLC	166.62.25.253		clean
661partyrentals.com whois	BIZLAND-SD	66.96.147.106		mailcious
gettingreadytolearn.co.uk whois	Iomart Cloud Services Limited	109.169.78.226		mailcious
landingpages.pontodata.com.br whois	HVC-AS	104.156.57.250		mailcious
162.241.155.78 whois	UNIFIEDLAYER-AS-1	162.241.155.78		mailcious
72.10.162.214 whois	GTCOMM	72.10.162.214		mailcious
66.96.147.106 whois	BIZLAND-SD	66.96.147.106		mailcious
69.90.221.129 whois	COGECO-PEER1	69.90.221.129		clean
185.179.27.103 whois	Aysima Bilisim Teknolojileri Erhan Mahmut	185.179.27.103		mailcious
187.45.181.35 whois	DIMENOC	187.45.181.35		mailcious
104.156.57.250 whois	HVC-AS	104.156.57.250		mailcious
52.47.49.164 whois	AMAZON-02	52.47.49.164		mailcious
109.169.78.226 whois	Iomart Cloud Services Limited	109.169.78.226		mailcious
166.62.25.253 whois	AS-26496-GO-DADDY-COM-LLC	166.62.25.253		clean

Report - PO%2093951170.xls

Signature (5cnts)

Rules (2cnts)

Network (24cnts) ?

Suricata ids

Similarity measure (PE file only) - Checking for service failure