popup

Report - Receipt-224499.xls

VBA_macro MSOffice File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.07.15 10:24 Machine s1_win7_x6402
Filename Receipt-224499.xls
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title
AI Score Not founds Behavior Score
2.4
ZERO API file : clean
VT API (file) 20 detected (malicious, high confidence, Dridex, MSHTA, Ole2, druvzi, Static AI, Suspicious OLE, Wacatac, ai score=81)
md5 f796ead669bf3d7e056f0b42709f3ad3
sha256 6b6e61d4281001c9c434d05320145cfe6bc47875984d9b2aef80170a5583ce9b
ssdeep 12288:mRYbXrlUc6XS/CwRl+4MW1H5onZHBDznxcp/c0UGtkbByxlFYd2DrpX:RUc6EjDMW1UrDjxcNcfgZI2
imphash
impfuzzy
  Network IP location

Signature (5cnts)

Level Description
warning File has been identified by 20 AntiVirus engines on VirusTotal as malicious
watch One or more non-whitelisted processes were created
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates a suspicious process
info Checks amount of memory in system

Rules (2cnts)

Level Name Description Collection
warning Contains_VBA_macro_code Detect a MS Office document with embedded VBA macro code [binaries] binaries (upload)
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)

Network (20cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://onlinefastsolutions.com:8088/scripts/file2.bin
whois
US CLEAR-RATE-COMMUNICATIONS 208.83.69.35 clean
http://insiderushings.com:8088/images/file2.bin
whois
SG DIGITALOCEAN-ASN 128.199.243.169 clean
http://buyer-remindment.com:8088/fonts/details.bin
whois
US CLEAR-RATE-COMMUNICATIONS 208.83.69.35 clean
http://paymentadvisry.com:8088/templates/details.bin
whois
SG DIGITALOCEAN-ASN 128.199.243.169 clean
http://buyer-remindment.com:8088/css/file13.bin
whois
US CLEAR-RATE-COMMUNICATIONS 208.83.69.35 clean
http://insiderushings.com:8088/vendors/file8.bin
whois
SG DIGITALOCEAN-ASN 128.199.243.169 clean
http://fasteasyupdates.com:8088/wp-theme/file12.bin
whois
NL Online S.a.s. 163.172.213.69 clean
http://jeromfastsolutions.com:8088/bundle/file12.bin
whois
SG DIGITALOCEAN-ASN 128.199.243.169 clean
http://webservicesamazin.com:8088/wp-theme/file9.bin
whois
NL Online S.a.s. 163.172.213.69 clean
http://buyer-remindment.com:8088/templates/file3.bin
whois
SG DIGITALOCEAN-ASN 128.199.243.169 clean
webservicesamazin.com
whois
US CLEAR-RATE-COMMUNICATIONS 208.83.69.35 clean
fasteasyupdates.com
whois
NL Online S.a.s. 163.172.213.69 clean
onlinefastsolutions.com
whois
NL Online S.a.s. 163.172.213.69 clean
jeromfastsolutions.com
whois
SG DIGITALOCEAN-ASN 128.199.243.169 clean
paymentadvisry.com
whois
US CLEAR-RATE-COMMUNICATIONS 208.83.69.35 clean
insiderushings.com
whois
NL Online S.a.s. 163.172.213.69 clean
buyer-remindment.com
whois
US CLEAR-RATE-COMMUNICATIONS 208.83.69.35 clean
128.199.243.169
whois
SG DIGITALOCEAN-ASN 128.199.243.169 clean
208.83.69.35
whois
US CLEAR-RATE-COMMUNICATIONS 208.83.69.35 clean
163.172.213.69
whois
NL Online S.a.s. 163.172.213.69 clean

Suricata ids


Similarity measure (PE file only) - Checking for service failure