Report - Invoice_55485812.xls

VBA_macro MSOffice File

ScreenShot

Info
Location map


Created	2021.07.22 10:26	Machine	s1_win7_x6402
Filename	Invoice_55485812.xls
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title
AI Score	Not founds	Behavior Score	2.2
ZERO API	file : mailcious
VT API (file)	18 detected (malicious, high confidence, Dridex, CVE-2017-8570, Ole2, druvzi, ai score=83, Probably Heur, W97ShellB, obfuscated)
md5	c77cd6616dedbf3669345842f7231830
sha256	f4643ab52e51d05bce715ec6d0baae09ef15763318928c1ed8d3c24b72df3602
ssdeep	12288:mGDH3roxGMC/mc4bl3q5uaFsvCgdz2l5MjavMmIf+Y6b:mGDXEUH/4EnsvJZ2lKjavMm/Y6
imphash
impfuzzy

Network IP location

Signature (5cnts)

Level	Description
watch	File has been identified by 18 AntiVirus engines on VirusTotal as malicious
watch	One or more non-whitelisted processes were created
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Creates a suspicious process
info	Checks amount of memory in system

Rules (2cnts)

Level	Name	Description	Collection
warning	Contains_VBA_macro_code	Detect a MS Office document with embedded VBA macro code [binaries]	binaries (upload)
info	Microsoft_Office_File_Zero	Microsoft Office File	binaries (upload)

Network (17cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?
http://properlysolutionsco.com:8088/app/xDG6fC.png whois		CLEAR-RATE-COMMUNICATIONS	208.83.69.35		clean
http://taskremindment.com:8088/img/b486Pv.png whois		CLEAR-RATE-COMMUNICATIONS	208.83.69.35		clean
http://waunake.com:8088/css/EOIxmku.png whois		DIGITALOCEAN-ASN	128.199.243.169		clean
http://paymetconfirm.com:8088/wp-theme/oQE8Qo7.png whois		CLEAR-RATE-COMMUNICATIONS	208.83.69.35		clean
http://paymetconfirm.com:8088/tpls/OcXP6U.png whois		CLEAR-RATE-COMMUNICATIONS	208.83.69.35		clean
http://paymetconfirm.com:8088/app/SGSRZF.png whois		CLEAR-RATE-COMMUNICATIONS	208.83.69.35		clean
http://waunake.com:8088/js/xpt9.png whois		DIGITALOCEAN-ASN	128.199.243.169		clean
http://paymetconfirm.com:8088/wp-content/FICvR.png whois		CLEAR-RATE-COMMUNICATIONS	208.83.69.35		clean
http://payreminament.com:8088/templates/oQE8Qo7.png whois		DIGITALOCEAN-ASN	128.199.243.169		clean
http://payreminament.com:8088/wp-theme/EOIxmku.png whois		CLEAR-RATE-COMMUNICATIONS	208.83.69.35		clean
waunake.com whois		CLEAR-RATE-COMMUNICATIONS	208.83.69.35		clean
properlysolutionsco.com whois		DIGITALOCEAN-ASN	128.199.243.169		mailcious
payreminament.com whois		DIGITALOCEAN-ASN	128.199.243.169		malware
paymetconfirm.com whois		DIGITALOCEAN-ASN	128.199.243.169		mailcious
taskremindment.com whois		DIGITALOCEAN-ASN	128.199.243.169		malware
128.199.243.169 whois		DIGITALOCEAN-ASN	128.199.243.169		malware
208.83.69.35 whois		CLEAR-RATE-COMMUNICATIONS	208.83.69.35		malware

Suricata ids

Similarity measure (PE file only) - Checking for service failure