Report - GOP.dotm

Tags: VBA_macro, Antivirus
Created 2021.07.30 11:03 Machine s1_win7_x6401
Filename GOP.dotm
Type Microsoft Word 2007+
AI Score       Not found
Behavior Score 5.4
ZERO API (file)  malware
VT API (file)
md5 fb729836049f0bb0c5afffc34ada717a
sha256 40b332416564800ad5c8bf97cd0d99fac5dfa0cc94eef5f8fa66cb5063a2922d
ssdeep 384:3elHjL+EuCQNRcx5Mp8zFosVZMpcwTHnJrIqTuE5EoNVG6F7//o4MAw8Fe:ulHjMCucxZMpcsJs18ZN+Aw8E
imphash
impfuzzy

Signature (11 counts)

Level   Description
danger  Office document performs HTTP request (possibly to download malware)
watch   Communicates with host for which no DNS query was performed
watch   Creates suspicious VBA object
watch   The process winword.exe wrote an executable file to disk
notice  Allocates read-write-execute memory (usually to unpack itself)
notice  Creates (office) documents on the filesystem
notice  Creates hidden or system file
notice  HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice  Performs some HTTP requests
notice  Word document hooks document open
info    Office document has indirect calls

Rules (3 counts)

Level    Name                     Description                                                      Collection
warning  Contains_VBA_macro_code  Detect a MS Office document with embedded VBA macro code [binaries]  binaries (upload)
watch    Antivirus                Contains references to security software                         binaries (download)
info     test_office              test url                                                         scripts

Network (2 counts)

Request                        CC  ASN        IP4            Rule  ZERO
http://140.82.33.69/chim.exe   DE  AS-CHOOPA  140.82.33.69         malware
140.82.33.69                   DE  AS-CHOOPA  140.82.33.69         malware
