popup

Report - Document%20896885.doc

VBA_macro Generic Malware Malicious Packer MSOffice File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.07.31 14:07 Machine s1_win7_x6402
Filename Document%20896885.doc
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Auth
AI Score Not founds Behavior Score
2.8
ZERO API file : mailcious
VT API (file) 24 detected (malicious, high confidence, Valyria, Eldorado, OLE2, ai score=82, Dridex, Probably Heur, W97Obfuscated, Static AI, Malicious OLE, qexvmc)
md5 3f89ed9e9e4be551f2d13b16287248c0
sha256 7dd7fcb839e3d18745b8dfd20dc6ef4f0fd6bad46597b10ec7649a2f7f364d0a
ssdeep 12288:zBbfJoh59mnEXCjgoVGk+8meFn9wLW+KVthQt12WbwNrlgUDJfKDSwRZUIQv:Fb+hDmgCjgZKmeFnGUvQt1VwNB3lfLw+
imphash
impfuzzy
  Network IP location

Signature (6cnts)

Level Description
warning File has been identified by 24 AntiVirus engines on VirusTotal as malicious
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates (office) documents on the filesystem
notice Creates hidden or system file
notice Performs some HTTP requests
notice Word document hooks document open

Rules (4cnts)

Level Name Description Collection
warning Contains_VBA_macro_code Detect a MS Office document with embedded VBA macro code [binaries] binaries (upload)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)

Network (22cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://zotno.xyz/wp-content/themes/storefront/e2e/specs/kCKt578W.php
whois
US CLOUDFLARENET 104.21.52.244 mailcious
https://brasilvioleiro.com.br/wp-content/cache/object/e3c/9ab/rSpBh8UHQx8r.php
whois
US CLOUDFLARENET 104.21.23.96 1732 mailcious
mirrorlakedrugs.com
whois
US UNIFIEDLAYER-AS-1 192.185.110.230 mailcious
highpointroofers.com
whois
US AS-26496-GO-DADDY-COM-LLC 107.180.29.18 mailcious
ukcorporatetransfer.com
whois
US Host Europe GmbH 160.153.208.149 clean
thegoldprocess.com
whois
US AS-26496-GO-DADDY-COM-LLC 198.12.234.210 clean
brasilvioleiro.com.br
whois
US CLOUDFLARENET 104.21.23.96 mailcious
test.podcastbites.io
whois
US UNIFIEDLAYER-AS-1 162.241.218.172 mailcious
breadxfish.com
whois
US AS-26496-GO-DADDY-COM-LLC 208.109.41.227 clean
zotno.xyz
whois
US CLOUDFLARENET 172.67.205.213 mailcious
reachmedical.in
whois
US UNIFIEDLAYER-AS-1 142.4.29.146 mailcious
www.thewordmarvel.com
whois
SG DIGITALOCEAN-ASN 159.89.200.161 clean
159.89.200.161
whois
SG DIGITALOCEAN-ASN 159.89.200.161 mailcious
198.12.234.210
whois
US AS-26496-GO-DADDY-COM-LLC 198.12.234.210 clean
208.109.41.227
whois
US AS-26496-GO-DADDY-COM-LLC 208.109.41.227 clean
107.180.29.18
whois
US AS-26496-GO-DADDY-COM-LLC 107.180.29.18 mailcious
104.21.52.244
whois
US CLOUDFLARENET 104.21.52.244 clean
162.241.218.172
whois
US UNIFIEDLAYER-AS-1 162.241.218.172 phishing
104.21.23.96
whois
US CLOUDFLARENET 104.21.23.96 clean
192.185.110.230
whois
US UNIFIEDLAYER-AS-1 192.185.110.230 mailcious
160.153.208.149
whois
US Host Europe GmbH 160.153.208.149 clean
142.4.29.146
whois
US UNIFIEDLAYER-AS-1 142.4.29.146 mailcious

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET INFO TLS Handshake Failure

Similarity measure (PE file only) - Checking for service failure