popup

Report - 0803_1140088877.doc

hancitor VBA_macro MSOffice File GIF Format
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.08.04 10:43 Machine s1_win7_x6403
Filename 0803_1140088877.doc
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Auth
AI Score Not founds Behavior Score
9.6
ZERO API file : clean
VT API (file)
md5 6376baf5eaead1abb0ec71546fd4e4b5
sha256 96ea2ab20add8482620a7442082f9975609643962baa08dfa6f0c797cfddf6fc
ssdeep 12288:WV9iQsDr8NahqNrdjqLCV8L/EnqO1BKI9vIOaCuQByhC1A5PU:WVXkr8NnNrAmqL/EnJ1BsrPzhN5c
imphash
impfuzzy
  Network IP location

Signature (20cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
warning Generates some ICMP traffic
watch A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations.
watch One or more non-whitelisted processes were created
watch The process winword.exe wrote an executable file to disk
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Creates (office) documents on the filesystem
notice Creates a shortcut to an executable file
notice Creates executable files on the filesystem
notice Creates hidden or system file
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice Word document hooks document open
info Checks if process is being debugged by a debugger
info Queries for the computername

Rules (3cnts)

Level Name Description Collection
warning Contains_VBA_macro_code Detect a MS Office document with embedded VBA macro code [binaries] binaries (upload)
info Lnk_Format_Zero LNK Format binaries (download)
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)

Network (10cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://arviskeist.ru/8/forum.php
whois
RU Relink LTD 185.68.93.20 3688 mailcious
http://api.ipify.org/
whois
US AMAZON-AES 50.16.235.219 clean
arviskeist.ru
whois
RU Relink LTD 185.68.93.20 mailcious
api.ipify.org
whois
US AMAZON-AES 50.16.238.218 clean
stionsomi.ru
whois
BY DataHata Ltd 45.129.237.96 mailcious
priekornat.com
whois
Unknown 212.193.48.110 mailcious
212.193.48.110
whois
Unknown 212.193.48.110 clean
185.68.93.20
whois
RU Relink LTD 185.68.93.20 mailcious
50.16.216.118
whois
US AMAZON-AES 50.16.216.118 clean
45.129.237.96
whois
BY DataHata Ltd 45.129.237.96 mailcious

Suricata ids

ET POLICY External IP Lookup api.ipify.org

Similarity measure (PE file only) - Checking for service failure