Report - 0831_4532643085.doc

Generic Malware VBA_macro MSOffice File GIF Format

ScreenShot

Info
Location map


Created	2021.09.01 14:15	Machine	s1_win7_x6403
Filename	0831_4532643085.doc
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Auth
AI Score	Not founds	Behavior Score	7.4
ZERO API	file : clean
VT API (file)
md5	f25c56cf3b503d96df86b4bb2c39f479
sha256	0e60b6ecec9fc13756c7a3b4905a9c66cd0aaf8e631c66be729f6fc2f1193cdb
ssdeep	12288:6V9iQsDr8NZClDfKTFi1w06/vbOes1AOrk4Y:6VXkr8NANfKB30AOesoP
imphash
impfuzzy

Network IP location

Signature (18cnts)

Level	Description
watch	A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations.
watch	One or more non-whitelisted processes were created
watch	The process winword.exe wrote an executable file to disk
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice	Checks adapter addresses which can be used to detect virtual network interfaces
notice	Creates (office) documents on the filesystem
notice	Creates a shortcut to an executable file
notice	Creates executable files on the filesystem
notice	Creates hidden or system file
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Looks up the external IP address
notice	One or more potentially interesting buffers were extracted
notice	Performs some HTTP requests
notice	Sends data using the HTTP POST Method
notice	Word document hooks document open
info	Checks if process is being debugged by a debugger
info	Queries for the computername

Rules (4cnts)

Level	Name	Description	Collection
warning	Contains_VBA_macro_code	Detect a MS Office document with embedded VBA macro code [binaries]	binaries (upload)
warning	Generic_Malware_Zero	Generic Malware	binaries (upload)
info	Lnk_Format_Zero	LNK Format	binaries (download)
info	Microsoft_Office_File_Zero	Microsoft Office File	binaries (upload)

Network (6cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?
http://buichely.com/8/forum.php whois		Sedinkin Olexandr Valeriyovuch	185.230.91.127		mailcious
http://api.ipify.org/ whois		AMAZON-AES	54.225.219.20		clean
api.ipify.org whois		AMAZON-AES	54.225.219.20		clean
buichely.com whois		Sedinkin Olexandr Valeriyovuch	185.230.91.127		mailcious
50.19.119.155 whois		AMAZON-AES	50.19.119.155		clean
185.230.91.127 whois		Sedinkin Olexandr Valeriyovuch	185.230.91.127		mailcious

Suricata ids

Similarity measure (PE file only) - Checking for service failure