Report - inv_1123.wbk

RTF File doc AntiDebug AntiVM
ScreenShot
Created 2021.09.03 09:00 Machine s1_win7_x6402
Filename inv_1123.wbk
Type data
AI Score Not founds Behavior Score
5.2
ZERO API file : mailcious
VT API (file) 26 detected (RTFObfustream, ObfsStrm, CVE-2017-1188, Camelot, Bloodhound, a variant of DOC, Abnormal, Malicious, score, dinbqn, Obfuscated, CVE-2020-1711, CVE201711882, SMYNBFR, Malformed, ASDOH, Malform, Probably Heur, RTFBadHeader, ai score=83)
md5 2a468f175032ed01e5d4fecd511b8b0f
sha256 88c49a54cc27263ce4b4eaa1fe760999fa8fb1ced1bf6097e11723dfe569befc
ssdeep 192:VqnZnKYIo0axw4K4oYw1aAno3WfYiVe7MlUznhuy++1Md0t7m:qn0aq4KowEAn/fYN7MlUz/1e04
imphash
impfuzzy
  Network IP location

Signature (14cnts)

Level Description
warning File has been identified by 26 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice An application raised an exception which may be indicative of an exploit crash
notice Creates (office) documents on the filesystem
notice Creates hidden or system file
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed
info Uses Windows APIs to generate a cryptographic key

Rules (9cnts)

Level Name Description Collection
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info Rich_Text_Format_Zero Rich Text Format Signature Zero binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (4cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://23.95.122.90/icici/vbc.exe US AS-COLOCROSSING 23.95.122.90 malware
img.neko.airforce US DIGITALOCEAN-ASN 167.172.239.151 mailcious
167.172.239.151 US DIGITALOCEAN-ASN 167.172.239.151 mailcious
23.95.122.90 US AS-COLOCROSSING 23.95.122.90 mailcious

Suricata ids



Similarity measure (PE file only) - Checking for service failure