Report - 0902_7424105065.doc

Generic Malware VBA_macro MSOffice File GIF Format

ScreenShot

Info
Location map


Created	2021.09.03 09:44	Machine	s1_win7_x6403
Filename	0902_7424105065.doc
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Auth
AI Score	Not founds	Behavior Score	7.4
ZERO API	file : clean
VT API (file)
md5	952ff03c89221d84c80a8414ca66be9c
sha256	7f52cba71ae29e48621ab80a8e15e95ad4c20a092d0aec473a19a91f111c3ebf
ssdeep	12288:CV9iQsDr8Niw5KY01lEIbcUXoDCWyK8hIxYfD+:CVXkr8NiwozcmTExr
imphash
impfuzzy

Network IP location

Signature (18cnts)

Level	Description
watch	A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations.
watch	One or more non-whitelisted processes were created
watch	The process winword.exe wrote an executable file to disk
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice	Checks adapter addresses which can be used to detect virtual network interfaces
notice	Creates (office) documents on the filesystem
notice	Creates a shortcut to an executable file
notice	Creates executable files on the filesystem
notice	Creates hidden or system file
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Looks up the external IP address
notice	One or more potentially interesting buffers were extracted
notice	Performs some HTTP requests
notice	Sends data using the HTTP POST Method
notice	Word document hooks document open
info	Checks if process is being debugged by a debugger
info	Queries for the computername

Rules (4cnts)

Level	Name	Description	Collection
warning	Contains_VBA_macro_code	Detect a MS Office document with embedded VBA macro code [binaries]	binaries (upload)
warning	Generic_Malware_Zero	Generic Malware	binaries (upload)
info	Lnk_Format_Zero	LNK Format	binaries (download)
info	Microsoft_Office_File_Zero	Microsoft Office File	binaries (upload)

Network (6cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?
http://asinvotheir.com/8/forum.php whois		Sedinkin Olexandr Valeriyovuch	185.230.91.127		mailcious
http://api.ipify.org/ whois		AMAZON-AES	54.235.244.43		clean
api.ipify.org whois		AMAZON-AES	50.16.244.183		clean
asinvotheir.com whois		Sedinkin Olexandr Valeriyovuch	185.230.91.127		mailcious
50.16.235.219 whois		AMAZON-AES	50.16.235.219		clean
185.230.91.127 whois		Sedinkin Olexandr Valeriyovuch	185.230.91.127		mailcious

Suricata ids

Similarity measure (PE file only) - Checking for service failure