popup

Report - specification-1115180443.xls

MSOffice File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.09.23 09:34 Machine s1_win7_x6403
Filename specification-1115180443.xls
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Last
AI Score Not founds Behavior Score
4.0
ZERO API file : clean
VT API (file)
md5 fd6cc864407f1dbd7e1bb73100f7fd58
sha256 3f708e6dc8e16ec770b2b52dafdc6319b932a27790b0b85ede478738811fe461
ssdeep 6144:wKpb8rGYrMPe3q7Q0XV5xtuEsi8/dg9nfb7I6+tqDWcwnoRZzlj+oSGpGvhmmmmf:Hj7CqScwoRZ9bSXkh/nLoH
imphash
impfuzzy
  Network IP location

Signature (7cnts)

Level Description
danger The process excel.exe wrote an executable file to disk which it then attempted to execute
watch Network communications indicative of a potential document or script payload download was initiated by the process excel.exe
watch One or more non-whitelisted processes were created
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates a suspicious process
notice Performs some HTTP requests

Rules (1cnts)

Level Name Description Collection
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)

Network (6cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://ricardopiresfotografia.com/RpuaNlWy/host.html
whois
PT Dominios, S.A. 94.126.169.140 clean
ricardopiresfotografia.com
whois
PT Dominios, S.A. 94.126.169.140 clean
keysite.com.co
whois
US UNIFIEDLAYER-AS-1 50.116.92.246 clean
colegiobilinguepioxii.com.co
whois
US UNIFIEDLAYER-AS-1 50.116.92.246 clean
50.116.92.246
whois
US UNIFIEDLAYER-AS-1 50.116.92.246 malware
94.126.169.140
whois
PT Dominios, S.A. 94.126.169.140 mailcious

Suricata ids

ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

Similarity measure (PE file only) - Checking for service failure