popup

Report - chart-1352070144.xls

MSOffice File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.09.25 17:06 Machine s1_win7_x6403
Filename chart-1352070144.xls
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Last
AI Score Not founds Behavior Score
3.6
ZERO API file : clean
VT API (file)
md5 9531c29f3fa2b245c4e107a528ad3da5
sha256 8182902239d0b540da2d48a6ab55a71b5f39a628fdfccb64c46ac7e4b504a3aa
ssdeep 6144:mKpb8rGYrMPe3q7Q0XV5xtuEsi8/dg79nWXcZZVtjKFOTDwvO0PDUlQvS32no7Xt:79ndjjKoTDwvbDS3fLvfH1GOX
imphash
impfuzzy
  Network IP location

Signature (6cnts)

Level Description
danger The process excel.exe wrote an executable file to disk which it then attempted to execute
watch Network communications indicative of a potential document or script payload download was initiated by the process excel.exe
watch One or more non-whitelisted processes were created
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates a suspicious process

Rules (1cnts)

Level Name Description Collection
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)

Network (5cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
thietbiagt.com
whois
VN The Corporation for Financing & Promoting Technology 210.245.90.247 mailcious
finejewels.com.au
whois
US SUCURI-SEC 192.124.249.84 mailcious
new.americold.com
whois
Unknown mailcious
210.245.90.247
whois
VN The Corporation for Financing & Promoting Technology 210.245.90.247 phishing
192.124.249.84
whois
US SUCURI-SEC 192.124.249.84 mailcious

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET INFO TLS Handshake Failure

Similarity measure (PE file only) - Checking for service failure