Report - Afghanistan-is-rich-in-minerals-but-getting-to-them-is-challenging.docx

Word 2007 file format(docx)

ScreenShot

Info
Location map


Created	2021.09.27 14:51	Machine	s1_win7_x6403
Filename	Afghanistan-is-rich-in-minerals-but-getting-to-them-is-challenging.docx
Type	Microsoft Word 2007+
AI Score	Not founds	Behavior Score	10.0
ZERO API	file : clean
VT API (file)	8 detected (VSNW1AI21, Dotmer, CVE-2017-0199, equmby, AEIR, ExtLink, CLASSIC)
md5	ebfa7b412fe87af4bf586472f6f274c5
sha256	b00d27bb7b9a1962dd8166ec51b4497b71bf47120fdb96e0d058d2136d190b57
ssdeep	24576:YKMGlCX0q4m+Vsd0GYAi4XWRtvzS5yPK3Z/5eIaq4G7gUozAK:YKDq41kxfGXvO5yPa/cIjMt
imphash
impfuzzy

Network IP location

Signature (13cnts)

Level	Description
watch	Malicious document featuring Office DDE has been identified
watch	One or more non-whitelisted processes were created
watch	Uses Sysinternals tools in order to add additional command line functionality
watch	Zeus P2P (Banking Trojan)
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice	Creates (office) documents on the filesystem
notice	Creates hidden or system file
notice	File has been identified by 8 AntiVirus engines on VirusTotal as malicious
notice	Resolves a suspicious Top Level Domain (TLD)
info	Checks amount of memory in system
info	Collects information to fingerprint the system (MachineGuid
info	Queries for the computername

Rules (2cnts)

Level	Name	Description	Collection
info	docx	Word 2007 file format detection	binaries (upload)
info	OfficeDDE1	(no description)	scripts

Network (2cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?
aljazeera.cc whois		Digital Energy Technologies Ltd.	181.214.31.79		malware
181.214.31.79 whois		Digital Energy Technologies Ltd.	181.214.31.79		phishing

Suricata ids

Similarity measure (PE file only) - Checking for service failure