popup

Report - Compensation-1192584148.xls

MSOffice File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.10.01 09:55 Machine s1_win7_x6403
Filename Compensation-1192584148.xls
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name
AI Score Not founds Behavior Score
3.6
ZERO API file : clean
VT API (file)
md5 37a0ab0f9ab8422201dc00efef4a41c5
sha256 22012ef347a8149872edb8cba796060eee42f8c23ef4d93f28e7ccef6851277d
ssdeep 6144:9Kpb8rGYrMPe3q7Q0XV5xtuEsi8/dgg9HW3cZZRprq15Obr4vO8PDklovS3WHA7p:H9HVTrmkbr4vLDa3/Lvf/1eun
imphash
impfuzzy
  Network IP location

Signature (6cnts)

Level Description
danger The process excel.exe wrote an executable file to disk which it then attempted to execute
watch Network communications indicative of a potential document or script payload download was initiated by the process excel.exe
watch One or more non-whitelisted processes were created
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates a suspicious process

Rules (1cnts)

Level Name Description Collection
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)

Network (5cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
safalerp.com
whois
IN PUBLIC-DOMAIN-REGISTRY 119.18.54.27 mailcious
callgirlsandescortkenya.site
whois
US UNIFIEDLAYER-AS-1 50.87.151.118 mailcious
godschildrenaf.org
whois
US UNIFIEDLAYER-AS-1 50.87.151.118 mailcious
119.18.54.27
whois
IN PUBLIC-DOMAIN-REGISTRY 119.18.54.27 mailcious
50.87.151.118
whois
US UNIFIEDLAYER-AS-1 50.87.151.118 mailcious

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure

Similarity measure (PE file only) - Checking for service failure