popup

Report - Compensation-1192735226.xls

MSOffice File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.10.01 09:57 Machine s1_win7_x6403
Filename Compensation-1192735226.xls
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name
AI Score Not founds Behavior Score
3.6
ZERO API file : clean
VT API (file)
md5 4e7ee8165dc4ce387c6c4d66a405dbd6
sha256 5e0b0cfc8cc55f38d34644e10c04abd6f16fdb5bd7b8f3fa2249710adab3988f
ssdeep 6144:9Kpb8rGYrMPe3q7Q0XV5xtuEsi8/dgg9HW3cZZRprq15Obr4vO8PDklovS3WHA7l:H9HVTrmkbr4vLDa3/Lvf/1euD
imphash
impfuzzy
  Network IP location

Signature (6cnts)

Level Description
danger The process excel.exe wrote an executable file to disk which it then attempted to execute
watch Network communications indicative of a potential document or script payload download was initiated by the process excel.exe
watch One or more non-whitelisted processes were created
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates a suspicious process

Rules (1cnts)

Level Name Description Collection
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)

Network (5cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
safalerp.com
whois
IN PUBLIC-DOMAIN-REGISTRY 119.18.54.27 mailcious
godschildrenaf.org
whois
US UNIFIEDLAYER-AS-1 50.87.151.118 mailcious
callgirlsandescortkenya.site
whois
US UNIFIEDLAYER-AS-1 50.87.151.118 mailcious
119.18.54.27
whois
IN PUBLIC-DOMAIN-REGISTRY 119.18.54.27 mailcious
50.87.151.118
whois
US UNIFIEDLAYER-AS-1 50.87.151.118 mailcious

Suricata ids

ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

Similarity measure (PE file only) - Checking for service failure