Report - doc-1445313213.xls

Downloader MSOffice File

ScreenShot

Info
Location map


Created	2021.10.06 18:20	Machine	s1_win7_x6403
Filename	doc-1445313213.xls
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name
AI Score	Not founds	Behavior Score	4.0
ZERO API	file : clean
VT API (file)
md5	cf0908b4d734a5e78588b73410a25a3a
sha256	682d726d285ea5acf6c9fd14c4ed8b75d197afd376b9caaf87e8a4a06c448911
ssdeep	6144:wKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgD9jWXcZZRBTq1BOzTwvOsPDslAvS32vI7b:59jVzTmszTwvTDy33LvfP1OWB
imphash
impfuzzy

Network IP location

Signature (7cnts)

Level	Description
danger	The process excel.exe wrote an executable file to disk which it then attempted to execute
watch	Network communications indicative of a potential document or script payload download was initiated by the process excel.exe
watch	One or more non-whitelisted processes were created
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice	Creates a suspicious process
notice	Performs some HTTP requests

Rules (2cnts)

Level	Name	Description	Collection
warning	Microsoft_Office_File_Downloader_Zero	Microsoft Office File Downloader	binaries (upload)
info	Microsoft_Office_File_Zero	Microsoft Office File	binaries (upload)

Network (7cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?
http://access-cs.com/WH0dOuF31Vjo/sep.html whois		INMOTI-1	198.46.82.18	6075	clean
http://proflizbowles.com/FC28yk4Sx7Rr/sep.html whois		INMOTI-1	198.46.82.18	6074	clean
access-cs.com whois		INMOTI-1	198.46.82.18		clean
proflizbowles.com whois		INMOTI-1	198.46.82.18		clean
dreamonvibes.gr whois		UNIFIEDLAYER-AS-1	192.185.35.74		clean
192.185.35.74 whois		UNIFIEDLAYER-AS-1	192.185.35.74		mailcious
198.46.82.18 whois		INMOTI-1	198.46.82.18		clean

Suricata ids

Similarity measure (PE file only) - Checking for service failure