Report - trend-1805140215.xls

Downloader MSOffice File

ScreenShot

Info
Location map


Created	2021.10.16 13:10	Machine	s1_win7_x6403
Filename	trend-1805140215.xls
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name
AI Score	Not founds	Behavior Score	4.0
ZERO API	file : clean
VT API (file)
md5	0c9961a5d8c7ee6bda37f75d1a59e8d9
sha256	6dca30c3de0e6c7e933edba189b540d1eed803bb8ca29ff73de4541d05947951
ssdeep	6144:NKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgv9jWvcZZdtjq15OD7IvOEPD0lgvS3enw7B:A9jFrjmkD7IvLDK3vLvfn1+2D
imphash
impfuzzy

Network IP location

Signature (7cnts)

Level	Description
danger	The process excel.exe wrote an executable file to disk which it then attempted to execute
watch	Network communications indicative of a potential document or script payload download was initiated by the process excel.exe
watch	One or more non-whitelisted processes were created
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice	Creates a suspicious process
notice	Performs some HTTP requests

Rules (2cnts)

Level	Name	Description	Collection
warning	Microsoft_Office_File_Downloader_Zero	Microsoft Office File Downloader	binaries (upload)
info	Microsoft_Office_File_Zero	Microsoft Office File	binaries (upload)

Network (7cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?
https://saftronics.co.za/WRpRfTpvJ/alen.html whois		IS	196.37.111.115		clean
saftronics.co.za whois		IS	196.37.111.115		clean
pmbtvonline.com whois		UNIFIEDLAYER-AS-1	192.185.227.95		clean
elcbd.net whois		RELIABLESITE	209.222.97.206		clean
209.222.97.206 whois		RELIABLESITE	209.222.97.206		clean
196.37.111.115 whois		IS	196.37.111.115		mailcious
192.185.227.95 whois		UNIFIEDLAYER-AS-1	192.185.227.95		malware

Suricata ids

Similarity measure (PE file only) - Checking for service failure