popup

Report - inv_1_____-233000030000.wbk

RTF File doc
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.10.20 11:09 Machine s1_win7_x6402
Filename inv_1_____-233000030000.wbk
Type Rich Text Format data, unknown version
AI Score Not founds Behavior Score
4.4
ZERO API file : mailcious
VT API (file) 27 detected (Obfuscated, ObfsStrm, CVE-2017-1188, CVE2017, Save, Camelot, Bloodhound, a variant of DOC, Abnormal, dinbqn, RtfExp, RTFMALFORM, Malformed, Obscure, Malform, ai score=83, GenericKD)
md5 8cb07df81d4c6d3798d05097c2af1a01
sha256 b97a7205daeb89f82f2bb240d47ff5d440719723f631a42874e05327f5f90ece
ssdeep 384:VGKKhw7m9ia1UhvS0q0YGl6pAVACPlEq6RFmeuAiQKy1ytogW:oKKhw7m9ia1U003YGosACpTPnRyKu
imphash
impfuzzy
  Network IP location

Signature (10cnts)

Level Description
warning File has been identified by 27 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice An application raised an exception which may be indicative of an exploit crash
notice Creates hidden or system file
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice RTF file has an unknown version
info One or more processes crashed

Rules (1cnts)

Level Name Description Collection
info Rich_Text_Format_Zero Rich Text Format Signature Zero binaries (upload)

Network (40cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://www.gold2guide.art/mxnu/?bj=nooUTxpgyHI8Tmjtx/bEFedfCsCgFivtiLIHJ+Ou+u0gXSqijcRRlL1sEAr9C8C8DV1gd2HK&Rx=8pdDoFr0ubqhlt
whois
AU GSL Networks Pty LTD 202.165.66.108 6481 mailcious
http://www.mortgagerates.solutions/mxnu/?bj=e40TMWWr6xWVnQ1HwCqLobeJF4L/Z7xCu7/MTKlaRXTCRzwsua34O9neh9w9TPhFkJc6vnSR&Rx=8pdDoFr0ubqhlt
whois
Unknown 64.190.62.111 6648 mailcious
http://www.technichoffghosts.com/mxnu/?bj=/Fzie1hELeLn7MgSxS1T5SAjvZfamumVbzPuvONP0wKdG4fvdY2IoYOIDGhEOLvFBokHwHx6&Rx=8pdDoFr0ubqhlt
whois
RU IT Outsourcing LLC 45.156.25.115 clean
http://www.sattaking-gaziabad.xyz/mxnu/?bj=UvUEtIev0LW0Fj9rimgEuaxF8o8Q3PSD9GE10acJUnczNTSiUTsn1kpqflxWWG28G9vjgVED&Rx=8pdDoFr0ubqhlt
whois
LT Hostinger International Limited 185.28.21.80 6653 mailcious
http://192.3.110.172/00880088/vbc.exe
whois
US AS-COLOCROSSING 192.3.110.172 clean
http://www.265411.com/mxnu/?bj=25s1ERxOA1FsQEL58dsMzLXIm6T2LEHWrovGfnVbwWX5qUTqFcrkTCI5ju9rUaWf+2K12S96&Rx=8pdDoFr0ubqhlt
whois
US DXTL Tseung Kwan O Service 192.249.80.207 clean
http://www.whitebot.xyz/mxnu/?bj=mJKlLoR4AxZK/RYIFKAo0UiVtoPyzBJ6SQAFXLfvSOBYEGo1cqGoAX7CRK1QxANrckFntybM&Rx=8pdDoFr0ubqhlt
whois
DE Linode, LLC 172.104.153.244 6647 mailcious
http://www.naplesconciergerealty.com/mxnu/?bj=hecv2sMFcvsyFIpzJOhZbtwMh1SG6St5/U1aPglBFWownzq2qPNpvMi/ho6Sg43JWpVw027R&Rx=8pdDoFr0ubqhlt
whois
US GOOGLE 34.102.136.180 6394 mailcious
http://www.tbrhc.com/mxnu/?bj=dBbPwQ2utUd0Fk1uS+XSFkxz2YTUNCneFR1VLIh1vAwAXkSpHWWkzNznjyqcoekG5m5H1qts&Rx=8pdDoFr0ubqhlt
whois
HK CNSERVERS 154.208.173.145 6645 mailcious
http://www.desongli.com/mxnu/?bj=hZ80obWBB1Dtx9mJDJ/B6KhSbXm9N4IXZ9kDZpitpQpTEQWdqR+8a/o3g7qjE+O8VqYt5r7Y&Rx=8pdDoFr0ubqhlt
whois
US PEGTECHINC 108.186.180.79 6643 mailcious
http://www.normandia.pro/mxnu/?bj=kHN/hbjK4OzLmo333toUUHv3cKFKy5bivtfKIua2AYmutZDuFn6HD/HyblDUos2+bUTS6mEe&Rx=8pdDoFr0ubqhlt
whois
AU Trellian Pty. Limited 103.224.212.222 6650 mailcious
http://www.ingdalynnia.xyz/mxnu/?bj=pfZfepvuuXd3YdzLhx74JhtQE2ZsQUx19b2XlYunhcRs71ErzSq2ECWFO+pn1SXrM1L87AtC&Rx=8pdDoFr0ubqhlt
whois
DE Contabo GmbH 173.212.200.118 6654 mailcious
http://www.funkidsroomdecor.com/mxnu/?bj=iFpbfMx0kR1NhQJhtaFPfzg8Nsy3dm+jXQd2Fi3YicbHa3sz/htfiB2IN3yla1aALZWfkU50&Rx=8pdDoFr0ubqhlt
whois
US UNIFIEDLAYER-AS-1 192.254.189.87 6395 mailcious
www.funkidsroomdecor.com
whois
US UNIFIEDLAYER-AS-1 192.254.189.87 clean
www.naplesconciergerealty.com
whois
US GOOGLE 34.102.136.180 clean
www.normandia.pro
whois
AU Trellian Pty. Limited 103.224.212.222 clean
www.sattaking-gaziabad.xyz
whois
LT Hostinger International Limited 185.28.21.80 clean
www.265411.com
whois
US DXTL Tseung Kwan O Service 192.249.80.207 clean
www.mortgagerates.solutions
whois
Unknown 64.190.62.111 clean
www.whitebot.xyz
whois
DE Linode, LLC 172.104.153.244 clean
www.gold2guide.art
whois
AU GSL Networks Pty LTD 202.165.66.108 clean
www.desongli.com
whois
US PEGTECHINC 108.186.180.79 clean
www.1sunsetgroup.com
whois
Unknown mailcious
www.taquerialoteria.com
whois
Unknown clean
www.tbrhc.com
whois
HK CNSERVERS 154.208.173.145 clean
www.technichoffghosts.com
whois
RU IT Outsourcing LLC 45.156.25.115 clean
www.ingdalynnia.xyz
whois
DE Contabo GmbH 173.212.200.118 clean
45.156.25.115
whois
RU IT Outsourcing LLC 45.156.25.115 clean
108.186.180.79
whois
US PEGTECHINC 108.186.180.79 mailcious
185.28.21.80
whois
LT Hostinger International Limited 185.28.21.80 mailcious
172.104.153.244
whois
DE Linode, LLC 172.104.153.244 mailcious
34.102.136.180
whois
US GOOGLE 34.102.136.180 mailcious
192.249.80.207
whois
US DXTL Tseung Kwan O Service 192.249.80.207 clean
173.212.200.118
whois
DE Contabo GmbH 173.212.200.118 mailcious
154.208.173.145
whois
HK CNSERVERS 154.208.173.145 mailcious
192.254.189.87
whois
US UNIFIEDLAYER-AS-1 192.254.189.87 mailcious
202.165.66.108
whois
AU GSL Networks Pty LTD 202.165.66.108 mailcious
192.3.110.172
whois
US AS-COLOCROSSING 192.3.110.172 malware
103.224.212.222
whois
AU Trellian Pty. Limited 103.224.212.222 mailcious
64.190.62.111
whois
Unknown 64.190.62.111 mailcious

Suricata ids

ET INFO Executable Download from dotted-quad Host
ET MALWARE FormBook CnC Checkin (GET)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET HUNTING Request to .XYZ Domain with Minimal Headers
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

Similarity measure (PE file only) - Checking for service failure