popup

Report - EPR Payment Summary.doc

VBA_macro MSOffice File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.03.09 10:05 Machine s1_win7_x6402
Filename EPR Payment Summary.doc
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Autho
AI Score Not founds Behavior Score
4.8
ZERO API file : clean
VT API (file) 40 detected (SAgent, GenericKD, POWLOAD, TIOIBEGZ, Emotet, Malware@#1e633r8j6efl7, prkum, Malicious OLE, Eldorado, malicious, high confidence, Kryptik, NK@susp, ai score=89, Probably W97Obfuscated, CLASSIC, Mofer, bSxU71, obfuscated)
md5 ad16430c43ef743109301fa643a25eed
sha256 edc6c1995b2088e7ee42b7bc133d69f01da175705a36386e8a23dbef34c73bf8
ssdeep 6144:s5wP/XYoJqoKUzSSnLx3VafL0SlJR1GGs:s5wP/XYoJqpUGSt3VafL0Sh1ls
imphash
impfuzzy
  Network IP location

Signature (9cnts)

Level Description
danger File has been identified by 40 AntiVirus engines on VirusTotal as malicious
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
notice Allocates read-write-execute memory (usually to unpack itself)
notice An application raised an exception which may be indicative of an exploit crash
notice Creates (office) documents on the filesystem
notice Creates hidden or system file
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
info One or more processes crashed

Rules (2cnts)

Level Name Description Collection
warning Contains_VBA_macro_code Detect a MS Office document with embedded VBA macro code [binaries] binaries (upload)
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)

Network (15cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US CCCH-3 23.216.159.81 clean
http://meeting.nmconline.org/wp-content/pgynuy3gyq-qib01-12349/
whois
US NEXCESS-NET 104.207.254.70 malware
https://royalinteriorsdesign.000webhostapp.com/wp-admin/hkgyeqNXL/
whois
NL Hostinger International Limited 145.14.145.163 mailcious
royalinteriorsdesign.000webhostapp.com
whois
NL Hostinger International Limited 145.14.145.187 mailcious
stretchpilates.fit
whois
US SUCURI-SEC 192.124.249.111 malware
www.honeybearlane.com
whois
US TONAQUINT-DC 199.79.53.17 mailcious
apps.identrust.com
whois
US CCCH-3 23.216.159.9 clean
meeting.nmconline.org
whois
US NEXCESS-NET 104.207.254.70 malware
ramadepo.000webhostapp.com
whois
NL Hostinger International Limited 145.14.144.143 malware
145.14.145.163
whois
NL Hostinger International Limited 145.14.145.163 mailcious
104.207.254.70
whois
US NEXCESS-NET 104.207.254.70 clean
145.14.144.197
whois
NL Hostinger International Limited 145.14.144.197 malware
121.254.136.57
whois
KR LG DACOM Corporation 121.254.136.57 clean
192.124.249.111
whois
US SUCURI-SEC 192.124.249.111 clean
199.79.53.17
whois
US TONAQUINT-DC 199.79.53.17 clean

Suricata ids

ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed DNS Query to .fit TLD
ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)

Similarity measure (PE file only) - Checking for service failure