popup

Report - 529f38_9aa2021e548e4d6ea92f285b00a07eb4.docx

ZIP Format Word 2007 file format(docx)
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.03.23 13:15 Machine s1_win7_x6401
Filename 529f38_9aa2021e548e4d6ea92f285b00a07eb4.docx
Type Microsoft Word 2007+
AI Score Not founds Behavior Score
2.2
ZERO API file : malware
VT API (file) 16 detected (CVE-2022-3019, Save, Subdoc, RemoteTemplateInj, GDRN, CVE-2017-0199, equmby, Artemis, ai score=83, Embed, oleurl, Probably Heur, W97OleLink, Mcnw)
md5 cd265d216aa729b1051f8631185f3520
sha256 546549325cb53f665f2bc3bfd65e4ed77ca1edb80b349a54f1f68d11ed91ef25
ssdeep 192:VOWmcDKb6QuB7L5bv/02UZ4Z9hCfC3nVCj9knEI7QaX0e:VDA6Qu74ZgOfonnlXX0e
imphash
impfuzzy
  Network IP location

Signature (5cnts)

Level Description
watch File has been identified by 16 AntiVirus engines on VirusTotal as malicious
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates (office) documents on the filesystem
notice Creates hidden or system file
notice Performs some HTTP requests

Rules (2cnts)

Level Name Description Collection
info docx Word 2007 file format detection binaries (upload)
info zip_file_format ZIP file format binaries (upload)

Network (6cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://urlcallinghta6.blogspot.com/atom.xml
whois
US GOOGLE 142.250.207.65 28108 mailcious
https://urlcallinghta6.blogspot.com/
whois
US GOOGLE 142.250.207.65 clean
files.catbox.moe
whois
US None 107.160.74.134 malware
urlcallinghta6.blogspot.com
whois
US GOOGLE 142.250.76.129 mailcious
107.160.74.134
whois
US None 107.160.74.134 malware
142.250.207.65
whois
US GOOGLE 142.250.207.65 clean

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI)

Similarity measure (PE file only) - Checking for service failure