Report - ZeroBOX

ScreenShot

Info
Location map


Created	2023.04.20 16:39	Machine	s1_win7_x6402
Filename	###############################.doc
Type	Rich Text Format data, version 1, unknown character set
AI Score	Not founds	Behavior Score	3.6
ZERO API	file : clean
VT API (file)
md5	e35378796dfe5bd6db6e12178247de53
sha256	a2776f25f2a104054e2eb82772f7a1a4ebb6c05c6dd1e9c0835908d3bca0d9bb
ssdeep	384:BdBrhgWOxX0F4x8N9BgOMGavisb8qcxkbXBrgJvC8:hhFF4x83BgOQv0qGkbX2JvT
imphash
impfuzzy

Network IP location

Signature (9cnts)

Level	Description
watch	Communicates with host for which no DNS query was performed
notice	An application raised an exception which may be indicative of an exploit crash
notice	Creates (office) documents on the filesystem
notice	Creates hidden or system file
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Performs some HTTP requests
notice	RTF file has an unknown character set
notice	Sends data using the HTTP POST Method
info	One or more processes crashed

Rules (2cnts)

Level	Name	Description	Collection
warning	SUSP_INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.	binaries (upload)
info	Rich_Text_Format_Zero	Rich Text Format Signature Zero	binaries (upload)

Network (23cnts) ?

Request	ASN Co	IP4	ZERO ?
http://www.jawstraping.com/t6t4/ whois	UNIFIEDLAYER-AS-1	162.240.74.72	clean
http://www.infomysaturn.com/t6t4/ whois	JOESDATACENTER	204.27.56.195	clean
http://www.jawstraping.com/t6t4/?tgsBCfY=XCntr2iXxRF4OzdOddE0iZuhFmxxz2UYRyIVY/3TZ+QarG+8Mk+hdkB+upmlGNbbMTHm8ylq/Cu6YgjeNTy0eEp8zKtOpX4Of63J+Iw=&XpfTw=NmpJ whois	UNIFIEDLAYER-AS-1	162.240.74.72	clean
http://www.atwtjasasbdh.com/t6t4/ whois	Host Universal Pty Ltd	103.214.22.44	clean
http://www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip whois	Linode, LLC	45.33.6.223	clean
http://www.antifa-west.org/t6t4/?tgsBCfY=ssGDlaKvrM1Gs2+sD8JdC0DLeKE3dUnUQ6mTAZG8EY8ootQconb5U719Xwf9arvCoKYUBxAQQ/mbWT7dDEoxYepTxrisSFFRvpnacVE=&XpfTw=NmpJ whois	GOOGLE	142.250.76.147	clean
http://www.infomysaturn.com/t6t4/?tgsBCfY=J+lWmOWzRFYb6ZGDJg/c/uE65ROAxLP5sGlhcaPxy1usod+H/MjcFynVlrmwAULXY1vEuzPNHPQSWuniw4+JBk2ZSmFmkZPZ/PPuHLo=&XpfTw=NmpJ whois	JOESDATACENTER	204.27.56.195	clean
http://www.tanforks.xyz/t6t4/ whois	NAMECHEAP-NET	162.0.228.125	clean
http://www.atwtjasasbdh.com/t6t4/?tgsBCfY=6X+nuai3+Gul66mjmQ28c0ZlmwwgXmcEpPDIIfk72o6E0RnRG4ylaYKqyh5Ae9yw6Vvu+qYeGcoVzp60AAD0y2SwNXIc8Uem2VD5Cms=&XpfTw=NmpJ whois		194.29.187.15	clean
http://154.91.202.45/90/vbc.exe whois	Itace International Limited	154.91.202.45	clean
http://www.tanforks.xyz/t6t4/?tgsBCfY=fX3XyOzAJM6oM04o/7g23Zy7c/HdQQcghoeFNAWsBFGOx4rN1X7qcFb4Fe0DTcTs0H0+AvSr72QhSydJENna4UFVgzP/3/gTg0f6ty0=&XpfTw=NmpJ whois	NAMECHEAP-NET	162.0.228.125	clean
www.atwtjasasbdh.com whois	Host Universal Pty Ltd	103.214.22.44	clean
www.infomysaturn.com whois	JOESDATACENTER	204.27.56.195	clean
www.antifa-west.org whois	GOOGLE	142.250.76.147	clean
www.jawstraping.com whois	UNIFIEDLAYER-AS-1	162.240.74.72	clean
www.tanforks.xyz whois	NAMECHEAP-NET	162.0.228.125	clean
20.239.166.104 whois	MICROSOFT-CORP-MSN-AS-BLOCK	20.239.166.104	clean
154.91.202.45 whois	Itace International Limited	154.91.202.45	mailcious
142.250.204.51 whois	GOOGLE	142.250.204.51	clean
162.0.228.125 whois	NAMECHEAP-NET	162.0.228.125	mailcious
162.240.74.72 whois	UNIFIEDLAYER-AS-1	162.240.74.72	clean
45.33.6.223 whois	Linode, LLC	45.33.6.223	clean
204.27.56.195 whois	JOESDATACENTER	204.27.56.195	clean

Report - ###############################.doc

Signature (9cnts)

Rules (2cnts)

Network (23cnts) ?

Suricata ids

Similarity measure (PE file only) - Checking for service failure