Report - ZeroBOX

ScreenShot

Info
Location map


Created	2023.05.18 09:58	Machine	s1_win7_x6403
Filename	jjjj%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23kk.doc
Type	Rich Text Format data, version 1, unknown character set
AI Score	Not founds	Behavior Score	4.0
ZERO API	file : mailcious
VT API (file)
md5	f2af555f26393f34180a3845e92ba1cb
sha256	ec2a06a3c292999bd6f1d97140328bcd8ea5793aa54e4138021d260f402ff2b4
ssdeep	384:QX+jVQUSBva/4Gy2ORCoaTRYEGXj59gWIq41kE8xMFK9GyOVLxMS/B94O063z82Q:CkFFqfSuFT59gWIq41kE8xMFK3OVLuEa
imphash
impfuzzy

Network IP location

Signature (10cnts)

Level	Description
watch	Communicates with host for which no DNS query was performed
notice	An application raised an exception which may be indicative of an exploit crash
notice	Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice	Creates (office) documents on the filesystem
notice	Creates hidden or system file
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Performs some HTTP requests
notice	RTF file has an unknown character set
notice	Sends data using the HTTP POST Method
info	One or more processes crashed

Rules (2cnts)

Level	Name	Description	Collection
warning	SUSP_INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.	binaries (upload)
info	Rich_Text_Format_Zero	Rich Text Format Signature Zero	binaries (upload)

Network (40cnts) ?

Request	ASN Co	IP4	Rule ?	ZERO ?
http://www.queenkidul.com/f619/?O7pS=flPn1CpczsmcmsloYAj+WZ9tyIXCLn2BUp15WA9gR+pRAl39PMpr22E4uA5K3fGksCy6GKGUT/KR36S7pADHdFopIcR3oqkCWwUH3Bw=&CP-m=8c92fQNKIzrCDRX whois	Hostinger International Limited	45.130.230.191		clean
http://www.stephenwang.photography/f619/?O7pS=u5f4p4qz7o/fTtDm3nSz6hiFO4aCCN2AsW/usgJw6zJdWxar6/CI5CJVoaMo1PtwYoo0+7BD2Z2qbjCMw+JlDyQ8u/oV4aU03sHkcSA=&CP-m=8c92fQNKIzrCDRX whois	DREAMHOST-AS	208.113.186.56		clean
http://www.intake-tree.com/f619/?O7pS=YCaZye8ndW5O5ejCJ7uN2558Y+97WERyr3klZ+XCKIlwv4gr+zruhmNXWBgIbED6mtP3DBYvR0gpojWOjcOh+ihVnCiMcphzPiGO29A=&CP-m=8c92fQNKIzrCDRX whois	AMAZON-AES	54.157.4.65		clean
http://www.towfire.life/f619/ whois	VIMRO-AS15189	67.223.117.160	33475	clean
http://www.smartinnoventions.com/f619/?O7pS=Ek2xhbXtY1qXzB2JvbkcFvKbSmJm4K+Uyb5xsLYZ3zgsIlX7EFjcw6TuiLcQZ5KUivhxYJn0P8EizsHxKHQ+wy4OSt0bovGghjBDZDE=&CP-m=8c92fQNKIzrCDRX whois	PCextreme B.V.	5.157.87.204		clean
http://www.28588v.com/f619/ whois	BGPNET Global ASN	137.220.225.73		clean
http://www.gospelfy.online/f619/?O7pS=mqENKO6x6u0B1RhcdIeKlgDLrDi38FKwdcw4276gfXsD1t5r0KVruS6mnpdZvtzm+Q0xGOUHk2EA1TA3TL1CSm4H2R6TK8LtJrZ83YI=&CP-m=8c92fQNKIzrCDRX whois	Wildcard UK Limited	185.27.134.115		clean
http://www.towfire.life/f619/?O7pS=Ehbg4LlyVMHP0pAFmIQxhDDkp6Kxs477sF6nDv0EaT5K8/1GH5wf1bgzqSKTUaDZXTnW9d28cNYQDMZcc5x0F8aQqyCdRYlsL10lLoU=&CP-m=8c92fQNKIzrCDRX whois	VIMRO-AS15189	67.223.117.160	33475	clean
http://www.gospelfy.online/f619/ whois	Wildcard UK Limited	185.27.134.115		clean
http://www.stephenwang.photography/f619/ whois	DREAMHOST-AS	208.113.186.56		clean
http://www.smartinnoventions.com/f619/ whois	PCextreme B.V.	5.157.87.204		clean
http://www.skillfulp10.buzz/f619/?O7pS=35x6vbxblib5MVXL66MiYOFyCwyiW+WpCMCOaRW/LabtpXpMR316Gm+YR9yWJR7EH7/o0i+7abS9fGbf51xT5oPd3YLLmnWOCyaGRj8=&CP-m=8c92fQNKIzrCDRX whois	CLOUDFLARENET	172.67.194.173		clean
http://www.skillfulp10.buzz/f619/ whois	CLOUDFLARENET	172.67.194.173		clean
http://195.201.147.116/433/vbc.exe whois	Hetzner Online GmbH	195.201.147.116		clean
http://www.sockmomma.com/f619/ whois	DXTL Tseung Kwan O Service	154.94.121.119		clean
http://www.sockmomma.com/f619/?O7pS=2xrbRaVqfFZAqlIaVxxROj1er0vApHth0WR1aJHeUhlKoHhTuPzXEzX44r40ys20rE4Ka7hzk9c+zV+d/czmBtVLQF0HWkNVVexiFz0=&CP-m=8c92fQNKIzrCDRX whois	DXTL Tseung Kwan O Service	154.94.121.119		clean
http://www.intake-tree.com/f619/ whois	AMAZON-AES	54.91.6.89		clean
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3320000.zip whois	Linode, LLC	45.33.6.223		clean
http://www.queenkidul.com/f619/ whois	Hostinger International Limited	45.130.230.191		clean
http://www.28588v.com/f619/?O7pS=G3I5ds8dOpaKd+DH1ake2pRuUN+UMAJZaHOz+8NtztMbt4Q0fuIWaSpOJ5XO92YffYK2mOkzi8XK+GtmVritvfJB+FClpV7RO2AgtZU=&CP-m=8c92fQNKIzrCDRX whois	BGPNET Global ASN	137.220.225.97		clean
www.towfire.life whois	VIMRO-AS15189	67.223.117.160		clean
www.stephenwang.photography whois	DREAMHOST-AS	208.113.186.56		clean
www.queenkidul.com whois	Hostinger International Limited	45.130.230.191		clean
www.smartinnoventions.com whois	PCextreme B.V.	5.157.87.204		clean
www.gospelfy.online whois	Wildcard UK Limited	185.27.134.115		clean
www.sockmomma.com whois	DXTL Tseung Kwan O Service	154.94.121.119		clean
www.skillfulp10.buzz whois	CLOUDFLARENET	104.21.34.8		clean
www.intake-tree.com whois	AMAZON-AES	34.201.80.84		clean
www.28588v.com whois	BGPNET Global ASN	137.220.225.73		clean
54.196.16.164 whois	AMAZON-AES	54.196.16.164		clean
104.21.34.8 whois	CLOUDFLARENET	104.21.34.8		clean
208.113.186.56 whois	DREAMHOST-AS	208.113.186.56		clean
67.223.117.160 whois	VIMRO-AS15189	67.223.117.160		clean
137.220.225.73 whois	BGPNET Global ASN	137.220.225.73		clean
154.94.121.119 whois	DXTL Tseung Kwan O Service	154.94.121.119		clean
185.27.134.115 whois	Wildcard UK Limited	185.27.134.115		mailcious
195.201.147.116 whois	Hetzner Online GmbH	195.201.147.116		mailcious
45.130.230.191 whois	Hostinger International Limited	45.130.230.191		clean
45.33.6.223 whois	Linode, LLC	45.33.6.223		clean
5.157.87.204 whois	PCextreme B.V.	5.157.87.204		mailcious

Report - jjjj%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23kk.doc

Signature (10cnts)

Rules (2cnts)

Network (40cnts) ?

Suricata ids

Similarity measure (PE file only) - Checking for service failure