popup

Report - readme.doc

VBA_macro Generic Malware MSOffice File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.06.13 09:44 Machine s1_win7_x6402
Filename readme.doc
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Titl
AI Score Not founds Behavior Score
6.2
ZERO API file : clean
VT API (file) 38 detected (SLoad, malicious, high confidence, EmoDldr, Save, score, 0NA103GT21, Ole2, druvzi, TOPIS, N2Rj37hPkdP, ADYY, ai score=82, SAgent, Obfuse, Detected, MacroS, Static AI, Malicious OLE)
md5 332f3efeb2f7f9cc98e3cea2c069a3a5
sha256 42fa927c4778be02a3b45be871cf76cf6afc5d134daa6670761cf5fe184ef138
ssdeep 384:a0HR2XiS8px8SMDxVNAtTfwfsxsGBbXy2N0j+nYj:3P3yjgRx1xNn
imphash
impfuzzy
  Network IP location

Signature (12cnts)

Level Description
danger File has been identified by 38 AntiVirus engines on VirusTotal as malicious
watch A command shell or script process was created by an unexpected parent process
watch Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe
watch One or more non-whitelisted processes were created
watch The process wscript.exe wrote an executable file to disk
watch Wscript.exe initiated network communications indicative of a script based payload download
notice Allocates read-write-execute memory (usually to unpack itself)
notice An application raised an exception which may be indicative of an exploit crash
notice Creates (office) documents on the filesystem
notice Creates hidden or system file
notice Performs some HTTP requests
info One or more processes crashed

Rules (3cnts)

Level Name Description Collection
warning Contains_VBA_macro_code Detect a MS Office document with embedded VBA macro code [binaries] binaries (upload)
warning Generic_Malware_Zero Generic Malware binaries (upload)
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)

Network (3cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://miracle.designsoup.co.kr/user/views/resort/controller/css/update/list.php?query=1
whois
KR KINX 121.78.88.79 clean
miracle.designsoup.co.kr
whois
KR KINX 121.78.88.79 clean
121.78.88.79
whois
KR KINX 121.78.88.79 mailcious

Suricata ids

ET MALWARE Suspected Kimsuky Activity (GET)
ET MALWARE Kimsuky Related Script Activity (GET)
ET MALWARE Suspected DPRK APT Related Activity (GET)

Similarity measure (PE file only) - Checking for service failure