popup

Report - document.doc

VBA_macro Generic Malware MSOffice File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.06.13 10:11 Machine s1_win7_x6402
Filename document.doc
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Titl
AI Score Not founds Behavior Score
6.2
ZERO API file : clean
VT API (file) 37 detected (SLoad, malicious, high confidence, EmoDldr, Save, score, 0NA103GT21, Ole2, druvzi, MacroS, ADYY, Static AI, Malicious OLE, SAgent, Obfuse, Detected, ai score=80, TOPIS, N2Rj37hPkdP)
md5 eabac2151828caacfa7c253d84a7b891
sha256 107f319f6a0f9cfc054aa725553a0452b0125da10784d0270befc5d0b75549a8
ssdeep 384:30HR2XiS8px8SMDxLNktTfwfsxsGBbXy2N0j+nYj:kP3yRkRx1xNn
imphash
impfuzzy
  Network IP location

Signature (12cnts)

Level Description
danger File has been identified by 37 AntiVirus engines on VirusTotal as malicious
watch A command shell or script process was created by an unexpected parent process
watch Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe
watch One or more non-whitelisted processes were created
watch The process wscript.exe wrote an executable file to disk
watch Wscript.exe initiated network communications indicative of a script based payload download
notice Allocates read-write-execute memory (usually to unpack itself)
notice An application raised an exception which may be indicative of an exploit crash
notice Creates (office) documents on the filesystem
notice Creates hidden or system file
notice Performs some HTTP requests
info One or more processes crashed

Rules (3cnts)

Level Name Description Collection
warning Contains_VBA_macro_code Detect a MS Office document with embedded VBA macro code [binaries] binaries (upload)
warning Generic_Malware_Zero Generic Malware binaries (upload)
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)

Network (3cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://miracle.designsoup.co.kr/user/views/resort/controller/css/update/list.php?query=1
whois
KR KINX 121.78.88.79 34250 clean
miracle.designsoup.co.kr
whois
KR KINX 121.78.88.79 clean
121.78.88.79
whois
KR KINX 121.78.88.79 mailcious

Suricata ids

ET MALWARE Suspected Kimsuky Activity (GET)
ET MALWARE Kimsuky Related Script Activity (GET)
ET MALWARE Suspected DPRK APT Related Activity (GET)

Similarity measure (PE file only) - Checking for service failure