Report - 012004040003030030%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23000180080808000012200%23%23%23%23%23%23%23%23102020020222.doc

MS_RTF_Obfuscation_Objects RTF File doc

ScreenShot

Info
Location map


Created	2023.08.04 09:06	Machine	s1_win7_x6401
Filename	012004040003030030%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23000180080808000012200%23%23%23%23%23%23%23%23102020020222.doc
Type	ISO-8859 text, with very long lines, with CRLF, CR, LF line terminators
AI Score	Not founds	Behavior Score	5.6
ZERO API	file : mailcious
VT API (file)	16 detected (Siggen3, Save, CVE-2017-1188, CVE1711882, multiple detections, Malicious, score, dinbqn, Malformed, RTFMALFORM, Casdet, Detected, Probably Heur, RTFBadHeader, Kflw)
md5	9196f5d37dd1750c7ab2ea6becaddbb9
sha256	a84d393d443ffb98dc2bd25b138e1027d38e36e34988aeb15f3eaa381faad917
ssdeep	24576:MeOJ87c2SRhLAgEFTImmNCYynL6bTOlUKncNuKL4RLP/fycPKpWw9AduRpuZ44y7:SpkvDI
imphash
impfuzzy

Network IP location

Signature (12cnts)

Level	Description
danger	Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
watch	Communicates with host for which no DNS query was performed
watch	File has been identified by 16 AntiVirus engines on VirusTotal as malicious
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	An application raised an exception which may be indicative of an exploit crash
notice	Creates (office) documents on the filesystem
notice	Creates hidden or system file
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	One or more potentially interesting buffers were extracted
notice	Performs some HTTP requests
notice	Sends data using the HTTP POST Method
info	One or more processes crashed

Rules (3cnts)

Level	Name	Description	Collection
warning	MS_RTF_Suspicious_documents	Suspicious documents using RTF document OLE object	binaries (upload)
warning	SUSP_INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.	binaries (upload)
info	Rich_Text_Format_Zero	Rich Text Format Signature Zero	binaries (upload)

Network (14cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?
http://www.eturnum.org/et9t/?XFkk=oGB2a62R5hQvo2E9fBkXawOuNKj3Dek6/gk22RSM/jZ849uvwjkHsue2s///UvCqJC6xkWcBqYeWgpc71Q83w80Z1Wi48i4g+hNU7Ic=&25vCm=ziVcI1CGgxu whois		Awareness Software Limited	149.255.59.16		clean
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip whois		Linode, LLC	45.33.6.223		clean
http://www.eturnum.org/et9t/ whois		Awareness Software Limited	149.255.59.16		clean
http://23.94.148.61/800/ChromeSetup.exe whois		AS-COLOCROSSING	23.94.148.61		clean
http://www.sdrfgjf04.sbs/et9t/ whois			154.23.176.81		clean
http://www.sdrfgjf04.sbs/et9t/?XFkk=fyGICc5TieCCYxLA9A3YXfgdgdyUYVbgq7FJ/PFTCWHsrK2PzodQNgOuC22hjbDQxS9NYwBdAOx0BZ+otaqny3v5VddjKMYrJbXKRJI=&25vCm=ziVcI1CGgxu whois			154.23.176.81		clean
www.dmidevel.com whois		AMAZON-02	52.17.186.13		clean
www.eturnum.org whois		Awareness Software Limited	149.255.59.16		clean
www.sdrfgjf04.sbs whois			154.23.176.81		clean
149.255.59.16 whois		Awareness Software Limited	149.255.59.16		malware
154.23.176.81 whois			154.23.176.81		clean
52.17.186.13 whois		AMAZON-02	52.17.186.13		clean
45.33.6.223 whois		Linode, LLC	45.33.6.223		clean
23.94.148.61 whois		AS-COLOCROSSING	23.94.148.61		malware

Suricata ids

Similarity measure (PE file only) - Checking for service failure