Report - 000000000000000%23%23%23%23%23%23%23%23%23%23%23%23%23%23000000000000000000%23%23%23%23%23%23%23%23%23%23%23%23%23%2300000000000%23%23%23%23%23%23%23%230.doc

Formbook MS_RTF_Obfuscation_Objects RTF File doc

ScreenShot

Info
Location map


Created	2023.08.09 09:29	Machine	s1_win7_x6403
Filename	000000000000000%23%23%23%23%23%23%23%23%23%23%23%23%23%23000000000000000000%23%23%23%23%23%23%23%23%23%23%23%23%23%2300000000000%23%23%23%23%23%23%23%230.doc
Type	ISO-8859 text, with very long lines, with CRLF, CR, LF line terminators
AI Score	Not founds	Behavior Score	5.6
ZERO API	file : mailcious
VT API (file)	30 detected (ObfsObjDat, RTFObfustream, Save, CVE-2017-1188, multiple detections, Malicious, score, CVE-2018-0802, dinbqn, Malformed, CVE-2018-0798, RTFMALFORM, Sonbokli, Detected, Malform, Probably Heur, RTFBadHeader, CLASSIC, ai score=89, Abnormal)
md5	b5851205722f0379cef7fa7f56e9c2c2
sha256	d31e495335759e79d509741d23e6b8c747406a12f1044e0857717527874cd625
ssdeep	384:rkNLgWqc0CUCRxvtne8QUz4p3QQaU9nVDnq+PIEwCQnKtwoKjS+fDWgLeAF5:rkhzqcTxvtnoQQaOnVDnq+xtwoKjXF5
imphash
impfuzzy

Network IP location

Signature (11cnts)

Level	Description
danger	Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
danger	File has been identified by 30 AntiVirus engines on VirusTotal as malicious
watch	Communicates with host for which no DNS query was performed
notice	An application raised an exception which may be indicative of an exploit crash
notice	Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice	Creates (office) documents on the filesystem
notice	Creates hidden or system file
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Performs some HTTP requests
notice	Sends data using the HTTP POST Method
info	One or more processes crashed

Rules (3cnts)

Level	Name	Description	Collection
warning	MS_RTF_Suspicious_documents	Suspicious documents using RTF document OLE object	binaries (upload)
warning	SUSP_INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.	binaries (upload)
info	Rich_Text_Format_Zero	Rich Text Format Signature Zero	binaries (upload)

Network (11cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?
http://23.94.148.61/598/ChromeSetup.exe whois		AS-COLOCROSSING	23.94.148.61		clean
http://www.eturnum.org/et9t/?pX7nMhZ=oGB2a62R5hQvo2E9fBkXawOuNKj3Dek6/gk22RSM/jZ849uvwjkHsue2s///UvCqJC6xkWcBqYeWgpc71Q83w80Z1Wi48i4g+hNU7Ic=&4KNm0j=RN6a whois		Awareness Software Limited	149.255.59.16	35685	mailcious
http://www.eturnum.org/et9t/ whois		Awareness Software Limited	149.255.59.16	35685	mailcious
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3320000.zip whois		Linode, LLC	45.33.6.223		clean
www.dmidevel.com whois		AMAZON-02	52.17.186.13		mailcious
www.eturnum.org whois		Awareness Software Limited	149.255.59.16		mailcious
www.sdrfgjf04.sbs whois					mailcious
149.255.59.16 whois		Awareness Software Limited	149.255.59.16		malware
23.94.148.61 whois		AS-COLOCROSSING	23.94.148.61		malware
34.250.27.150 whois		AMAZON-02	34.250.27.150		clean
45.33.6.223 whois		Linode, LLC	45.33.6.223		clean

Suricata ids

Similarity measure (PE file only) - Checking for service failure