Report - obizx.doc

MS_RTF_Obfuscation_Objects RTF File doc

ScreenShot

Info
Location map


Created	2023.09.07 17:54	Machine	s1_win7_x6402
Filename	obizx.doc
Type	Rich Text Format data, version 1, unknown character set
AI Score	Not founds	Behavior Score	3.6
ZERO API	file : mailcious
VT API (file)	29 detected (ObfsObjDat, RTFObfustream, Save, CVE-2017-1188, Camelot, Bloodhound, Malicious, score, CVE-2018-0802, dinbqn, RTFDl, Malformed, CVE-2018-0798, RTFMALFORM, Detected, Probably Heur, RTFObfuscation, CLASSIC, ai score=88)
md5	5c2b9063897b742f636bbed0c5dc7884
sha256	8f6adbbbaf0b3300c19c11245feda8a509e65af72091eccb5d5009635986ebde
ssdeep	768:kwAbZSibMX9gRWj29gYbYbr6xoC6tenAHi:kwAlR+YbYbr6WCSeAHi
imphash
impfuzzy

Network IP location

Signature (8cnts)

Level	Description
warning	File has been identified by 29 AntiVirus engines on VirusTotal as malicious
watch	Communicates with host for which no DNS query was performed
notice	An application raised an exception which may be indicative of an exploit crash
notice	Creates (office) documents on the filesystem
notice	Creates hidden or system file
notice	Looks up the external IP address
notice	RTF file has an unknown character set
info	One or more processes crashed

Rules (2cnts)

Level	Name	Description	Collection
warning	SUSP_INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.	binaries (upload)
info	Rich_Text_Format_Zero	Rich Text Format Signature Zero	binaries (upload)

Network (6cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?
http://185.28.39.17:7777/185.28.39.18/obizx.exe whois			185.28.39.17		malware
cp5ua.hyperhost.ua whois		ITL LLC	91.235.128.141		clean
api.ipify.org whois		WEBNX	104.237.62.212		clean
185.28.39.17 whois			185.28.39.17		malware
104.237.62.212 whois		WEBNX	104.237.62.212		clean
91.235.128.141 whois		ITL LLC	91.235.128.141		clean

Suricata ids

Similarity measure (PE file only) - Checking for service failure