Report - ZeroBOX

ScreenShot

Info
Location map


Created	2023.09.30 13:29	Machine	s1_win7_x6403
Filename	I0OIIOIOi0ioii0oiioi0ioiooi0i00i0i0iooi0ioi0ioi0oi0ioi0000%23%23%23%23%23%23%23%23%23%23%23%23%23%230000000%23%23%23%23%23%23%23%23%23%23%23%23%23%230000000.doc
Type	ISO-8859 text, with very long lines, with CRLF, CR, LF line terminators
AI Score	Not founds	Behavior Score	5.2
ZERO API	file : clean
VT API (file)	27 detected (RTFObfustream, Save, Bloodhound, multiple detections, Malicious, score, ObfsStrm, dinbqn, Malformed, CVE-2018-0798, RTFMALFORM, ai score=84, Wacatac, Detected, Malform, Probably Heur, RTFBadHeader, CVE-2017-1188, CVE-2018-0802)
md5	647d8be1ca923f60c2d571eb746ef0e2
sha256	285fc022dd6c67542123a95cb197146ffaf815e5b4f2334cd358c20799b4ce2d
ssdeep	1536:HlbzfmSdhVfkUKjZH7oiO6kHGTtQosL3JkAKW:FZdKjZH7pO9GTtQoszJkAKW
imphash
impfuzzy

Network IP location

Signature (12cnts)

Level	Description
warning	File has been identified by 27 AntiVirus engines on VirusTotal as malicious
watch	Communicates with host for which no DNS query was performed
notice	An application raised an exception which may be indicative of an exploit crash
notice	Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice	Creates (office) documents on the filesystem
notice	Creates hidden or system file
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	One or more potentially interesting buffers were extracted
notice	Performs some HTTP requests
notice	Resolves a suspicious Top Level Domain (TLD)
notice	Sends data using the HTTP POST Method
info	One or more processes crashed

Rules (3cnts)

Level	Name	Description	Collection
warning	MS_RTF_Suspicious_documents	Suspicious documents using RTF document OLE object	binaries (upload)
warning	SUSP_INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.	binaries (upload)
info	Rich_Text_Format_Zero	Rich Text Format Signature Zero	binaries (upload)

Network (33cnts) ?

Request	ASN Co	IP4	ZERO ?
http://www.banking-products.com/c8nr/?F3=ENL5hTb1LcB7CURkiczdT+ejQGmla3oISTfQo2/YV4hNHnoLkBSgmjHFVmlBRdxgRm3zMdu0VU9DbjiUlLDYulW193G769XwZ3GN77g=&rT=Nt-TZZTkeRdw whois		147.182.150.98	clean
http://www.charcoal-id.com/c8nr/ whois	Global Media Teknologi, PT	202.52.146.246	clean
http://www.ng1ljmv67o.com/c8nr/ whois	CONFLUENCE-NETWORK-INC	208.91.197.39	clean
http://www.freeprosoftz.download/c8nr/?F3=QwWL61OjL6Zjup2of9u7xYwZUk4i9WyrtzOogSBq0fTkVXlsW82z9ucnH56cGKu7VeAvdm+QQh0mLF61TehwZUGfckypRxLgmJoqexY=&rT=Nt-TZZTkeRdw whois	CLOUDFLARENET	104.21.17.78	clean
http://www.waremart.top/c8nr/?F3=KVXIGGOevITGxD2WQvY/uYGCDwnSgtX62kxPYtz8ySb+fzNjXSoJfn3Gb7fCEKXq0Dt0VHGAWvVKgT6TbMH6cQbNJ8bX2L8nNVJJ3fQ=&rT=Nt-TZZTkeRdw whois	ACP	162.0.213.94	clean
http://www.calculaqui.com/c8nr/?F3=OjdZwvBuU/ug8o3d94DJyrhInUGEGcqmO1sXFb6TuBXVHy3dgl4nqyV+jYs1QF37euEKRExOzrzz3hz7a5wEHeU8OO/DqHfi+/lveaw=&rT=Nt-TZZTkeRdw whois	CLOUDFLARENET	172.67.203.131	clean
http://www.charcoal-id.com/c8nr/?F3=6JSHidr3Bn2iwSUtC4PW4Gvpxg89xUQjO4aPVvfz4xZu1RX38nUjyBfg1u2hjWOcq5dMLqFxHMQyk/L5KrgEpXnP9NcgGvuA1NBUhr0=&rT=Nt-TZZTkeRdw whois	Global Media Teknologi, PT	202.52.146.246	clean
http://www.calculaqui.com/c8nr/ whois	CLOUDFLARENET	172.67.203.131	clean
http://www.freeprosoftz.download/c8nr/ whois	CLOUDFLARENET	104.21.17.78	clean
http://www.whistle.news/c8nr/ whois	UAB Nacionalinis Telekomunikaciju Tinklas	84.32.84.32	clean
http://www.waremart.top/c8nr/ whois	ACP	162.0.213.94	clean
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3210000.zip whois	Linode, LLC	45.33.6.223	clean
http://50.3.182.140/350/audiodg.exe whois	EONIX-COMMUNICATIONS-ASBLOCK-62904	50.3.182.140	malware
http://www.whistle.news/c8nr/?F3=CqYf1SmszDBRcRt3Ry7nuhva6EmhLI5UD2I/eVu+u8EOQktcJMnp9pGxshpp5J7Zxswa5jm29s59MM0LkVDS8/fxra0kqVJlH6+elnA=&rT=Nt-TZZTkeRdw whois	UAB Nacionalinis Telekomunikaciju Tinklas	84.32.84.32	clean
http://www.banking-products.com/c8nr/ whois		147.182.150.98	clean
www.calculaqui.com whois	CLOUDFLARENET	104.21.85.74	clean
www.charcoal-id.com whois	Global Media Teknologi, PT	202.52.146.246	clean
www.shimakaze-83.cfd whois			clean
www.yle4ql.cfd whois			clean
www.freeprosoftz.download whois	CLOUDFLARENET	172.67.175.76	clean
www.waremart.top whois	ACP	162.0.213.94	clean
www.whistle.news whois	UAB Nacionalinis Telekomunikaciju Tinklas	84.32.84.32	clean
www.ng1ljmv67o.com whois	CONFLUENCE-NETWORK-INC	208.91.197.39	clean
www.banking-products.com whois		147.182.150.98	clean
162.0.213.94 whois	ACP	162.0.213.94	clean
208.91.197.39 whois	CONFLUENCE-NETWORK-INC	208.91.197.39	mailcious
50.3.182.140 whois	EONIX-COMMUNICATIONS-ASBLOCK-62904	50.3.182.140	mailcious
202.52.146.246 whois	Global Media Teknologi, PT	202.52.146.246	clean
84.32.84.32 whois	UAB Nacionalinis Telekomunikaciju Tinklas	84.32.84.32	mailcious
104.21.85.74 whois	CLOUDFLARENET	104.21.85.74	clean
147.182.150.98 whois		147.182.150.98	clean
172.67.175.76 whois	CLOUDFLARENET	172.67.175.76	clean
45.33.6.223 whois	Linode, LLC	45.33.6.223	clean

Report - I0OIIOIOi0ioii0oiioi0ioiooi0i00i0i0iooi0ioi0ioi0oi0ioi0000%23%23%23%23%23%23%23%23%23%23%23%23%23%230000000%23%23%23%23%23%23%23%23%23%23%23%23%23%230000000.doc

Signature (12cnts)

Rules (3cnts)

Network (33cnts) ?

Suricata ids

Similarity measure (PE file only) - Checking for service failure