popup

Report - 0iuoioooUIOIOiiiu0u0uioiui0iuiooi0i0u0%23%23%23%23%23%23%23%23%23%23%23%23%23%230iuI00UIuoioioU00I0uiuiuiuIUIUiuiu000%23%23%23%23%23%23%23%23%23%23%23%23%23%23000.doc

Formbook MS_RTF_Obfuscation_Objects RTF File doc
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.10.11 18:10 Machine s1_win7_x6403
Filename 0iuoioooUIOIOiiiu0u0uioiui0iuiooi0i0u0%23%23%23%23%23%23%23%23%23%23%23%23%23%230iuI00UIuoioioU00I0uiuiuiuIUIUiuiu000%23%23%23%23%23%23%23%23%23%23%23%23%23%23000.doc
Type ISO-8859 text, with very long lines, with CRLF, CR, LF line terminators
AI Score Not founds Behavior Score
4.6
ZERO API file : mailcious
VT API (file) 32 detected (CVE-2018-0802, ObfsObjDat, Save, CVE-2017-1188, multiple detections, Malicious, score, dinbqn, Wylw, Malformed, CVE-2018-0798, RTFMALFORM, Detected, Malform, RTFObfustream, Probably Heur, RTFBadHeader, CLASSIC, ai score=88)
md5 3289a3401f78873c39e10465d77be4df
sha256 c225ae64d61372f60143f86ef5f898b4f7e7e2a20de0773361eefe0034490f6f
ssdeep 768:4C00p49/GpNtYRBiYQ7YBqpFvGy9B91p0QNHrzyf9nNQgU9:fp2UqRYYQ+ktR/1pknNQX
imphash
impfuzzy
  Network IP location

Signature (10cnts)

Level Description
danger File has been identified by 32 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
notice An application raised an exception which may be indicative of an exploit crash
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates (office) documents on the filesystem
notice Creates hidden or system file
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
info One or more processes crashed

Rules (3cnts)

Level Name Description Collection
warning MS_RTF_Suspicious_documents Suspicious documents using RTF document OLE object binaries (upload)
warning SUSP_INDICATOR_RTF_MalVer_Objects Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents. binaries (upload)
info Rich_Text_Format_Zero Rich Text Format Signature Zero binaries (upload)

Network (39cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://www.onlyleona.com/kniu/
whois
US CLOUDFLARENET 104.21.13.143 36720 mailcious
http://www.prosourcegraniteinc.com/kniu/?9UU4WiQ1=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&XT=9LS9sDj_UX
whois
US GOOGLE 216.239.34.21 36717 mailcious
http://www.prosourcegraniteinc.com/kniu/
whois
US GOOGLE 216.239.34.21 36717 mailcious
http://23.95.106.3/479/process.exe
whois
US AS-COLOCROSSING 23.95.106.3 malware
http://www.onlyleona.com/kniu/?9UU4WiQ1=eul8o7FRTpzZYv+GqkkzOpE5tEZO7cuUa8jf7YGp4uFOB2eW2y1ALY7ycZgKlFf7jddzg63rMJOPKD43r6dZxMpJnJONv2M7MFgI8Mw=&XT=9LS9sDj_UX
whois
US CLOUDFLARENET 104.21.13.143 36720 mailcious
http://23.95.106.3/479/qw/Ooseha.exe
whois
US AS-COLOCROSSING 23.95.106.3 malware
http://www.poultry-symposium.com/kniu/
whois
PL Nazwa.pl Sp.z.o.o. 85.128.134.237 36722 mailcious
http://www.theartboxslidell.com/kniu/?9UU4WiQ1=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&XT=9LS9sDj_UX
whois
Unknown 199.59.243.225 36718 mailcious
http://www.xxkxcfkujyeft.xyz/kniu/
whois
US MULTA-ASN1 216.240.130.67 36719 mailcious
http://www.xxkxcfkujyeft.xyz/kniu/?9UU4WiQ1=i0HwDxosD6vP35vKxXt8TqB5hgt09UAmGu6yXsGJ7KHeDbKCAxtr8kYkpXafqSJ5CWKS4JQhNIcZa2fBS8/HEz0POFGF5EDYOp/zgDU=&XT=9LS9sDj_UX
whois
US MULTA-ASN1 216.240.130.67 36719 mailcious
http://www.theartboxslidell.com/kniu/
whois
Unknown 199.59.243.225 36718 mailcious
http://www.tsygy.com/kniu/?9UU4WiQ1=bJ36cMi4kupHJe0Hctq9gMewB+uvjmGDqwrfSqfgcqRhOtXAC1zMZIlHhDCyIhSJCFAYjWOLktx1yjWN3ai585tt7uX+B1FmFo0jbF0=&XT=9LS9sDj_UX
whois
US LEASEWEB-USA-LAX-11 23.104.137.185 36721 mailcious
http://www.frefire.top/kniu/
whois
US VIMRO-AS15189 67.223.117.37 36723 mailcious
http://23.95.106.3/479/Kodviywuey.mp3
whois
US AS-COLOCROSSING 23.95.106.3 clean
http://www.tsygy.com/kniu/
whois
US LEASEWEB-USA-LAX-11 23.104.137.185 36721 mailcious
http://www.poultry-symposium.com/kniu/?9UU4WiQ1=40XX9Ytbs/otsI+0yUtAogrXy8SgXZWV889z9rydVcgoc+JCy8vgR1icdWU6u94Njq5xrtv7NQnpOX1iusCyLYuLxlHkdapdsh1Ymak=&XT=9LS9sDj_UX
whois
PL Nazwa.pl Sp.z.o.o. 85.128.134.237 36722 mailcious
http://www.frefire.top/kniu/?9UU4WiQ1=w8rKBuSUIg6smCThP+RZr8URK2cMAOxRwdqHG6Uo67OOMeio1zBa/jWrwyXT3+M/9aqTr1N41d9bzE5WN9beyeWExgAtk5mD8L1zbeQ=&XT=9LS9sDj_UX
whois
US VIMRO-AS15189 67.223.117.37 36723 mailcious
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3220000.zip
whois
US Linode, LLC 45.33.6.223 clean
www.onlyleona.com
whois
US CLOUDFLARENET 172.67.132.228 mailcious
www.poultry-symposium.com
whois
PL Nazwa.pl Sp.z.o.o. 85.128.134.237 mailcious
www.prosourcegraniteinc.com
whois
US GOOGLE 216.239.32.21 mailcious
www.xxkxcfkujyeft.xyz
whois
US MULTA-ASN1 216.240.130.67 mailcious
www.frefire.top
whois
US VIMRO-AS15189 67.223.117.37 mailcious
www.8956kjw1.com
whois
HK LEMON TELECOMMUNICATIONS LIMITED 103.71.154.243 clean
www.theartboxslidell.com
whois
Unknown 199.59.243.225 mailcious
www.tsygy.com
whois
US LEASEWEB-USA-LAX-11 23.104.137.185 mailcious
www.siteapp.fun
whois
Unknown mailcious
www.pengeloladata.click
whois
Unknown mailcious
216.239.38.21
whois
US GOOGLE 216.239.38.21 phishing
23.104.137.185
whois
US LEASEWEB-USA-LAX-11 23.104.137.185 mailcious
104.21.13.143
whois
US CLOUDFLARENET 104.21.13.143 clean
23.95.106.3
whois
US AS-COLOCROSSING 23.95.106.3 mailcious
199.59.243.225
whois
Unknown 199.59.243.225 clean
67.223.117.37
whois
US VIMRO-AS15189 67.223.117.37 mailcious
85.128.134.237
whois
PL Nazwa.pl Sp.z.o.o. 85.128.134.237 mailcious
216.240.130.67
whois
US MULTA-ASN1 216.240.130.67 mailcious
103.71.154.243
whois
HK LEMON TELECOMMUNICATIONS LIMITED 103.71.154.243 clean
45.33.6.223
whois
US Linode, LLC 45.33.6.223 clean
185.225.75.8
whois
DE Mayak Smart Services Ltd. 185.225.75.8 malware

Suricata ids

ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Packed Executable Download
ET MALWARE FormBook CnC Checkin (POST) M2
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
SURICATA HTTP unable to match response to request
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
ET 3CORESec Poor Reputation IP group 16
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .TOP Domain with Minimal Headers
ET HUNTING Request to .XYZ Domain with Minimal Headers

Similarity measure (PE file only) - Checking for service failure