Report - ZeroBOX

ScreenShot

Info
Location map


Created	2023.10.24 09:37	Machine	s1_win7_x6403
Filename	millianozx.doc
Type	Rich Text Format data, version 1, unknown character set
AI Score	Not founds	Behavior Score	4.4
ZERO API	file : mailcious
VT API (file)	33 detected (CVE-2018-0802, ObfsObjDat, RTFObfustream, Save, CVE-2017-1188, Malicious, score, Rimw, iqjxu, CVE-2018-0798, RTFMALFORM, RTFDl, Camelot, ai score=84, Detected, Probably Heur, RTFObfuscation, CLASSIC)
md5	b394ab992ac85ab0fefc4a7d3d181bbd
sha256	aaebb0f42353e5c2a0273728f933a0fc9f6e5bb325cde360813240b4142ece77
ssdeep	768:4wAbZSibMX9gRWjArvPU4qm14xwIed+y4tPzXwmhoQBqnUSDzrK/6Y:4wAlRVUO14VedX4tEmhoQkUWKCY
imphash
impfuzzy

Network IP location

Signature (10cnts)

Level	Description
danger	File has been identified by 33 AntiVirus engines on VirusTotal as malicious
notice	An application raised an exception which may be indicative of an exploit crash
notice	Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice	Creates (office) documents on the filesystem
notice	Creates hidden or system file
notice	Performs some HTTP requests
notice	Resolves a suspicious Top Level Domain (TLD)
notice	RTF file has an unknown character set
notice	Sends data using the HTTP POST Method
info	One or more processes crashed

Rules (2cnts)

Level	Name	Description	Collection
warning	SUSP_INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.	binaries (upload)
info	Rich_Text_Format_Zero	Rich Text Format Signature Zero	binaries (upload)

Network (23cnts) ?

Request	ASN Co	IP4	ZERO ?
http://fresh1.ironoreprod.top/_errorpages/millianozx.exe whois	CLOUDFLARENET	172.67.166.168	malware
http://www.kectapp.xyz/qbru/ whois	NAMECHEAP-NET	162.0.233.82	clean
http://www.jantanslot.xyz/qbru/ whois	SEDO GmbH	91.195.240.19	clean
http://www.micsites.com/qbru/?11=mDZ2amPM8lWqbeAYWcDKqdpiecTJ9prCGyOd2oWqi+yKbAV58Q/8VgXtpTMQ/k9YpjQqe6WeoDmxmXaptUBmMq6sDIRlbyaAuf4h15w=&LQk=H8uqa whois	UNIFIEDLAYER-AS-1	162.241.63.76	clean
http://www.0857.bet/qbru/ whois	SEDO GmbH	91.195.240.19	clean
http://www.thefulfilleddog.net/qbru/?11=1EPu3c3qpncBWw5AsPbmO/uk1IuylEz0DkrYlvCIwqSSQ2S5BpR/UJA6bHVgZ1CeA3nqd3Tiw9yI3Ym4nbGMG+qDHZJm8eYC1fBVsac=&LQk=H8uqa whois	SEDO GmbH	91.195.240.19	clean
http://www.thefulfilleddog.net/qbru/ whois	SEDO GmbH	91.195.240.19	clean
http://www.micsites.com/qbru/ whois	UNIFIEDLAYER-AS-1	162.241.63.76	clean
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3160000.zip whois	Linode, LLC	45.33.6.223	clean
http://www.0857.bet/qbru/?11=k1gkcJ6tXVBJWcfD5JFdj9jh1GwKScxeJP6VCK1BK8ixvV5VgN0eYG6gTrvugstFS6wF93GzuEqrlILkxAhWglV5VSYx8lCBsUKmTZc=&LQk=H8uqa whois	SEDO GmbH	91.195.240.19	clean
http://www.jantanslot.xyz/qbru/?11=kMrvYXKBNwaF4E5tRezPj5SMX6XQ+ILaa8SXqvb1iySbFntGTH4YGFtALrA4UwFGSL+bmisufUZFVXdWgTdYvXpvkIKAL06RY9IgoHM=&LQk=H8uqa whois	SEDO GmbH	91.195.240.19	clean
www.thefulfilleddog.net whois	SEDO GmbH	91.195.240.19	clean
www.rinconesdetenerife.com whois			clean
www.micsites.com whois	UNIFIEDLAYER-AS-1	162.241.63.76	clean
www.jantanslot.xyz whois	SEDO GmbH	91.195.240.19	clean
www.kectapp.xyz whois	NAMECHEAP-NET	162.0.233.82	clean
www.0857.bet whois	SEDO GmbH	91.195.240.19	clean
fresh1.ironoreprod.top whois	CLOUDFLARENET	172.67.166.168	mailcious
91.195.240.19 whois	SEDO GmbH	91.195.240.19	mailcious
172.67.166.168 whois	CLOUDFLARENET	172.67.166.168	mailcious
162.0.233.82 whois	NAMECHEAP-NET	162.0.233.82	clean
162.241.63.76 whois	UNIFIEDLAYER-AS-1	162.241.63.76	clean
45.33.6.223 whois	Linode, LLC	45.33.6.223	clean

Report - millianozx.doc

Signature (10cnts)

Rules (2cnts)

Network (23cnts) ?

Suricata ids

Similarity measure (PE file only) - Checking for service failure