popup

Report - 사이버안전참고자료.doc

VBA_macro Generic Malware MSOffice File Lnk Format GIF Format
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.10.30 17:51 Machine s1_win7_x6402
Filename 사이버안전참고자료.doc
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 949, Title: , Author: Administrator, Template: Normal.dotm, Last Saved By: user1, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create T
AI Score Not founds Behavior Score
4.0
ZERO API file : clean
VT API (file) 35 detected (malicious, high confidence, 0NA103EL21, SAgent, Amphitryon, TOPIS, DZELwasrCxH, OLE2, ADZF, ai score=84, Kimsuky, Obfuse, Detected, MacroS, Static AI, Malicious OLE)
md5 04a0505cc45d2dac4be9387768efcb7c
sha256 49fa63340fef32e6e5245150ce9f02f87ffdfea7bd484e1ca76b75e5eac52828
ssdeep 3072:NkGcVP8J1r3B1MCbJYKkGcVP8J1r3Bh2B:WDqHuDq
imphash
impfuzzy
  Network IP location

Signature (9cnts)

Level Description
danger File has been identified by 35 AntiVirus engines on VirusTotal as malicious
notice Allocates read-write-execute memory (usually to unpack itself)
notice An application raised an exception which may be indicative of an exploit crash
notice Creates (office) documents on the filesystem
notice Creates a shortcut to an executable file
notice Creates executable files on the filesystem
notice Creates hidden or system file
notice Performs some HTTP requests
info One or more processes crashed

Rules (5cnts)

Level Name Description Collection
warning Contains_VBA_macro_code Detect a MS Office document with embedded VBA macro code [binaries] binaries (upload)
warning Generic_Malware_Zero Generic Malware binaries (upload)
info lnk_file_format Microsoft Windows Shortcut File Format binaries (download)
info Lnk_Format_Zero LNK Format binaries (download)
info Microsoft_Office_File_Zero Microsoft Office File binaries (upload)

Network (3cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://yanggucam.designsoup.co.kr/user/views/board/skin/secret/css/list.php?query=1
whois
KR KINX 121.78.88.79 mailcious
yanggucam.designsoup.co.kr
whois
KR KINX 121.78.88.79 mailcious
121.78.88.79
whois
KR KINX 121.78.88.79 mailcious

Suricata ids

ET MALWARE Suspected Kimsuky Activity (GET)
ET MALWARE Kimsuky Related Script Activity (GET)
ET MALWARE Suspected DPRK APT Related Activity (GET)

Similarity measure (PE file only) - Checking for service failure