Report - microzx.doc

MS_RTF_Obfuscation_Objects RTF File doc

ScreenShot

Info
Location map


Created	2024.03.31 11:27	Machine	s1_win7_x6401
Filename	microzx.doc
Type	Rich Text Format data, version 1, unknown character set
AI Score	Not founds	Behavior Score	4.0
ZERO API	file : mailcious
VT API (file)	38 detected (CVE-2018-0802, GenericKD, CVE-2017-1188, Save, FORMBOOK, Obfuscated, Malicious, score, CLASSIC, jqroi, CVE-2018-0798, Detected, AgentTesla, ABRisk, FDDN, RTFObfustream, Probably Heur, RTFObfuscation, Uwhl, Richer, b1ZbaG, ai score=82)
md5	43222246288ded51499a28aa77ed3cdb
sha256	549efc26b767eb73d03d661fc2234dff23a0de9198b84103ef6b20e286af04d3
ssdeep	1536:nwAlRkwAlRkwAlRhiZKAXUcqnNHCGCKiH:nwAlawAlawAljiNXUcqnNHCGCDH
imphash
impfuzzy

Network IP location

Signature (9cnts)

Level	Description
danger	File has been identified by 38 AntiVirus engines on VirusTotal as malicious
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	An application raised an exception which may be indicative of an exploit crash
notice	Creates (office) documents on the filesystem
notice	Creates hidden or system file
notice	Performs some HTTP requests
notice	Resolves a suspicious Top Level Domain (TLD)
notice	RTF file has an unknown character set
info	One or more processes crashed

Rules (2cnts)

Level	Name	Description	Collection
warning	SUSP_INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.	binaries (upload)
info	Rich_Text_Format_Zero	Rich Text Format Signature Zero	binaries (upload)

Network (3cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?
https://covid19help.top/microzx.scr whois		CLOUDFLARENET	172.67.175.222		clean
covid19help.top whois		CLOUDFLARENET	172.67.175.222		mailcious
172.67.175.222 whois		CLOUDFLARENET	172.67.175.222		mailcious

Suricata ids

Similarity measure (PE file only) - Checking for service failure