Report - iwanttounderstandhowmuchilovertokissherwithlotoflovetounderstand___sheismygirlshemylovergirltoseeher.doc

MS_RTF_Obfuscation_Objects RTF File doc

ScreenShot

Info
Location map


Created	2024.03.31 11:33	Machine	s1_win7_x6401
Filename	iwanttounderstandhowmuchilovertokissherwithlotoflovetounderstand___sheismygirlshemylovergirltoseeher.doc
Type	Rich Text Format data, version 1, unknown character set
AI Score	Not founds	Behavior Score	4.6
ZERO API	file : mailcious
VT API (file)	32 detected (ObfsStrm, CVE-2017-1188, CVE2017, Save, multiple detections, Malicious, score, dinbqn, bgfft, RTFMALFORM, RtfExp, Detected, OLE2, Infected, AutoInfector, Remcos, Camelot, Malform, Probably Heur, RTFObfuscation, ai score=82)
md5	b5b2948d407676eab86b1152e7ce5ec4
sha256	73c5b71d2923b11a8b262321c6229520c93115f82c78d742f041a650725d482f
ssdeep	1536:fgoIW1uYod+RuUl9Zh7teyDdvqMhRSiupwk8uXjlh17AY9j:otyuYod+RuAZh84vSiowk8uXjlh17AYR
imphash	1
impfuzzy	1

Network IP location

Signature (11cnts)

Level	Description
danger	File has been identified by 32 AntiVirus engines on VirusTotal as malicious
danger	File has been identified by 32 AntiVirus engines on VirusTotal as malicious
watch	Communicates with host for which no DNS query was performed
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	An application raised an exception which may be indicative of an exploit crash
notice	Creates (office) documents on the filesystem
notice	Creates hidden or system file
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Performs some HTTP requests
notice	RTF file has an unknown character set
info	One or more processes crashed

Rules (8cnts)

Level	Name	Description	Collection
warning	SUSP_INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.	binaries (upload)
info	Rich_Text_Format_Zero	Rich Text Format Signature Zero	binaries (upload)
info	1		dumpmem
info	1		memory
info	1		office
info	1		scripts
info	1		urls
info	94102		shellcode

Network (9cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?
http://apps.identrust.com/roots/dstrootcax3.p7c whois		Akamai International B.V.	23.210.247.48	1	clean
http://103.237.87.56/xampp/fgh/imagepixelloverslove.jpg whois			103.237.87.56		clean
https://paste.ee/d/2pg02 whois		CLOUDFLARENET	172.67.187.200	1	clean
paste.ee whois		CLOUDFLARENET	172.67.187.200	1	mailcious
uploaddeimagens.com.br whois		CLOUDFLARENET	104.21.45.138	1	malware
23.210.247.48 whois		Akamai International B.V.	23.210.247.48	1	clean
172.67.187.200 whois		CLOUDFLARENET	172.67.187.200	1	mailcious
103.237.87.56 whois			103.237.87.56		malware
104.21.45.138 whois		CLOUDFLARENET	104.21.45.138	1	malware

Suricata ids

PE API

1

Similarity measure (PE file only) - Checking for service failure