Report - ZeroBOX

ScreenShot

Info
Location map


Created	2024.06.14 09:20	Machine	s1_win7_x6403
Filename	bin2.doc
Type	Rich Text Format data, version 1, unknown character set
AI Score	Not founds	Behavior Score	4.4
ZERO API	file : mailcious
VT API (file)	33 detected (ObfsObjDat, Malicious, score, Save, CVE-2017-1188, RTFObfustream, Obfuscated, CVE-2018-0802, CLASSIC, tferp, CVE-2018-0798, RTFMALFORM, Detected, Infected, AutoInfector, ABRisk, POUB, Probably Heur, RTFObfuscation, ai score=85)
md5	118072abaca518e6ece93908a9fee1f4
sha256	263f6d102bd67cdbc4617b0db0ee891fb53d73128b9c88d0558b10c7527e6b46
ssdeep	6144:AwAYwAYwAYwAYwAYwAYwAYwAYwAYwAJEaAFM+qe:/Ea2D
imphash
impfuzzy

Network IP location

Signature (10cnts)

Level	Description
danger	File has been identified by 33 AntiVirus engines on VirusTotal as malicious
notice	An application raised an exception which may be indicative of an exploit crash
notice	Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice	Creates (office) documents on the filesystem
notice	Creates hidden or system file
notice	Performs some HTTP requests
notice	Resolves a suspicious Top Level Domain (TLD)
notice	RTF file has an unknown character set
notice	Sends data using the HTTP POST Method
info	One or more processes crashed

Rules (2cnts)

Level	Name	Description	Collection
warning	SUSP_INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.	binaries (upload)
info	Rich_Text_Format_Zero	Rich Text Format Signature Zero	binaries (upload)

Network (33cnts) ?

Request	ASN Co	IP4	ZERO ?
http://www.carolinappttery.com/q380/ whois		123.58.214.101	clean
http://www.ybw73.top/zfmd/?gSDpSqhg=Wy9Xy0arXTA/u2vvBYrKIOUBpzUpOEWJyNtxnnOaFAzOmZ+G/QUaP7IPedalQRfZTnOTlfhQhpBKLAk/X9K39OImH5VRArdmcUQpro/j/mKcwsNXkqPqNRMPQWcketlQaFqDwMQ=&zd=lHTo3CucwT whois	COGENT-174	38.47.232.233	clean
http://www.aritum.top/f2qc/?gSDpSqhg=+PlbwI8tNruUpga2nartzvIoOczIwOvbU1ANxXfMuvMQEzSRrWQM3cmspk1IFvcCMV40t1yig50Ax37YShWjrdIjOvIEgJJROzqkte3OBXYcjah0B7lnBY2SKVXOZr2cpq5/qwU=&zd=lHTo3CucwT whois		203.161.55.102	clean
http://www.aritum.top/f2qc/ whois		203.161.55.102	clean
http://www.sqlite.org/2016/sqlite-dll-win32-x86-3140000.zip whois	Linode, LLC	45.33.6.223	clean
http://www.ybw73.top/zfmd/ whois	COGENT-174	38.47.232.233	clean
http://www.carolinappttery.com/q380/?gSDpSqhg=ehUrFCKl0QR4T29AJZh5dRT/ZDPm9qTvUW59H2BhLEsiO0kIW28uNcfa56DEKhzH0iD+lYFdD8RRxblUIft60LyxhWLZTQGF9CEZTcwXHMEEzcDS8bPwZbiqnYj5NbIEEA54k2w=&zd=lHTo3CucwT whois		123.58.214.101	clean
http://www.sjzsls.com/9ypd/ whois	PEGTECHINC	154.212.44.122	clean
http://www.winnscce.com/xk70/?gSDpSqhg=E9dNAQXSau8gxD7ycO4dLfQfH5YRjq6/aXbIhWqdNKhuK+zum8oLAEgkUh6j+ec/Dsz5NNoJPY83q7uKVhR+kQSzALNmdhL2cm95N3pKuY1dSsInVS8QGD1t6OErSJExWBCOe4E=&zd=lHTo3CucwT whois		123.58.214.101	clean
http://www.w90dm.top/8ms4/ whois	COGENT-174	38.47.232.178	clean
http://www.ay62m.top/orwn/ whois	COGENT-174	38.47.207.132	clean
http://www.sjzsls.com/9ypd/?gSDpSqhg=Fp4YMLPzXpbUfY9ET0WH3a72p3fXf7YhU2uVF/1Su8SRdO97GHvogqvz+96x72oMEQq3eHyW0zw8RVfXjuFBE/DSpz5ZNszOE2hxgYcLkAt/YsxuqXlLrzOhs3BZhOu+6KXTzoA=&zd=lHTo3CucwT whois	PEGTECHINC	154.212.44.122	clean
http://www.ay62m.top/orwn/?gSDpSqhg=3cBNLJTm2SpTWV5+FkCnTYkROdg55TQjKQDEk1HDa97easJD35wZE2GMsxRselnzvm7j4PFdEanRmF1YrarFthUoWpYtpzXpGMx8vyWuQ49fEDOcUJzL6xCqo7J2o8DZINEYFF8=&zd=lHTo3CucwT whois	COGENT-174	38.47.207.132	clean
http://www.sqlite.org/2022/sqlite-dll-win32-x86-3370000.zip whois	Linode, LLC	45.33.6.223	clean
http://www.w90dm.top/8ms4/?gSDpSqhg=udGRhKSFzWywOShfg4LrArlkOSU57jdgfHHoAEODJUB2/fB/f7uvWahs0ChcgR3p3uHY1bC8mP+rUPbsneCLatPp1qyYsRzD0wOOKHTt4GdecEtntAcROmt09OnVjaXmhkctiwE=&zd=lHTo3CucwT whois	COGENT-174	38.47.232.178	clean
http://www.winnscce.com/xk70/ whois		123.58.214.101	clean
https://dukeenergyltd.top/bin2.scr whois	CLOUDFLARENET	172.67.134.136	clean
www.aritum.top whois		203.161.55.102	clean
dukeenergyltd.top whois	CLOUDFLARENET	172.67.134.136	malware
www.sjzsls.com whois	PEGTECHINC	154.212.44.122	mailcious
www.carolinappttery.com whois		123.58.214.101	clean
www.winnscce.com whois		123.58.214.101	clean
www.ay62m.top whois	COGENT-174	38.47.207.132	clean
www.ybw73.top whois	COGENT-174	38.47.232.233	clean
www.w90dm.top whois	COGENT-174	38.47.232.178	clean
38.47.232.178 whois	COGENT-174	38.47.232.178	clean
203.161.55.102 whois		203.161.55.102	clean
38.47.232.233 whois	COGENT-174	38.47.232.233	clean
154.212.44.122 whois	PEGTECHINC	154.212.44.122	mailcious
38.47.207.132 whois	COGENT-174	38.47.207.132	clean
45.33.6.223 whois	Linode, LLC	45.33.6.223	clean
172.67.134.136 whois	CLOUDFLARENET	172.67.134.136	malware
123.58.214.101 whois		123.58.214.101	clean

Report - bin2.doc

Signature (10cnts)

Rules (2cnts)

Network (33cnts) ?

Suricata ids

Similarity measure (PE file only) - Checking for service failure