Report - ZeroBOX

ScreenShot

Info
Location map


Created	2024.06.14 09:22	Machine	s1_win7_x6403
Filename	bin1.doc
Type	Rich Text Format data, version 1, unknown character set
AI Score	Not founds	Behavior Score	3.2
ZERO API	file : mailcious
VT API (file)	32 detected (CVE-2018-0802, Malicious, score, Save, CVE-2017-1188, RTFObfustream, Obfuscated, CLASSIC, nbtos, CVE-2018-0798, RTFMALFORM, Detected, Infected, AutoInfector, ABRisk, AQCU, Probably Heur, RTFObfuscation, ai score=88)
md5	ab6398c625d0ae23c0582ad07d044581
sha256	cf9cafac260ef5428520c191088faa50aee7cac01a016250a7d7682e8db7853c
ssdeep	6144:DwAYwAYwAYwAYwAYwAYwAYwAYwAYwAOopbw3:X
imphash
impfuzzy

Network IP location

Signature (7cnts)

Level	Description
danger	File has been identified by 32 AntiVirus engines on VirusTotal as malicious
notice	An application raised an exception which may be indicative of an exploit crash
notice	Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice	Creates (office) documents on the filesystem
notice	Creates hidden or system file
notice	RTF file has an unknown character set
info	One or more processes crashed

Rules (2cnts)

Level	Name	Description	Collection
warning	SUSP_INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.	binaries (upload)
info	Rich_Text_Format_Zero	Rich Text Format Signature Zero	binaries (upload)

Network (33cnts) ?

Request	ASN Co	IP4	ZERO ?
http://www.usebanq.com/8lx9/ whois	NAMECHEAP-NET	198.54.117.242	clean
http://www.vt0lcffi5.sbs/l7g9/?jKiAM=bl14j9yqYDxocgFldxjok6x1R+NtRlt2Uf1+OGQZNODS72eMW1ZtwhRidSTzWAUsrGS2DGo+GtGKJycUT2USQQj3usU5uN+JtYedkeQAQ4XdsaDMGeGoGZ3CpJxuykDuR4Pq+/I=&f99g=xOWHwCZQheC whois		47.239.13.172	clean
http://www.mildhicky.com/i5j9/ whois		149.88.71.203	clean
http://www.sqlite.org/2020/sqlite-dll-win32-x86-3320000.zip whois	Linode, LLC	45.33.6.223	clean
http://www.heolty.xyz/fo0a/?jKiAM=5HrosfTEhGtnlXgh5+A33OOBLeux3B6ufoHrsb8plkChVIkrv9oasiKwxiX64Gpz/RJHUB31YMeIRErau5/iboJCrmqAzsq6ur+gyi7hDkEhRaEVgkYpiqHA6gdupuaUC4LYKqI=&f99g=xOWHwCZQheC whois	NAMECHEAP-NET	162.0.238.43	clean
http://www.5597043.com/twtt/ whois		172.66.44.73	clean
http://www.5597043.com/twtt/?jKiAM=9jOwijmP/etVQzF7rcl1kqtz/ou5CHORGccn6Dt67DS8vnA1pFPDL1JOuOODUGrroyf0JoOK0GGQq5Sm9O1d/0FDbfFcyGSoonOtSJXWmNJ5W5DpY36mcQwieBSb6P+fE+RGAdg=&f99g=xOWHwCZQheC whois		172.66.44.73	clean
http://www.usebanq.com/8lx9/?jKiAM=YF7y+tbSuqZ0oq6ECe1WD9e7Smi2rcwKhtQJe9qANj5rbmdcyz24Ad+lN/aWtR/fMba+1vf/rBjP9293HDDqm8zYun7mv254gUdJOGhOe2rcZ8CK0a2hkAFgrp58A4lI51B4oKw=&f99g=xOWHwCZQheC whois	NAMECHEAP-NET	198.54.117.242	clean
http://www.baldjourney.com/bgvg/ whois	GOOGLE-2	35.212.60.56	clean
http://www.mildhicky.com/i5j9/?jKiAM=lVuGMdS3eE0b3ojlNMTS7mUbJdpKIfk/QTrYgT/4/jcuXpJPGxiTvR7NnBbAoWWm4QxsXCD+/po+Duo+e2ZlKANl/5Y7+juwcXqxBN9ZmhOkdJbFY1YHbJkDx6SHpgIe+elHrrc=&f99g=xOWHwCZQheC whois		149.88.71.203	clean
http://www.planningexcellence.org/uid7/ whois	CLOUDFLARENET	104.21.68.117	clean
http://www.vt0lcffi5.sbs/l7g9/ whois		47.239.13.172	clean
http://www.heolty.xyz/fo0a/ whois	NAMECHEAP-NET	162.0.238.43	clean
http://www.baldjourney.com/bgvg/?jKiAM=EbS+ZKJNsQ1Vyaakael9KJKid9F0sMqZss6K2HRzcxpqkQWCTKV0nxD96Cae2uN4uirpyoDU5n2N4vKi9HnBkhVZwJpCzJh/kW8QVx2xu27B+tITYSPtt91BmoFjQCKgb+BafAE=&f99g=xOWHwCZQheC whois	GOOGLE-2	35.212.60.56	clean
dukeenergyltd.top whois	CLOUDFLARENET	104.21.25.202	malware
www.ekvassf.store whois			clean
www.baldjourney.com whois	GOOGLE-2	35.212.60.56	clean
www.themirrorproject.org whois			clean
www.planningexcellence.org whois	CLOUDFLARENET	104.21.68.117	clean
www.heolty.xyz whois	NAMECHEAP-NET	162.0.238.43	clean
www.5597043.com whois		172.66.47.183	clean
www.mildhicky.com whois		149.88.71.203	clean
www.usebanq.com whois	NAMECHEAP-NET	198.54.117.242	clean
www.vt0lcffi5.sbs whois		47.239.13.172	clean
47.239.13.172 whois		47.239.13.172	clean
35.212.60.56 whois	GOOGLE-2	35.212.60.56	clean
172.66.44.73 whois		172.66.44.73	clean
198.54.117.242 whois	NAMECHEAP-NET	198.54.117.242	mailcious
45.33.6.223 whois	Linode, LLC	45.33.6.223	clean
172.67.134.136 whois	CLOUDFLARENET	172.67.134.136	malware
149.88.71.203 whois		149.88.71.203	clean
162.0.238.43 whois	NAMECHEAP-NET	162.0.238.43	clean
104.21.68.117 whois	CLOUDFLARENET	104.21.68.117	clean

Report - bin1.doc

Signature (7cnts)

Rules (2cnts)

Network (33cnts) ?

Suricata ids

Similarity measure (PE file only) - Checking for service failure