Report - ZeroBOX

ScreenShot

Info
Location map


Created	2024.06.20 09:27	Machine	s1_win7_x6403
Filename	llb.doc
Type	ISO-8859 text, with very long lines, with CRLF, CR, LF line terminators
AI Score	Not founds	Behavior Score	5.0
ZERO API	file : mailcious
VT API (file)	38 detected (ObfsStrm, Malicious, score, Save, CVE-2017-1188, RTFObfustream, dinbqn, CLASSIC, Malformed, RTFMALFORM, RtfExp, Detected, OLE2, Infected, AutoInfector, Casdet, BVTNK1, Camelot, Malform, Probably Heur, RTFBadHeader, ai score=83, Abnormal)
md5	3a8df96db2b8e159c2a4d2652f1cf454
sha256	d55749dccda539b59c3fdbc7f8ba424f1bbbf3fbee4761f79f6ba7302a3f861a
ssdeep	3072:xak02GPyQrlBgGJ8oAVKVpPfDyZi0XLiutXUg:xaplPyQrlBgGIKVpPfDyZmutXUg
imphash
impfuzzy

Network IP location

Signature (11cnts)

Level	Description
danger	File has been identified by 38 AntiVirus engines on VirusTotal as malicious
watch	Communicates with host for which no DNS query was performed
notice	An application raised an exception which may be indicative of an exploit crash
notice	Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice	Creates (office) documents on the filesystem
notice	Creates hidden or system file
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	One or more potentially interesting buffers were extracted
notice	Performs some HTTP requests
notice	Sends data using the HTTP POST Method
info	One or more processes crashed

Rules (3cnts)

Level	Name	Description	Collection
warning	MS_RTF_Suspicious_documents	Suspicious documents using RTF document OLE object	binaries (upload)
warning	SUSP_INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.	binaries (upload)
info	Rich_Text_Format_Zero	Rich Text Format Signature Zero	binaries (upload)

Network (20cnts) ?

Request	ASN Co	IP4	ZERO ?
http://www.hissmjkl.com/zadz/ whois	CLOUDFLARENET	104.21.26.154	clean
http://www.hissmjkl.com/zadz/?pY=GqmOaWdq+kX/yRvyAZZwseYDvaTL8crr23pe6qvcgIhSte46GY4DIQa7ks3RQ77EfqOrO6E9ud6ta6vwJbbEPWpMvqhVaL5TSjftDGWhiRc7xSx2vvQWLWjMkFGYeWU0dOjwkWc=&q7iu=YOnhTm3GvPBMIU whois	CLOUDFLARENET	104.21.26.154	clean
http://www.seemorebooks.com/pi58/?pY=YYtcvmaEEn+7nyfxzWgh1us0l/woYfyMnrlu6Rjt4og+6FeMZ1IdpKDPKj+aPF1uuIq0gCsO4nwJKFBr1ceHHaYtBG7ACxwv7Iz3EuX+x6xrPs5Ey6eaPYfJ6s7i8ry1ERDc11U=&q7iu=YOnhTm3GvPBMIU whois	Linode, LLC	66.228.55.6	clean
http://www.seemorebooks.com/pi58/ whois	Linode, LLC	66.228.55.6	clean
http://192.210.150.54/800/service.exe whois	AS-COLOCROSSING	192.210.150.54	malware
http://www.go2super.app/wgnm/ whois		15.197.148.33	clean
http://www.go2super.app/wgnm/?pY=Fa4WWJW4OAk9quC/liQ5qPCm6cq5UHInoPdIisE1PBrL79EG4mQIKlmV9v0gNsYws5soHWC75TgVD8ScXJuz3zKnezho/eF1xa+ohUcEmn2mEAmZPvlgVqrPRDgE59rzl73KHjo=&q7iu=YOnhTm3GvPBMIU whois		3.33.130.190	clean
http://synergyinnovationsgroup.com/rTenPEVaZZd63.bin whois	AXCELX-NET	199.217.106.226	mailcious
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3190000.zip whois	Linode, LLC	45.33.6.223	clean
www.noblessewine.com whois			clean
synergyinnovationsgroup.com whois	AXCELX-NET	199.217.106.226	mailcious
www.hissmjkl.com whois	CLOUDFLARENET	104.21.26.154	clean
www.seemorebooks.com whois	Linode, LLC	66.228.55.6	clean
www.go2super.app whois		15.197.148.33	clean
199.217.106.226 whois	AXCELX-NET	199.217.106.226	mailcious
15.197.148.33 whois		15.197.148.33	mailcious
172.67.137.15 whois	CLOUDFLARENET	172.67.137.15	clean
66.228.55.6 whois	Linode, LLC	66.228.55.6	clean
192.210.150.54 whois	AS-COLOCROSSING	192.210.150.54	malware
45.33.6.223 whois	Linode, LLC	45.33.6.223	clean

Report - llb.doc

Signature (11cnts)

Rules (3cnts)

Network (20cnts) ?

Suricata ids

Similarity measure (PE file only) - Checking for service failure