popup

Report - notorious.doc

MS_RTF_Obfuscation_Objects RTF File doc
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.06.25 09:12 Machine s1_win7_x6403
Filename notorious.doc
Type Rich Text Format data, version 1, unknown character set
AI Score Not founds Behavior Score
4.8
ZERO API file : mailcious
VT API (file) 27 detected (BadFile, ObfsObjDat, Save, CVE-2017-1188, RTFObfustream, Obfuscated, CVE-2018-0802, CLASSIC, CVE-2018-0798, RTFMALFORM, Detected, Probably Heur, RTFObfuscation, ai score=85)
md5 2d1b096a33d1b673fd06db9f3e861761
sha256 bf89362748b9e66c11aaa49ddf83b1665fe038d04225b36de4f26cffc11a0f3d
ssdeep 6144:IwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAqtUn:+u
imphash
impfuzzy
  Network IP location

Signature (11cnts)

Level Description
warning File has been identified by 27 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
notice An application raised an exception which may be indicative of an exploit crash
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates (office) documents on the filesystem
notice Creates hidden or system file
notice Looks up the external IP address
notice Performs some HTTP requests
notice Resolves a suspicious Top Level Domain (TLD)
notice RTF file has an unknown character set
info One or more processes crashed

Rules (2cnts)

Level Name Description Collection
warning SUSP_INDICATOR_RTF_MalVer_Objects Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents. binaries (upload)
info Rich_Text_Format_Zero Rich Text Format Signature Zero binaries (upload)

Network (13cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US Akamai International B.V. 23.76.153.211 clean
http://185.38.142.10:7474/
whois
PT Net Solutions - Consultoria Em Tecnologias De Informacao, Sociedade Unipessoal LDA 185.38.142.10 clean
https://universalmovies.top/ExtExport2.exe
whois
US CLOUDFLARENET 172.67.162.95 malware
api.ipify.org
whois
US CLOUDFLARENET 172.67.74.152 clean
universalmovies.top
whois
US CLOUDFLARENET 104.21.74.191 malware
ipinfo.io
whois
US GOOGLE 34.117.186.192 clean
api.ip.sb
whois
US CLOUDFLARENET 104.26.13.31 clean
34.117.186.192
whois
US GOOGLE 34.117.186.192 clean
104.26.12.31
whois
US CLOUDFLARENET 104.26.12.31 clean
172.67.74.152
whois
US CLOUDFLARENET 172.67.74.152 clean
182.162.106.144
whois
KR LG DACOM Corporation 182.162.106.144 clean
185.38.142.10
whois
PT Net Solutions - Consultoria Em Tecnologias De Informacao, Sociedade Unipessoal LDA 185.38.142.10 clean
172.67.162.95
whois
US CLOUDFLARENET 172.67.162.95 mailcious

Suricata ids

ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DNS Query to a *.top domain - Likely Hostile
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
ET MALWARE RedLine Stealer - CheckConnect Response
ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SURICATA HTTP unable to match response to request

Similarity measure (PE file only) - Checking for service failure