Report - scan0001.doc

Tags: Doc XML Downloader, Generic Malware, Malicious Library, UPX, Word 2007 file format (docx), ZIP Format, PE File, DLL, PE32, .NET DLL, OS Processor Check, RTF File, doc
Created 2024.07.24 15:30 Machine s1_win7_x6402
Filename scan0001.doc
Type Zip archive data, at least v2.0 to extract
AI Score Not found
Behavior Score 3.8
ZERO API file : clean
VT API (file) 7 detected (Malicious, score, CVE-2017-0199, equmby, W2000, uppyf, 4PF354, Probably Heur, W97OleLink)
md5 e96e2ed88e2f2fb80d02e7cd99a1420d
sha256 dc747e9846ecb4c232b2e36007abdadc6d608272a8ea4305c89931ed0979944b
ssdeep 768:3Tkbd5YLRTk1RqpsWOBFI7j5jJ3OGMXSdCoa3UcDeSHNLQgwXt1KtJBZUrAK1UO0:3TkbIVk1YTT/iR3UEeQ7ot1K1Zeu9z
imphash
impfuzzy
Network IP location

Signature (9cnts)

Level Description
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates (office) documents on the filesystem
notice Creates executable files on the filesystem
notice Creates hidden or system file
notice Drops an executable to the user AppData folder
notice File has been identified by 7 AntiVirus engines on VirusTotal as malicious
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests

Rules (12cnts)

Level Name Description Collection
warning Doc_XML_Downloader Detects an MS Office document with embedded XML Downloader binaries (upload)
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch UPX_Zero UPX packed file binaries (download)
info docx Word 2007 file format detection binaries (upload)
info Is_DotNET_DLL (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info Rich_Text_Format_Zero Rich Text Format Signature Zero binaries (download)
info zip_file_format ZIP file format binaries (upload)

Network (11cnts)


Suricata ids
