Report - Doc1.docm

Tags: VBA_macro, Word 2007 file format (docx), ZIP Format
Created: 2024.08.16 18:20
Machine: s1_win7_x6401
Filename: Doc1.docm
Type: Microsoft Word 2007+
AI Score: Not found
Behavior Score: 4.8
ZERO API (file): clean
VT API (file): 17 detected (malicious, high confidence, score, Ole2, druvzi, ahqyp, Detected, W2000M, urvmw, SAgent, XT44GH, Eldorado)
md5: 0fee354732496cdbdb4e78ecb218a81a
sha256: 5b168fed855515940cfe164b18fd5f9d73873902d01f04171de65bc34487f402
ssdeep: 384:/i+torrZIlr3yAx6Nxt/ZtNNhtZp+30OnnLlWNB://oP0wxllNjn+3BL8B
imphash: (empty)
impfuzzy: (empty)

Signature (9cnts)

Level  | Description
danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
watch  | A command shell or script process was created by an unexpected parent process
watch  | File has been identified by 17 AntiVirus engines on VirusTotal as malicious
watch  | One or more non-whitelisted processes were created
notice | Allocates read-write-execute memory (usually to unpack itself)
notice | Creates (office) documents on the filesystem
notice | Creates hidden or system file
notice | Starts servers listening
notice | Uses Windows utilities for basic Windows functionality

Rules (4cnts)

Level   | Name                    | Description                                                         | Collection
warning | Contains_VBA_macro_code | Detect a MS Office document with embedded VBA macro code [binaries] | binaries (upload)
info    | docx                    | Word 2007 file format detection                                     | binaries (upload)
info    | zip_file_format         | ZIP file format                                                     | binaries (upload)
info    | test_office             | test                                                                | url scripts

Network (2cnts)

Request       | CC | ASN Co        | IP4           | Rule    | ZERO
gitlab.com    | US | CLOUDFLARENET | 172.65.251.78 | malware |
172.65.251.78 | US | CLOUDFLARENET | 172.65.251.78 | malware |

Suricata ids
Similarity measure (PE file only) - Checking for service failure