Report - Document%20896885.doc

VBA_macro Generic Malware MSOffice File
Created: 2024.09.28 02:39    Machine: s1_win7_x6401
Filename: Document%20896885.doc
Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: rmeyer, Template: Normal, Last Saved By: user, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Last Printed: Thu Jan 29 17:29:
AI Score: Not found    Behavior Score: 5.2
ZERO API (file): malicious
VT API (file): 38 detected (Valyria, OLE2, malicious, high confidence, GenScript, 0NA103AO24, Snake, SDrop, VBA@AI, Detected, ai score=100, Malware@#2kqrg5qj8mv52, Dridex, Eldorado, SC180281, MacroS, OMacro, Errgo, MHI trojan)
md5: 3f89ed9e9e4be551f2d13b16287248c0
sha256: 7dd7fcb839e3d18745b8dfd20dc6ef4f0fd6bad46597b10ec7649a2f7f364d0a
ssdeep: 12288:zBbfJoh59mnEXCjgoVGk+8meFn9wLW+KVthQt12WbwNrlgUDJfKDSwRZUIQv:Fb+hDmgCjgZKmeFnGUvQt1VwNB3lfLw+
imphash: - (PE-only field; the sample is an OLE2 document, not a PE file)
impfuzzy: - (PE-only field)

Signatures (9)

Level | Description
danger | File has been identified by 38 AntiVirus engines on VirusTotal as malicious
danger | Office document performs HTTP request (possibly to download malware)
watch | Creates suspicious VBA object
watch | Libraries known to be associated with a CVE were requested (may be a false positive)
notice | Allocates read-write-execute memory (usually to unpack itself)
notice | Creates (office) documents on the filesystem
notice | Creates hidden or system file
notice | Performs some HTTP requests
notice | Word document hooks document open

Rules (3)

Level | Name | Description | Collection
warning | Contains_VBA_macro_code | Detect a MS Office document with embedded VBA macro code | binaries (upload)
warning | Generic_Malware_Zero | Generic Malware | binaries (upload)
info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (upload)
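The Contains_VBA_macro_code rule above fires on the structure of the OLE2 container itself: a Word binary document that carries macros has a Macros storage with a VBA storage beneath it. The script below is an added example, not code from this sandbox report or its tooling. It walks the OLE2 (Compound File Binary) directory tree with the standard library only and reports the paths that indicate an embedded VBA project. The VBA_MARKERS list, the build_cfb helper and the in-memory SAMPLE_DOC are constructed here for illustration. It reads only the 109 DIFAT slots in the header (enough for files under roughly 7 MB) and does not decompress module source, so the document-open hook listed under Signatures is outside what it can see.

```python
"""Minimal OLE2 (Compound File Binary) directory walker for .doc triage.
Added example, not code from the sandbox report: lists the storage/stream tree
and flags entries that only exist when a VBA project is embedded. Stdlib only;
the sample document is constructed in memory so the script runs offline."""
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
NOSTREAM = 0xFFFFFFFF
TYPE_STORAGE, TYPE_STREAM, TYPE_ROOT = 1, 2, 5
# Storage names that carry a VBA project (Word: Macros/VBA, Excel: _VBA_PROJECT_CUR/VBA).
# This marker list is an assumption of the example, not taken from the report.
VBA_MARKERS = {"macros", "vba", "_vba_project", "_vba_project_cur"}

def _read_fat(data, sector_size):
    """Build the FAT from the 109 DIFAT slots in the header (files under ~7 MB)."""
    fat = []
    for i in range(109):
        sect = struct.unpack_from("<I", data, 76 + 4 * i)[0]
        if sect >= 0xFFFFFFFA:          # FREESECT / ENDOFCHAIN: no more FAT sectors
            break
        off = (sect + 1) * sector_size  # sector 0 starts right after the 512-byte header
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, off))
    return fat

def _chain(fat, start):
    """Yield the sectors of a FAT chain, stopping at a sentinel or a loop."""
    seen = set()
    while start < 0xFFFFFFFA and start not in seen:
        seen.add(start)
        yield start
        start = fat[start]

def list_streams(data):
    """Return [(path, type)] for every storage and stream, in tree order."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE2 compound document")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    first_dir = struct.unpack_from("<I", data, 48)[0]
    fat = _read_fat(data, sector_size)
    raw = b"".join(data[(s + 1) * sector_size:(s + 2) * sector_size]
                   for s in _chain(fat, first_dir))
    entries = []
    for off in range(0, len(raw), 128):  # one 128-byte directory entry each
        name_len = struct.unpack_from("<H", raw, off + 64)[0]
        name = raw[off:off + max(name_len - 2, 0)].decode("utf-16-le")
        etype = raw[off + 66]
        left, right, child = struct.unpack_from("<III", raw, off + 68)
        entries.append((name, etype, left, right, child))
    out = []

    def walk(idx, prefix):  # siblings form a red-black tree; child points into a storage
        if idx == NOSTREAM or idx >= len(entries) or entries[idx][1] == 0:
            return
        name, etype, left, right, child = entries[idx]
        path = "" if etype == TYPE_ROOT else prefix + name
        if etype != TYPE_ROOT:
            out.append((path, etype))
        walk(child, path + "/" if path else "")
        walk(left, prefix)
        walk(right, prefix)

    walk(0, "")
    return out

def find_vba(data):
    """Paths under a VBA-project storage; a non-empty list means macros are embedded."""
    return [p for p, _ in list_streams(data)
            if any(part.lower() in VBA_MARKERS for part in p.split("/"))]

def build_cfb(entries):
    """Constructed sample builder: one FAT sector plus directory sectors; index 0 is the root."""
    header = bytearray(512)
    header[0:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)   # v3, 512-byte sectors
    struct.pack_into("<8I", header, 40, 0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN)
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))  # DIFAT: FAT is sector 0
    ndir = -(-len(entries) // 4)          # four directory entries per 512-byte sector
    fat = [FREESECT] * 128
    fat[0] = FATSECT
    for s in range(1, ndir + 1):          # directory occupies sectors 1..ndir
        fat[s] = s + 1 if s < ndir else ENDOFCHAIN
    directory = bytearray(ndir * 512)
    for i, (name, etype, left, right, child) in enumerate(entries):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        directory[i * 128:i * 128 + len(raw)] = raw
        struct.pack_into("<HBBIII", directory, i * 128 + 64, len(raw), etype, 1, left, right, child)
    return bytes(header) + struct.pack("<128I", *fat) + bytes(directory)

# Constructed sample mimicking a macro-bearing Word file: Macros/VBA/ThisDocument.
SAMPLE_DOC = build_cfb([
    ("Root Entry", TYPE_ROOT, NOSTREAM, NOSTREAM, 1),
    ("WordDocument", TYPE_STREAM, NOSTREAM, 2, NOSTREAM),
    ("Macros", TYPE_STORAGE, NOSTREAM, NOSTREAM, 3),
    ("VBA", TYPE_STORAGE, NOSTREAM, NOSTREAM, 4),
    ("ThisDocument", TYPE_STREAM, NOSTREAM, NOSTREAM, NOSTREAM),
])
```

Run find_vba(open("Document 896885.doc", "rb").read()) on a real sample to get the same verdict the rule gives; an empty list from a genuine OLE2 file means no VBA storage, while a ValueError means the file is not OLE2 at all (an OOXML .docm, for instance, is a ZIP and needs a different check).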

Network (19)

Request | CC | ASN | IP4 | ZERO verdict
http://x1.i.lencr.org/ | US | Telenor Norge AS | 23.52.33.11 | clean
https://mirrorlakedrugs.com/wp-content/themes/twentyseventeen/template-parts/footer/0ZyL3hUtu.php | - | Unknown | 199.59.243.227 | malicious
mirrorlakedrugs.com | - | Unknown | 199.59.243.227 | malicious
highpointroofers.com | - | Unknown | - | malicious
ukcorporatetransfer.com | - | Unknown | 3.33.130.190 | malicious
x1.i.lencr.org | US | Telenor Norge AS | 23.52.33.11 | clean
thegoldprocess.com | CA | CLOUDFLARENET | 23.227.38.32 | malicious
brasilvioleiro.com.br | - | Unknown | - | malicious
test.podcastbites.io | US | UNIFIEDLAYER-AS-1 | 162.241.218.172 | malicious
breadxfish.com | - | Unknown | - | malicious
zotno.xyz | DE | Accelerated IT Services & Consulting GmbH | 77.37.75.155 | malicious
reachmedical.in | - | Unknown | - | malicious
www.thewordmarvel.com | - | Unknown | - | clean
77.37.66.5 | DE | Accelerated IT Services & Consulting GmbH | 77.37.66.5 | clean
23.227.38.32 | CA | CLOUDFLARENET | 23.227.38.32 | malicious
199.59.243.227 | - | Unknown | 199.59.243.227 | clean
23.41.113.9 | US | NTT DOCOMO, INC. | 23.41.113.9 | clean
3.33.130.190 | - | Unknown | 3.33.130.190 | phishing
162.241.218.172 | US | UNIFIEDLAYER-AS-1 | 162.241.218.172 | phishing

x1.i.lencr.org is Let's Encrypt certificate-chain infrastructure, contacted as a side effect of the HTTPS request rather than as an attacker-controlled host, which is consistent with its clean verdict.

Suricata IDS

(no alerts listed)