Analysis Report documenti 12.01.20.doc
Overview
General Information
Detection
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
AV Detection: |
---|
Multi AV Scanner detection for submitted file |
Source: | Virustotal: |
Machine Learning detection for sample |
Source: | Joe Sandbox ML: |
Software Vulnerabilities: |
---|
Document exploit detected (drops PE files) |
Source: | File created: |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: |
Source: | File created: |
Source: | String found in binary or memory: |
Source: | DNS traffic detected: |
Source: | Window created: |
System Summary: |
---|
Office process drops PE file |
Source: | File created: |
Source: | Code function: |
Source: | OLE, VBA macro line: |
Source: | OLE indicator, VBA macros: |
Source: | OLE indicator has summary info: |
Source: | OLE indicator application name: |
Source: | Dropped File: |
Source: | Key opened: |
Source: | Binary or memory string: |
Source: | Classification label: |
Source: | File created: |
Source: | OLE document summary: |
Source: | WMI Queries: |
Source: | File read: |
Source: | Key opened: |
Source: | File read: |
Source: | Virustotal: |
Source: | Process created: |
Source: | Key value queried: |
Source: | Key opened: |
Source: | Window detected: |
Source: | Key opened: |
Source: | File opened: |
Source: | Binary string: |
Persistence and Installation Behavior: |
---|
Creates processes via WMI |
Source: | WMI Queries: |
Drops PE files with a suspicious file extension |
Source: | File created: |
Boot Survival: |
---|
Drops PE files to the user root directory |
Source: | File created: |
Source: | Process information set: |
Source: | Memory allocated: |
Source: | Thread sleep time: |
Source: | Code function: |
Source: | Binary or memory string: |
Source: | Code function: |
Source: | Key value queried: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation11 | Path Interception | Process Injection2 | Masquerading211 | OS Credential Dumping | System Time Discovery1 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scripting2 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion2 | LSASS Memory | Virtualization/Sandbox Evasion2 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | Exploitation for Client Execution13 | Logon Script (Windows) | Logon Script (Windows) | Process Injection2 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Clipboard Data1 | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting2 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol12 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery7 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 29% | Virustotal | | |
| 100% | Joe Sandbox ML | | |
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Metadefender | | |
| 0% | ReversingLabs | | |
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | Avira URL Cloud | safe | |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
nfj254aim.com | 104.28.7.227 | true | false | | unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | unknown |
| | false | | low |
| | false | | unknown |
| | false | | high |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.28.7.227 | unknown | United States | | 13335 | CLOUDFLARENETUS | false |
General Information |
---|
Joe Sandbox Version: | 31.0.0 Red Diamond |
Analysis ID: | 326338 |
Start date: | 03.12.2020 |
Start time: | 10:17:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 6s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | documenti 12.01.20.doc |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Run name: | Without Instrumentation |
Number of new started processes analysed: | 4 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal76.expl.winDOC@2/13@2/1 |
EGA Information: |
|
HDC Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
Warnings: |
|
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
10:17:36 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
No context |
---|
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
nfj254aim.com | | | malicious | | |
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
CLOUDFLARENETUS | | | malicious | | |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
C:\Users\Public\ms.com | | | malicious | | |
Created / dropped Files |
---|
Process: | C:\Users\Public\ms.com |
File Type: | |
Category: | downloaded |
Size (bytes): | 205 |
Entropy (8bit): | 5.155240244937957 |
Encrypted: | false |
SSDEEP: | 6:pn0+Dy9xwGObRmEr6VnetdzRx3RSG8KCezocKqD:J0+oxBeRmR9etdzRxgzez1T |
MD5: | 6C598B85477C948D2A6C50AB26631415 |
SHA1: | 429CE2C54B01450B0250D423F08886A0F6B567DB |
SHA-256: | 04F87DABEBF8EF014741C17361A203E1DA743BA43AF231D9B8DC02DEBE9E6FC4 |
SHA-512: | 9C5D564EA1CA2842FB8667C31E8A5CCB07A05073DB509BABF9EA93425B9A344609928582A41CC7DDDAF2A068BF5CBE579F88F8EC8FC3ED4EAC6B796A387C73EA |
Malicious: | false |
Reputation: | low |
IE Cache URL: | http://nfj254aim.com/analytics/0D5FgQlJcMskzpbtgQBE7OE_tLI3/BUu5qgsI6FW8bkEsrF2HLHJUIr/lRD_7cnWmi/rwwHf1xOO/7n6dDzF/xspcd2?RltAN=vsETwS&G_=Ro_LgyQulrPjxaAj&wixw=XYJCRUJhgYHPY&bkUOD=AXjbvUQDbTcWkz |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 57258 |
Entropy (8bit): | 7.900983242117529 |
Encrypted: | false |
SSDEEP: | 768:Nne7FOQKYij8iCi2EQrb4lF6j5UTFRHehGLOAFed/6CO2wPbttab/jz7Q+6fNsaw:Ne7Il+Oy4wUOAL2wPbnQ/Tz6CaCd |
MD5: | B44AC26E80A557B913B715F234C3D769 |
SHA1: | 1E0574649A9E5BBE0283D83A801E0E3EC4261BBC |
SHA-256: | 1EFAC6DE241D24814D7925C803E3ACBF4E2CD4A90FDE9C6826613DE2A8063B7B |
SHA-512: | 4349E729AEDC4E69A92432553C0BEA8CF5D4D92E7908F25DB5DF3E1B3628F74D362AFD15AED5EED12E53ABDFFAB44F81E39006C8C6FF4D242A05D45AFFA08E5D |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2 |
Entropy (8bit): | 1.0 |
Encrypted: | false |
SSDEEP: | 3:X:X |
MD5: | 32649384730B2D61C9E79D46DE589115 |
SHA1: | 053D8D6CEEBA9453C97D0EE5374DB863E6F77AD4 |
SHA-256: | E545D395BB3FD971F91BF9A2B6722831DF704EFAE6C1AA9DA0989ED0970B77BB |
SHA-512: | A4944ADFCB670ECD1A320FF126E7DBC7FC8CC4D5E73696D43C404E1C9BB5F228CF8A6EC1E9B1820709AD6D4D28093B7020B1B2578FDBC764287F86F888C07D9C |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1024 |
Entropy (8bit): | 0.05390218305374581 |
Encrypted: | false |
SSDEEP: | 3:ol3lYdn:4Wn |
MD5: | 5D4D94EE7E06BBB0AF9584119797B23A |
SHA1: | DBB111419C704F116EFA8E72471DD83E86E49677 |
SHA-256: | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 |
SHA-512: | 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4 |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1536 |
Entropy (8bit): | 0.3796147056131488 |
Encrypted: | false |
SSDEEP: | 3:9l3lli4wltfSP8lFllItEMAWuWy:kFSP8gtEMAWpy |
MD5: | 39F0255F9BB41BD49E765898D326FB77 |
SHA1: | 8AD67EEB7CF2ED4CA7DD1AF586406DE92113C6F1 |
SHA-256: | 7DB4A7FAFE19900A941F5EC134454C4769D6D1F8227A176A3CEBD9F3C7D86056 |
SHA-512: | 6FD2E6037C25B4EC5D091B9E2C3F2E9EC04FC3A59AFD79D980ED0E11FFEEFBA18EA535B1C0443A01BC50C5AED4C4F1150B0487B89CE35B2B440D323B40592B28 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Users\Public\ms.com |
File Type: | |
Category: | dropped |
Size (bytes): | 205 |
Entropy (8bit): | 5.155240244937957 |
Encrypted: | false |
SSDEEP: | 6:pn0+Dy9xwGObRmEr6VnetdzRx3RSG8KCezocKqD:J0+oxBeRmR9etdzRxgzez1T |
MD5: | 6C598B85477C948D2A6C50AB26631415 |
SHA1: | 429CE2C54B01450B0250D423F08886A0F6B567DB |
SHA-256: | 04F87DABEBF8EF014741C17361A203E1DA743BA43AF231D9B8DC02DEBE9E6FC4 |
SHA-512: | 9C5D564EA1CA2842FB8667C31E8A5CCB07A05073DB509BABF9EA93425B9A344609928582A41CC7DDDAF2A068BF5CBE579F88F8EC8FC3ED4EAC6B796A387C73EA |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2108 |
Entropy (8bit): | 4.53050326276553 |
Encrypted: | false |
SSDEEP: | 24:8e/XTwz6Ikns4eNHDv3q6idM7dD2e/XTwz6Ikns4eNHDv3q6idM7dV:8e/XT3IknGGtQh2e/XT3IknGGtQ/ |
MD5: | 339996F2DA09C87A7FEEC06238EE2785 |
SHA1: | A2715809849265F507EE2EFCDED0DDBE36881E80 |
SHA-256: | 92F6B1A65E873BF8F6C7D7E2B6229992956C8F96217DE3CC95A351515EE09716 |
SHA-512: | 6859674992F695DFEB10ACD08673DDDA17D6491A3994D28BC58988BC38C9FF2A3252AE5A6508436AD6FBB3083EA3CFDD389151553D07975E788AAACD46AC8612 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 92 |
Entropy (8bit): | 4.323234076376603 |
Encrypted: | false |
SSDEEP: | 3:M18H9LRB/ZELRB/mX18H9LRB/v:M+H9LxELLH9L3 |
MD5: | 51CD26B6AD58A57E3117C7891A2E898A |
SHA1: | 118C0F24D024CEF1CED16EACA93A556CAE82C721 |
SHA-256: | A2C3E26D19A5762331B519B63FE654F184C7662D14132C55E7A3594110066FDC |
SHA-512: | 3096AE1E0C209244F7123FA025CE8F45594B3C195BE6325495DDFA6D60936B0E21066F6783D0B2022DD52400A95DE2EF783BAFA04F9EA437669CB836945CDFDF |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.431160061181642 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l |
MD5: | 6AF5EAEBE6C935D9A5422D99EEE6BEF0 |
SHA1: | 6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC |
SHA-256: | CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719 |
SHA-512: | B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Users\Public\ms.com |
File Type: | |
Category: | downloaded |
Size (bytes): | 114 |
Entropy (8bit): | 4.318379508048024 |
Encrypted: | false |
SSDEEP: | 3:GmM/yWEYnNMqftzVSF/Av2KlSNLIXD:XM/yWEYNjz41Av2KlvD |
MD5: | 2A1065E0A209B7FD54D663FCBE2FD54E |
SHA1: | F50FA87FDF5F98376986FD80FDEBEAC159AA5AA0 |
SHA-256: | E3DCC882B10C89BB9F9565AA4844B1BA3363E8C7337D37FDACB18222510A7EB1 |
SHA-512: | 365C09C0CF69DB41FAA189923BD091F8A9D2607626E296D10BD31FA1942BC2693C514B19CCA1C5D177782EC499898C6B68F79C3F25DFECE027FFCEC038C92CF4 |
Malicious: | false |
IE Cache URL: | nfj254aim.com/ |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.431160061181642 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l |
MD5: | 6AF5EAEBE6C935D9A5422D99EEE6BEF0 |
SHA1: | 6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC |
SHA-256: | CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719 |
SHA-512: | B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 13824 |
Entropy (8bit): | 4.419080301347865 |
Encrypted: | false |
SSDEEP: | 192:aQNrOJPtfF4xtpOZ4UlT7phhbPWwelJIR:3yFu6CUlT7hWw6 |
MD5: | 95828D670CFD3B16EE188168E083C3C5 |
SHA1: | 83C70C66CD4E971BE2E36EFDC27FBCB7FF289032 |
SHA-256: | 8C10AE4BE93834A4C744F27CA79736D9123ED9B0D180DB28556D2D002545BAF2 |
SHA-512: | 22BE50366CF57FD3507760122CCAA3D74E6A137C2D46377597284D62762BFCA740BED71DDC4ECA60E4BA81055EB3D1BDE34AF382A2C4587BA9335D670D7F3B2E |
Malicious: | true |
Antivirus: |
|
Joe Sandbox View: |
|
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 17904 |
Entropy (8bit): | 5.221943493256307 |
Encrypted: | false |
SSDEEP: | 192:eBZQiLCb1hint4zdt1e870k0hs70k0C2qNXl6qJExTxvYj0lXUZIeYsa3UKh73uy:e3QYnadWs4TxYI2ZHeM7MQc |
MD5: | 7F908F1EE0BBB0B276589F06368A008D |
SHA1: | EE9D0FA4C45AEB9C75750AA003E7C0F0F22E348D |
SHA-256: | 8B23A9189FD2FE4CC89459224ED36E7A64121DE9589D3AC9CEAE9E4DEEF7F23A |
SHA-512: | 3FBEBBCD1B5F2A731470037A702BA58EEFBC0764874D465539E90B6FCD4BA16E93221E8EB402BF2D3B603A6B4D81E3B1A2E68EA3625A93716F4EF991FA625633 |
Malicious: | false |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.894769517768764 |
TrID: |
|
File name: | documenti 12.01.20.doc |
File size: | 93665 |
MD5: | f530de77053a5c25a94f930bb954bcf8 |
SHA1: | 46cbf6e7a7ad04e3586c88a7a0d2cbcb141c3ec4 |
SHA256: | 1e70cc7a76bf59a5b559e496a0e83f91e13526533c89f001619ca70324ebfd82 |
SHA512: | f35b4d0cf4d0665117f58792a4d0fe51f13210921c1ac9d715160a4f9708e09817c6f0ab65e2c37c493a22d41fdacaaba1775fb8cc205b9d3e4855258892f916 |
SSDEEP: | 1536:A/rBcK6fNcSI7O8hRe7Il+Oy4wUOAL2wPbnQ/Tz6CaC/B2RrNbSxQml:w6lfNu/Q7Y9wkFncTZB2RrN9S |
File Content Preview: | PK..........!.[...............[Content_Types].xml ...(......................................................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | e4eea2aaa4b4b4a4 |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OpenXML | |
Number of OLE Files: | 1 |
OLE File "/opt/package/joesandbox/database/analysis/326338/sample/documenti 12.01.20.doc" |
---|
Indicators | |
---|---|
Has Summary Info: | False |
Application Name: | unknown |
Encrypted Document: | False |
Contains Word Document Stream: | |
Contains Workbook/Book Stream: | |
Contains PowerPoint Document Stream: | |
Contains Visio Document Stream: | |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: | True |
Summary | |
---|---|
Template: | |
Total Edit Time: | 0 |
Number of Pages: | 1 |
Number of Words: | 0 |
Number of Characters: | 0 |
Creating Application: | |
Security: | 0 |
Document Summary | |
---|---|
Number of Lines: | 3 |
Number of Paragraphs: | 0 |
Thumbnail Scaling Desired: | false |
Company: | |
Contains Dirty Links: | false |
Shared Document: | false |
Changed Hyperlinks: | false |
Application Version: | 16.0000 |
Streams with VBA |
---|
VBA File Name: ThisDocument.cls, Stream Size: 1127 |
---|
General | |
---|---|
Stream Path: | VBA/ThisDocument |
VBA File Name: | ThisDocument.cls |
Stream Size: | 1127 |
Data ASCII: | . . . . . . . . . 4 . . . . . . . . . . . b . . . p . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . s . . : . . \\ L . . # Y * . . . . . g ~ . . L . o . . . . . . . . . . . . . . . . . . . . . . . . . . ! } . . . . u D . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . ! } . . . . u D . 1 . . . . . . s . . : . . \\ L . . # Y * . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 06 00 01 00 00 34 03 00 00 e4 00 00 00 ea 01 00 00 62 03 00 00 70 03 00 00 c4 03 00 00 00 00 00 00 01 00 00 00 0e 35 d7 f8 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 73 04 ec 3a 99 d0 5c 4c bb d7 23 59 2a 88 09 7f 14 fb 67 20 7e 8f de 4c 81 6f 96 90 b4 fc f3 9f 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
False |
VB_Exposed |
Attribute |
VB_Creatable |
VB_Name |
VB_PredeclaredId |
VB_GlobalNameSpace |
VB_Base |
VB_Customizable |
VB_TemplateDerived |
"ThisDocument" |
VBA Code |
---|
|
VBA File Name: a7A5m.bas, Stream Size: 5178 |
---|
General | |
---|---|
Stream Path: | VBA/a7A5m |
VBA File Name: | a7A5m.bas |
Stream Size: | 5178 |
Data ASCII: | . . . . . . . . . j . . . . . . . . . . . . . . . q . . . ] . . . . . . . . . . . . 5 > Q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f0 00 00 00 6a 03 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 71 03 00 00 5d 0e 00 00 00 00 00 00 01 00 00 00 0e 35 3e 51 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
joins |
effigy |
photo |
maidenhead |
torah |
imprint |
co-operative |
unfavorable |
Collects |
Public |
Diagram |
aSGxU |
Makeup |
father |
abhorred |
controls |
Cutting |
unpropitious |
minerva |
Training |
Adventures |
unveil |
Mysimon |
Replace(aPENSZ, |
slanderous |
webcast |
savoury |
nucleus |
liberia |
footstool |
Adroit |
nutmeg |
greenish |
inter |
adHaPl |
Hallow |
warner |
manger |
ethical |
Since |
pickled |
Routing |
Sniff |
Giants |
Nickel |
seventy-four |
fellowship |
shadow |
Maudlin |
stefan |
Tribal |
tabooed |
akSqK(aPENSZ) |
expire |
along |
vaccine |
reaction |
Rancid |
patricia |
lackey |
coxcomb |
Workflow |
axIuO |
succeed |
daisy |
syria |
Receptacle |
Defraud |
Knowledge |
Contacts |
Sorcery |
transit |
undersigned |
leniency |
sacrilegious |
aYKyQ |
dearborn |
insulation |
detecting |
cloud |
Glucose |
willy |
wealth |
probity |
exhort |
Accelerated |
ballast |
Articulated |
transverse |
azUoN |
Outcome |
Specifies |
graphic |
brandishing |
Attribute |
gamespot |
rectangular |
patients |
awAlq() |
tumults |
Enemies |
Basketball |
VB_Name |
Gloating |
(axSiN) |
Issue |
counterfeit |
Function |
Retrospect |
unadulterated |
comfort |
hybrid |
Munich |
brandon |
delay |
located |
actors |
commentary |
akSqK |
cubic |
stacy |
photographers |
Airport |
characters |
dappled |
chris |
mangrove |
knack |
Generates |
statute |
Attorney |
coupling |
navel |
Pyramid |
steady |
bakery |
Boolean |
Terrace |
Verzeichnis |
turnpike |
VBA Code |
---|
|
VBA File Name: aH8xms.bas, Stream Size: 863 |
---|
General | |
---|---|
Stream Path: | VBA/aH8xms |
VBA File Name: | aH8xms.bas |
Stream Size: | 863 |
Data ASCII: | . . . . . . . . . z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 . ] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f0 00 00 00 7a 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 81 02 00 00 11 03 00 00 00 00 00 00 01 00 00 00 0e 35 b2 5d 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
awAlq |
Attribute |
AutoOpen() |
VB_Name |
VBA Code |
---|
|
VBA File Name: aIsb7.bas, Stream Size: 5040 |
---|
General | |
---|---|
Stream Path: | VBA/aIsb7 |
VBA File Name: | aIsb7.bas |
Stream Size: | 5040 |
Data ASCII: | . . . . . . . . . : . . . . . . . . . . . . . . . A . . . 1 . . . . . . . . . . . . 5 . w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f0 00 00 00 3a 06 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 41 06 00 00 31 0f 00 00 00 00 00 00 01 00 00 00 0e 35 df 77 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
Blackmail |
developer |
valuation |
plume |
aMslO(aucpr) |
amZcqK |
Berkeley |
plenipotentiary |
translations |
aYzBn |
roundabout |
aVzRp() |
(akSqK(aucpr)) |
Pronoun |
aCqnt |
positions |
teams |
purveyor |
arthur |
louis |
soviet |
Tatiana |
axSiN |
motherboard |
numeric |
Idiom |
perspective |
dialectic |
shallows |
gazette |
Discovery |
felony |
unconvinced |
roller |
Proven |
medicare |
ElseIf |
clime |
cartwright |
importunate |
moiety |
guess |
Bulldog |
adeKx |
Bereavement |
asses |
participated |
Waylaid |
confiscate |
grandchildren |
Barely |
axSiN() |
Shutter |
Coiled |
realty |
compute |
Precedence |
vapid |
Attribute |
handcuffs |
aaqRT |
transparency |
specialized |
propaganda |
VB_Name |
calvin |
telephony |
everyday |
Function |
baste |
demesne |
switching |
Springer |
Modes |
Luggage |
Avant |
catalog |
Milky |
hearthstone |
tracy |
expand |
aMslO |
Johns |
sunset |
requires |
VBA Code |
---|
|
VBA File Name: aOMv0.bas, Stream Size: 3156 |
---|
General | |
---|---|
Stream Path: | VBA/aOMv0 |
VBA File Name: | aOMv0.bas |
Stream Size: | 3156 |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 k > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f0 00 00 00 e2 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff e9 02 00 00 11 09 00 00 00 00 00 00 01 00 00 00 0e 35 6b 3e 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
causes |
anFJy |
exclusively |
Truly |
Browser |
aYzBn(aDKIk, |
smell |
Searched |
adBRr(anFJy) |
Surrounding |
recommendations |
nazarene |
Constitutes |
proteins |
delegation |
String |
aMnjk |
commentator |
zoological |
trunk |
Juvenile |
pearly |
ElseIf |
Insider |
learning |
Oreilly |
Asc(aMnjk) |
Treasurer |
alfred |
aDKIk |
Integer |
limousine |
Alexander |
Respiratory |
aJjwu) |
abomination |
delayed |
Memoirs |
Attribute |
ascendancy |
acclaim |
Imprecation |
VB_Name |
wampum |
Etymology |
undeceive |
Function |
priory |
humanities |
relatives |
sufficiency |
aJjwu |
unless |
persons |
(aDKIk |
elusive |
Stumped |
turnpike |
VBA Code |
---|
|
VBA File Name: aRZcbw.bas, Stream Size: 4810 |
---|
General | |
---|---|
Stream Path: | VBA/aRZcbw |
VBA File Name: | aRZcbw.bas |
Stream Size: | 4810 |
Data ASCII: | . . . . . . . . . b . . . . . . . . . . . . . . . i . . . . . . . . . . . . . . . . 5 . ] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f0 00 00 00 62 04 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 69 04 00 00 b1 0d 00 00 00 00 00 00 01 00 00 00 0e 35 b6 5d 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
uninterested |
determinate |
Const |
serenade |
fraser |
unreliable |
Public |
Contacting |
adolescence |
Kinswoman |
wickedly |
walnut |
blots |
undivided |
vociferous |
Antigua |
Librarian |
Indolence |
procedures |
encounter |
Campaign |
riven |
Defined |
belfast |
tradespeople |
dizziness |
Abstention |
Terrorist |
Maidenhead |
Anniversary |
phosphoric |
dialectic |
enemies |
Dentists |
String |
Upskirt |
Nearly |
undecided |
affordable |
timeline |
Obviously |
selective |
offset |
const |
restrictions |
would |
shove |
nomenclature |
axIuO() |
Gentle |
Choosing |
Maine |
gamma |
consulting |
strumpet |
schooling |
Metallic |
dietary |
stumble |
landscape |
Straightforward |
prove |
deuteronomy |
ravage |
Ecological |
brazilian |
Integer |
jerky |
adroitly |
walter |
daughter-in-law |
aVzRp |
shell |
supporters |
catering |
magnanimous |
Stylish |
haven |
assets |
boarding |
holland |
washington |
"aRZcbw" |
Attribute |
abortion |
economies |
compensation |
Receptor |
latch |
Dysentery |
Variety |
expanding |
VB_Name |
Esquire |
Fisting |
aYKyQ() |
collapse |
Function |
completeness |
cambodia |
branch |
elliptical |
Entrust |
reporting |
demanding |
consolidation |
sceptic |
priced |
Gamma |
Sensuality |
unload |
cover |
brooded |
strings |
VBA Code |
---|
|
VBA File Name: abh0Rg.bas, Stream Size: 4574 |
---|
General | |
---|---|
Stream Path: | VBA/abh0Rg |
VBA File Name: | abh0Rg.bas |
Stream Size: | 4574 |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f0 00 00 00 ca 03 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff d1 03 00 00 e1 0c 00 00 00 00 00 00 01 00 00 00 0e 35 f9 c7 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
seasonal |
pointed |
Trains |
Cancelled |
theaters |
swain |
fullness |
Public |
sulky |
referring |
explain |
compost |
Aquarium |
bullet |
digit |
downpour |
Changelog |
alabaster |
denounce |
Candy |
self-evident |
Homesickness |
Machinist |
statistical |
Primacy |
FreeFile |
Love-making |
Truism |
companies |
mother-in-law |
Competition |
subway |
analytical |
walrus |
greenhouse |
Flaccid |
Webshots |
Tress |
tricolor |
pacific |
pretension |
radius |
Drawn |
FileNumber |
Breakdown |
diffidence |
Biology |
aicyF |
illusory |
wikipedia |
poison |
adBRr |
dutch |
suggesting |
participation |
Plaza |
Sanity |
Gaoler |
impromptu |
isthmus |
Amber |
sender |
urges |
changes |
#FileNumber |
confidentiality |
tunisia |
liqueur |
Simulated |
coding |
venues |
seashore |
reservation |
lighthouse |
swimmer |
Arising |
aicyF) |
lambent |
sloped |
shortening |
fahrenheit |
transcendent |
#FileNumber, |
flexible |
Winsome |
Georgia |
option |
Forests |
lazarus |
labourer |
bukkake |
Grenada |
Surplus |
Attribute |
avhZYf |
aVOhvn |
Syntax |
Close |
devious |
engineers |
cleaner |
VB_Name |
lichen |
Outwards |
stubbornly |
proceeds |
trusted |
Function |
belle |
depth |
highlighted |
FileCopy |
louisville |
Inconsistency |
ungracious |
opposite |
adBRr(avhZYf) |
disagree |
Indisputable |
Output |
classroom |
notch |
Abandons |
allegorical |
Overhung |
eddies |
Adultery |
Intact |
VBA Code |
---|
|
VBA File Name: adGbPA.bas, Stream Size: 4586 |
---|
General | |
---|---|
Stream Path: | VBA/adGbPA |
VBA File Name: | adGbPA.bas |
Stream Size: | 4586 |
Data ASCII: | . . . . . . . . . J . . . . . . . . . . . . . . . Q . . . . . . . . . . . . . . . . 5 . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f0 00 00 00 4a 03 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 51 03 00 00 f5 0c 00 00 00 00 00 00 01 00 00 00 0e 35 ee 60 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code Keywords |
---|
Keyword |
---|
intervals |
octagonal |
neigh |
signs |
astrology |
legitimately |
tittle |
southwest |
Technique |
Matins |
rejoin |
Mephistopheles |
intimidation |
Burdensome |
Responsibility |
syllogism |
Adobe |
pounds |
patrick |
concave |
Bequeath |
Types |
hesse |
Select |
pragmatic |
excavation |
magnificent |
Vishnu |
abolitionist |
estimated |
occurrence |
Vassal |
adkJvD |
Armenia |
Sanctified |
dunbar |
Systematically |
component |
Departments |
modular |
lucrative |
Stating |
Attica |
derivation |
attending |
Bouquet |
losses |
leave-taking |
Screens |
fleshy |
primal |
Hybrid |
)o)l)l)e)h)"), |
Redden |
utility |
clustering |
Unless |
athens |
totality |
"adGbPA" |
inferno |
recurring |
expiring |
Sampson |
languidly |
Marrow |
trojan |
Attribute |
Counsellor |
Receipt |
headers |
Inactive |
Sundown |
lingo |
charlotte |
thirty-nine |
aGSfMv() |
VB_Name |
Terminal |
overran |
Wicked |
Function |
silhouette |
recovery |
Mario |
Infringement |
Ticket |
pichunter |
chemist |
Blue-black |
brainless |
cliff |
complacent |
compendium |
aGSfMv |
defilement |
annuity |
register |
foundry |
Displacement |
remonstrate |
VBA Code |
---|
|
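The keyword tables the sandbox prints for each module (the table above aIsb7 through adGbPA) bury a handful of real VBA tokens under dictionary words that the macro author used as junk identifiers and comment text. The script below is an added triage example, not output of the report or the sandbox: it keeps the VBA-relevant tokens, maps them to capabilities, finds identifiers shared between modules (cross-module calls to follow once the code is decompiled), and offers a guess at the `)o)l)l)e)h)")` literal in adGbPA. The keyword lists are copied from the tables above but abridged to the relevant tokens; the capability map, the generated-name heuristic and the separator-plus-reverse decoding are assumptions to confirm against the decompiled code.

```python
"""Triage of the per-module VBA keyword tables (added example, not report output)."""
import re
from collections import defaultdict

# Abridged from the report's keyword tables; omitted entries are dictionary
# words. The first list is the table that precedes aIsb7 in the report (the
# module header for it is not shown in this excerpt).
MODULE_KEYWORDS = {
    "(module before aIsb7)": ["awAlq", "Attribute", "AutoOpen()", "VB_Name"],
    "aIsb7": ["aMslO(aucpr)", "amZcqK", "aYzBn", "aVzRp()", "(akSqK(aucpr))",
              "aCqnt", "axSiN", "ElseIf", "adeKx", "axSiN()", "Attribute",
              "aaqRT", "VB_Name", "Function", "aMslO"],
    "aOMv0": ["anFJy", "aYzBn(aDKIk,", "adBRr(anFJy)", "String", "aMnjk",
              "ElseIf", "Asc(aMnjk)", "aDKIk", "Integer", "aJjwu)",
              "Attribute", "VB_Name", "Function", "aJjwu", "(aDKIk"],
    "aRZcbw": ["Const", "Public", "String", "const", "axIuO()", "Integer",
               "aVzRp", "shell", "\"aRZcbw\"", "Attribute", "VB_Name",
               "aYKyQ()", "Function"],
    "abh0Rg": ["Public", "FreeFile", "FileNumber", "aicyF", "adBRr",
               "#FileNumber", "aicyF)", "#FileNumber,", "Attribute", "avhZYf",
               "aVOhvn", "Close", "VB_Name", "Function", "FileCopy",
               "adBRr(avhZYf)", "Output"],
    "adGbPA": ["Select", "adkJvD", ")o)l)l)e)h)\"),", "\"adGbPA\"", "Attribute",
               "aGSfMv()", "VB_Name", "Function", "aGSfMv"],
}

# Assumed capability map. Matching is case-sensitive on purpose: the VBE
# normalises the casing of built-in names in stored source, so lower-case
# "shell" or "const" are more likely junk words in comments or strings than
# live calls; they are reported separately for manual review.
CAPABILITIES = {
    "auto-execution": {"AutoOpen", "AutoExec", "Document_Open", "Auto_Open"},
    "file write": {"FreeFile", "Open", "Output", "Binary", "Print", "Put",
                   "Write", "Close", "FileCopy"},
    "string decoding": {"Asc", "Chr", "ChrW", "StrReverse", "Replace", "Mid"},
    "execution": {"Shell", "CreateObject", "GetObject", "WScript"},
}
TOKEN = re.compile(r"[A-Za-z_#][A-Za-z0-9_]*")


def tokens(keywords):
    """Split keyword cells such as 'aYzBn(aDKIk,' or '#FileNumber,' into identifiers."""
    out = []
    for kw in keywords:
        out.extend(t.lstrip("#") for t in TOKEN.findall(kw) if t.lstrip("#"))
    return out


def is_generated_name(tok):
    """Heuristic for the obfuscator's identifiers: 'a' + 4-5 characters with at
    least one upper-case letter or digit after the first (aIsb7, adBRr, ...).
    Dictionary words ('arthur') and the all-lower-case parameter 'aucpr' fail it."""
    return (5 <= len(tok) <= 6 and tok[0] == "a"
            and any(c.isupper() or c.isdigit() for c in tok[1:]))


def capabilities(keywords):
    """Return ({capability: [tokens]}, [lower-case near-misses to review])."""
    toks = set(tokens(keywords))
    found = {cap: sorted(toks & names)
             for cap, names in CAPABILITIES.items() if toks & names}
    all_names = {n for names in CAPABILITIES.values() for n in names}
    lowered = {n.lower() for n in all_names}
    review = sorted(t for t in toks if t not in all_names and t.lower() in lowered)
    return found, review


def cross_module_identifiers(modules):
    """Generated identifiers seen in more than one module: likely cross-module calls."""
    seen = defaultdict(set)
    for mod, kws in modules.items():
        for t in tokens(kws):
            if is_generated_name(t):
                seen[t].add(mod)
    return {ident: sorted(mods) for ident, mods in seen.items() if len(mods) > 1}


SEPARATOR = ")"  # assumed: the character inserted between payload characters


def decode_candidates(literal):
    """Assumed scheme for ')o)l)l)e)h)': separator inserted between characters,
    text stored reversed. Returns (separator stripped, stripped and reversed)."""
    stripped = literal.strip("\",(); ").replace(SEPARATOR, "")
    return stripped, stripped[::-1]


if __name__ == "__main__":
    for mod, kws in MODULE_KEYWORDS.items():
        caps, review = capabilities(kws)
        print(mod, caps, "review:", review)
    print(cross_module_identifiers(MODULE_KEYWORDS))
    print(decode_candidates(')o)l)l)e)h)"),'))
```

Read with the behaviour section of this report in mind: the keyword tables show an auto-execution entry point, a module that decodes characters with `Asc`, and a module that opens a file for `Output` and calls `FileCopy`, but no `Shell` or `CreateObject` token. Keyword extraction is only a first pass; the process table below is what establishes that the written file actually ran.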
Streams |
---|
Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 618 |
---|
General | |
---|---|
Stream Path: | PROJECT |
File Type: | ASCII text, with CRLF line terminators |
Stream Size: | 618 |
Entropy: | 5.34267626544 |
Base64 Encoded: | True |
Data ASCII: | I D = " { 8 6 2 6 2 4 0 6 - 3 0 4 D - 4 E F A - A 4 4 C - C 5 5 4 C 4 7 8 6 1 3 8 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = a H 8 x m s . . M o d u l e = a R Z c b w . . M o d u l e = a b h 0 R g . . M o d u l e = a 7 A 5 m . . M o d u l e = a d G b P A . . M o d u l e = a I s b 7 . . M o d u l e = a O M v 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 1 C |
Data Raw: | 49 44 3d 22 7b 38 36 32 36 32 34 30 36 2d 33 30 34 44 2d 34 45 46 41 2d 41 34 34 43 2d 43 35 35 34 43 34 37 38 36 31 33 38 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 61 48 38 78 6d 73 0d 0a 4d 6f 64 75 6c 65 3d 61 52 5a 63 62 77 0d 0a 4d 6f 64 75 6c 65 3d 61 62 68 30 52 67 0d 0a 4d 6f 64 75 |
Stream Path: PROJECTwm, File Type: data, Stream Size: 179 |
---|
General | |
---|---|
Stream Path: | PROJECTwm |
File Type: | data |
Stream Size: | 179 |
Entropy: | 3.66892704793 |
Base64 Encoded: | True |
Data ASCII: | T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . a H 8 x m s . a . H . 8 . x . m . s . . . a R Z c b w . a . R . Z . c . b . w . . . a b h 0 R g . a . b . h . 0 . R . g . . . a 7 A 5 m . a . 7 . A . 5 . m . . . a d G b P A . a . d . G . b . P . A . . . a I s b 7 . a . I . s . b . 7 . . . a O M v 0 . a . O . M . v . 0 . . . . . |
Data Raw: | 54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 61 48 38 78 6d 73 00 61 00 48 00 38 00 78 00 6d 00 73 00 00 00 61 52 5a 63 62 77 00 61 00 52 00 5a 00 63 00 62 00 77 00 00 00 61 62 68 30 52 67 00 61 00 62 00 68 00 30 00 52 00 67 00 00 00 61 37 41 35 6d 00 61 00 37 00 41 00 35 00 6d 00 00 00 61 64 47 62 50 41 00 61 |
Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 4172 |
---|
General | |
---|---|
Stream Path: | VBA/_VBA_PROJECT |
File Type: | data |
Stream Size: | 4172 |
Entropy: | 4.76403916663 |
Base64 Encoded: | True |
Data ASCII: | . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . |
Data Raw: | cc 61 b2 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00 |
Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 2119 |
---|
General | |
---|---|
Stream Path: | VBA/__SRP_0 |
File Type: | data |
Stream Size: | 2119 |
Entropy: | 3.47748136877 |
Base64 Encoded: | True |
Data ASCII: | . K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ Z . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . . . . A . . . . . . V H . . . . . . . . . . . |
Data Raw: | 93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 |
Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 230 |
---|
General | |
---|---|
Stream Path: | VBA/__SRP_1 |
File Type: | data |
Stream Size: | 230 |
Entropy: | 1.75961915218 |
Base64 Encoded: | False |
Data ASCII: | r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . . |
Data Raw: | 72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff |
Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 348 |
---|
General | |
---|---|
Stream Path: | VBA/__SRP_2 |
File Type: | data |
Stream Size: | 348 |
Entropy: | 1.78450864632 |
Base64 Encoded: | False |
Data ASCII: | r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . ` . . . A . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 91 07 00 00 00 00 00 00 00 00 00 00 c1 07 00 00 00 00 00 00 00 00 00 00 11 08 |
Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 106 |
---|
General | |
---|---|
Stream Path: | VBA/__SRP_3 |
File Type: | data |
Stream Size: | 106 |
Entropy: | 1.35911194617 |
Base64 Encoded: | False |
Data ASCII: | r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . b . . . . . . . . . . . . . . . |
Data Raw: | 72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 00 00 00 00 00 00 62 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 |
Stream Path: VBA/dir, File Type: data, Stream Size: 775 |
---|
General | |
---|---|
Stream Path: | VBA/dir |
File Type: | data |
Stream Size: | 775 |
Entropy: | 6.59935768005 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . . . a . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . . m . . . |
Data Raw: | 01 03 b3 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 95 d8 b6 61 10 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30 |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 3, 2020 10:17:50.023014069 CET | 49165 | 80 | 192.168.2.22 | 104.28.7.227 |
Dec 3, 2020 10:17:50.049793005 CET | 80 | 49165 | 104.28.7.227 | 192.168.2.22 |
Dec 3, 2020 10:17:50.049907923 CET | 49165 | 80 | 192.168.2.22 | 104.28.7.227 |
Dec 3, 2020 10:17:50.051737070 CET | 49165 | 80 | 192.168.2.22 | 104.28.7.227 |
Dec 3, 2020 10:17:50.078305960 CET | 80 | 49165 | 104.28.7.227 | 192.168.2.22 |
Dec 3, 2020 10:17:50.553350925 CET | 80 | 49165 | 104.28.7.227 | 192.168.2.22 |
Dec 3, 2020 10:17:50.553472042 CET | 80 | 49165 | 104.28.7.227 | 192.168.2.22 |
Dec 3, 2020 10:17:50.553716898 CET | 49165 | 80 | 192.168.2.22 | 104.28.7.227 |
Dec 3, 2020 10:19:39.927777052 CET | 49165 | 80 | 192.168.2.22 | 104.28.7.227 |
Dec 3, 2020 10:19:39.954610109 CET | 80 | 49165 | 104.28.7.227 | 192.168.2.22 |
Dec 3, 2020 10:19:39.954713106 CET | 49165 | 80 | 192.168.2.22 | 104.28.7.227 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 3, 2020 10:17:49.918186903 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8 |
Dec 3, 2020 10:17:49.956623077 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22 |
Dec 3, 2020 10:17:49.957684994 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8 |
Dec 3, 2020 10:17:49.996907949 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Dec 3, 2020 10:17:49.918186903 CET | 192.168.2.22 | 8.8.8.8 | 0x2c09 | Standard query (0) | | A (IP address) | IN (0x0001) |
Dec 3, 2020 10:17:49.957684994 CET | 192.168.2.22 | 8.8.8.8 | 0x2c09 | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Dec 3, 2020 10:17:49.956623077 CET | 8.8.8.8 | 192.168.2.22 | 0x2c09 | No error (0) | | | 104.28.7.227 | A (IP address) | IN (0x0001) |
Dec 3, 2020 10:17:49.956623077 CET | 8.8.8.8 | 192.168.2.22 | 0x2c09 | No error (0) | | | 104.28.6.227 | A (IP address) | IN (0x0001) |
Dec 3, 2020 10:17:49.956623077 CET | 8.8.8.8 | 192.168.2.22 | 0x2c09 | No error (0) | | | 172.67.164.220 | A (IP address) | IN (0x0001) |
Dec 3, 2020 10:17:49.996907949 CET | 8.8.8.8 | 192.168.2.22 | 0x2c09 | No error (0) | | | 104.28.7.227 | A (IP address) | IN (0x0001) |
Dec 3, 2020 10:17:49.996907949 CET | 8.8.8.8 | 192.168.2.22 | 0x2c09 | No error (0) | | | 172.67.164.220 | A (IP address) | IN (0x0001) |
Dec 3, 2020 10:17:49.996907949 CET | 8.8.8.8 | 192.168.2.22 | 0x2c09 | No error (0) | | | 104.28.6.227 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49165 | 104.28.7.227 | 80 | C:\Users\Public\ms.com |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Dec 3, 2020 10:17:50.051737070 CET | 1 | OUT | |
Dec 3, 2020 10:17:50.553350925 CET | 2 | IN |
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 10:17:34 |
Start date: | 03/12/2020 |
Path: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13fc70000 |
File size: | 1424032 bytes |
MD5 hash: | 95C38D04597050285A18F66039EDB456 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 10:17:36 |
Start date: | 03/12/2020 |
Path: | C:\Users\Public\ms.com |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13fea0000 |
File size: | 13824 bytes |
MD5 hash: | 95828D670CFD3B16EE188168E083C3C5 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Antivirus matches: | |
Reputation: | moderate |
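The process and network tables above record one chain: WINWORD.EXE starts at 10:17:34, a file is written to C:\Users\Public\ms.com, that file runs as its own process at 10:17:36, and it resolves a name (not shown in this excerpt) and talks HTTP on port 80 to 104.28.7.227. The `.com` extension carries no information; the sandbox reports the dropped file as a native 64-bit executable. The script below is an added detection example, not part of the report: it runs the correlation a SIEM or EDR rule would run over the constructed events that mirror this timeline. The event schema and field names are assumptions standing in for real telemetry, and because this excerpt does not show the parent of ms.com, the rule links the launch to the drop by matching the launched image path against paths an Office process recently wrote rather than by parent PID.

```python
"""Correlate Office file drop -> execution -> network (added detection example)."""
from datetime import datetime, timedelta

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumed list of user-writable staging directories worth alerting on directly.
WRITABLE_STAGING = ("c:\\users\\public\\", "c:\\programdata\\",
                    "\\appdata\\local\\temp\\")

# Constructed events reproducing this report's timeline (3 Dec 2020, sandbox
# clock). Field names are assumptions, not any product's schema.
EVENTS = [
    {"t": "10:17:34", "type": "process_start", "pid": 1,
     "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"},
    {"t": "10:17:36", "type": "file_create", "pid": 1,
     "path": r"C:\Users\Public\ms.com"},
    {"t": "10:17:36", "type": "process_start", "pid": 2,
     "image": r"C:\Users\Public\ms.com"},
    {"t": "10:17:49", "type": "dns_query", "pid": 2, "server": "8.8.8.8"},
    {"t": "10:17:50", "type": "net_connect", "pid": 2,
     "dst": "104.28.7.227", "dport": 80},
]


def parse_t(s):
    return datetime.strptime("2020-12-03 " + s, "%Y-%m-%d %H:%M:%S")


def is_office(image):
    return image.rsplit("\\", 1)[-1].lower() in OFFICE


def in_staging_dir(path):
    return any(s in path.lower() for s in WRITABLE_STAGING)


def detect(events, window=timedelta(minutes=10)):
    """Return (time, rule, detail) alerts for the drop/execute/network chain.

    Events are processed in time order; with equal timestamps the input order
    is kept, so a file_create must precede the process_start of the same path
    in the feed for the launch to be linked to the drop."""
    procs = {}      # pid -> image path
    dropped = {}    # lower-cased path -> (writer pid, time) for Office-written files
    tainted = {}    # pid -> image path, for processes launched from a dropped file
    alerts = []
    for ev in sorted(events, key=lambda e: parse_t(e["t"])):
        t = parse_t(ev["t"])
        if ev["type"] == "process_start":
            procs[ev["pid"]] = ev["image"]
            key = ev["image"].lower()
            if key in dropped and t - dropped[key][1] <= window:
                tainted[ev["pid"]] = ev["image"]
                alerts.append((ev["t"], "office_drop_executed", ev["image"]))
        elif ev["type"] == "file_create":
            if is_office(procs.get(ev["pid"], "")):
                dropped[ev["path"].lower()] = (ev["pid"], t)
                if in_staging_dir(ev["path"]):
                    alerts.append((ev["t"], "office_writes_to_staging_dir", ev["path"]))
        elif ev["type"] in ("dns_query", "net_connect") and ev["pid"] in tainted:
            detail = ev.get("dst", ev.get("server", ""))
            alerts.append((ev["t"], "office_drop_network",
                           f"{tainted[ev['pid']]} -> {detail}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

Two caveats from this report's own data. The three A records returned (104.28.7.227, 104.28.6.227, 172.67.164.220) fall in address space announced by Cloudflare, so the destination IP is a weak indicator; the queried name, which this excerpt leaves blank, is the one to block and hunt on. And the sandbox runs WINWORD.EXE with administrator privileges, which a production rule should not assume; the chain above fires on the drop-then-execute relationship alone.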
Disassembly |
---|
Code Analysis |
---|