RTF Document Takes Advantage of CVE-2017-11882 Vulnerability | Files
File Information
Sample files count 1
Created files count 3
Modified files count 4
c:\users\bgc6u8oy yxgxkr\desktop\WhitePaper.doc
File Properties
Names c:\users\bgc6u8oy yxgxkr\desktop\WhitePaper.doc (Sample File)
Size 8.48 KB (8685 bytes)
Hash Values MD5: 30926dda00ebf82f1355217d4285980f
SHA1: d1b8a2414232fbeb997dcb4fdc1d9969137a5445
SHA256: 1c0a1a7c695d5e1a7497b7fa4f75cf83f12265eaca2297b3d72461d110fcb079
c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\temporary internet files\content.ie5\b9mx3v6b\foobaz[1].txt
File Properties
Names c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\temporary internet files\content.ie5\b9mx3v6b\foobaz[1].txt (Modified File)
Size 0.33 KB (335 bytes)
Hash Values MD5: 5e96b592b960ec8b481f9a75f6d60e3b
SHA1: 495590c98ccbfcbc17a622e29912d4ad4009b36e
SHA256: b17c0528463b2e7c191c2adaec4135848564597531cb9b7554b8fc80d1ac0c45
c:\users\bgc6u8oy yxgxkr\appdata\local\temp\lambdoidtegument.exe
File Properties
Names c:\users\bgc6u8oy yxgxkr\appdata\local\temp\lambdoidtegument.exe (Created File)
Size 232.00 KB (237568 bytes)
Hash Values MD5: 437efd63bf864669ef4312750c25c462
SHA1: 247f0b1576c24e50830f6ee326dce494c6ba478d
SHA256: c5221c1250b9584be4be97a30dde5f1b82c3509749df7bf76a7d0c9d85514a5a
PE Information
File Properties
Image Base 0x400000
Entry Point 0x4011f8
Size Of Code 0x36000
Size Of Initialized Data 0x4000
Size Of Uninitialized Data 0x0
Format x86
Type Executable
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2017-12-19 16:29:45
Compiler/Packer Unknown
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x401000 0x35d14 0x36000 0x1000 CNT_CODE, MEM_EXECUTE, MEM_READ 7.77
.data 0x437000 0x116c 0x1000 0x37000 CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE 0.0
.rsrc 0x439000 0x13d2 0x2000 0x38000 CNT_INITIALIZED_DATA, MEM_READ 3.82
Imports (44)
MSVBVM60.DLL (44)
API Name Ordinal IAT Address Thunk RVA Thunk Offset
__vbaStrI2 0x0 0x401000 0x369cc 0x369cc
_CIcos 0x0 0x401004 0x369d0 0x369d0
_adj_fptan 0x0 0x401008 0x369d4 0x369d4
__vbaVarMove 0x0 0x40100c 0x369d8 0x369d8
__vbaFreeVar 0x0 0x401010 0x369dc 0x369dc
__vbaEnd 0x0 0x401014 0x369e0 0x369e0
_adj_fdiv_m64 0x0 0x401018 0x369e4 0x369e4
_adj_fprem1 0x0 0x40101c 0x369e8 0x369e8
__vbaHresultCheckObj 0x0 0x401020 0x369ec 0x369ec
_adj_fdiv_m32 0x0 0x401024 0x369f0 0x369f0
__vbaObjSet 0x0 0x401028 0x369f4 0x369f4
_adj_fdiv_m16i 0x0 0x40102c 0x369f8 0x369f8
__vbaObjSetAddref 0x0 0x401030 0x369fc 0x369fc
_adj_fdivr_m16i 0x0 0x401034 0x36a00 0x36a00
_CIsin 0x0 0x401038 0x36a04 0x36a04
__vbaChkstk 0x0 0x40103c 0x36a08 0x36a08
EVENT_SINK_AddRef 0x0 0x401040 0x36a0c 0x36a0c
__vbaStrCmp 0x0 0x401044 0x36a10 0x36a10
(by ordinal) 0x232 0x401048 0x36a14 0x36a14
DllFunctionCall 0x0 0x40104c 0x36a18 0x36a18
_adj_fpatan 0x0 0x401050 0x36a1c 0x36a1c
EVENT_SINK_Release 0x0 0x401054 0x36a20 0x36a20
_CIsqrt 0x0 0x401058 0x36a24 0x36a24
EVENT_SINK_QueryInterface 0x0 0x40105c 0x36a28 0x36a28
__vbaExceptHandler 0x0 0x401060 0x36a2c 0x36a2c
(by ordinal) 0x2c9 0x401064 0x36a30 0x36a30
_adj_fprem 0x0 0x401068 0x36a34 0x36a34
_adj_fdivr_m64 0x0 0x40106c 0x36a38 0x36a38
__vbaFPException 0x0 0x401070 0x36a3c 0x36a3c
_CIlog 0x0 0x401074 0x36a40 0x36a40
__vbaNew2 0x0 0x401078 0x36a44 0x36a44
_adj_fdiv_m32i 0x0 0x40107c 0x36a48 0x36a48
_adj_fdivr_m32i 0x0 0x401080 0x36a4c 0x36a4c
__vbaFreeStrList 0x0 0x401084 0x36a50 0x36a50
_adj_fdivr_m32 0x0 0x401088 0x36a54 0x36a54
_adj_fdiv_r 0x0 0x40108c 0x36a58 0x36a58
(by ordinal) 0x64 0x401090 0x36a5c 0x36a5c
_CIatan 0x0 0x401094 0x36a60 0x36a60
__vbaCastObj 0x0 0x401098 0x36a64 0x36a64
__vbaStrMove 0x0 0x40109c 0x36a68 0x36a68
_allmul 0x0 0x4010a0 0x36a6c 0x36a6c
_CItan 0x0 0x4010a4 0x36a70 0x36a70
_CIexp 0x0 0x4010a8 0x36a74 0x36a74
__vbaFreeObj 0x0 0x4010ac 0x36a78 0x36a78
c:\users\bgc6u8~1\appdata\local\temp\~dff8ff715eb6fd8eb1.tmp
File Properties
Names c:\users\bgc6u8~1\appdata\local\temp\~dff8ff715eb6fd8eb1.tmp (Created File)
Size 6.00 KB (6144 bytes)
Hash Values MD5: 79f341fd3ffdd288d176c7ff38c456c3
SHA1: da6159d0bb110771e34af83252e0c0d5929d7e3a
SHA256: 71ede8a3db6c3437883e1ce09890aa1789ee8a4777263b8f5cd0324d493ed884
c:\users\bgc6u8oy yxgxkr\appdata\roaming\olo0nds-\olologim.jpeg
File Properties
Names c:\users\bgc6u8oy yxgxkr\appdata\roaming\olo0nds-\olologim.jpeg (Created File)
Size 74.99 KB (76788 bytes)
Hash Values MD5: 9679973c4495843a13589d438c7f9677
SHA1: 4d2ee9b5ef7aa537db4ef414ae9854426f8ae578
SHA256: e3925df9b65909ca5128b30cd53f1c106cd1cf3b7d36a26be06091dbab712ad8
c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
File Properties
Names c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat (Modified File)
Size 64.00 KB (65536 bytes)
Hash Values MD5: 538010a9ee2bd83dce6e6181bcda3df3
SHA1: 5f8d3d25c60d5c9ecf2627422c77c7a895c67d4e
SHA256: 9f70b9e987c662a9555182f299b9196ae5b3bb5e8128dd75e5ac3e6f49632b60
c:\users\bgc6u8oy yxgxkr\appdata\roaming\microsoft\windows\cookies\index.dat, ...
File Properties
Names c:\users\bgc6u8oy yxgxkr\appdata\roaming\microsoft\windows\cookies\index.dat (Modified File)
\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Microsoft\Windows\Cookies\index.dat (Process Dump)
Size 32.00 KB (32768 bytes)
Hash Values MD5: 52e5f12a1c455d32f6cafd01a89ad68e
SHA1: 3de6de86748edb5d0f9c7ca464a2301ee03b753b
SHA256: d2b2d583e7f30d11cb2daeae50b2617676783ed6cd360e0b47209d9787e224a2
c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\history\history.ie5\index.dat
File Properties
Names c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\history\history.ie5\index.dat (Modified File)
Size 48.00 KB (49152 bytes)
Hash Values MD5: d35b4ef54f22a55d2252d7c75217680e
SHA1: bc0c688702dc593e4a8448d723dd9311ee177aba
SHA256: 6871ece75631267dfa058661f117eda144a1f1936468df1d8cf7eb1f4b11474d