64bda120cb447e0c03f451190022a57b

MS Office Document
|
MD5: 64bda120cb447e0c03f451190022a57b
|
Size: 8.33 MB
|
application/vnd.ms-office

Infection Chain

Summary by MalvaGPT

Characteristics

Hash	Hash Value
MD5	64bda120cb447e0c03f451190022a57b
Sha1	3293b81c0e7e0d18b3da0bafa893a108addf60c4
Sha256	d0f5e98fb840fb5656d3f50613b6f1ec60e57392643159841bc1fa95396087a4
Sha384	7ca20cf413c131022401b6fa01eb72635e6afd4d8f07a49208a1800306546f1eb1019843c3175132ad2d55647438ad28
Sha512	41edcf49b18a05eb996d5d49d386e4b8c83a5b777016892230fb3e763281e1f582da0605917f0d20bd066e4e139c18e0048d4aeadf4064c77c0fbcdadd8cf7f4
SSDeep	196608:Z8GMQtdn/62RNOIDEihn+nX6oWxfON6RHwrMe:ZWWR62RNO+Ei9kX6oWxfq0Qr
TLSH	3086235C314B9272D3A613F1A966F1885D3AFC2035B48469B786F97C17BBE90F334922

File Structure

Malware Configuration - URLs in PDF

Config. Field0	Value
URL #1	http://www.vmware.com/pdf/vi3_35/esx_3/r35u2/vi3_35_25_u2_admin_guide.pdf
URL #2	http://communities.vmware.com/thread/191081
URL #3	http://kb.vmware.com/kb/1007195
URL #4	http://packages.vmware.com/tools/versions
URL #5	https://www.telerik.com/download/fiddler
URL #6	http://logging.apache.org/log4net/
URL #7	https://kb.vmware.com/s/article/57829

Informations

Name0	Value
_F14A379D2D214949AE2A09418C1C5012	1.7
_F14A379D2D214949AE2A09418C1C5012	Rob de Veij
_F14A379D2D214949AE2A09418C1C5012	D:20240930143555+01'00'
_F14A379D2D214949AE2A09418C1C5012	Microsoft® Word for Microsoft 365
_F14A379D2D214949AE2A09418C1C5012	D:20240930143555+01'00'
_F14A379D2D214949AE2A09418C1C5012	RVTools 4.7.1 October 3, 2024
_F14A379D2D214949AE2A09418C1C5012	Microsoft® Word for Microsoft 365
_F14A379D2D214949AE2A09418C1C5012	true
_F14A379D2D214949AE2A09418C1C5012	2023-10-13T16:49:30Z
_F14A379D2D214949AE2A09418C1C5012	Privileged
_F14A379D2D214949AE2A09418C1C5012	Public No Visual Label
_F14A379D2D214949AE2A09418C1C5012	945c199a-83a2-4e80-9f8c-5a91be5752dd
_F14A379D2D214949AE2A09418C1C5012	99a04929-6196-4e8e-ba9f-4d322af4fd51
_F14A379D2D214949AE2A09418C1C5012	0
_F14A379D2D214949AE2A09418C1C5012	RVTools 4.7.1 October 3, 2024
_F14A379D2D214949AE2A09418C1C5012	Rob de Veij
_F14A379D2D214949AE2A09418C1C5012	Microsoft® Word for Microsoft 365
_F14A379D2D214949AE2A09418C1C5012	D:20240930143555+01'00'
_F14A379D2D214949AE2A09418C1C5012	D:20240930143555+01'00'
_F14A379D2D214949AE2A09418C1C5012	Microsoft® Word for Microsoft 365

Artefacts

Name0	Value
URLs in VB Code - #1	http://go.microsoft.com/fwlink/?LinkId=395269DIRCA_TARGETDIRTARGETDIR=
URLs in VB Code - #2	http://schemas.microsoft.com/office
URLs in VB Code - #3	https://www.robware.net/about
URLs in VB Code - #4	http://www.robware.net/rvtoolsALLUSERSARPPRODUCTICONVSDNETURLMSGThis
URLs in VB Code - #5	http://crl.comodoca.com/AAACertificateServices.crl04
URLs in VB Code - #6	http://ocsp.comodoca.com0
URLs in VB Code - #7	http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
URLs in VB Code - #8	http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
URLs in VB Code - #9	http://ocsp.sectigo.com0
URLs in VB Code - #10	https://sectigo.com/CPS0
URLs in VB Code - #11	http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
URLs in VB Code - #12	http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
URLs in VB Code - #13	http://ocsp.globalsign.com/gsoffliner45timestampca20250O
URLs in VB Code - #14	http://secure.globalsign.com/cacert/gsoffliner45timestampca2025.crt0J
URLs in VB Code - #15	http://crl.globalsign.com/gsoffliner45timestampca2025.crl0V
URLs in VB Code - #16	https://www.globalsign.com/repository/0
URLs in VB Code - #17	http://ocsp.globalsign.com/timestamprootr450D
URLs in VB Code - #18	http://secure.globalsign.com/cacert/timestamprootr45.crt0
URLs in VB Code - #19	http://crl.globalsign.com/timestamprootr45.crl0
URLs in VB Code - #20	http://ocsp2.globalsign.com/rootr60
URLs in VB Code - #21	http://secure.globalsign.com/cacert/root-r6.crt06
URLs in VB Code - #22	http://crl.globalsign.com/root-r6.crl0G
Deobfuscated PowerShell	pscommand & "" " execute " the "command" "and" "wait" "for" "completion" 0 "=" "Hide" @("window", "True") "=" "Wait" "for" "completion" result "=" "shell.Run" (fullcommand @(0, "True")) " clean " up set "shell" "=" "nothing" "Return" "the" "result" (msi "will" "use" "this" "to" "determine" "success/failure") runmytask "=" "result" end "Function"
Deobfuscated PowerShell	" & pscommand & "" " execute " the "command" "and" "wait" "for" "completion" 0 "=" "Hide" @("window", "True") "=" "Wait" "for" "completion" result "=" "shell.Run" (fullcommand @(0, "True")) " clean " up set "shell" "=" "nothing" "Return" "the" "result" (msi "will" "use" "this" "to" "determine" "success/failure") runmytask "=" "result" end "Function"
URI	http://www.robware.net/
URI	http://www.fulldata.nl/
URI	mailto:Henk@fulldata.nl
URI	mailto:gsizemore@vmware.com
URI	https://blogs.vmware.com/virtualblocks/2020/12/09/storage-units-within-vmware-cloud-on-aws/
URI	https://www.telerik.com/download/fiddler
URI	http://logging.apache.org/log4net/
URI	https://www.robware.net/about
URI	mailto:rvtools@robware.net
URI	mailto:rvtools@dell.com
URI	http://www.vmware.com/pdf/vi3_35/esx_3/r35u2/vi3_35_25_u2_admin_guide.pdf
URI	http://communities.vmware.com/thread/191081
URI	http://kb.vmware.com/kb/1007195
URI	http://packages.vmware.com/tools/versions
Deobfuscated PowerShell	"" pscommand & "" " execute " the command and wait for completion 0 " "= Hide @(window, True) = Wait for completion result = shell.Run (fullcommand @(0, True)) " clean " up set shell = nothing " "Return the result (msi will use this to determine success/failure) runmytask = result end Function"
Deobfuscated PowerShell	with "necessary" "parameters" dim "fullcommand" fullcommand "=" "powershell" -ExecutionPolicy "Bypass" -NoProfile -NoLogo -NonInteractive -WindowStyle "Hidden" -Command "" & pscommand & "" " execute " the "command" "and" "wait" "for" "completion" 0 " " = hide @({ window "True" } ) "=" "Wait" "for" "completion" result "=" "shell.Run" (fullcommand @({ @(0, [Unmanaged(ErrorExpressionAst)] ,) true } )) " clean " up set "shell" "=" "nothing" " " return the "result" (msi "will" "use" "this" "to" "determine" "success/failure") runmytask "=" "result" end "Function"
Deobfuscated PowerShell	with "necessary" "parameters" dim "fullcommand" fullcommand "=" "powershell" -ExecutionPolicy " bypass -noprofile -nologo -noninteractive -windowstyle hidden -command " & pscommand & " execute " the "command" "and" "wait" "for" "completion" 0 " " = hide @({ window "True" } ) "=" "Wait" "for" "completion" result "=" "shell.Run" (fullcommand @({ @(0, [Unmanaged(ErrorExpressionAst)] ,) true } )) " clean " up set "shell" "=" "nothing" " " return the "result" (msi "will" "use" "this" "to" "determine" "success/failure") runmytask "=" "result" end "Function"
Deobfuscated PowerShell	bypass -noprofile -nologo -noninteractive -windowstyle "hidden" -command " & pscommand & " execute " the command and wait for completion 0 " "= Hide @(window, True) = Wait for completion result = shell.Run (fullcommand @(0, True)) " clean " up set shell = nothing " "Return the result (msi will use this to determine success/failure) runmytask = result end Function"
Deobfuscated PowerShell	bypass -noprofile -nologo -noninteractive -windowstyle hidden -command " & pscommand & " execute " the command and wait for completion 0 " "= Hide @(window, True) = Wait for completion result = shell.Run (fullcommand @(0, True)) " clean " up set shell = nothing " "Return the result (msi will use this to determine success/failure) runmytask = result end Function"

64bda120cb447e0c03f451190022a57b (8.33 MB)

64bda120cb447e0c03f451190022a57b

MS Office Document | MD5: 64bda120cb447e0c03f451190022a57b | Size: 8.33 MB | application/vnd.ms-office

MS Office Document
|
MD5: 64bda120cb447e0c03f451190022a57b
|
Size: 8.33 MB
|
application/vnd.ms-office