Characteristics
Hash
Hash Value
MD5
a78f018814b6024e31be8f343afcb322
Sha1
0e638fc2c18b1fba8bce90157629d5c85c861bce
Sha256
2877c69b79d6087d714c6e31f0365e935400c25968aa085e3a55a8ed6d766987
Sha384
c6b584e36ca37b0e2271338ad4d41180fd59f84e1c53f21a577da30e70636ffc335f46ed2e10f2931c5e2c021348d7d2
Sha512
e741f8cbba1cd59a2ce4fe56de50883f4c016bfe680eeee439110be27d0703de13cd0d03fc05a756518c2aa2dc8416af866185f4a1381198bd92f9ef2617a5bb
SSDeep
24576:ajmiPYdrtbx7bZNVvbDcE0Vs3jV8MpqJTUGQGX+:aD8b/oElCMpqFTQGO
TLSH
8D15E1BD7981C8E4EF3524BE8912E4BBDB64AA20C5A32C3B55501E4535FB0F2B3D1A4D
File Structure
[Content_Types].xml
_rels
.rels
xl
Malicious
workbook.xml
_rels
workbook.xml.rels
worksheets
sheet1.xml
sheet2.xml
sheet3.xml
sheet4.xml
sheet5.xml
sheet6.xml
sheet7.xml
sheet8.xml
sheet9.xml
sheet10.xml
sheet11.xml
sheet12.xml
sheet13.xml
sheet14.xml
sheet15.xml
sheet16.xml
sheet17.xml
sheet18.xml
sheet19.xml
sheet20.xml
sheet21.xml
sheet22.xml
sheet23.xml
sheet24.xml
sheet25.xml
sheet26.xml
sheet27.xml
sheet28.xml
_rels
sheet18.xml.rels
sheet1.xml.rels
sheet2.xml.rels
sheet3.xml.rels
sheet4.xml.rels
sheet5.xml.rels
sheet6.xml.rels
sheet7.xml.rels
sheet8.xml.rels
sheet9.xml.rels
sheet10.xml.rels
sheet11.xml.rels
sheet12.xml.rels
sheet13.xml.rels
sheet14.xml.rels
sheet15.xml.rels
sheet16.xml.rels
sheet17.xml.rels
sheet19.xml.rels
sheet20.xml.rels
sheet21.xml.rels
sheet22.xml.rels
sheet23.xml.rels
sheet24.xml.rels
sheet25.xml.rels
sheet26.xml.rels
sheet27.xml.rels
sheet28.xml.rels
drawings
_rels
drawing2.xml.rels
drawing5.xml.rels
drawing6.xml.rels
vmlDrawing1.vml.rels
drawing1.xml
drawing2.xml
drawing3.xml
drawing4.xml
drawing5.xml
drawing6.xml
drawing7.xml
drawing8.xml
drawing9.xml
drawing10.xml
drawing11.xml
drawing12.xml
drawing13.xml
drawing14.xml
drawing15.xml
drawing16.xml
drawing17.xml
drawing18.xml
drawing19.xml
vmlDrawing1.vml
theme
theme1.xml
styles.xml
sharedStrings.xml
media
image1.png
image1.png-preview.png
image2.png
image2.png-preview.png
image3.gif
image3.gif-preview.png
image4.png
image4.png-preview.png
Root Entry
Malicious
PROJECT
PROJECTwm
VBA
Malicious
dir
Sheet2
Sheet3
Sheet5
Sheet7
Module1
Sheet10
Sheet12
Sheet16
Sheet17
Sheet23
Sheet24
[Stored VBA]
Malicious
Sheet25
[Stored VBA]
Malicious
Sheet26
[Stored VBA]
Malicious
__SRP_0
__SRP_1
__SRP_2
__SRP_3
__SRP_4
__SRP_5
__SRP_6
__SRP_7
__SRP_8
__SRP_9
__SRP_a
__SRP_b
__SRP_c
__SRP_d
__SRP_e
__SRP_f
FileUtil
__SRP_10
__SRP_11
__SRP_12
__SRP_13
__SRP_14
__SRP_15
__SRP_16
__SRP_17
__SRP_18
__SRP_19
__SRP_1a
__SRP_1b
__SRP_1c
__SRP_1d
__SRP_1e
__SRP_1f
__SRP_20
__SRP_21
__SRP_22
__SRP_23
__SRP_24
__SRP_25
__SRP_26
__SRP_27
__SRP_28
__SRP_29
__SRP_2a
__SRP_2b
__SRP_2c
__SRP_2d
__SRP_2e
__SRP_2f
__SRP_30
__SRP_31
__SRP_32
__SRP_33
__SRP_34
__SRP_35
__SRP_36
__SRP_37
__SRP_38
__SRP_39
__SRP_3a
__SRP_3b
__SRP_3c
__SRP_3d
__SRP_3e
__SRP_3f
__SRP_40
__SRP_41
__SRP_42
__SRP_43
__SRP_44
__SRP_45
__SRP_46
__SRP_47
__SRP_48
__SRP_49
__SRP_4a
__SRP_4b
__SRP_4c
__SRP_4d
__SRP_4e
__SRP_4f
__SRP_50
__SRP_51
__SRP_52
__SRP_53
__SRP_54
__SRP_55
ValidateMod
Hashing_JSON
ThisWorkbook
_VBA_PROJECT
Import_Error_JSON
[Stored VBA]
Malicious
Import_JSON_Module
[Stored VBA]
Malicious
Validate_Functions
[Stored VBA]
Malicious
Variable_Initialize
[Stored VBA]
Malicious
externalLinks
Malicious
externalLink1.xml
externalLink2.xml
externalLink3.xml
externalLink4.xml
externalLink5.xml
printerSettings
printerSettings1.bin
printerSettings25.bin
printerSettings26.bin
printerSettings27.bin
calcChain.xml
docMetadata
LabelInfo.xml
docProps
core.xml
app.xml
custom.xml
Malware Configuration - Remote Template
Target: file:///C:\Users\sruthi.gundeti\Desktop\UAT\GSTR_9C_Offline_Utility_84\GSTR_9C_Offline_Utility\GSTR_9C_Offline_Utility_2.7\GSTR%209C_Offline_Utility_8.xlsm
Path: externalLink4.xml.rels
XPath: /Relationships/Relationship
Outer XML: <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/externalLinkPath" Target="file:///C:\Users\sruthi.gundeti\Desktop\UAT\GSTR_9C_Offline_Utility_84\GSTR_9C_Offline_Utility\GSTR_9C_Offline_Utility_2.7\GSTR%209C_Offline_Utility_8.xlsm" TargetMode="External" xmlns="http://schemas.openxmlformats.org/package/2006/relationships" />

Malware Configuration - Remote Template
Target: https://infosystechnologies-my.sharepoint.com/Users/sruthi.gundeti/Desktop/UAT/GSTR_9C_Offline_Utility_84/GSTR_9C_Offline_Utility/GSTR_9C_Offline_Utility_2.7/GSTR%209C_Offline_Utility_8.xlsm
Path: externalLink4.xml.rels
XPath: /Relationships/Relationship[2]
Outer XML: <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/externalLinkPath" Target="https://infosystechnologies-my.sharepoint.com/Users/sruthi.gundeti/Desktop/UAT/GSTR_9C_Offline_Utility_84/GSTR_9C_Offline_Utility/GSTR_9C_Offline_Utility_2.7/GSTR%209C_Offline_Utility_8.xlsm" TargetMode="External" xmlns="http://schemas.openxmlformats.org/package/2006/relationships" />

Malware Configuration - Remote Template
Target: file:///D:\Users\Administrator\Downloads\GSTR%209C_Offline%20utility_071218_v2%20(1).xlsm
Path: externalLink5.xml.rels
XPath: /Relationships/Relationship
Outer XML: <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/externalLinkPath" Target="file:///D:\Users\Administrator\Downloads\GSTR%209C_Offline%20utility_071218_v2%20(1).xlsm" TargetMode="External" xmlns="http://schemas.openxmlformats.org/package/2006/relationships" />

Malware Configuration - Remote Template
Target: https://infosystechnologies-my.sharepoint.com/Users/richi.jain/AppData/Local/Temp/Temp1_GSTR_4_Offline_Utility.zip/GSTR_4_Offline_Utility_v3.0.xls
Path: externalLink1.xml.rels
XPath: /Relationships/Relationship
Outer XML: <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/externalLinkPath" Target="https://infosystechnologies-my.sharepoint.com/Users/richi.jain/AppData/Local/Temp/Temp1_GSTR_4_Offline_Utility.zip/GSTR_4_Offline_Utility_v3.0.xls" TargetMode="External" xmlns="http://schemas.openxmlformats.org/package/2006/relationships" />

Malware Configuration - Remote Template
Target: https://infosystechnologies-my.sharepoint.com/Users/ashutosh.khaitan/Desktop/Worksheet%20in%20SRS_Offline_GSTR10_30052018.xls
Path: externalLink2.xml.rels
XPath: /Relationships/Relationship
Outer XML: <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/externalLinkPath" Target="https://infosystechnologies-my.sharepoint.com/Users/ashutosh.khaitan/Desktop/Worksheet%20in%20SRS_Offline_GSTR10_30052018.xls" TargetMode="External" xmlns="http://schemas.openxmlformats.org/package/2006/relationships" />

Malware Configuration - Remote Template
Target: https://infosystechnologies-my.sharepoint.com/Users/pallav_yadav/Documents/GSTR_4_Offline_Utility_v3.0_new_PY.xls
Path: externalLink3.xml.rels
XPath: /Relationships/Relationship
Outer XML: <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/externalLinkPath" Target="https://infosystechnologies-my.sharepoint.com/Users/pallav_yadav/Documents/GSTR_4_Offline_Utility_v3.0_new_PY.xls" TargetMode="External" xmlns="http://schemas.openxmlformats.org/package/2006/relationships" />

Artefacts
URLs in VB Code - #1: http://www.frez.co.uk
URLs in VB Code - #2: https://github.com/VBA-tools/VBA-JSON
URLs in VB Code - #3: http://www.opensource.org/licenses/mit-license.php
URLs in VB Code - #4: http://code.google.com/p/vba-json/
URLs in VB Code - #5: http://msdn.microsoft.com/en-us/library/windows/desktop/ms724421.aspx
URLs in VB Code - #6: http://msdn.microsoft.com/en-us/library/windows/desktop/ms724949.aspx
URLs in VB Code - #7: http://msdn.microsoft.com/en-us/library/windows/desktop/ms725485.aspx
URLs in VB Code - #8: http://support.microsoft.com/kb/269370
URLs in VB Code - #9: http://www.ietf.org/rfc/rfc4627.txt
URLs in VB Code - #10: https://support.microsoft.com/en-us/kb/272138
URLs in VB Code - #11: http://www.vbaccelerator.com/home/VB/Code/Techniques/RunTime_Debug_Tracing/VB6_Tracer_Utility_zip_cStringBuilder_cls.asp
URLs in VB Code - #12: https://github.com/VBA-tools/VBA-JSON/pull/82
URLs in VB Code - #13: https://github.com/VBA-tools/VBA-UtcConverter
URLs in VB Code - #14: http://s

Remote Template - Highly Suspicious: file:///C:\Users\sruthi.gundeti\Desktop\UAT\GSTR_9C_Offline_Utility_84\GSTR_9C_Offline_Utility\GSTR_9C_Offline_Utility_2.7\GSTR%209C_Offline_Utility_8.xlsm
Remote Template - Highly Suspicious: https://infosystechnologies-my.sharepoint.com/Users/sruthi.gundeti/Desktop/UAT/GSTR_9C_Offline_Utility_84/GSTR_9C_Offline_Utility/GSTR_9C_Offline_Utility_2.7/GSTR%209C_Offline_Utility_8.xlsm
Remote Template - Highly Suspicious: file:///D:\Users\Administrator\Downloads\GSTR%209C_Offline%20utility_071218_v2%20(1).xlsm
Remote Template - Highly Suspicious: https://infosystechnologies-my.sharepoint.com/Users/richi.jain/AppData/Local/Temp/Temp1_GSTR_4_Offline_Utility.zip/GSTR_4_Offline_Utility_v3.0.xls
Remote Template - Highly Suspicious: https://infosystechnologies-my.sharepoint.com/Users/ashutosh.khaitan/Desktop/Worksheet%20in%20SRS_Offline_GSTR10_30052018.xls
Remote Template - Highly Suspicious: https://infosystechnologies-my.sharepoint.com/Users/pallav_yadav/Documents/GSTR_4_Offline_Utility_v3.0_new_PY.xls

a78f018814b6024e31be8f343afcb322 (887.04 KB)