Neonprimetime

#Emotet Word Doc Observations 12-4-2017 to 12-11-2017

Dec 11th, 2017
Review of the Hybrid Analysis analysis of 4 Word docs tagged as #emotet
@neonprimetime security

12/11/2017
Microsoft Office Word Document
sha256 fa3880f3ba318d422afd63e73769442951a73287ace1b3794bf78f3ddfc5c178
https://www.reverse.it/sample/fa3880f3ba318d422afd63e73769442951a73287ace1b3794bf78f3ddfc5c178?environmentId=100

Body of Word Document is a plain Office logo, says "This document is protected, Enable Editing, Enable Content, etc."

WinWord.exe -> cmd.exe (cmd & %comspec& ...) -> powershell.exe (repeated characters, replace chars at end) -> 35320.exe

Has URLs in the VBA macro that you can more or less see visually; they are just split apart by a bunch of junk character sequences that get replaced with an empty string, eventually leaving you with the URLs.

12/9/2017
Microsoft Office Word Document
sha256 2c9516e9d54883f318c3972935e2796549760445f930880b35d9c65ed7617247
https://www.reverse.it/sample/2c9516e9d54883f318c3972935e2796549760445f930880b35d9c65ed7617247?environmentId=100

Body of Word Document is a plain Office logo, says "This document is protected, Enable Editing, Enable Content, etc."

WinWord.exe -> cmd.exe (cmd & %comspec& ...) -> powershell.exe (repeated characters, replace chars at end) -> 305820.exe

Has URLs in the VBA macro that you can more or less see visually; they are just split apart by a bunch of junk character sequences that get replaced with an empty string, eventually leaving you with the URLs.

12/5/2017
Microsoft Office Word Document
sha256 8714fc9545f75320ff375d6e807691ef327194a8942ac8695ceb0a18cacce1b3
https://www.reverse.it/sample/8714fc9545f75320ff375d6e807691ef327194a8942ac8695ceb0a18cacce1b3?environmentId=100

Body of Word Document is a plain Office logo, says "This document is protected, Enable Editing, Enable Content, etc."

WinWord.exe -> cmd.exe (cmd & %comspec& ...) -> powershell.exe (repeated characters, replace chars at end) -> 110883.exe

Has URLs in the VBA macro that you can more or less see visually; they are just split apart by a bunch of junk character sequences that get replaced with an empty string, eventually leaving you with the URLs.

12/4/2017
Microsoft Office Word Document
sha256 5dbf9dc9341bd506eb2cdf5ec294c6c3029535424aa0a42e9b045cbd95c6d3df
https://www.reverse.it/sample/5dbf9dc9341bd506eb2cdf5ec294c6c3029535424aa0a42e9b045cbd95c6d3df?environmentId=100

Body of Word Document is a plain Office logo, says "This document is protected, Enable Editing, Enable Content, etc."

WinWord.exe -> cmd.exe (cmd & %comspec& ...) -> powershell.exe (repeated characters, replace chars at end) -> 326052.exe

Has URLs in the VBA macro that you can more or less see visually; they are just split apart by a bunch of junk character sequences that get replaced with an empty string, eventually leaving you with the URLs.
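Added triage helper (not from the paste or from the analysed samples) for the "split URL plus Replace-to-empty-string" pattern noted for all four docs: it pulls the junk sequences out of the macro's own Replace(..., junk, "") calls, strips them from every string literal until nothing changes, and reports the URLs that fall out. The macro text, variable names and URL are constructed for illustration.

```python
import re

# Constructed sample macro fragment (not taken from the analysed documents):
# the URL is broken up with junk sequences that the macro later removes with
# Replace(..., junk, ""), which is the pattern the notes above describe.
SAMPLE_MACRO = r'''
Dim junk As String: junk = "QzX"
Dim j2 As String: j2 = "##k"
url = Replace(Replace("htQzXtp://exam##kple.invaliQzXd/do##kc/1", junk, ""), j2, "")
'''

LITERAL_RE = re.compile(r'"([^"]*)"')
ASSIGN_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
# second argument of a Replace(...) call whose third argument is ""
JUNK_ARG_RE = re.compile(r',\s*("[^"]*"|\w+)\s*,\s*""\s*\)')
URL_RE = re.compile(r'https?://[^\s"\']+', re.IGNORECASE)


def collect_junk(macro: str) -> set:
    """Return the junk sequences the macro removes, resolving variable names."""
    assigns = dict(ASSIGN_RE.findall(macro))
    junk = set()
    for arg in JUNK_ARG_RE.findall(macro):
        value = arg[1:-1] if arg.startswith('"') else assigns.get(arg, "")
        if value:  # an empty sequence would never terminate the strip loop
            junk.add(value)
    return junk


def strip_junk(text: str, junk: set) -> str:
    """Remove junk sequences until none remain (a removal can expose new ones)."""
    while any(j in text for j in junk):
        for j in junk:
            text = text.replace(j, "")
    return text


def extract_urls(macro: str) -> list:
    """Recover URLs from string literals once the junk sequences are removed."""
    junk = collect_junk(macro)
    found = set()
    for literal in LITERAL_RE.findall(macro):
        found.update(URL_RE.findall(strip_junk(literal, junk)))
    return sorted(found)


if __name__ == "__main__":
    for u in extract_urls(SAMPLE_MACRO):
        print(u)  # feed to blocklists / proxy log searches, not to a browser
```

The recovered hosts are what you would pivot on in proxy and DNS logs for the 12/4 to 12/11 window; the process chain WinWord.exe -> cmd.exe -> powershell.exe noted above is the matching endpoint detection.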