- review of the Hybrid Analysis reports for 4 Word docs tagged as #emotet
- @neonprimetime security
- 12/11/2017
- Microsoft Office Word Document
- sha256 fa3880f3ba318d422afd63e73769442951a73287ace1b3794bf78f3ddfc5c178
- https://www.reverse.it/sample/fa3880f3ba318d422afd63e73769442951a73287ace1b3794bf78f3ddfc5c178?environmentId=100
- Body of the Word document is just the Office logo plus the usual lure text ("This document is protected", Enable Editing, Enable Content, etc.)
- Process chain: WinWord.exe -> cmd.exe (cmd ... & %comspec% ...) -> powershell.exe (long string padded with repeated filler characters, stripped by replace calls at the end of the command) -> 35320.exe
- The URLs are partly visible in the VBA macro: they are broken up by inserted junk character sequences that the macro replaces with the empty string at runtime, leaving the plain URLs
- 12/9/2017
- Microsoft Office Word Document
- sha256 2c9516e9d54883f318c3972935e2796549760445f930880b35d9c65ed7617247
- https://www.reverse.it/sample/2c9516e9d54883f318c3972935e2796549760445f930880b35d9c65ed7617247?environmentId=100
- Body of the Word document is just the Office logo plus the usual lure text ("This document is protected", Enable Editing, Enable Content, etc.)
- Process chain: WinWord.exe -> cmd.exe (cmd ... & %comspec% ...) -> powershell.exe (long string padded with repeated filler characters, stripped by replace calls at the end of the command) -> 305820.exe
- The URLs are partly visible in the VBA macro: they are broken up by inserted junk character sequences that the macro replaces with the empty string at runtime, leaving the plain URLs
- 12/5/2017
- Microsoft Office Word Document
- sha256 8714fc9545f75320ff375d6e807691ef327194a8942ac8695ceb0a18cacce1b3
- https://www.reverse.it/sample/8714fc9545f75320ff375d6e807691ef327194a8942ac8695ceb0a18cacce1b3?environmentId=100
- Body of the Word document is just the Office logo plus the usual lure text ("This document is protected", Enable Editing, Enable Content, etc.)
- Process chain: WinWord.exe -> cmd.exe (cmd ... & %comspec% ...) -> powershell.exe (long string padded with repeated filler characters, stripped by replace calls at the end of the command) -> 110883.exe
- The URLs are partly visible in the VBA macro: they are broken up by inserted junk character sequences that the macro replaces with the empty string at runtime, leaving the plain URLs
- 12/4/2017
- Microsoft Office Word Document
- sha256 5dbf9dc9341bd506eb2cdf5ec294c6c3029535424aa0a42e9b045cbd95c6d3df
- https://www.reverse.it/sample/5dbf9dc9341bd506eb2cdf5ec294c6c3029535424aa0a42e9b045cbd95c6d3df?environmentId=100
- Body of the Word document is just the Office logo plus the usual lure text ("This document is protected", Enable Editing, Enable Content, etc.)
- Process chain: WinWord.exe -> cmd.exe (cmd ... & %comspec% ...) -> powershell.exe (long string padded with repeated filler characters, stripped by replace calls at the end of the command) -> 326052.exe
- The URLs are partly visible in the VBA macro: they are broken up by inserted junk character sequences that the macro replaces with the empty string at runtime, leaving the plain URLs
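- Added example (not code from the samples, Hybrid Analysis or @neonprimetime): a small Python deobfuscator for the "junk sequences stripped by Replace() calls" trick described for both the PowerShell stage and the VBA macro in all four notes. It pulls the Replace() pairs out of the script text, finds the padded string literal they act on, applies the chain in source order, and extracts the URLs. Both inputs are constructed stand-ins with reserved .invalid hostnames, not indicators from these samples; the filler strings 'Qzt', '~~' and '##' are assumptions for the demo.

```python
"""Recover URLs from 'junk sequence + Replace()' string obfuscation.

Added example for the #emotet notes above; not code from the samples,
Hybrid Analysis or @neonprimetime.  The two inputs at the bottom are
constructed stand-ins for what the process tree and macro showed: a string
padded with filler sequences that a chain of Replace() calls strips out.
"""
import re
from collections import Counter

# One Replace() call in either form the notes describe:
#   PowerShell method:  'text'.Replace('old','new')
#   VBA function:       Replace(var, "old", "new")
REPLACE_CALL = re.compile(
    r"""\.?Replace\(\s*(?:[\w$]+\s*,\s*)?(['"])(.*?)\1\s*,\s*(['"])(.*?)\3\s*\)""",
    re.IGNORECASE,
)
# Single- or double-quoted literal (group 1 or group 2 is set).
QUOTED = re.compile("'([^']*)'|\"([^\"]*)\"")
URL_RE = re.compile(r"https?://[^\s'\",;|)]+", re.IGNORECASE)


def find_replace_pairs(text):
    """Return [(old, new), ...] in source order, i.e. the order the chain runs."""
    return [(old, new) for _, old, _, new in REPLACE_CALL.findall(text)]


def extract_payload(text):
    """The obfuscated string: the longest quoted literal that is not itself
    an argument of a Replace() call."""
    without_calls = REPLACE_CALL.sub("", text)
    literals = [a or b for a, b in QUOTED.findall(without_calls)]
    if not literals:
        raise ValueError("no quoted string literal found")
    return max(literals, key=len)


def deobfuscate(text):
    """Apply the Replace() chain to the payload the way the loader does.

    str.replace is an ordinal, case-sensitive substitution, which matches
    .NET String.Replace() and VBA Replace() under the default Option Compare
    Binary (the PowerShell -replace operator would be case-insensitive).
    """
    payload = extract_payload(text)
    for old, new in find_replace_pairs(text):
        payload = payload.replace(old, new)
    return payload


def extract_urls(text):
    """URLs left over once the filler is removed."""
    return URL_RE.findall(deobfuscate(text))


def frequent_substrings(text, length=3, top=5):
    """Candidate filler sequences when the Replace() calls are not obvious
    (e.g. they live in another macro routine): the most common fixed-length
    substrings of the padded payload, as (substring, count) pairs."""
    grams = Counter(text[i:i + length] for i in range(len(text) - length + 1))
    return grams.most_common(top)


# Constructed stand-in for the PowerShell body from the process tree
# ("repeated characters, replace chars at end"); filler 'Qzt' and '~~'.
SAMPLE_POWERSHELL = (
    "$u='h~~ttQztp://exaQztmple.inv~~alid/wp-cQztontent/1.exe,"
    "htQzttp://te~~st.exQztample.invalid/iQztmg/'"
    ".Replace('Qzt','').Replace('~~','');$u.Split(',')"
)

# Constructed stand-in for the VBA macro form of the same trick; filler '##'.
SAMPLE_VBA = (
    'Dim s As String\n'
    's = "h##ttp://dl.exa##mple.invalid/wp-ad##min/3.exe"\n'
    's = Replace(s, "##", "")\n'
)

if __name__ == "__main__":
    for name, sample in (("powershell", SAMPLE_POWERSHELL), ("vba", SAMPLE_VBA)):
        print(name, "filler candidates:", frequent_substrings(extract_payload(sample)))
        print(name, "urls:", extract_urls(sample))
```

Run it on the text copied from the Hybrid Analysis process tree or from olevba output rather than on a URL you trust: the payload is whatever the longest literal is, so if the macro concatenates several pieces or builds the filler dynamically, use frequent_substrings() to spot the filler and feed the pairs in by hand.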