Windows Analysis Report
#Inv_PI29467018.pdf.vbs

Overview

General Information

Sample name: #Inv_PI29467018.pdf.vbs
Analysis ID: 1466657
MD5: 0d7fba81a34a00e46fb11abc096eb976
SHA1: ccfdbb9f5388754ce2db0a6f05ff04ff92a41f06
SHA256: 6c60511df599252554365d394992a4cd60880d19aa8348a67f18c0c090265b72
Tags: vbs

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected VBS Downloader Generic
AI detected suspicious sample
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Uses an obfuscated file name to hide its real file extension (double extension)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Found WSH timer for Javascript or VBS script (likely evasive script)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
Program does not show much activity (idle)
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication

Classification

AV Detection

Source: #Inv_PI29467018.pdf.vbs ReversingLabs: Detection: 18%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 93.8% probability

Spreading

Source: Yara match File source: #Inv_PI29467018.pdf.vbs, type: SAMPLE

Networking

Source: C:\Windows\System32\wscript.exe Network Connect: 41.216.183.13 80
Source: Joe Sandbox View IP Address: 41.216.183.13 41.216.183.13
Source: Joe Sandbox View ASN Name: AS40676US AS40676US
Source: global traffic HTTP traffic detected:
  GET /Users_API/gavrels/file_splnzgmx.ozu.txt HTTP/1.1
  Accept: */*
  Accept-Language: en-ch
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 41.216.183.13
  Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 41.216.183.13
Source: unknown TCP traffic detected without corresponding DNS query: 41.216.183.13
Source: unknown TCP traffic detected without corresponding DNS query: 41.216.183.13
Source: unknown TCP traffic detected without corresponding DNS query: 41.216.183.13
Source: unknown TCP traffic detected without corresponding DNS query: 41.216.183.13
Source: global traffic HTTP traffic detected:
  GET /Users_API/gavrels/file_splnzgmx.ozu.txt HTTP/1.1
  Accept: */*
  Accept-Language: en-ch
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 41.216.183.13
  Connection: Keep-Alive
Source: wscript.exe, 00000000.00000003.2107641600.000002107CC36000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2107759287.000002107CC3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://41.216.183.
Source: wscript.exe, 00000000.00000003.2327531639.000002107D6D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2348637622.000002107D6CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://41.216.183.13/Users_API/gavre
Source: wscript.exe, 00000000.00000003.2107759287.000002107CC4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2107806609.000002107CC4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2347160909.000002107ADF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2107560179.000002107CC4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2348408579.000002107CC30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2107005392.000002107CC3A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2107894778.000002107CC4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2347297777.000002107CC4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2327531639.000002107D6D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2346825922.000002107AE2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2347363700.000002107AE0E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2346863401.000002107AE2F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2347199674.000002107AE05000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2347442444.000002107D105000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2348198584.000002107AE34000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2107039232.000002107AE05000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2348637622.000002107D6CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2107852065.000002107CC4D000.00000004.00000020.00020000.00000000.sdmp, #Inv_PI29467018.pdf.vbs String found in binary or memory: http://41.216.183.13/Users_API/gavrels/file_splnzgmx.ozu.txt
Source: wscript.exe, 00000000.00000003.2107759287.000002107CC4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2107806609.000002107CC4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2107560179.000002107CC4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2107894778.000002107CC4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2347297777.000002107CC4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2107852065.000002107CC4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://41.216.183.13/Users_API/gavrels/file_splnzgmx.ozu.txt.
Source: wscript.exe, 00000000.00000003.2347247324.000002107ADDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2348145195.000002107ADEE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2347799903.000002107ADEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://41.216.183.13/Users_API/gavrels/file_splnzgmx.ozu.txtssesROAMIN
Source: wscript.exe, 00000000.00000003.2347327797.000002107CC32000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2348423660.000002107CC33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://41.216.183.13/Users_APhO
Source: wscript.exe, 00000000.00000003.2327531639.000002107D6D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2348637622.000002107D6CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com

System Summary

Source: C:\Windows\System32\wscript.exe COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
Source: #Inv_PI29467018.pdf.vbs Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal84.spre.evad.winVBS@1/0@0/1
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\#Inv_PI29467018.pdf.vbs"
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: #Inv_PI29467018.pdf.vbs ReversingLabs: Detection: 18%
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wininet.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Hooking and other Techniques for Hiding and Protection

Source: Possible double extension: pdf.vbs Static PE information: #Inv_PI29467018.pdf.vbs
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: wscript.exe, 00000000.00000002.2348637622.000002107D6B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0c
Source: wscript.exe, 00000000.00000003.2327531639.000002107D6F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2348637622.000002107D6F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000002.2348302837.000002107AE9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2346863401.000002107AE83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2347069626.000002107AE96000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2346746822.000002107AE83000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWi
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe Network Connect: 41.216.183.13 80
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid