Need help analyzing possible ransomware

RoboMan
Thread author
Jun 24, 2016
Sorry if this is the wrong section. I was sent this file by a stranger, theoretically containing "Spotify Accounts". I have no VM now, so I used SandBoxie, and the file requested to enable content. I did so and, despite it being sandboxed, VS blocked a JS script from AppData (safe because it was sandboxed). As I have no VM and I do not fully trust this software, I'm giving you guys the file. If anybody wants to analyse it, go ahead :)

For a password I used the old "infected":


How can a file contain "spotify accounts"? Does that make sense to anyone here?
If you open a Word file and you get JS scripts, you can be 100% sure it is malware.
You can bet your last dollar on it.
I agree as well! But it's always nice to share it and give you guys something to play with :rolleyes:

And maybe our researchers/analysers would like to analyse it and trace it down, whatever they want to do :)
 
Code:
' Fragment quoted from the VirusTotal report; the rest of the macro is not on the page.
Function abfcacbee() As String
    Dim bbfcdbcbe As Object
    ' Scripting.FileSystemObject gives the macro file-system access from VBA.
    Set bbfcdbcbe = CreateObject("Scripting.FileSystemObject")
    ' File name of the script that will be dropped.
    deebadabfadbddef = "\cfeaabcfaccbf.js"
    ' GetSpecialFolder(2) = TemporaryFolder (%TMP%), the directory the .js is written to.
    babfdacaffcdcadff = CStr(bbfcdbcbe.GetSpecialFolder(2))

Just a very quick look at the VT report tells us about the GetSpecialFolder method of the FileSystemObject object, which returns the path of some Windows folders. The method accepts a single parameter whose value can be:

(0) WindowsFolder - system files folder

(1) SystemFolder - folder of the libraries, fonts and drivers

In this case:

(2) TemporaryFolder - temporary file folder.

But an extended analysis of the sample and of any dropped files may give us more info about its behavior.
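As an added example (not code from the thread or from the sample itself), the following Python script does the kind of quick static triage described above: it lists the COM objects a macro creates, resolves every GetSpecialFolder() index to its folder name and the environment variable it maps to on a live host, collects quoted file names with script or binary extensions, and notes auto-execute entry points. The macro it runs over is constructed for this example around the four lines quoted from the VirusTotal report; the AutoOpen stub and the Chr()-obfuscated CreateObject line after them are assumptions, added so the Chr() decoder has something to fold.

```python
"""Quick static triage of a VBA macro: which automation objects it creates,
which GetSpecialFolder() indexes it resolves, and which script/binary names
it writes. Added example for this thread; SAMPLE_MACRO is constructed around
the four lines quoted on the page, everything after them is assumed."""
import re

# Index -> name, per the Scripting.FileSystemObject GetSpecialFolder docs.
SPECIAL_FOLDERS = {0: "WindowsFolder", 1: "SystemFolder", 2: "TemporaryFolder"}
# Where each index lands on a live Windows host (TemporaryFolder follows %TMP%).
SPECIAL_FOLDER_ENV = {0: "%SystemRoot%", 1: "%SystemRoot%\\System32", 2: "%TMP%"}

# COM objects a document macro has little legitimate reason to create.
SUSPICIOUS_OBJECTS = {
    "scripting.filesystemobject": "arbitrary file read/write",
    "wscript.shell": "process launch, registry, environment",
    "shell.application": "ShellExecute of arbitrary files",
    "msxml2.xmlhttp": "HTTP download",
    "adodb.stream": "binary file write",
}
AUTO_EXEC = (r"\b(?:Sub|Function)\s+(AutoOpen|Auto_Open|AutoExec|AutoClose|"
             r"Document_Open|Document_Close|Workbook_Open)\b")
DROPPED_NAME = r'"([^"\r\n]*\.(?:js|jse|vbs|vbe|wsf|hta|ps1|bat|cmd|exe|dll|scr))"'


def decode_chr_concat(vba: str) -> str:
    """Fold Chr(87) & Chr(83) & ... runs into a quoted literal so the later
    regexes see the plaintext the macro would only build at runtime."""
    run = re.compile(r"Chr\(\s*\d+\s*\)(?:\s*&\s*Chr\(\s*\d+\s*\))*", re.I)

    def fold(m):
        codes = re.findall(r"\d+", m.group(0))
        return '"' + "".join(chr(int(c)) for c in codes) + '"'

    return run.sub(fold, vba)


def triage_macro(vba: str) -> dict:
    text = decode_chr_concat(vba)
    objects = []
    for m in re.finditer(r'CreateObject\s*\(\s*"([^"]+)"', text, re.I):
        if m.group(1) not in objects:
            objects.append(m.group(1))
    folders = [(int(i), SPECIAL_FOLDERS.get(int(i), "unknown"))
               for i in re.findall(r"GetSpecialFolder\s*\(\s*(\d+)\s*\)", text, re.I)]
    dropped = re.findall(DROPPED_NAME, text, re.I)
    auto = re.findall(AUTO_EXEC, text, re.I)
    flagged = [o for o in objects if o.lower() in SUSPICIOUS_OBJECTS]
    return {
        "objects": objects,
        "flagged": flagged,
        "special_folders": folders,
        "dropped_names": dropped,
        "auto_exec": auto,
        # entry point + file/process capability + a script name = classic dropper shape
        "likely_dropper": bool(auto and flagged and dropped),
    }


def expected_drop_paths(findings: dict) -> list:
    """Join each resolved special folder with each dropped name the way the
    macro does by string concatenation, using env-var placeholders so the
    result reads the same without a Windows host."""
    paths = []
    for idx, _ in findings["special_folders"]:
        base = SPECIAL_FOLDER_ENV.get(idx, f"<GetSpecialFolder({idx})>")
        for name in findings["dropped_names"]:
            sep = "" if name.startswith("\\") else "\\"
            paths.append(base + sep + name)
    return paths


# Constructed sample: the four quoted lines plus an assumed AutoOpen entry
# point and an assumed Chr()-obfuscated CreateObject("WScript.Shell") call.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    abfcacbee
End Sub

Function abfcacbee() As String
    Dim bbfcdbcbe As Object
    Set bbfcdbcbe = CreateObject("Scripting.FileSystemObject")
    deebadabfadbddef = "\cfeaabcfaccbf.js"
    babfdacaffcdcadff = CStr(bbfcdbcbe.GetSpecialFolder(2))
    ' The line below is constructed for this example, not from the sample:
    Set bacdbfa = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))
End Function
'''

if __name__ == "__main__":
    result = triage_macro(SAMPLE_MACRO)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("expected drop path(s):", expected_drop_paths(result))
```

On the real sample this only tells you where to look: the resolved path (%TMP%\cfeaabcfaccbf.js here) is what to pull out of a sandbox run for the second stage, and a Chr()/string-concatenation decoder like the one above is usually the first thing needed before the rest of an obfuscated macro becomes readable.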